Limited-risk vs high-risk: how to stop overspending on EU AI Act compliance
Under the EU AI Act, the most expensive mistake is not under-compliance. It is treating a limited-risk system as high-risk, and paying for a stack of controls the law never asked for.
Most compliance budgets for the Act are too high, not too low. The reason is rarely negligence. It is caution: faced with a regulation that carries fines in the tens of millions, teams round everything up to high-risk and build accordingly. The result is a chatbot governed like a credit-scoring engine, and a budget several times larger than the law requires.
Getting the tier right is the single decision that controls cost. This guide explains what high-risk and limited-risk actually demand, where common systems land, and how to right-size without leaving real risk uncovered. For the full four-tier breakdown, see the risk classification guide, and for the wider picture, the EU AI Act explained.
Why teams over-classify
Three forces push organisations to over-classify. The first is fear: high penalties make caution feel safe, even when it is expensive. The second is vendor noise: suppliers market EU AI Act compliance as a single heavy programme, blurring the line between tiers. The third is a category error: treating "uses AI" and "high-risk" as the same thing. They are not. The Act reserves high-risk for specific, listed uses (Annex III) and safety components of regulated products (Annex I), and leaves most AI in lighter tiers.
What high-risk actually demands
High-risk is the heavy tier, and it earns the name. A high-risk system carries a full stack of obligations: a risk management system maintained across its lifecycle, technical documentation, data governance and quality controls, logging and record-keeping, human oversight, accuracy, robustness and cybersecurity requirements under Article 15, a conformity assessment, and, for the Annex III uses, registration in the EU database before it goes live. Building that file credibly takes months, not weeks, and the conformity assessment guide covers what it involves.
This is the right level of effort for a system that decides who gets hired, who gets credit, or who reaches an essential service. It is wildly disproportionate for a tool that summarises meetings.
What limited-risk actually demands
Limited-risk is a different order of magnitude. Its obligation is transparency, not the high-risk stack. Under Article 50, users must be told when they are interacting with AI (unless that is obvious from the context), and AI-generated content must be marked as synthetic, in a machine-readable form where the system produces it. There is no conformity assessment, no technical file, and no database registration. For most organisations, limited-risk compliance is a disclosure and a labelling step, not a programme.
Where common systems actually land
A few concrete examples make the gap clear. A customer-service chatbot is limited-risk: it owes an AI disclosure and nothing more, unless it is making or supporting high-risk decisions. An AI tool that screens or ranks job applicants is high-risk, because employment is a listed use. A credit-scoring model is high-risk for the same reason. An AI note-taker that transcribes meetings is minimal-risk. A marketing tool that generates images or video is limited-risk, owing machine-readable marking of the synthetic content it produces. Emotion recognition in a workplace is not a tier question at all: it is prohibited under Article 5, with a narrow exception for medical or safety purposes.
The pattern is that the tier follows the use, not the technology. The same underlying model can be minimal-risk in one product and high-risk in another. The risk classification guide works through the full process.
How to right-size: four questions
You can place most systems with four questions, in order. Does it perform a prohibited practice under Article 5? If so, stop. Is it used for a listed high-risk purpose (Annex III, such as employment, credit, or access to essential services) or as a safety component of a regulated product (Annex I)? If so, it is high-risk. Does it interact with people or generate content? If so, it is limited-risk, owing transparency under Article 50. If none of these apply, it is minimal-risk. Answer honestly, document the reasoning, and you have both a defensible classification and a right-sized budget.
The cost of getting it wrong, both ways
Over-classification wastes money and slows adoption: teams spend high-risk budgets and impose high-risk friction on tools that never needed it, and AI projects stall under the weight. Under-classification is worse: a genuinely high-risk system run as if it were limited-risk is exactly the exposure regulators and enterprise customers look for. Right-sizing is not about doing less. It is about spending where the risk actually is.
Frequently asked questions
Does my chatbot need a conformity assessment?
Almost never. A general customer-service chatbot is limited-risk and owes a transparency disclosure under Article 50, not a conformity assessment. It only needs the high-risk treatment if it is used to make or support a high-risk decision, such as screening job applicants.
What does limited-risk compliance actually involve?
Transparency: telling users they are dealing with AI, and labelling AI-generated content. There is no technical file, conformity assessment, or EU database registration. For most organisations it is a disclosure and a labelling step rather than a programme.
How much does high-risk compliance cost?
It varies, but it is an order of magnitude more than limited-risk, because it requires risk management, technical documentation, data governance, human oversight, testing, and a conformity assessment built and maintained over the system's life. That cost is justified for genuinely high-risk uses and wasted on everything else.
Can a system change tiers?
Yes. The tier follows the use, so the same model can be minimal-risk in one product and high-risk in another, and a change of use can move a system up or down. Re-classify whenever a system's purpose or context changes.
Who decides which tier a system is in?
You do, as the provider or deployer, against the Act's criteria. The classification should be written down with its reasoning so it can be defended to an auditor or an enterprise customer.
Grasp classifies every AI system in your organisation by its EU AI Act tier, so you protect the high-risk ones and stop paying high-risk prices for limited-risk tools. See the EU AI Act solution →