What triggers this
- Real-time biometric surveillance in public spaces
- Social scoring by governments or employers
- AI exploiting psychological vulnerabilities to manipulate behaviour
- Predictive policing based on profiling
- Subliminal manipulation techniques
Executive implication
If any system in your portfolio matches these descriptions — even partially — the correct action is immediate decommissioning, not remediation. There is no conformity path. Legal exposure extends to directors personally in most member states.
Enforcement exposure
Whichever is higher. The highest penalty band in the Act. Criminal referral is possible in some jurisdictions.
What triggers this
- HR and recruitment AI (screening, scoring, ranking)
- Credit scoring and lending decisions
- Insurance risk assessment
- Medical devices and clinical decision support
- Critical infrastructure (energy, water, transport)
- Education assessment systems
- Law enforcement tools
What compliance requires
- Conformity assessment before deployment
- Human oversight mechanisms built in
- Audit trail and logging (retained)
- Registration in the EU AI Act database
- Technical documentation to prescribed standard
- Data governance and bias testing
- Designated accountability owner
Enforcement exposure
Plus market withdrawal orders, suspension of systems, and reputational exposure. Exclusion from public-sector procurement is likely.
What triggers this
- Customer-facing chatbots and virtual assistants
- AI-generated content (text, images, audio, video)
- Deepfake or synthetic media tools
- Emotion recognition in customer interactions
What compliance requires
- Disclose that users are interacting with AI — not a human
- Label AI-generated content as such
- Mark synthetic media (deepfakes) clearly
- No technical documentation or registration required
Enforcement exposure
Penalties apply for failure to disclose AI identity. Compliance cost is low — the risk of non-compliance here is primarily reputational.
What falls here
- Spam and content filters
- Recommendation engines (unless they drive consequential decisions about people)
- AI in video games
- Predictive maintenance (non-critical infrastructure)
- Internal productivity tools with no personnel decision output
What compliance requires
Nothing mandatory. The Act encourages voluntary adoption of codes of conduct, but imposes no legal requirement. The CIO/CFO task here is simply to confirm systems are correctly classified — not assumed to be minimal risk.
Key risk
A system that appears minimal risk may be high risk if its outputs feed into decisions about people. Document your reasoning — not just your conclusion.
Answer four questions. Takes 90 seconds. Gets you a starting position — not a legal opinion.