← Blog

EU AI Act Article 5 Prohibited Practices: The Eight AI Use Cases That Cannot Be Deployed in the EU

EU AI Act Article 5 prohibits eight categories of AI use that the regulation treats as incompatible with Union values. The prohibition has been in force since February 2, 2025. Penalties under Article 99 reach EUR 35 million or 7 percent of global annual turnover, the highest tier in the regulation. Enterprises preparing for the August 2, 2026 high-risk deadline often skip Article 5 because the prohibitions sound like edge cases. The operational reality is that several prohibitions catch mainstream enterprise use cases when the system is examined against the actual statutory text.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Compliance & Regulationeu-ai-actarticle-5prohibited-aicomplianceregulationai-governance
EU AI Act Article 5 Prohibited Practices: The Eight AI Use Cases That Cannot Be Deployed in the EU

Article 5 of the EU AI Act prohibits eight categories of AI use that the regulation treats as incompatible with Union values. The prohibition has applied since February 2, 2025, six months after the regulation entered into force. The penalty tier under Article 99(3) for breaching Article 5 is EUR 35 million or 7 percent of global annual turnover, the highest tier in the regulation. Enterprises focused on the August 2, 2026 high-risk obligations often treat Article 5 as resolved background. The operational reality is that several prohibitions catch enterprise use cases that look ordinary until the system is examined against the statutory text.

I want to walk through the eight prohibitions as the regulation writes them, the enterprise patterns that recur near the boundary, the exceptions where they exist, and the operational evidence that supports a defensible "not prohibited" determination.

The eight prohibitions

Article 5 lists eight categories of prohibited AI practice. Each has a specific definition and, in some cases, narrow exceptions.

Subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques that materially distort behavior in a manner that causes or is reasonably likely to cause significant harm. The prohibition under Article 5(1)(a) covers AI that nudges behavior in ways the affected person cannot perceive.

Exploitation of vulnerabilities of specific groups (age, disability, social or economic situation) in a manner that materially distorts behavior and causes significant harm. The Article 5(1)(b) prohibition covers AI that targets vulnerable groups, including children and the elderly.

Social scoring by public authorities or on their behalf, where the score produces detrimental or unfavorable treatment that is unrelated to the context where the data was generated or that is unjustified and disproportionate. The Article 5(1)(c) prohibition specifically targets state-led social scoring.

Risk assessment of natural persons in order to assess or predict the risk of a person committing a criminal offense, based solely on the profiling or assessment of personality traits and characteristics. The Article 5(1)(d) prohibition covers predictive policing systems based on personal traits.

Untargeted scraping of facial images from the internet or CCTV footage to create or expand facial recognition databases. The Article 5(1)(e) prohibition covers systems like Clearview AI in their EU operation.

Emotion recognition in workplaces and educational institutions, except for medical or safety reasons. The Article 5(1)(f) prohibition covers AI that infers emotional state from facial expressions, voice, or other signals in employment or schooling contexts.

Biometric categorization that infers race, political opinions, trade union membership, religious or philosophical beliefs, sexual orientation, or sex life. The Article 5(1)(g) prohibition covers AI that uses biometric data to draw sensitive inferences.

Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions for specific serious crimes and missing-person cases under prior judicial authorization. The Article 5(1)(h) prohibition is the most-discussed in the public debate and is the only one with detailed exception conditions.

The enterprise edge cases

Three of the eight prohibitions catch mainstream enterprise use cases more often than the casual reading suggests.

The exploitation-of-vulnerabilities prohibition. Article 5(1)(b) covers AI that exploits vulnerabilities of specific groups. Online lending and financial-product recommendation systems sometimes deploy targeting that produces materially worse outcomes for people in precarious economic situations. The boundary question is whether the system "materially distorts" behavior in a way that "causes significant harm." A system that pushes high-cost credit products to users identified as financially stressed is in the zone where the prohibition can apply.

The workplace emotion-recognition prohibition. Article 5(1)(f) covers AI emotion recognition in workplaces and educational institutions. Workforce analytics products that infer engagement from camera feeds, that track sentiment from voice analysis on customer calls, or that flag mood patterns from messaging-platform activity fall in the prohibition unless they qualify under the medical or safety exception. The safety exception is narrowly read; "team productivity" is not safety.

The biometric categorization prohibition. Article 5(1)(g) covers biometric categorization that infers protected characteristics. Marketing analytics that use facial recognition to infer demographics, age estimation systems used in retail, and identity verification systems that profile users by inferred characteristics fall in scope. The prohibition applies regardless of whether the categorization is presented as a primary feature or as a secondary inference inside a broader analytics product.

The exceptions where they exist

Two of the eight prohibitions have explicit statutory exceptions.

Article 5(1)(f) emotion recognition exempts medical and safety reasons. The medical exception covers systems used in clinical or therapeutic contexts. The safety exception covers narrowly safety-related use, for example a system that detects driver fatigue in a commercial transport context. The exception does not extend to general workforce wellbeing programs.

Article 5(1)(h) real-time remote biometric identification has the most elaborate exception structure. The exceptions are limited to specific objectives (targeted search for victims of specific crimes, prevention of a specific and substantial threat to physical life, identification of perpetrators of a closed list of serious crimes), require prior judicial authorization (with limited urgency exceptions), and require national implementing legislation. The exceptions are narrowly construed.

The other six prohibitions have no exceptions in the statutory text. A system that falls within the definition is prohibited. There is no compliance path.

How the Commission and supervisory authorities will enforce

Enforcement of Article 5 sits with the AI Office at Commission level for cross-border cases and with member state market surveillance authorities for national enforcement. The Commission has signaled that Article 5 enforcement will be high-priority because the prohibitions reflect what the regulation treats as the most serious harms.

The enforcement pattern in the first 18 months of application has emphasized two areas. Investigation of complaints, where individuals or civil society organizations have flagged specific systems for Article 5 review. Market sweeps, where the supervisory authorities have proactively examined sectors with a high incidence of edge cases (employment, education, financial services, advertising).

The supervisory authority's investigation typically requests three categories of evidence. The system documentation that describes the function (Article 11 documentation if the system is also high-risk, internal documentation otherwise). The operational record that shows what the system actually does (logs of inputs, outputs, and decisions). The intended use record that shows how the deployer markets and operates the system.

The operational record that supports a "not prohibited" determination

For systems near the boundary of an Article 5 prohibition, the deployer needs a defensible "not prohibited" determination on file. The determination is supported by three operational artifacts.

The function description. A precise statement of what the system does, in language that maps to the statutory definition of the prohibition. The description is reviewed by counsel and updated when the system changes.

The use record. Evidence that the system is used in the way described. The use record draws on the operational logs that show the actual inputs, the actual outputs, and the actual deployer behaviors that surround the system.

The boundary monitoring. Active monitoring that detects drift from the documented function into the prohibited zone. For an AI marketing system, the monitoring detects when the targeting pattern starts exploiting protected characteristics. For an HR system, the monitoring detects when emotion recognition signals start influencing decisions.

The boundary monitoring is the operational control. The function description and the use record are paper artifacts. The monitoring is the system that catches drift before the drift becomes an Article 5 incident.

How architecture supports the boundary monitoring

The boundary monitoring runs against the operational record. The richer and more independent the operational record, the stronger the monitoring.

Application-internal monitoring runs against application logs. The application that performs the AI action is also the application that monitors itself. The monitoring is blind to the prompt and response payloads that the application strips before logging. The monitoring is dependent on the application team to instrument correctly.

Gateway-level monitoring runs against the gateway records. The gateway sees every prompt, every response, every identity, every policy decision. Boundary monitoring sits at the gateway as policy that detects characteristic-based inferences in outputs, that flags emotion-recognition signals in prompts, that catches drift from documented function. The monitoring is independent of the application and produces the operational evidence the supervisory authority will ask for.

DeepInspect

DeepInspect is a stateless policy gateway between authenticated users or agents and any LLM. Every AI request and response passes through the gateway and produces a signed, tamper-evident audit record with identity, policy version, model version, data classes detected, and timestamps.

For Article 5 boundary monitoring, DeepInspect serves three functions. The gateway's full visibility of prompts and responses supports detection of inferences that drift into prohibited territory. Policy at the gateway can block requests that produce protected-characteristic inferences without authorization. The audit record supports the "not prohibited" determination by documenting what the system actually did across every call.

If you are facing the August deadline, let's talk.

Frequently asked questions

When did Article 5 take effect?

Article 5 has applied since February 2, 2025. The prohibition has been enforceable for over a year as of mid-2026. Enterprises that deployed systems in the prohibited categories during that period and have not retired or remediated those systems are in active non-compliance.

What is the penalty for breaching Article 5?

Article 99(3) sets the penalty for Article 5 breaches at EUR 35 million or 7 percent of global annual turnover, whichever is higher. This is the highest penalty tier in the regulation, above the EUR 15 million or 3 percent for high-risk non-compliance and the EUR 7.5 million or 1 percent for supplying misleading information.

Does Article 5 apply to systems already in operation before February 2, 2025?

Article 5 applies to all systems in operation in the EU regardless of when they were placed on the market. There is no grandfathering. A system that fell within an Article 5 prohibition before the prohibition took effect had to be withdrawn or remediated by February 2, 2025.

Is workforce sentiment analysis prohibited?

Article 5(1)(f) prohibits emotion recognition in workplaces and educational institutions, with narrow medical and safety exceptions. Workforce sentiment analysis that infers emotional state from facial expressions, voice analysis, or other biometric signals is in scope. Sentiment analysis based solely on text content (without biometric inference) is not within the Article 5(1)(f) prohibition, although it can still trigger GDPR and Article 88 (employment-context processing) considerations.

Does Article 5 apply to non-EU companies?

Article 5 applies extraterritorially under Article 2(1)(c) where the output of the system is used in the EU. A US company that operates a prohibited system whose output is consumed by users in the EU is within scope. The enforcement mechanism is the appointment of an EU representative under Article 22 and the market surveillance authorities of the affected member states.

How does a deployer document an Article 5 self-assessment?

The deployer documents the assessment with three components: the system description in the function-description language; the analysis against each of the eight Article 5 prohibitions with the basis for the conclusion; and the operational evidence (logs, use record, boundary monitoring) that supports the conclusion. The documentation is part of the deployer's quality management system and is produced on request to the supervisory authority.