Most companies today are asking how to prepare for the AI Act. However, a far more important question is: how can you even tell if any of the systems you use are high-risk?
This is not an academic legal problem. It is a very practical management risk. In many organisations, AI no longer operates as an experimental chatbot, but as an integral part of HR, sales, customer service, finance, education or security processes. It is often embedded within the functions of off-the-shelf platforms that a company has purchased as a tool for automating work. And that is precisely why classification may prove more difficult than the implementation itself.
The AI Act does not classify a system as high-risk simply because it is modern, complex or based on a large language model. The key factor is something else: what the system is used for and what impact it may have on people.
If AI helps decide who gets a job, a loan, a promotion, access to benefits, a school grade or the opportunity to use an important service, the organisation should be on high alert. It is precisely in such contexts that technology ceases to be merely a tool for efficiency and begins to help shape decisions with real-world consequences.
The simplest test for a board of directors is therefore not: ‘Do we use AI?’. It is: ‘Does AI influence decisions affecting people?’. If the answer is yes, the next step is to check whether the specific use case falls within the catalogue of high-risk areas, such as employment, education, access to financial services, critical infrastructure, biometrics, migration or selected public services.
HR is a good example. A recruitment management system in itself does not necessarily pose a problem. But if an AI module analyses CVs, filters candidates, ranks those invited for interview or assesses an employee’s suitability for a role, the situation becomes entirely different. From the perspective of the AI Act, it is not the product’s label that matters, but its function within the decision-making process.
The situation is similar in finance. A model used to detect fraud may be classified differently from a system assessing an individual’s creditworthiness. For businesses, the difference is fundamental, as the latter category directly affects a person’s access to financial services.
One of the most common mistakes organisations make is the belief that risk disappears if ‘the final decision is made by a human’. In practice, this depends on whether human oversight is genuine. If an employee merely approves the system’s recommendation, does not understand the basis for it, and lacks the time or expertise to challenge it, the oversight may be merely superficial.
This is an important shift in thinking. The AI Act does not merely ask whether a human is formally involved in the process. It asks whether they have a genuine opportunity to interpret the result, halt the system’s operation, overturn the decision or carry out an independent assessment.
Once a system has been classified as high-risk AI, it ceases to be merely an IT project. It becomes part of the organisational framework. The company must know what risks the system generates, what data it operates on, who oversees its use, how decisions are documented, and what happens when the system starts to malfunction.
In practice, this entails several fundamental obligations. The organisation requires a risk management process, data quality controls, technical and operational documentation, logging of system activities, effective human oversight, and monitoring of the AI’s performance following implementation. For suppliers, there are also obligations relating to conformity assessment, registration and demonstrating that the system meets regulatory requirements.
For companies purchasing off-the-shelf solutions, this means a change in how they engage with suppliers. The question ‘how effective is your model?’ is no longer sufficient. Questions regarding the system’s classification, documentation, training data, control mechanisms, allocation of responsibility and auditability will become increasingly important.
The greatest risk, therefore, is not that a company will deliberately implement a high-risk system. The real problem arises when an organisation fails to realise that such a system is already in operation within one of its processes. This is particularly true when it forms part of a larger platform, a software update, or a module purchased simply as a standard automation tool.
That is why the first step towards compliance with the AI Act should not begin with procedures, but with an inventory. A company must know where it uses AI, in which processes, in relation to which individuals, and with what impact on decisions. Only then can we meaningfully discuss classification, obligations and accountability.

