EU AI Act Prohibited Practices: What Article 5 Bans and How Enforcement Catches It

Article 5 of the EU AI Act lists the practices the regulation prohibits outright: subliminal manipulation, exploitation of vulnerability, social scoring by public authorities, predictive policing based on profiling, untargeted facial scraping, emotion inference in workplaces and schools, biometric categorisation by protected characteristic, and most real-time biometric identification in public spaces. The prohibitions took effect February 2, 2025. The €35 million / 7% penalty tier applies. This article walks through the eight prohibitions and the architecture that catches them at the AI request boundary.

By Parminder Singh · Founder & CEO, DeepInspect Inc.
Article 5 of the EU AI Act lists the AI practices the regulation prohibits outright. The prohibitions took effect February 2, 2025, ahead of the August 2, 2026 high-risk obligations. The penalty tier under Article 99 is €35 million or 7% of global annual turnover, whichever is higher, the highest in the entire regulation. Most enterprise discussions of the EU AI Act focus on Annex III high-risk classification, which makes sense because most enterprise deployments fall in that bucket. The Article 5 prohibitions are a smaller and sharper risk surface. The architecture that catches a prohibited practice in production is the same architecture that catches an Article 12 logging gap.

I want to walk through the eight prohibitions, the foreseeable ways an enterprise system trips one without intending to, and the runtime pattern that prevents it.

The eight prohibitions

Article 5 lists eight categories. Each one has carve-outs and definitional caveats, but the contours are stable.

Subliminal manipulation that causes harm

Article 5(1)(a) prohibits AI systems that deploy subliminal techniques beyond a person's consciousness or purposefully manipulative techniques, with the objective or effect of materially distorting behavior in a way that causes harm. The clause is narrower than it reads. An advertising recommendation system that uses transparent techniques and does not cause material harm is not in scope. A system that exploits cognitive bias outside the person's awareness, in a way that produces material harm, is.

Exploitation of vulnerability

Article 5(1)(b) prohibits AI systems that exploit any vulnerabilities of a person or group based on age, disability, or socio-economic situation, in a way that materially distorts behavior and causes harm. The clause covers, among other things, predatory targeting of older adults, children, or low-income households.

Social scoring by public authorities

Article 5(1)(c) prohibits social scoring by public authorities, where the scoring leads to detrimental treatment of people in contexts unrelated to the original data or disproportionate to the social behavior assessed. The clause applies to public authorities. Most enterprise risk on this prohibition sits inside vendor-supplied tooling sold into government.

Predictive policing based on profiling

Article 5(1)(d) prohibits assessing or predicting the risk of a person committing a criminal offense solely on the basis of profiling or personality traits. The clause does not prohibit predictive risk modeling that uses objective and verifiable facts directly linked to criminal activity.

Untargeted facial-image scraping

Article 5(1)(e) prohibits the creation or expansion of facial recognition databases through untargeted scraping of facial images from the internet or CCTV. The clause targets a specific technique used by certain vendors.

Emotion inference in workplaces and education

Article 5(1)(f) prohibits AI systems that infer emotions of a natural person in workplaces and educational institutions, except for medical or safety reasons. The clause has direct implications for HR analytics, customer service routing, and student monitoring deployments.

Biometric categorisation by protected characteristic

Article 5(1)(g) prohibits biometric categorisation systems that infer race, political opinion, trade union membership, religious or philosophical belief, sex life, or sexual orientation. Lawful labelling of biometric data in datasets is carved out.

Real-time biometric identification in public spaces

Article 5(1)(h) prohibits real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, subject to narrowly defined exceptions for serious crime, search for victims, and prevention of substantial threats.

How an enterprise system trips a prohibition without intending to

The Article 5 categories sound exotic. The ways enterprise deployments accidentally fall into one are not.

HR analytics drift into emotion inference

A customer service routing system that uses sentiment scoring on call recordings to flag "difficult" customers and steer them to senior agents may be doing emotion inference. If the same scoring is then used to evaluate the call center agent's performance, the workplace prohibition under Article 5(1)(f) applies.

Marketing personalization drifts into vulnerability exploitation

A recommendation system tuned on engagement signals that targets users showing signs of financial distress with high-interest credit products may trip Article 5(1)(b). The system was not designed to exploit vulnerability. The training objective produced the outcome.

Vendor-embedded analytics import a prohibited capability

A vendor SaaS tool used for student engagement analytics that infers attention or affect from webcam input may put the school district inside Article 5(1)(f). The district acquired the tool to support pedagogy. The vendor's model carries the prohibited capability.

Internal copilots inherit upstream data with prohibited inferences

An internal HR copilot that pulls candidate profiles from a sourcing tool that categorises by inferred religion or political opinion inherits the prohibited inference. The HR team using the copilot was not aware of the upstream inference path.

What the architecture has to catch

The Article 5 prohibitions are runtime properties. The deployer cannot rely on procurement attestations or model documentation. The architecture has to detect the practice in the actual traffic.

Prompt-level classification before the request leaves the deployer's boundary

The prompt content that reaches the model is the most reliable signal of what the system is actually doing. Identity-aware DLP at the AI request boundary classifies the prompt for biometric inputs, emotion-inference instructions, profiling instructions on protected characteristics, and credit-scoring instructions tied to vulnerability indicators.

Per-route and per-role policy attached to the model endpoint

Policies attach to the API route and the calling role. A clinical decision support endpoint accessed by a licensed clinician carries different policy than the same endpoint accessed by a marketing analyst. The same endpoint, the same model, different policy, different decision.

Fail-closed posture on undefined cases

When the request matches none of the explicitly permitted policy templates, the proxy fails closed. The Article 5 prohibitions are absolute. The deployer cannot afford a default-allow posture on undefined inputs.

Per-decision audit record for the deployer's defense

When a regulator asks whether a prohibited practice was deployed, the deployer has to produce the evidence. A per-decision audit record showing the policy that fired, the data classification of the prompt, and the outcome of the decision is the evidence layer. Application logs are insufficient.

DeepInspect

This is exactly what DeepInspect does. DeepInspect sits inline between users or agents and the LLM APIs they call. For every request and response, it evaluates identity, data classification, model authorization, and organizational policy, and makes a pass or block decision before the traffic reaches the model.

For Article 5, the relevant property is that the prohibition can be expressed as a policy rule attached to the AI request boundary. A clause that prohibits emotion inference on workforce voice data becomes a rule that blocks prompts containing the inference instruction and the workforce data class together. A clause that prohibits biometric categorisation by protected characteristic becomes a rule that blocks prompts containing biometric data and the categorisation instruction together.

The per-decision audit record persists regardless of the application's runtime state. If a regulator inquires whether the deployment performed a prohibited practice, the deployer produces the record showing the policy fired and the request was blocked. If a request slipped through, the deployer produces the record showing what was sent, by whom, under which policy, and the corrective measure taken.
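The controls described above (an Article 5 clause expressed as labels that must not appear together, per-route and per-role templates, a fail-closed default, and a per-decision record), shown as an added example. This is not DeepInspect's code; the label names, routes, roles and record fields are assumptions, and the prompt classifier that would produce the labels is not shown.

```python
import hashlib
import json
from datetime import datetime, timezone

# Labels are hypothetical outputs of a prompt classifier (not shown here).
# A block rule fires when ALL of its labels appear on one request.
BLOCK_RULES = {
    "art5-1f-emotion-workforce": {"emotion_inference_instruction", "workforce_data"},
    "art5-1g-biometric-categorisation": {"biometric_data", "categorisation_instruction"},
}

# Allow templates per (route, role): the only labels that pair may send.
ALLOW_TEMPLATES = {
    ("/v1/clinical-support", "clinician"): {"health_data", "clinical_question"},
    ("/v1/hr-copilot", "hr_partner"): {"workforce_data", "summarisation_instruction"},
}

def decide(route, role, labels, prompt, user):
    """Return the per-decision audit record; anything not explicitly permitted is blocked."""
    labels = set(labels)
    fired = next((n for n, rule in BLOCK_RULES.items() if rule <= labels), None)
    allowed = ALLOW_TEMPLATES.get((route, role))
    if fired:
        outcome, policy = "block", fired
    elif allowed is None or not labels or not labels <= allowed:
        # No template for this route/role, unclassified prompt, or extra labels: fail closed.
        outcome, policy = "block", "default-deny"
    else:
        outcome, policy = "pass", f"allow:{route}:{role}"
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "route": route, "role": role,
        "labels": sorted(labels), "policy": policy, "outcome": outcome,
        # Assumption: keep a digest that references the stored prompt, not the raw text.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    }

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("/v1/hr-copilot", "hr_partner", {"workforce_data", "emotion_inference_instruction"}),
        ("/v1/clinical-support", "clinician", {"clinical_question"}),
        ("/v1/clinical-support", "marketing_analyst", {"clinical_question"}),
        ("/v1/unknown", "hr_partner", {"workforce_data"}),
    ]
    for route, role, labels in samples:
        print(json.dumps(decide(route, role, labels, "constructed prompt", "user-1")))
```

The same route and labels produce a pass for the clinician and a default-deny block for the marketing analyst, and every call returns a record whether or not the request was allowed.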

If you are running enterprise AI in 2026 and your Article 5 controls depend on documentation rather than enforcement, the regulator will find the gap before you do.

Frequently asked questions

Did Article 5 take effect on the same date as the high-risk requirements?

No. Article 5 took effect February 2, 2025, six months after the regulation entered into force on August 1, 2024. The high-risk system requirements under Articles 8 through 15, 16, and the related obligations take effect August 2, 2026. By that deadline, which is the one the broader compliance program targets, the prohibitions will have been enforceable for over a year. Many enterprise programs missed the earlier date because attention focused on the August 2026 milestone.

What is the penalty for an Article 5 violation?

Article 99 sets the prohibited-practices tier at €35 million or 7% of global annual turnover, whichever is higher. The tier is the highest in the regulation, above the €15 million / 3% tier for high-risk non-compliance and the €7.5 million / 1% tier for supplying misleading information. A single violation can carry multi-hundred-million-euro exposure for a multinational. National competent authorities set the actual fine in line with the proportionality rules in Article 99.

Do the Article 5 prohibitions apply to a US company without EU customers?

Article 5 applies to AI systems placed on the Union market, put into service in the Union, or producing output used in the Union. A US company without EU customers and without EU users of its output is outside the scope. A US company whose product is resold by an EU partner, or whose output reaches EU end users through any path, is in scope. The extraterritorial reach is broad. Most B2B SaaS companies have to do the analysis carefully before concluding the prohibitions do not apply.

How does the emotion inference prohibition affect customer service AI?

Article 5(1)(f) prohibits emotion inference of natural persons in workplaces and educational institutions, except for medical or safety reasons. The workplace clause covers employees of the deployer. A customer service routing system that infers customer emotion is not in the workplace category, because the customer is not in the deployer's workplace. The same routing system, if used to evaluate the agent's own emotional state, is in scope. The distinction is the natural person being inferred about.

Does prompt-injection defense intersect the Article 5 prohibitions?

It can. A prompt-injection attack that attempts to manipulate the model into performing a prohibited practice on behalf of the attacker (for example, instructing the model to infer protected characteristics or emotion in a workplace context) is both an Article 5 risk and a security incident. The enforcement layer that blocks prompt injection on policy grounds also blocks the underlying Article 5 violation. The two controls share infrastructure.