AI risk classification tiers under the EU AI Act

Under the EU AI Act, AI systems fall into four risk tiers: unacceptable risk (banned), high risk (heavily regulated), limited risk (transparency obligations) and minimal risk (no specific obligations). The tier determines which legal requirements apply to a given system.

The four tiers

  1. Unacceptable risk — prohibited outright. Examples include government social scoring and manipulative techniques that cause harm.
  2. High risk — allowed but subject to strict requirements: risk management, high-quality data, technical documentation, logging, human oversight, accuracy and cybersecurity, plus conformity assessment.
  3. Limited risk — transparency obligations, such as disclosing that content is AI-generated or that a user is interacting with a chatbot.
  4. Minimal risk — the majority of AI systems; no specific obligations.

Why classification matters

Classification is the first step in any EU AI Act gap analysis: it determines which obligations apply. Misclassifying a high-risk system is a common and costly mistake.

Where it fits in governance

Classification is a per-system activity. The AI Governance Portal focuses on your organization's overall governance posture against the EU AI Act, ISO/IEC 42001 and NIST AI RMF — the program-level controls and processes that should be in place before and around any individual system's classification.
