Why the New EU AI Act High-Risk Guidelines Matter for Companies
New draft guidelines from the European Commission could significantly expand high-risk AI obligations
Many companies currently assume that high-risk AI only applies to highly specialized systems. Applicant scoring, credit decisions, or biometric surveillance — sure. But chatbots, copilots, or general AI assistants? Probably not.
The European Commission’s new draft guidelines on high-risk AI classification could fundamentally change that assumption.
The 167-page document provides the first detailed interpretation of when AI systems fall under the strictest requirements of the EU AI Act. And the impact could be far broader than many organizations currently expect.
Most importantly: the classification no longer depends only on the technology itself, but increasingly on the actual use case, documentation, and interaction with other systems.
Key takeaway:
Even general-purpose AI systems may now fall into the high-risk category if their documentation, marketing, or intended use does not clearly exclude high-risk applications.
What exactly was published?
The European Commission released draft guidelines explaining how high-risk AI systems should be interpreted under the EU AI Act.
The guidelines are currently part of a public consultation process. Companies and stakeholders can still submit feedback until June 2026.
The publication has been highly anticipated — not only because of its regulatory importance, but also because companies have been waiting for practical guidance on how high-risk obligations will actually be applied.
Most importantly, the guidelines affect far more organizations than previous discussions around prohibited AI practices or foundation models alone.
Why these new guidelines are so important
Many companies currently classify their AI systems as “limited risk” or “minimal risk.” That assessment may become significantly harder in the future.
The Commission makes one thing very clear: the risk category is not determined solely by the AI technology itself, but by the actual purpose and operational context of the system.
General-purpose AI under scrutiny
General-purpose AI systems such as chatbots, copilots, or AI agents may now fall under high-risk obligations if their documentation does not clearly exclude high-risk use cases.
Documentation becomes critical
Marketing language, technical documentation, and public product descriptions may now directly influence whether an AI system is classified as high-risk.
Why chatbots and copilots could suddenly become compliance-relevant
Many organizations currently deploy general-purpose AI systems without conducting any formal risk classification. That could become a serious problem.
The new guidelines clearly show that the actual deployment context matters more than the AI model itself.
A general AI assistant may suddenly fall into the high-risk category if it is used to:
- evaluate employees
- pre-screen job applicants
- support credit decisions
- generate recommendations about individuals
- analyze productivity data
- evaluate behavioral patterns
This potentially affects standard enterprise software such as copilots, internal AI assistants, and AI-powered SaaS features.
Many companies currently underestimate how quickly general AI systems can evolve into high-risk operational environments.
Human oversight alone may not be enough
Another important point in the guidelines: human oversight does not automatically prevent a system from being classified as high-risk.
Many companies currently argue:
“A human still makes the final decision.”
The Commission appears to interpret this much more narrowly. The intended purpose of the AI system remains the decisive factor.
If an AI system evaluates applicants, prepares credit recommendations, or monitors employees, it may still qualify as high-risk — even if humans remain involved in the final decision-making process.
This means that human oversight alone will likely no longer be sufficient as a general compliance argument.
Which systems could now become particularly critical
The draft guidelines contain numerous practical examples. Three areas are especially important.
Recruiting and HR systems
AI systems used for applicant evaluation, automated pre-selection, or employee assessments remain one of the core high-risk categories. The Commission also clarifies that this may apply to freelancer platforms and gig-economy environments.
Especially relevant: ranking systems, applicant filters, productivity scoring, or algorithmic workforce planning.
Emotion recognition and biometrics
The guidelines devote significant attention to emotion recognition technologies. Systems designed to detect emotions, moods, or behavioral states are now under increased scrutiny.
Potentially affected: call center analytics, smart devices, event security systems, or AI-based behavioral analysis tools.
Creditworthiness and scoring systems
Credit scoring remains clearly within the high-risk category. Importantly, the Commission clarifies that a “score” does not necessarily need to be numerical — rankings or labels may also qualify.
Important: Combined systems involving risk assessment and pricing calculations may also be assessed together.
The real problem: many companies do not fully know their AI landscape
The new guidelines amplify an issue many organizations already face today: shadow AI.
Employees frequently use AI systems without central approval — including ChatGPT, copilot plugins, browser extensions, or AI features embedded within SaaS platforms.
This becomes especially problematic when:
- personal data is processed
- AI systems support decisions about individuals
- no documentation exists
- departments independently introduce AI tools
Many companies currently underestimate how many AI systems are already in production use inside their organization.
Why manual AI inventories quickly become unmanageable
The new guidelines significantly increase documentation requirements.
Companies will need to document not only which AI systems exist, but also:
- which use cases were excluded
- why a classification decision was made
- which changes were introduced over time
- how systems interact with one another
- which assessments were performed
Many organizations still try to manage this using spreadsheets, Word documents, and isolated reviews. Once multiple departments are involved, this quickly becomes difficult to maintain.
What companies may need to prove during audits
The draft guidelines strongly suggest that organizations will need to justify their classifications in a structured and traceable way.
One of the most critical future questions may become:
“Why was this AI system not classified as high-risk?”
Organizations should therefore already begin documenting:
- which AI systems are deployed
- which risk category was assigned
- which criteria were evaluated
- which exemptions were applied
- who performed the assessment
- which changes were introduced over time
What many companies still misunderstand
Common assumptions:
- “We only use standard AI.”
- “A human reviews the result.”
- “Our tool does not make decisions.”
- “This only affects large enterprises.”
The guidelines now suggest:
- The deployment context is decisive.
- General-purpose AI can become high-risk.
- Documentation and purpose descriptions matter.
- Mid-sized companies and SaaS providers are also affected.
What companies should do now
Immediate actions for companies
☐ Review documentation for all AI systems
☐ Review product descriptions and marketing language
☐ Identify potential high-risk use cases
☐ Reassess recruiting and HR systems
☐ Assess interconnected AI systems together
☐ Document exemptions and classification decisions
☐ Define AI governance responsibilities
☐ Make shadow AI visible across departments
Conclusion
The European Commission’s draft guidelines could significantly expand the practical scope of high-risk AI obligations under the EU AI Act.
Organizations using general-purpose AI systems in production environments should critically reassess their current classifications. In the future, the decisive factor may no longer be the AI technology itself, but its operational purpose, documentation, and interaction with other systems.
Many companies still underestimate how quickly their AI systems could fall into the high-risk category.
The real challenge will therefore not only be regulatory interpretation, but operational governance: Which systems exist? Who evaluates them? Which risks emerge? And how is everything documented in a traceable, audit-ready way?
This article is intended for general informational purposes only and does not constitute legal advice. The draft guidelines are still under consultation and may change before final publication.
About SimpleAct: SimpleAct helps organizations document AI systems, assess risk classifications, and implement EU AI Act requirements in an audit-ready way.
Kamill Jarzebowski | SimpleAct
Author · SimpleAct Team
