Regulatory Overlay

EU AI Act Exposure Instrument

Identify high-risk classification signals and governance obligations before regulatory enforcement deadlines.

With high-risk obligations expected to apply from August 2026 (subject to evolving guidance), boards must ensure AI investments are defensible against anticipated regulatory requirements.

Assess Your EU Exposure

Classification

What Constitutes High-Risk AI?

The EU AI Act defines high-risk AI systems primarily through Annex III, which identifies use-case categories where AI deployment carries elevated regulatory obligations. Key categories include:

  • Employment and workforce management systems — recruitment, performance evaluation, task allocation
  • Credit scoring and financial access — creditworthiness instrument, insurance risk pricing
  • Biometric identification and categorisation — remote identification, emotion recognition in certain contexts
  • Critical infrastructure management — energy, transport, water, and digital infrastructure
  • Public services and benefits administration — eligibility instrument, emergency dispatching, asylum processing

Classification determination depends on specific deployment context, not the technology itself. The AI Capital Risk Instrument (ACRI) maps your use cases against these signals.

Impact

Capital Risk Implications

High-risk classification creates concrete obligations that affect capital deployment timelines, governance structures, and operational requirements.

  • Documentation and record-keeping requirements — technical documentation, data governance records, usage logs
  • Governance oversight structures — designated human oversight, clear accountability chains, incident reporting
  • Risk management frameworks — systematic identification, instrument, and mitigation of foreseeable risks
  • Human oversight mandates — qualified personnel with authority to override or halt system operation
  • Auditability and transparency — conformity instrument readiness, regulatory inspection preparedness

Each of these obligations translates directly into capital exposure. Governance gaps, documentation deficiencies, or missing oversight structures can independently constrain the framework posture assigned to an organization's AI investment.

Methodology

The Stratify EU Overlay

As part of the broader Capital Risk Instrument, the EU AI Act overlay provides a focused regulatory exposure analysis:

  • Maps organizational AI use cases against Annex III classification signals
  • Assesses governance maturity relative to anticipated compliance obligations
  • Flags documentation sufficiency gaps across technical and operational records
  • Identifies capital-constraining risk — where regulatory exposure independently constrains posture

The EU overlay is integrated into the standard instrument for organizations with EU footprint. No separate engagement required.

Context

Regulatory Timeline

February 2025Prohibited practices provisions became applicable
August 2025GPAI model provider obligations and governance structure requirements applicable
August 2026High-risk system obligations anticipated to apply (subject to evolving regulatory guidance)
OngoingRegulatory clarification and potential scope adjustments under active review by EU institutions

Timelines reflect current regulatory publications and are subject to change. This instrument does not constitute legal advice. Organizations should consult qualified legal counsel for compliance decisions.

EU exposure is capital exposure.

Schedule Executive BriefingView Full Instrument