Find where your AI system sits before you build the controls
Every AI governance decision starts with one question: how risky is this system, legally? Get the tier wrong and you either over-engineer controls for a harmless tool or — far worse — ship a high-risk system with none of the mandatory safeguards. This classifier takes a short description of your system’s purpose, output, audience and sector and returns an indicative EU AI Act tier alongside NIST AI RMF risk signals, so you can scope your compliance work from a defensible starting point.
How the classification works
The tool applies a transparent rule set drawn from the law itself:
- Prohibited check first. Certain purposes — social scoring, manipulative behavioural targeting, untargeted face scraping — are banned outright under Article 5 regardless of anything else.
- Sector and purpose drive high-risk. Annex III lists the sensitive domains. A system used for hiring, credit, biometric identification, education grading, essential services or law enforcement is presumptively high-risk.
- Output and autonomy raise the floor. Systems that make or materially inform decisions about people score higher than those that merely generate draft content a human reviews.
- Everything else is limited or minimal. Public-facing generative or conversational systems carry transparency duties (limited); internal, low-stakes tools are minimal.
In parallel, the tool maps your answers to NIST AI RMF signals across the Govern, Map, Measure and Manage functions, flagging where to concentrate testing and oversight effort even where the law is silent.
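As an added illustration of the rule ordering above (example code, not the classifier's own implementation), a Python sketch that applies the four checks in sequence and attaches NIST AI RMF signals to the result. The category labels, the SystemProfile fields and the assumption that a decision-making output lifts the floor from minimal to limited are constructed for this example, not taken from the legal text.

```python
from dataclasses import dataclass

# Constructed lookup sets that mirror the page's rule ordering. The labels are
# illustrative stand-ins for the legal text, not an authoritative mapping.
PROHIBITED_PURPOSES = {"social_scoring", "manipulative_targeting", "untargeted_face_scraping"}
ANNEX_III_DOMAINS = {"hiring", "credit", "biometric_identification", "education_grading",
                     "essential_services", "law_enforcement"}
DECISION_OUTPUTS = {"makes_decision", "informs_decision"}


@dataclass(frozen=True)
class SystemProfile:
    purpose: str                 # what this use case does
    output: str                  # "makes_decision", "informs_decision" or "draft_content"
    audience: str                # "public" or "internal"
    sector: str = "none"         # domain the deployment sits in
    generative: bool = False     # generates content or converses with users


def classify(p: SystemProfile) -> tuple[str, list[str]]:
    """Return (indicative EU AI Act tier, NIST AI RMF signals) for one use case."""
    # 1. Prohibited check first: an Article 5 purpose is banned regardless of anything else.
    if p.purpose in PROHIBITED_PURPOSES:
        return "prohibited", ["Govern: Article 5 purpose; stop, no control set makes this lawful"]
    # 2. Sector and purpose drive high-risk: an Annex III domain is presumptively high-risk.
    if p.purpose in ANNEX_III_DOMAINS or p.sector in ANNEX_III_DOMAINS:
        return "high", [
            "Map: Annex III domain; document intended purpose and affected persons",
            "Measure: test accuracy and bias across affected groups",
            "Manage: human oversight, logging and incident handling are mandatory",
        ]
    signals = []
    tier = "minimal"
    # 3. Output and autonomy raise the floor (assumption of this example: a decision
    #    output lifts the floor to limited and flags the borderline for human judgement).
    if p.output in DECISION_OUTPUTS:
        tier = "limited"
        signals.append("Map: materially informs decisions about people; borderline, needs human review")
        signals.append("Measure: validate decision quality and record human override points")
    # 4. Public-facing generative or conversational systems carry transparency duties.
    if p.audience == "public" and p.generative:
        tier = "limited"
        signals.append("Govern: disclose AI interaction and label generated content")
    if tier == "minimal":
        signals.append("Govern: internal low-stakes tool; keep an inventory entry and a named owner")
    return tier, signals
```

Run it per feature, not per model: the same model behind an internal summariser and a public hiring assistant gets two profiles and two tiers.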
Notes and tips
- Treat the result as a starting hypothesis, not a verdict — borderline cases (especially around “materially informs a decision”) need human judgement.
- The same model often warrants different tiers for different features; classify each use case, not the underlying model.
- Once you have a tier, jump to the EU AI Act Compliance Checklist to turn it into a concrete obligations list, and run a GDPR for AI check if personal data is involved.
- High and limited tiers both have transparency duties; do not skip user disclosure just because you landed below “high”.