EU AI Act high-risk classification: does your AI startup qualify and what does it mean?


Joanna Larson
7 min read
18 June 2026

The single most important question under the EU AI Act is not what the law says in general. It is whether your specific product is classed as high risk, because that one classification determines whether you face a handful of light obligations or a substantial compliance programme. Most guides explain the categories in the abstract. This one is built around the question you actually have, "does my product qualify?", and answers it using the kinds of products founders genuinely build.

We will explain how high risk classification works, then walk through the real cases (lead scoring, HR and recruitment tools, credit decisions, content moderation and more) so you can place your own product with some confidence.

How high risk classification actually works

The first thing to understand is the principle that trips most founders up. High risk classification is based on what your AI is used for, not how clever it is. A powerful large language model used to summarise internal documents is not high risk. A much simpler model used to score job applicants can be. The capability does not determine the tier; the intended purpose does.

The Act contains a specific list, known as Annex III, of use cases that are considered high risk. If your system's intended purpose falls into one of those categories and it materially influences a consequential decision about a person, you are likely high risk. If it does not fall into any of them, you are generally not high risk, even if your product is sophisticated or sensitive in other ways. The one other route into high risk is Annex I: AI that is a safety component of a product already covered by EU product safety legislation, such as a medical device or machinery. Most SaaS startups can rule that out quickly.

There is also an important profiling rule. Where a system in a listed category profiles individuals, meaning it automatically processes personal data to assess things like their work performance, economic situation, behaviour, or interests, it is always treated as high risk, and the exemptions discussed later in this guide do not apply to it. That catches a lot of products that score or rank people.

The categories that matter for startups

Annex III covers eight areas, but several are about law enforcement, migration, justice, and critical infrastructure that most startups will never touch. The categories founders actually build into are a smaller set, and these are the ones to focus on.

  • Employment and worker management. This is the broadest and most relevant category for startups. It covers AI used to recruit or select people, to filter or rank job applications, to evaluate candidates, and to make or support decisions about promotion, termination, task allocation, or performance monitoring.
  • Access to essential services. This covers AI used to assess creditworthiness or set credit scores, to price life and health insurance, and to evaluate eligibility for essential public benefits and services.
  • Biometrics. Remote biometric identification, biometric categorisation by sensitive attributes, and emotion recognition. Note that simple identity verification, confirming someone is who they claim to be, is treated differently from identifying people in a wider population. Be aware too that some biometric uses are not merely high risk but prohibited outright under Article 5, for example emotion recognition in the workplace or in education and biometric categorisation that infers race, political opinion, or sexual orientation, so check the prohibitions before you check the high risk list.
  • Education. AI used to decide admission to education, to evaluate learning outcomes, or to assess the level of education someone should receive.

If your product does not touch any of these, and is not a safety component of a regulated product, it is very likely not high risk. Most ordinary AI SaaS sits outside these categories.

The real cases founders build

Now the practical part, the actual products founders ask about, and where they tend to land.

  • Lead scoring and sales AI. Scoring or ranking business leads is generally not high risk, because it is about prospects and commercial likelihood rather than a consequential decision about a person's access to employment, credit, or services. However, be careful if your scoring shades into assessing individual people in ways that affect their access to something significant, for example if a lead score starts to gate whether a consumer is offered credit or insurance, because that changes the picture.
  • HR and recruitment tools. This is the clearest high risk case for startups. If your AI screens, ranks, filters, or scores job candidates, or supports hiring, promotion, or firing decisions, it falls squarely into the employment category and is very likely high risk. This is the single most common way a startup ends up high risk without expecting to.
  • CV summarisation, the grey zone. A tool that simply summarises a CV for a human recruiter, without ranking or scoring, sits in a more defensible position. But if that summary systematically steers selection by emphasising some candidates over others, the argument that it is not influencing a consequential decision weakens. When in doubt here, treat it as high risk and document your reasoning.
  • Credit and lending decisions. AI that evaluates creditworthiness or sets a credit score is high risk. There is a specific carve out for AI used purely to detect financial fraud, which is not treated the same way, but genuine credit assessment about individuals is in scope.
  • Insurance pricing. AI used for risk assessment and pricing in life and health insurance for individuals is high risk.
  • Content moderation. General content moderation is not itself an Annex III category, so a content moderation tool is often not high risk on that basis alone. But be cautious, because if your system performs emotion recognition, biometric categorisation, or profiles individuals in ways that touch the listed categories, those elements can pull parts of it into scope. The classification follows the specific function, not the broad label.

The pattern across all of these is consistent. Anything that makes or materially supports a decision about a person's job, money, education, or essential services is the danger zone. Anything that assists, summarises, or operates on commercial rather than personal stakes is usually safer, but the details matter.

The exemptions worth knowing

Even if your product falls within a listed category, there are narrow exemptions that can take it out of high risk, and they are worth understanding rather than assuming the worst.

A system in a listed category may avoid high risk classification if it does one of four narrow things: it performs only a narrow procedural task, it improves the result of a previously completed human activity, it detects decision-making patterns or deviations from them without being meant to replace or influence a human assessment that has already been made and properly reviewed, or it performs a preparatory task for an assessment that a human then carries out. The key thread is genuine, meaningful human decision making that your AI supports rather than supplants. If a human is genuinely making the decision and your AI is a minor input, you have a stronger case. If your AI is effectively making the call, you do not. And, as noted above, none of these exemptions apply if the system profiles individuals.

Crucially, if you believe your system falls within a category but is not actually high risk, the Act expects you to document that assessment before you put the product on the market, to provide it to the national competent authority on request, and to register the system in the EU database as one you have assessed as not high risk. The exemption is not automatic. You have to reason it through, write it down, and be prepared to defend it.

What it means if you do qualify

If your product is high risk, the obligations are real but manageable, and most are things you build in rather than paperwork you bolt on. They include a risk management process that runs for the life of the system, data governance over training, validation and test data, technical documentation, automatic logging of events so that decisions can be traced afterwards, transparency and instructions for use to the organisations deploying the system, human oversight measures, an appropriate level of accuracy, robustness and cybersecurity (including resilience against attempts to manipulate the model or its inputs), a quality management system, and for providers a conformity assessment and registration in the EU database. For most Annex III systems that are not tied to other regulated products, the conformity assessment can be a self assessment against the requirements, which is more achievable for a startup than it first sounds.

The deadline that matters is 2 August 2026 for high risk obligations, though a proposed package of amendments may move some of this later. Plan for the 2026 date rather than betting on a delay.

The honest takeaway

For most AI startups, the honest answer is that you are probably not high risk, because most products do not make consequential decisions about people's jobs, money, education, or essential services. The startups that are high risk usually know which category they are in once it is explained, because they are building recruitment tools, credit assessment, or similar.

The real mistake is not being high risk. It is failing to check, assuming you are minimal risk when your product actually scores or decides about people, and getting caught out by a buyer or regulator later. Work out your classification honestly, document the reasoning, and if you are in the grey zone, treat it as high risk until you can show otherwise. That clarity is itself something enterprise buyers increasingly want to see.


Tags
#Compliance
#Cybersecurity
#DPA
#Founder
#GDPR
#ISO 27001
#ISO 42001
#Procurement
#SOC
#SOC2
#United Kingdom
Joanna Larson

Cyber Analyst

Threat intelligence specialist with frontline experience in incident response and nation-state actor tracking.
