The four risk tiers
The EU AI Act classifies AI systems by risk and scales obligations accordingly:
- Unacceptable risk → banned. Social scoring by governments, manipulative/exploitative systems, most real-time public biometric surveillance. These are prohibited outright.
- High risk → strict obligations. AI used in hiring, credit/lending, education, critical infrastructure, law enforcement, medical devices, etc. Allowed, but with heavy requirements (below). This is the tier most serious business AI falls into.
- Limited risk → transparency. Chatbots and generative AI must disclose that content is AI-generated / that the user is talking to an AI (and label deepfakes).
- Minimal risk → no obligations. Spam filters, game AI — the vast majority.
High-risk obligations (what you must build)
For a high-risk system, the Act requires (engineering-relevant subset):
- Risk management system — ongoing identification and mitigation of risks.
- Data governance — quality, representativeness, and bias checks on training/validation data.
- Technical documentation & record-keeping — how the system works; automatic logging of its operation (audit trails).
- Transparency — clear information to users/deployers about capabilities and limits.
- Human oversight — a human can understand, intervene in, and override the system.
- Accuracy, robustness, and cybersecurity — including resistance to the attacks in the AI Security course.
General-purpose AI (GPAI)
Providers of large general models have their own transparency/documentation duties (training-data summaries, copyright compliance), with extra obligations for the most capable "systemic-risk" models.
Practically
If you're deploying a high-risk AI (using a hiring tool), you inherit obligations too — due diligence, human oversight, monitoring. The engineering takeaway: know your risk tier, and if it's high-risk, build the risk management, data governance, logging, human-oversight, and documentation the Act requires — which are exactly the controls in the rest of this course.