May 23, 2026

The EU Just Published the Rules for Classifying Your AI as High-Risk. Here's What Enterprise Teams Need to Read Now.

The EU AI Act doesn't ask whether you think your AI is risky. It tells you exactly which use cases and product types are high-risk — and then requires you to prove you've classified correctly. The Commission published the classification rulebook four days ago. Most enterprise teams haven't read it yet.

The Classification Question Is Now a Legal Question

On May 19, 2026, the European Commission published draft guidelines on the classification of high-risk AI systems — the official document that answers the question every enterprise AI team has been asking: does my system qualify as high-risk under the EU AI Act, and if so, what exactly do I have to do?

This is not another explainer on the Act's general structure. These guidelines are the Commission's authoritative interpretation of Article 6, the provision that sorts AI systems into "high-risk" and "everything else." The guidelines aim to support providers and deployers of AI systems, as well as competent market surveillance authorities, in assessing whether an AI system should be classified as high-risk, thereby facilitating the uniform application and effective enforcement of Article 6 AI Act.

If you deploy AI in financial services, healthcare, education, critical infrastructure, or use AI for employment decisions, someone at your organization needs to have read this document before the next procurement conversation.

Two Tests, Not One

The guidelines follow the structure of Article 6, which establishes two independent paths to high-risk classification.

Path 1 — Safety-component classification (Article 6(1)): An AI system is high-risk if it is a safety component of a product covered by EU harmonisation legislation listed in Annex I — medical devices, machinery, vehicles, aviation systems — and if that product requires a third-party conformity assessment. This path catches AI embedded into physical products in regulated sectors. Healthcare vendors deploying AI diagnostics, industrial automation vendors, and automotive AI land here.

Path 2 — Use-case classification (Article 6(2)): An AI system is high-risk if it falls into one of the specific use cases listed in Annex III of the Act. The Commission's guidance covers which use cases are in scope:

The guidelines contain practical examples of systems that should and should not be classified as high-risk under each category — the Commission's attempt to give enterprises something more actionable than the statutory text alone.

What High-Risk Classification Actually Requires

Classifying as high-risk isn't a paperwork exercise. Under the AI Act, high-risk systems are subject to strict obligations before they can be put on the market:

The logging and human oversight requirements are where most enterprises are not operationally ready. Deploying a credit scoring model is straightforward. Demonstrating to a regulator that every decision was logged, reviewable, and subject to documented human oversight is a different operational capability.

The Timeline Is More Complicated Than It Looks

The EU AI Act's enforcement timeline shifted with the "AI omnibus" deal reached on May 7, 2026. The short version:

Enterprise legal and compliance teams sometimes read these extensions as permission to wait. That's a misread of the practical situation for two reasons.

First, you can only know which timeline applies to you after completing the classification analysis. The classification process itself is not deferred — it's the prerequisite for knowing your deadline.

Second, enterprise procurement is already happening on AI Act timelines. Banks evaluating HR software vendors are asking for AI Act compliance documentation today, not in December 2027. A utility procuring grid management AI is asking "are you compliant?" now. Answering that question requires the classification work to be done.

The Window for Feedback Is Now

The Commission published these guidelines in draft form to collect stakeholder feedback before finalization. Organizations that believe a system should or shouldn't be classified as high-risk have an opportunity to shape how the final guidance reads.

For enterprises operating at scale in any of the Annex III use-case areas, submitting feedback is practical compliance work — the guidance you help write is the guidance you'll be assessed against.

What This Means for AI Governance Programs

The classification guidelines change one practical thing for enterprise governance programs: the question is no longer "should we have an AI policy?" It's "for which of our systems does the policy need to include the specific controls the Act requires — risk assessment documentation, activity logging, human oversight records?"

That's a tractable question. It starts with inventory — knowing what AI systems you're running and in which use cases. It continues with classification — applying the Article 6 two-test framework to each system. It ends with implementation — building the audit trail and oversight workflows the high-risk obligations require.

The organizations that complete this analysis now, rather than in Q3 2027, are the ones whose compliance programs won't be in reactive mode when regulators or enterprise customers start asking for documentation.


Containment.AI enforces AI usage policies in real time at the browser and proxy layer — logging every employee interaction with external AI tools with a tamper-evident audit trail. For enterprises managing EU AI Act compliance, that logging is the operational foundation of the activity-traceability requirement Article 9 demands.
