AI Act: Understand the four AI risk levels
The EU AI Act regulates AI systems according to the level of risk they pose: the higher the risk, the stricter the rules. Last year, we walked you through what the Act is about, who it affects, and what you need to do to stay compliant.
In this blog post, we walk you through the four risk levels defined by the AI Act: unacceptable risk, high risk, limited risk, and minimal or no risk. The goal is for you to understand which rules apply at each level.
Now, let’s go through each level one by one.
1. Unacceptable risk
These AI systems pose the highest level of risk. Because of that, they are banned outright in the EU; the prohibitions have applied since 2 February 2025.
And why, you may ask?
Because they contradict many of the EU’s values, such as respect for human equality, human freedom and fundamental rights.
These prohibited practices include, but are not limited to:
- Social scoring: Ranking people based on their behavior or personal characteristics in a way that affects their access to opportunities and services.
- Manipulation and exploitation: Using subliminal, manipulative or deceptive techniques to distort people's behavior in ways that cause them significant harm, often without them realizing it. This also includes exploiting the vulnerabilities of specific groups based on their age, disability, or social or economic situation.
Basically, that one Black Mirror episode, or China's Social Credit System, could never exist in an EU context.
Both examples above are already mentioned in our previous blog about the AI Act. Some other yet-to-be-mentioned systems include:
- Scraping facial images: Untargeted scraping of facial images from the internet or from video surveillance footage in order to create or expand facial recognition databases.
- Predictive policing: Assessing or predicting the risk that a specific person will commit a crime based solely on profiling or personality traits, which reinforces existing biases.
To conclude: These are systems whose harm to people's rights and safety cannot be fixed with safeguards or oversight, so the Act does not regulate them, it bans them.
Thank god.
2. High risk
AI systems in this category are allowed in the EU, but they are the most heavily regulated. Before they can be placed on the market they must meet strict requirements, including a risk management system, data governance, technical documentation, logging, human oversight, and an appropriate level of accuracy, robustness and cybersecurity.
High-risk systems fall into two groups. The first is AI used as a safety component of products already covered by EU product safety legislation, such as medical devices, vehicles, lifts, or machinery. The second is stand-alone AI used in the sensitive areas the Act lists explicitly.
If these systems fail or are misused, the consequences for people's health and safety or their fundamental rights can be serious, and in some cases they can also harm the environment.
Let's look at some examples of these high-risk areas in different sectors:
- Critical infrastructure: Managing and operating road traffic, energy supply or digital infrastructures
- Education and employment: E.g., screening candidates when recruiting a new employee, or evaluating employees' performance.
- Migration: Reviewing applications for asylum, visa or residence permits.
When these AI systems are not regulated, they can create new bias or reinforce existing bias, for instance by profiling specific groups such as minorities or people of color.
In other words: When AI is running wild, it can start to have preferences... And not the good kind.
And why is this bad? Because it can lead to unfair or unequal outcomes for the people affected, e.g., costing them a job or a residence permit.
3. Limited risk
AI systems in this risk level don't pose the kind of major risks we've seen in the two previous levels.
Even so, transparency is still required, because these systems carry a risk of manipulation or deceit. This covers systems that interact directly with people, such as chatbots, as well as emotion recognition and biometric categorization systems, and AI-generated or manipulated content such as deepfakes, which must be labeled as such. Note that emotion recognition is a special case: using it in the workplace or in education is prohibited outright under the unacceptable risk rules.
E.g., when you're chatting with ChatGPT, it should tell you that you're chatting with a computer and not some random human being on the other side of the screen.
This transparency helps build trust and lets people make informed decisions about what they are interacting with.
4. Minimal or no risk
This is the lowest level of risk defined by the AI Act. It covers all the AI systems that don't fall under the risk levels above, e.g., spam filters and AI-enabled video games.
The Act imposes no specific obligations on these systems, but it encourages providers to adopt voluntary codes of conduct, and other laws such as the GDPR still apply. It's also a good idea to keep some form of human oversight to catch problems early.
Why?
Because transparency and oversight are what keep even low-risk systems from quietly introducing bias and discrimination.
So... What now?
Hopefully this guide has helped you better understand the four AI risk categories in the AI Act, and maybe even helped you figure out which category your AI might fall under. If an AI tool is involved in critical areas like healthcare or finance (for example, assessing creditworthiness), it's probably high-risk. Everyday tools like chatbots are typically limited risk.
Make sure to review the AI Act's detailed guidelines, in particular the lists of prohibited practices and high-risk use cases, to understand the specifics for each category and the consequences of not following these requirements. The fines are substantial: for prohibited practices they can reach 35 million euros or 7% of global annual turnover, whichever is higher.
It's also a good idea to conduct a risk assessment to evaluate how your AI system could impact safety or people's rights, and to document the outcome; for high-risk systems this documentation is required, not optional.
While our expertise is in cybersecurity awareness and phishing training, we encourage you to embrace these new regulations as an opportunity to enhance transparency and trust in your AI practices.
If you need support in building a culture of awareness and preparedness, we’re here to help with training solutions that strengthen your overall security framework.