← All insights
ComplianceJune 6, 20264 min read

EU AI Act Annex III: Classifying High-Risk AI

By · AI agents for European teams

The team behind AgentWorks — building EU-compliant AI agents and multi-LLM workflows for European teams.

Reviewed June 6, 2026

Share

TL;DR

This article walks through the eight EU AI Act Annex III categories that trigger high-risk classification, with particular focus on employment and essential-services use cases that business AI teams often underestimate. It includes the Article 6(3) exception and a practical checklist for classifying AI agents before deployment.

EU AI Act Annex III: Classifying High-Risk AI Systems

Most teams building AI agents assume the EU AI Act's toughest rules apply to someone else, usually a defense contractor or a biometric surveillance vendor. Then they look closely at Annex III and find their HR screening bot or credit-scoring assistant sitting squarely inside a high-risk category they had not considered.

Annex III is the list that decides which AI systems trigger the AI Act's heaviest obligations: conformity assessments, mandatory logging, human oversight design, and registration in an EU database, among others. Getting the classification right at the design stage is far cheaper than retrofitting compliance onto a system already in production.

The eight Annex III categories

Under Article 6(2), an AI system intended for one of these purposes is classified as high-risk, unless a narrow exception applies:

  1. Biometrics — remote biometric identification, biometric categorization based on sensitive attributes, and emotion recognition systems
  2. Critical infrastructure — safety components in the management of critical digital infrastructure, road traffic, or water, gas, heating, and electricity supply
  3. Education and vocational training — systems that determine access to institutions, or assess and evaluate students
  4. Employment and worker management — recruitment, hiring, promotion, termination, task allocation, or performance monitoring
  5. Essential private and public services — creditworthiness evaluation, insurance risk assessment and pricing for life and health insurance, and eligibility for public assistance benefits
  6. Law enforcement — risk assessment, evidence evaluation, and profiling in criminal contexts
  7. Migration, asylum, and border control — risk assessment, examination of applications, and detection of specific individuals
  8. Administration of justice and democratic processes — systems assisting judicial authorities in researching or interpreting facts and law

The category that catches most business software builders off guard

Employment and worker management is the one companies underestimate most often, because it does not sound like the dramatic "high-risk AI" the headlines describe. But an agent that screens résumés, ranks candidates, drafts performance review language, or flags employees for termination review falls inside this category almost by definition, regardless of how conversational or "assistive" the tool feels to the person using it.

The same applies to essential services. A support agent that only answers billing questions is low risk. The moment that same agent's output feeds into a decision about credit terms, insurance pricing, or loan eligibility, even as one input among several, the system it's embedded in likely needs high-risk classification. The trigger is the purpose the output serves, not how autonomous the AI feels.

The exception clause most guidance skips

Article 6(3) carves out a narrow exception: a system in an Annex III category is not high-risk if it does not materially influence the outcome of the decision, performs a narrow procedural task, improves the result of a previously completed human activity, or detects patterns without replacing human assessment. This exception does not apply, however, if the system profiles natural persons — profiling automatically pulls the system back into high-risk status regardless of how narrow its stated task is.

This exception matters because it means not every AI touching an Annex III domain is automatically high-risk. A tool that pre-sorts résumés by keyword match for a human recruiter to review, without scoring or ranking candidates, may fall under this carve-out. A tool that assigns each candidate a fit score does not, because scoring is squarely the kind of evaluative output the exception excludes. The line is thin enough that most legal teams treat borderline cases as high-risk by default rather than betting on the exception holding up under review.

What high-risk classification actually requires

Once a system is classified as high-risk, the obligations are substantial, not just paperwork:

  • A risk management system covering the full lifecycle
  • Data governance ensuring training, validation, and testing data meets quality criteria
  • Technical documentation demonstrating compliance before market placement
  • Automatic logging throughout operation (Article 12)
  • Transparency and instructions for use enabling deployers to operate the system correctly
  • Human oversight measures built into the system design, not bolted on afterward
  • Accuracy, robustness, and cybersecurity requirements appropriate to the system's purpose

Providers bear most of this burden, but deployers (the companies actually running the system) inherit real obligations too, including ensuring human oversight is exercised in practice and monitoring the system's operation.

A practical classification checklist

Before building or buying an AI agent for any employment, credit, insurance, education, or public-service use case:

  1. Identify what decision or output the AI feeds into, not just what task it performs
  2. Check whether that decision area appears in the eight Annex III categories
  3. If it does, test the Article 6(3) exception carefully: does the system score, rank, or profile individuals, or does it only assist a human who retains full judgment
  4. If borderline, document the reasoning either way, because the classification decision itself needs to be defensible
  5. If high-risk, build logging, human oversight, and documentation into the system from day one rather than retrofitting them before a deadline

Building on infrastructure that assumes this from the start

Retrofitting Article 12 logging, human oversight gates, and documentation onto a system already in production is a multi-month project most teams underestimate. Choosing a platform where audit trails, approval gates, and role-based access are default behavior rather than features you bolt on later removes that risk before it exists. See how AgentWorks approaches AI Act readiness for agents touching employment, credit, and other Annex III domains.

Classification is not a one-time exercise either. Adding a new capability to an existing agent, such as letting an HR assistant also rank candidates instead of just summarizing applications, can move a system from low-risk to high-risk overnight. Re-check the classification every time the agent's scope changes, not just when it launches.

About the author

· AI agents for European teams

AgentWorks is an AI agent platform purpose-built for European teams that need EU AI Act-ready governance, multi-LLM choice across OpenAI, Anthropic, Google and Mistral, and transparent per-token € pricing.

Read more about AgentWorks