What is a High-Risk AI System?
A high-risk AI system is an AI application the EU AI Act classifies as posing significant risk to health, safety, or fundamental rights — either because it is a safety component of a regulated product (Annex I) or is used in a listed sensitive area (Annex III) such as employment, education, credit, biometrics, or law enforcement.
The high-risk category is where most of the EU AI Act's substantive obligations land. Providers of high-risk systems must implement a continuous risk management system, ensure data governance and quality, maintain technical documentation and automatic logging, provide transparency and human oversight, and meet accuracy, robustness, and cybersecurity requirements before passing a conformity assessment and registering the system. Deployers (the organizations using these systems) carry duties too, including human oversight and, for some, a fundamental rights impact assessment.
For example, an HR platform that screens job applicants or ranks candidates is treated as high-risk under Annex III — so the vendor and the employer using it both inherit documentation and oversight obligations that a simple chatbot would not trigger. Misclassifying such a tool as low-risk is a common and costly mistake, because the Act's enforcement timeline phases high-risk obligations in through 2026 and 2027.
Getting audit-ready starts with documenting how you classified each AI system and the controls you applied. An AI governance policy, an AI risk register, and an impact-assessment template give you a repeatable, defensible record. Templates accelerate that documentation, but they do not by themselves make a system compliant — you still have to perform the assessments, apply real controls, and (for high-risk systems) complete the required conformity steps.
Related terms: Algorithmic Impact Assessment · AI Risk Management · AI Management System (AIMS) · Data Protection Impact Assessment (DPIA)
Frequently asked questions
- How do I know if my AI system is high-risk under the EU AI Act?
- It is high-risk if it is a safety component of a product covered by EU harmonization law (Annex I) or falls into a listed use case in Annex III — biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, or administration of justice. A limited exception applies if the system does not pose a significant risk to health, safety, or rights, but you must document that determination.
- Is a high-risk AI system the same as a prohibited AI system?
- No. Prohibited systems (such as social scoring or untargeted facial-recognition scraping) are banned outright. High-risk systems are permitted but heavily regulated, requiring risk management, documentation, human oversight, and conformity assessment before they can be placed on the market.
- Does the high-risk classification apply outside the EU?
- It can. The EU AI Act has extraterritorial reach: if your AI system's output is used in the EU, or you place it on the EU market, you may fall in scope regardless of where your company is based.
Toolkits that cover High-Risk AI Systems
AI Governance Policy Pack
10 editable AI policies aligned to the EU AI Act and NIST AI RMF, plus an AI risk register — govern workplace AI before regulators and clients ask.
ISO 42001 AI Management System Toolkit
14 editable ISO/IEC 42001:2023 policies and procedures — impact assessments, AI lifecycle, data governance, third-party AI — plus the Annex A Statement of Applicability, an AI risk register, and an audit evidence checklist.
Startup Trust Pack — SOC 2 + AI Governance
25 editable documents bundling the SOC 2 Core policy set with the full AI Governance pack — answer enterprise security questionnaires AND the new AI-policy questions in one purchase.
Learn more in our AI Governance (EU AI Act & NIST AI RMF) guide, explore the editable policy templates, or browse the full compliance glossary.
