EU AI Act Annex III: What the High-Risk Use Case List Actually Covers

Annex III of the EU AI Act enumerates the AI use cases that trigger high-risk classification under Article 6(2). The list runs across eight areas: biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration and border control, and the administration of justice and democratic processes. Any AI system used in one of these areas, with limited exceptions, inherits the full obligation set under Articles 9 through 15 for providers and Article 26 for deployers. The August 2, 2026 deadline for the high-risk obligations applies to the systems covered.
The eight Annex III points are written at the use-case level. The classification turns on what the system does, who it serves, and what decision it informs.
I want to walk through what each Annex III category actually covers, where the most common enterprise deployments fall inside the scope, and how the classification triggers the downstream obligations on logging, monitoring, and disclosure.
The eight Annex III categories
Point 1: Biometrics
The biometrics category covers remote biometric identification systems, biometric categorisation systems that infer sensitive attributes, and emotion recognition systems. The scope is narrower than commonly assumed: not every biometric authentication system is high-risk under Annex III. A login system that compares a face to a stored template for identity verification is not classified as remote biometric identification unless it operates at scale on a population without their direct cooperation. The scope expands when the system infers attributes such as political opinion, sexual orientation, or religion, or when it claims to detect emotion.
Point 2: Critical infrastructure
The critical infrastructure category covers safety components of critical digital infrastructure, road traffic management, and the supply of water, gas, heating, and electricity. The scope is the safety function. An AI system that optimizes scheduling for a power grid is in scope when the system's output affects the safety of the supply, and out of scope when the system runs purely commercial dispatch decisions. The classification follows the safety relevance, not the commercial relevance.
Point 3: Education and vocational training
The education category covers AI systems that determine access to educational and vocational training institutions, evaluate learning outcomes, assess the appropriate level of education a person should receive, and monitor prohibited behavior during tests. Admissions screening systems are in scope. Proctoring systems are in scope. Adaptive learning systems that grade student work for high-stakes decisions are in scope. Tutoring systems that produce non-binding suggestions are at the edge of scope, with the classification depending on whether the output feeds a decision that affects access.
Point 4: Employment, workers management, and access to self-employment
The employment category covers AI systems used to recruit or select candidates, screen applications, evaluate applicants during interviews, make decisions affecting terms of employment, allocate tasks based on personal traits or behaviour, and monitor worker performance and behaviour. The category captures most of the recruitment AI stack from sourcing through performance management. The August 2, 2026 deadline means deployers using AI in HR pipelines face the full Article 12 logging and Article 26 monitoring obligation in less than two months.
Point 5: Access to essential private and public services
Point 5 has four sub-categories with broad enterprise impact. Point 5(a) covers AI used to evaluate eligibility for essential public benefits. Point 5(b) covers AI used to evaluate creditworthiness or establish credit scores, with an explicit exception for AI used to detect financial fraud. Point 5(c) covers AI used for risk assessment and pricing in life and health insurance. Point 5(d) covers AI used to dispatch emergency services and triage patients in emergency healthcare.
Point 5(b) is the one most financial services deployers face directly. The credit-scoring use case has been at the center of supervisory attention since the Act was published, and the August 2, 2026 deadline applies the full high-risk obligation chain to AI systems used for credit underwriting at any scale.
Point 6: Law enforcement
The law enforcement category covers risk assessments for individuals likely to commit a crime, polygraph and similar deception detection, evidence reliability evaluation, profile-based crime prediction, and AI used to assist law enforcement decisions during investigations. The category is narrow in scope but high in regulatory attention. Deployments by private contractors supporting law enforcement agencies inherit the high-risk obligations through the deployer role.
Point 7: Migration, asylum, and border control
The migration category covers AI systems used by competent authorities to assess security risks, examine applications, detect false documents, and inform decisions in migration and asylum proceedings. The category is concentrated in government deployers, with private-sector contractors in the supply chain.
Point 8: Administration of justice and democratic processes
The justice category covers AI systems intended to assist judicial authorities in researching and interpreting facts and the law, and AI systems used to influence the outcome of elections or voters' behaviour. The scope is limited in current commercial deployments, with the most active area being the use of AI in legal research and case preparation for judicial proceedings.
The obligation chain that Annex III classification triggers
Once an AI system is classified as high-risk under Annex III, the provider obligations under Articles 8 through 17 attach to the entity that puts the system on the market. The deployer obligations under Article 26 attach to the entity that uses the system in operation. The chain runs through Article 9 risk management, Article 10 data governance, Article 11 technical documentation, Article 12 record-keeping, Article 13 transparency to deployers, Article 14 human oversight, Article 15 accuracy and security, and the conformity assessment under Article 43.
The deployer obligations under Article 26 include using the system according to the provider's instructions, ensuring human oversight is provided by competent natural persons, monitoring the system's operation, keeping the automatically generated logs that Article 19 requires for at least six months, and reporting serious incidents under Article 73.
The Article 12 logging obligation is where the operational evidence layer for the entire chain sits. Whatever the provider designs into the system at conformity assessment, the deployer has to operate in a way that produces records of how the system was used and what decisions it informed.
The exception that limits scope
Article 6(3) provides an exception to the Annex III classification when the AI system performs only a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing the human assessment, or performs preparatory tasks for assessments relevant to the listed use cases. The exception is meant to keep low-stakes AI tooling out of the high-risk regime.
Providers that want to rely on the exception have to assess the AI system, document the assessment, and register the system in the EU database under Article 49. The competent authorities can disagree with the assessment and reclassify the system as high-risk during market surveillance. In practice, most enterprise AI deployments in HR, credit scoring, and access decisions have failed to qualify for the exception, since the system's output typically informs the human decision rather than merely organizing it.
DeepInspect
This is the architecture the Annex III obligation chain expects. DeepInspect sits at the AI request boundary as a stateless proxy between the application and the LLM. For an AI system classified as high-risk under Annex III, the proxy produces the per-decision audit records that satisfy the Article 12 automatic recording requirement and the Article 19 retention floor. The records include the verified identity of the natural person, the data classification, the policy version in effect, the decision outcome, and a timestamp.
For Article 14 human oversight, the proxy enforces the policy that defines what the human reviewer has to approve and what the AI system can do without review. For Article 26 deployer monitoring, the proxy is the operational point where the deployer's monitoring runs and where the evidence is produced. The Annex III classification is the upstream signal that the obligation chain applies. The architecture has to operate at the per-decision level the chain requires.
If you are deploying an AI system in one of the Annex III categories and the August 2, 2026 deadline is in scope, the Article 12 and Article 19 readiness rests on the per-decision record produced at the AI request boundary.
Frequently asked questions
- Is a credit-scoring system high-risk under Annex III even if it does not make the final lending decision?
Yes. Point 5(b) covers AI used to evaluate the creditworthiness of natural persons or establish their credit score, regardless of whether the system makes the final lending decision. A credit-scoring system that produces an input for a human underwriter still falls inside Point 5(b). The exception under Article 6(3) does not cover credit scoring in most enterprise deployments, since the score materially influences the human decision.
- How does Annex III interact with the AI Liability Directive?
Annex III is the classification driver under the AI Act. The AI Liability Directive proposal sits alongside the Act and addresses non-contractual civil liability for damages caused by AI systems. The Directive references the AI Act classifications, so an Annex III high-risk system inherits the heightened liability framing under the proposed Directive when adopted. The Liability Directive proposal has progressed slowly through the EU legislative process and is not in force at the time of writing.
- Does an internal-only AI system used by employees fall under Annex III?
The classification depends on what the system does, not on whether the users are employees. An internal AI system used for hiring decisions falls under Point 4. An internal AI system used to determine employee performance evaluations falls under Point 4. An internal AI system used purely for productivity assistance, without informing a decision in one of the listed use cases, does not fall under Annex III on its own. The Annex III scope follows the use case.
- What happens if a deployer uses an AI system in a high-risk use case the provider did not anticipate?
Article 25 covers the case where a deployer's use of an AI system substantially modifies the intended purpose declared by the provider. The deployer in that case takes on the provider obligations for the new intended purpose, including the conformity assessment. This pathway catches AI systems that are sold for general use but deployed for a high-risk Annex III use case. The deployer's procurement and assessment process has to surface the substantial modification before it goes into production.
- Will Annex III be expanded by the Commission?
Article 7 gives the Commission the power to add new use cases to Annex III through delegated acts, after consultation. The Commission has signalled interest in monitoring generative AI deployments in sensitive sectors and may propose additions where market surveillance identifies risks the current Annex III does not cover. Deployers should monitor the Commission's annual review of Annex III for any additions that affect their deployments.