Skill Guide

AI system risk classification under frameworks like the EU AI Act

The systematic process of categorizing an AI system based on its intended purpose and the severity of potential harm to health, safety, or fundamental rights, as mandated by regulatory frameworks like the EU AI Act.

This skill is critical for enabling compliant market access, mitigating catastrophic legal and reputational risk, and building stakeholder trust. Organizations that master it can strategically allocate resources to high-risk systems while accelerating innovation in low-risk categories.

How to Learn AI system risk classification under frameworks like the EU AI Act

1. **EU AI Act Core Text:** Read and internalize Articles 6-8 and Annex I-III, which define the risk categories and prohibited uses.
2. **Key Terminology:** Master definitions for 'high-risk AI system,' 'substantial modification,' and 'intended purpose.'
3. **Comparison Frameworks:** Study the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF) to understand alternative classification methodologies.

1. **Practical Classification:** Apply the Act's criteria to real-world AI use cases (e.g., a CV-screening tool, a predictive maintenance system, a deepfake generator).
2. **Gap Analysis:** Identify where an existing internal AI governance checklist falls short of the Act's specific documentation and risk management requirements for high-risk systems.
3. **Common Mistake:** Avoid conflating technical complexity with regulatory risk; a simple algorithm in a high-risk use case (e.g., credit scoring) requires more stringent oversight than a complex one in a low-risk area.

1. **Strategic Integration:** Design an enterprise-wide risk classification taxonomy that maps EU AI Act categories to internal product development and procurement workflows.
2. **Cross-Framework Synthesis:** Build a unified compliance model that reconciles the EU AI Act with other emerging frameworks (e.g., Canada's AIDA, China's AI Safety Governance).
3. **Executive Advisory:** Develop the ability to brief leadership on the strategic and financial implications of classifying a flagship AI product as high-risk versus unacceptable risk.

Practice Projects

Beginner
Case Study/Exercise

Classify a Portfolio of AI Systems

Scenario

You are given a list of 10 hypothetical AI system descriptions (e.g., 'chatbot for customer service,' 'AI for biometric identification in public spaces,' 'system for prioritizing emergency service dispatch').

How to Execute
1. For each system, define its 'intended purpose.'
2. Cross-reference the purpose against the EU AI Act's prohibited practices (Annex II) and high-risk areas (Annex III).
3. Assign each a preliminary risk tier: Unacceptable, High, Limited, or Minimal.
4. Document your rationale using specific Articles and Annexes as references.

Intermediate
Project

Develop a Pre-Market Risk Assessment Checklist

Scenario

Your AI startup is building a hiring algorithm. You must create an internal compliance checklist to determine if it qualifies as a high-risk system under the EU AI Act before launch.

How to Execute
1. Draft a checklist of questions based on Annex III, Category 4 ('Employment, Workers Management').
2. Map each question to a specific requirement for high-risk systems (e.g., 'Does it make or assist decisions on recruitment, promotion, or termination?').
3. Include a mandatory section for conformity assessment procedures and required documentation (technical file, risk management system).
4. Stress-test the checklist with two scenarios: one where the algorithm is a simple filter and one where it scores candidates.

Advanced
Case Study/Exercise

Navigate a Reclassification Crisis

Scenario

A major client's AI-driven medical diagnostic tool, initially classified as 'high-risk,' undergoes a substantial modification. The client argues it should be reclassified as 'limited risk' to avoid stringent conformity assessments, citing a change in the algorithm's backend.

How to Execute
1. **Legal Analysis:** Scrutinize Article 6(3) on 'substantial modification' and relevant case law or guidance from the European Artificial Intelligence Board.
2. **Technical Audit:** Assess whether the modification changes the system's intended purpose or affects its compliance with high-risk requirements.
3. **Risk Re-evaluation:** Conduct a full risk assessment to determine whether the original high-risk classification is still valid.
4. **Stakeholder Negotiation:** Prepare a formal recommendation document for the client, advising on the safest legal and operational path, potentially recommending a voluntary conformity assessment to mitigate risk.

Tools & Frameworks

Regulatory & Standards Texts

- EU AI Act (Final Text)
- NIST AI Risk Management Framework (AI RMF 1.0)
- ISO/IEC 42001:2023 (AI Management System)

The EU AI Act is the primary legal reference. NIST AI RMF provides a complementary, risk-based process. ISO 42001 offers a certifiable management system structure to operationalize the classification and risk controls.

Mental Models & Methodologies

- Intended Purpose Analysis
- Use-Case vs. Technology Deconstruction
- Cone of Uncertainty Risk Mapping

**Intended Purpose Analysis** is the mandatory first step in any classification. **Use-Case vs. Technology Deconstruction** prevents misclassification by focusing on application, not just the model. **Cone of Uncertainty** helps map potential future harms and cascading risks of a system.

Interview Questions

Answer Strategy

Structure the answer by first defining the intended purpose, then systematically checking it against the Act. Sample Answer: 'First, I'd define the system's intended purpose: automated defect detection on an assembly line. This falls under Annex III, Category 5 (Product Safety) as a safety component of a product. However, I would analyze if it falls under a specific exclusion in Article 2(2) or if it's merely a component of a larger quality management system. The final classification hinges on whether the AI's output directly influences the safety qualification of the vehicle component, making it a high-risk system subject to conformity assessment.'

Answer Strategy

This tests risk communication and governance enforcement. Core competency: balancing business agility with regulatory duty. Sample Response: 'I would schedule a short alignment session. I'd first validate their assessment; it may be correct under the Act's 'minimal risk' category, which imposes no specific obligations. However, I'd explain that the Act's risk tiers are a floor, not a ceiling. Our internal governance policy likely requires a documented review for any new AI system to manage reputational and data privacy risks. I'd frame the review as a value-add to ensure the tool's effectiveness and security, not a bureaucratic hurdle.'
