Everyone is talking about AI compliance. Checklists, controls, risk management frameworks, readiness assessments. That’s understandable. Most obligations under the EU AI Act only apply after an AI system is classified as high-risk. But that framing misses the most consequential moment in the entire regime. The EU AI Act’s first real decision happens before compliance begins: the decision about whether a system is high-risk in the first place. That decision is not mechanical, and it is not neutral.

Articles 6 and 11 of the EU AI Act are often treated as definitional or procedural provisions. In practice, they do something far more important: they force organizations to exercise judgment and to own the consequences of that judgment. Whether an AI system is considered high-risk depends on its intended purpose, its reasonably foreseeable use, the context in which it is deployed, and the role it plays in decision-making that may affect fundamental rights. None of these are purely technical determinations. They are organizational ones. Once a classification decision is made, a very different regulatory universe attaches or doesn’t.

The challenge most organizations will face is not identifying obviously high-risk systems. Those tend to be visible, escalated, and debated. The harder problem is documenting why a system is not high-risk. That determination often happens early in development, with incomplete information, under time pressure, and across fragmented teams. Yet Article 11 requires that classification decisions be justified and documented in a way that can withstand scrutiny later — potentially years later — when the context of deployment, use, or harm looks very different. Documentation is therefore not about record-keeping. It is about creating an institutional narrative that can survive enforcement, audit, or litigation.

One of the quiet design choices of the EU AI Act is that regulators do not centrally classify systems. That responsibility is deliberately pushed inward, onto providers and deployers. Discretion does not disappear under the Act. It moves. The real question becomes who inside the enterprise decides. Legal, product, compliance, risk, a committee, or no one explicitly. These governance questions are not downstream implementation details. They are the core risk of the regime.

The AI Act’s obligations largely apply starting in 2026, but classification decisions are already being made today — implicitly, informally, and often without a clear governance framework. By the time enforcement begins, those early decisions will already be embedded in products, processes, and documentation trails. That is why the first real decision under the EU AI Act is not about controls. It is about who decides, on what basis, and with what accountability, before compliance ever starts.

Reply question (serious answers only): Is AI system classification discussed as a governance issue inside your organization? Reply YES or NO. (Every reply is read.)

Keep Reading