As the European Union’s AI Act moves toward full implementation, one of the most consequential questions for businesses is whether their AI systems will be classified as “high-risk” – triggering significant compliance obligations.
On May 19, 2026, the European Commission released draft guidelines on the classification of high-risk AI systems under Article 6 of the EU AI Act, with consultation open through June 23, 2026. The guidance arrives after delays and at a moment when businesses are still trying to understand how the AI Act’s high-risk framework will apply in practice.
The publication matters for a practical reason: before an organization can determine what high-risk AI obligations apply, it must first determine whether the system is high-risk at all.
The draft guidelines do not answer every implementation question but they do provide a more useful vocabulary for the classification exercise — particularly around the following: intended purpose, safety components, Annex III use cases, human involvement, complex systems, and the line between workflow support and decision influence.
First, What is an “AI System”?
The AI Act defines an AI system as, “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”
The draft guidance emphasizes that not every software application or automated decision-making system qualifies as an AI system. The system must meet the AI Act definition before high-risk classification is even considered.
That threshold matters. The high-risk analysis is not triggered simply because a tool is automated, sophisticated, or marketed as AI. The first question is whether the system falls within the Act’s definition. Only then does the classification analysis begin.
How the High-Risk Framework is Structured
The draft guidelines focus on Article 6, the AI Act’s central classification provision for high-risk AI systems. At a high level, Article 6 creates two pathways into high-risk classification.
First, product safety systems. An AI system may be high-risk if the system itself is a regulated product, or is used as a safety component of a regulated product, covered by the EU product-safety laws listed in Annex I, and the product is subject to a third-party conformity assessment.
The draft guidance clarifies that “safety component” is assessed under the AI Act’s own definition. A system may qualify where it is intended to prevent or mitigate safety risks, or where its failure or malfunction could endanger health, safety, or property. Efficiency, performance optimization, comfort, or convenience functions serve a different purpose. Those functions do not become safety functions simply because they are beneficial. But a system marketed as an efficiency tool may still be safety-relevant if its failure could create a health or safety hazard.
Second, listed high-risk use cases. An AI system may also be high-risk if it falls within one of the use cases listed in Annex III. Annex III covers sensitive areas where AI may affect health, safety, fundamental rights, or access to important opportunities. Those areas include biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice and democratic processes.
The practical takeaway is: high-risk classification is not driven by whether a tool feels advanced or novel. It turns on the system’s role, purpose, context, and impact. For businesses, the harder work is not only making that assessment, but documenting it clearly and maintaining evidence that the system is actually designed, marketed, deployed, and used in a manner consistent with the classification.
Intended Purpose Matters
The draft guidelines place significant weight on intended purpose of the AI system. Under the AI Act, intended purpose refers to the use intended by the provider, including the specific context and conditions of use, as reflected in instructions for use, promotional or sales materials, statements, and technical documentation. This means classification is shaped by product, commercial, and documentation decisions made well before deployment.
A provider that describes a system broadly across many contexts may have a harder time later arguing that high-risk uses are outside the intended purpose. The draft guidance states that a provider cannot simply disclaim high-risk uses if its marketing materials, product examples, or overall positioning suggest or encourage those uses in practice. Any limitations should be clearly, concretely, and coherently described across materials.
For businesses, actual use should align with product documentation, sales materials, contractual restrictions, and technical limitations. A disclaimer stating that high-risk uses are not intended will carry little weight if the system’s design or marketing suggests otherwise.
Workflow Support is Different from Decision Influence
One of the most useful parts of the draft guidance is its treatment of systems that may fall within an Annex III area but do not materially influence a decision.
The AI Act includes a “filter” mechanism for certain Annex III systems. A system may avoid high-risk classification where it performs only a narrow procedural task, improves a previously completed human activity, detects decision-making patterns without replacing or influencing human assessment without proper review, or performs a preparatory task.
The draft guidance reads those exceptions narrowly. Systems that sort documents, convert unstructured data into structured data, detect duplicates, or organize information may be procedural or preparatory. Systems that score, rank, label information as useful or less useful, suggest next steps, evaluate credibility, or produce specific recommendations are more likely to influence the substance of the decision and, thus, fall into a high-risk calssification.
The operational question is whether the system is organizing the record, or shaping the judgment.
That distinction is especially important in employment, education, essential services, and other Annex III contexts where AI-enabled systems are often described as “support” tools, even when their outputs meaningfully impact the decision.
Human Involvement Does Not Prevent High-Risk Classification
The draft guidance also makes clear that human involvement does not, by itself, prevent high-risk classification. Human oversight may be required for compliance, and the type and degree of human involvement may matter in limited cases under the Article 6(3) filter when determining whether a system qualifies for one of the exceptions. But the guidance states that human involvement does not change the system’s intended purpose or the area in which it is used.
For businesses, adding a human reviewer does not necessarily move a system out of high-risk territory. The more important question is whether the system’s role remains procedural or preparatory, or whether its output materially influences the substance of the decision.
Complex Systems Should be Assessed as Workflows
The guidance also addresses complex systems. Where several AI systems form part of a larger configuration and their combined intended purpose or joint outputs materially influence an individual decision, the combined configuration may be treated as a single AI system for purposes of high-risk classification.
That matters because businesses often deploy workflows, not isolated tools: intake systems, scoring engines, recommendation layers, dashboards, review queues, and escalation mechanisms.
For organizations using modular or agentic AI architectures, the analysis should not stop at the component level. If the components work together to support a high-risk purpose, the workflow may need to be assessed as a whole.
What the Guidance Does Not Do
The draft guidelines are helpful, but they are not a complete answer. They are draft and non-binding, and authoritative interpretation ultimately belongs to the Court of Justice of the European Union.
They also do not fully address how providers and deployers should satisfy the Act’s substantive high-risk obligations once classification is resolved. The Commission describes the guidelines as limited to whether an AI system is high-risk, with separate guidance expected on compliance with high-risk requirements and obligations.
Most importantly, they do not eliminate judgment. Businesses still need to understand the system’s intended purpose, architecture, documentation, deployment context, affected individuals, data inputs, outputs, human review process, and operational role.
Why This Matters Beyond the EU
The EU AI Act is relevant to U.S.-based organizations that develop, market, deploy, or rely on AI systems connected to the EU market or individuals in the EU. That includes not only companies building AI-enabled products, but also businesses using vendor tools in sensitive operational areas such as employment, education, financial services, healthcare, biometrics, critical infrastructure, or other consequential workflows.
Conclusion
The Commission’s draft high-risk AI guidelines provide useful clarity. Importantly, they do not make AI Act implementation automatic – the first step is classification.
Businesses need to understand whether a system qualifies as an AI system, what its intended purpose is, whether it falls within a regulated product or listed high-risk use case, and whether the organization’s role is that of a provider, deployer, importer, distributor, or other participant in the AI value chain.
The real value of the AI guidelines is that they give businesses a more structured way to ask the threshold question: what role does this system play, and does that role place it in high-risk territory? That question should be answered before the system is marketed broadly, deployed deeply, or embedded into consequential workflows. Once an AI system is already operating inside a business process, classification becomes harder to unwind. The draft guidance is a timely reminder that AI governance is not only about building policies. It is about making clear, documented decisions while the system’s purpose, use, and risk profile are still capable of being shaped.
Thompson Coburn attorneys can assist organizations in evaluating AI use cases, vendor relationships, product documentation, deployment workflows, and governance structures to assess potential EU AI Act obligations and develop practical, risk-based compliance strategies.
