- What “High-Risk” Means Under the AI Act
- The Annex III Walkthrough for Academic AI Systems
- Common Questions on AI Act High-Risk Classification
- Implications for Research Administrators and Developers
Admissions-screening tools, exam proctoring software, and subject-profiling systems built or bought by universities are now squarely inside EU compliance scope. AI Act high-risk classification is not a label a developer chooses — it is determined by a fixed legal test set out in Article 6 and Annex III of Regulation (EU) 2024/1689, and most research-facing AI that touches education, employment, or biometric data will fail that test into the “high-risk” tier by default. This walkthrough applies the actual Annex III criteria to the tools research administrators are most likely to encounter.
What “High-Risk” Means Under the AI Act
The AI Act sorts systems into four tiers: unacceptable risk (banned outright, applicable since 2 February 2025), high risk, limited risk (transparency duties only), and minimal risk (unregulated). There is no fifth “probably fine” category for academic tools — a system either clears the high-risk gate or it does not.
Article 6 sets two separate high-risk routes. The first covers AI embedded as a safety component in products already regulated under Annex I product-safety law (medical devices, machinery, and similar). The second — the one that catches nearly all academic and research-administration tools — is Annex III: a fixed list of use cases that are always considered high-risk unless a narrow exemption applies.
Obligations tied to the Annex III route generally apply from 2 August 2026; the Annex I product-safety route gets an extra year, to 2 August 2027. Providers who conclude their own Annex III system is not high-risk must document that assessment and register it before deployment (Article 6(4)) — silence or informal judgement calls are not a defence.
The Annex III Walkthrough for Academic AI Systems
Annex III groups high-risk triggers into eight domains. Three of them account for almost every academic AI tool that raises a compliance question: education, employment, and biometrics. The table below maps common research-institution tools to the specific Annex III clause they hit.
| Annex III category | Example academic AI use | Clause | Verdict |
|---|---|---|---|
| Education and vocational training | Admissions-ranking or applicant-screening AI | Annex III(3)(a) | High-risk |
| Education and vocational training | Automated scoring that steers a student’s learning path | Annex III(3)(b) | High-risk |
| Education and vocational training | Exam-proctoring software flagging “prohibited behaviour” | Annex III(3)(d) | High-risk |
| Employment and workers management | AI screening postdoc, faculty, or research-staff applications | Annex III(4)(a) | High-risk |
| Biometrics | Emotion-recognition tool used in a lecture-engagement study | Annex III(1)(c) | High-risk, unless a narrow medical/safety exception applies |
| Biometrics | Biometric categorisation inferring ethnicity or political views from images for research subject profiling | Annex III(1)(b) | High-risk — the profiling override applies (see below) |
Education and Training Triggers
Annex III(3) lists four education triggers: access/admission decisions, evaluation of learning outcomes, assessment of the appropriate level of education a person can access, and monitoring of prohibited behaviour during tests. A tool only needs to match one clause — not all four — to be caught. An institutional dashboard that merely displays grades without influencing a decision is unlikely to trigger this route; a model that ranks or filters applicants does.
Employment and Research-Staff Triggers
Annex III(4) covers recruitment and selection tools (targeted job adverts, CV filtering, candidate scoring) and tools used in promotion, termination, task allocation, or performance monitoring of an existing workforce. Research institutions using AI to shortlist grant-funded researchers, PhD candidates, or lab staff sit inside this trigger on the same footing as any commercial employer.
Biometric-Categorisation and Profiling Triggers
Annex III(1) is the sharpest edge for research tools. It covers remote biometric identification, biometric categorisation systems that infer sensitive attributes (race, political opinion, trade union membership, religious belief, sex life, or sexual orientation) from biometric data, and emotion-recognition systems — with only a narrow carve-out for systems used purely for medical or safety purposes. A study instrument that infers demographic or affective attributes from facial or voice data for research subject profiling falls inside this trigger even when the researchers’ intent is purely academic.
The Narrow-Task Exemption — and Why Profiling Overrides It
Article 6(3) gives Annex III systems four possible escapes: performing a narrow procedural task, improving the result of work a human already completed, detecting deviations from a prior human decision without replacing it, or performing a preparatory task before a human assessment. A system that clears one of these tests can be treated as not high-risk — but the provider must still document that judgement.
Critically, Article 6(3) carries an override that most summaries omit: an Annex III system is always high-risk if it performs profiling of natural persons, regardless of whether it would otherwise qualify for the narrow-task exemption. Profiling is defined broadly under EU data-protection law as automated processing used to evaluate personal aspects such as performance, behaviour, preferences, or location. Any admissions tool, proctoring tool, or research instrument that builds a profile of an individual cannot use the narrow-task escape — it is high-risk by default.
One further nuance matters for university researchers: Article 2 excludes AI systems developed and used solely for scientific research and development from the Regulation’s scope entirely. That exclusion evaporates the moment the same tool is deployed operationally — for example, adapted from a lab study into a live admissions or proctoring product.
Common Questions on AI Act High-Risk Classification
What is high risk under the AI Act?
An AI system is high-risk if it is a safety component of a product regulated under Annex I, or if its use case appears in Annex III — covering biometrics, education, employment, and public services — unless a documented Article 6(3) exemption applies and no profiling occurs.
What are the four levels of risk in the AI Act?
The Regulation defines four tiers: unacceptable risk (prohibited outright), high risk (strict pre-market obligations), limited risk (transparency duties, such as disclosing AI-generated content), and minimal risk (largely unregulated, voluntary codes only).
What are high-risk use cases under the AI Act?
Annex III lists eight domains: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, and administration of justice or democratic processes.
What are examples of high-risk AI systems?
Documented examples include admissions-screening AI, exam-proctoring software, CV-filtering recruitment tools, creditworthiness scoring, biometric categorisation systems, and remote facial-recognition identification tools used by public authorities.
Implications for Research Administrators and Developers
For institutions procuring or building these tools, the practical checklist is short but unforgiving:
- Map every AI tool touching admissions, assessment, proctoring, staff recruitment, or biometric data against the specific Annex III clause it might trigger.
- Test each candidate system against the four Article 6(3) exemption conditions — and check separately whether it performs profiling, which overrides any exemption.
- Document the classification assessment before deployment, even where the conclusion is “not high-risk,” and be ready to produce it to national competent authorities on request.
- Re-run the assessment when a research prototype moves from the Article 2 scientific-research exclusion into operational use — the exclusion does not travel with the tool.
- Track the compliance calendar: prohibited-practice bans applied from 2 February 2025; most Annex III obligations apply from 2 August 2026; the Annex I product-safety route follows in August 2027.
Research administrators sit at the intersection of procurement, ethics review, and data governance, which makes this classification exercise an institutional responsibility rather than a vendor’s alone. Bodies advancing research-administration practice — including CASRAI’s research administration resources — increasingly treat AI-tool risk mapping as a standard due-diligence step alongside existing data-protection and research-integrity checks, and institutions building internal glossaries can cross-reference definitions of profiling, biometric categorisation, and related terms in the CASRAI dictionary.
The European Commission is due to publish detailed implementation guidelines and worked examples for Article 6 classification. Until then, the safest institutional posture is to assume Annex III applies wherever an academic AI system reaches a decision about a person’s access, evaluation, employment, or biometric profile — and to document the reasoning either way.








