Yesterday, the European Commission published what may be the most practically useful document it has released under the EU AI Act so far: draft guidelines on how to classify whether an AI system is high-risk.
For the past two years, "Is my AI system high-risk?" has been the question sitting at the top of every enterprise legal team's EU AI Act to-do list. It determines whether you face stringent pre-market obligations — risk assessments, governance documentation, human oversight requirements, post-market monitoring — or whether your system falls into the far lighter limited-risk or minimal-risk categories. The answer shapes your compliance roadmap, your audit posture, and your product architecture.
On May 19, 2026, the Commission finally issued a formal answer. And it's open for comment until June 23, 2026.
What the Draft Guidelines Actually Say
The guidelines are designed to support AI providers and deployers in assessing whether their system qualifies as high-risk under the Act. Under the EU AI Act, a limited list of AI use cases are considered high-risk when they endanger health, safety, or fundamental rights.
The high-risk areas identified in the Act span a range of enterprise-relevant deployments:
- Critical infrastructure — AI systems used in utilities, transport, or other essential services where failure could threaten public safety
- Education and employment — AI that affects access to education or scoring of exams; CV-sorting or workforce management tools
- Essential public and private services — credit scoring systems, insurance underwriting AI, benefits administration
- Biometrics — emotion recognition, biometric categorization, remote identification systems
- Migration, asylum, and border control
- Administration of justice and democratic processes
The draft guidelines publish practical examples alongside each category — the first time enterprises have had official worked examples to anchor their self-assessments against.
Why This Matters Right Now
August 2, 2026 is 74 days away. That is the date the AI Act becomes fully applicable for the bulk of its provisions.
The AI Omnibus political agreement reached on May 7 did push the enforcement deadline for some high-risk categories — specifically systems integrated into regulated products — to December 2027 and beyond. But that reprieve is category-specific and doesn't eliminate the classification exercise. You still need to know where your systems land.
More urgently: the transparency obligations under Article 50, which require chatbot disclosure and AI-generated content marking, remain on the August 2026 schedule regardless of the Omnibus. Any enterprise deploying general-purpose AI tools — including employee-facing chatbots, AI writing assistants, and LLM-powered workflows — faces those obligations in 74 days.
And the Commission is asking for enterprise input on the high-risk classification draft before it's final. The consultation window closes June 23, 2026 — a short window for enterprise legal and compliance teams to review and respond.
The Governance Gap That Classification Doesn't Solve
Here is the part the draft guidelines don't address: even if you correctly classify your AI systems as lower-risk, you still have a real-time enforcement problem.
The EU AI Act's compliance regime assumes you know what your employees are doing with AI tools. But in most enterprises, that visibility doesn't exist. Finance teams are using Claude to draft memos. HR teams are running candidate summaries through ChatGPT. Developers are prompting Copilot with code that contains customer data.
Classification tells you which box your AI deployments fall into. It does not tell you whether your employees are using AI in ways that would move you across the high-risk threshold — or create liability under the transparency rules that take effect in August.
That's the gap that real-time policy enforcement closes. Knowing your classification is step one. Enforcing that classification at the point of use — in the browser, at the proxy layer, before sensitive data leaves — is step two.
What Enterprise Teams Should Do Before June 23
- Pull the draft guidelines from the AI Act Single Information Platform and map your AI systems against the practical examples
- Identify your deployer obligations — not just provider obligations. If you're running an AI system built on a third-party model (GPT-4, Claude, Gemini), you may have deployer-side high-risk obligations even if you didn't build the underlying model
- Submit feedback by June 23 if any of the draft classification criteria affect your industry. The Commission is explicitly inviting input from providers, deployers, businesses, and public authorities
- Audit your shadow AI exposure before August. The transparency rules don't have a carve-out for tools employees are using without IT approval
The Commission gave enterprises the classification framework. Now the harder work — knowing what's actually running in your environment, and enforcing your policy against it — is yours to complete before August 2.