Step 1: confirm the system is in scope
Begin by checking whether the EU AI Act applies at all. It governs AI systems placed on the EU market or whose outputs are used in the EU, regardless of where the provider sits. Confirm the system meets the Act's definition of an AI system and that your organisation's role, provider or deployer, brings duties. Recording why a system is in or out of scope is the first piece of evidence an assessor will look for, so do not skip the reasoning.
Step 2: screen for prohibited uses
Check the system against the Act's banned practices, the unacceptable-risk tier. These include specific manipulative, exploitative, and untargeted surveillance uses. If a system falls here, classification ends: the use is not permitted and must be stopped or redesigned, not governed. Clearing this screen first prevents you from spending effort building controls around a use that is not allowed in the first place.
Step 3: test against the high-risk criteria
Determine whether the system is high-risk. This tier covers AI used as a safety component of regulated products and AI in named areas such as employment, education, essential services, credit, law enforcement, and critical infrastructure. High-risk classification triggers the heaviest obligations, so apply the criteria carefully and document how the system does or does not meet them. When a system sits near the line, record the analysis rather than rounding down, because under-classification is the error assessors penalise.
Step 4: place remaining systems in limited or minimal risk
Systems that are neither prohibited nor high-risk fall into one of two remaining tiers: limited risk, which carries transparency duties such as telling people they are interacting with AI or labelling generated content, or minimal risk, which carries no specific obligations under the Act. Assign the tier, note the transparency duties that apply, and keep the record. Even minimal-risk systems belong in your inventory, because a change in use can move a system into a higher tier later.
Step 5: translate the tier into enforceable obligations
Classification is only useful if it changes what you do. For each high-risk and limited-risk system, convert the tier into the specific duties it triggers and the controls that meet them: risk management, human oversight, transparency notices, and record-keeping. Route the system through a layer that enforces those controls at runtime and records the evidence, so the classification is backed by behaviour an auditor can verify rather than a label in a spreadsheet.
Frequently asked questions
What are the EU AI Act risk tiers?
Four: unacceptable risk (prohibited), high risk (heavy obligations), limited risk (transparency duties), and minimal risk (no specific obligations). Each system is placed in one based on its use.
What happens if we under-classify a system?
Under-classification means you miss obligations the system actually triggers, which is the error assessors penalise. When a system sits near a tier boundary, document the analysis and classify to the higher duty rather than rounding down.