Guozhen AI: Global AI field notes and model intelligence

AI compliance

EU AI Act compliance checklist: classify AI systems before rollout

A practical EU AI Act checklist for product teams: risk categories, high-risk classification, transparency duties, GPAI exposure, documentation, human oversight, and monitoring.

Updated 2026-06-11 | 10 min read | Intermediate

Best for

  • Product teams preparing AI systems for EU users or customers
  • Founders selling AI products to European enterprises
  • Security, legal, and compliance teams building AI review gates
  • Developers who need to understand product evidence before launch

Not for

  • Jurisdiction-specific legal advice
  • A substitute for counsel on high-risk or regulated use cases
  • Assuming every chatbot has the same obligations

Comparison

Choose by workflow, not brand

| Option | Best for | Strengths | Tradeoffs | Use when |
| --- | --- | --- | --- | --- |
| Minimal or low-risk AI | Internal productivity, low-impact assistance, and systems with limited user or rights impact | Usually lighter governance and documentation burden. | Still needs security, privacy, and transparency review where relevant. | The AI does not materially affect rights, safety, access, employment, health, credit, or critical services. |
| Limited-risk AI | Chatbots, generated content, deepfakes, and systems requiring transparency to users | Obligations focus more on disclosure and user awareness. | Labeling, interface copy, and content provenance need product implementation. | Users must know they are interacting with AI or seeing AI-generated content. |
| High-risk AI | Use cases affecting health, safety, fundamental rights, employment, education, law enforcement, migration, or critical access | Clearer obligation set around risk management, data quality, logging, documentation, human oversight, robustness, and accuracy. | Requires formal legal review, system documentation, monitoring, and post-market processes. | The system falls into high-risk product or use-case categories. |

Classify before building the control plan

The same technical stack can create different obligations depending on use case, user group, market role, and impact. Classification should happen before procurement, launch, or customer rollout.

  • Identify whether you are provider, deployer, importer, distributor, or another role.
  • List the AI system purpose, users, affected people, data, and decisions influenced.
  • Escalate employment, education, healthcare, credit, law enforcement, migration, or safety workflows.

Turn obligations into product tickets

Compliance work becomes real when obligations become implementation tasks: user disclosure, logs, documentation, data quality checks, human oversight, incident workflow, and monitoring.

  • Create product requirements for transparency and disclosure.
  • Create engineering requirements for logs, auditability, robustness, and monitoring.
  • Create governance requirements for human review, incident reporting, and lifecycle updates.

Watch GPAI and generated-content duties

General-purpose AI and AI-generated content obligations may apply even when the product is not a classic high-risk decision system. Keep an eye on model-provider duties, deployer duties, labeling, and generated-content transparency.

  • Track which foundation models and providers power the product.
  • Label AI-generated content when transparency duties apply.
  • Review official timelines and guidance because implementation details continue to evolve.

Decision Rules

A practical checklist

01. Start every EU AI Act review with role and risk classification.

02. Escalate high-impact domains to legal, security, and product leadership.

03. Translate transparency obligations into visible product behavior.

04. Keep evidence for data, logging, human oversight, robustness, and monitoring where required.

FAQ

Common questions

What is the first step for EU AI Act compliance?

Classify the AI system by role, use case, and risk category. The obligations depend on whether the system is prohibited, high-risk, limited-risk, GPAI-related, or minimal-risk.

Are all AI chatbots high-risk under the EU AI Act?

No. Many chatbots are more likely to involve transparency duties, but use case and impact matter. High-risk classification depends on specific categories and effects.

Can engineers handle EU AI Act compliance alone?

No. Engineers can build evidence, logs, controls, and product behavior, but classification and obligations require legal and governance review.

Build your own evaluation note

The strongest decision is always local to your workflow. Save the vendor links, define a representative task, record the exact prompt or command, and compare the final evidence instead of the marketing claim.
