AI Regulation — How Risk-Based Rules Actually Work
Ask a project team if they are “AI Act compliant” and watch what happens. Someone quotes a deadline.
Someone else says it moved. Nobody in the room can actually tell you what the law requires — only that a date is coming.
That is not a knowledge gap you fix by memorising deadlines. Deadlines move.
This one has moved twice in 2026 already. What does not move is the logic underneath it: every AI system gets classified by how much harm it could cause, and the rules scale with that harm.
Once you understand that one idea, every AI regulation on the planet — EU, Korean, Colorado, whatever comes next — reads the same way. This post explains the model, not the calendar.
🔗 Foundation posts
If responsible AI is new territory for you, start with Ethics and Responsible AI , which covers the fairness, bias and accountability side of this topic. AI Data Sovereignty covers the parallel question of where your AI data is allowed to live. This post covers the third piece — how the rules themselves are built.
Why AI needed a law of its own
Older regulation assumes a human somewhere in the decision chain who can be asked why. A loan officer who rejects your application can explain the reason. A hiring manager who passes you over can be questioned.
AI collapses that assumption. A credit-scoring model can reject thousands of applications an hour, using patterns nobody explicitly wrote into a rule. Nobody sat down and coded “reject applicants from this postcode.” The model learned it from data, and even its own builders often cannot point to the exact reason for one decision.
Existing sector law — banking, employment, product safety — still applies to AI. None of it, though, was written with a system that learns behaviour rather than following instructions. Regulators needed a way to answer one question before writing anything new: how much can go wrong here?
The core idea — regulate the risk, not the technology
Here is the insight that makes the rest of this post make sense: the law does not care whether you built a neural network, a simple decision tree, or an if-then rule engine. It cares what happens when the system gets it wrong.
This is the part almost everyone misses. A spam filter and a hiring algorithm can run on the exact same underlying technology and land in completely different regulatory categories.
The technology is irrelevant. The consequence of failure is everything.
📌 Key takeaway
The question that matters legally is never “what kind of AI is this?” It is “what happens to a real person if this system gets it wrong?” Every risk tier in every AI law is really just a graded answer to that one question.
The four risk tiers, with real examples
Every risk-based AI law — the EU AI Act included — sorts systems into some version of these four bands. The names vary slightly by jurisdiction. The logic does not.
| Risk tier | What it means | Real examples | What it triggers |
|---|---|---|---|
| Unacceptable | Banned outright — no compliance path exists | Government social scoring, real-time public biometric surveillance, manipulation of vulnerable people, AI-generated CSAM or non-consensual intimate imagery | Prohibition. You simply cannot deploy it. |
| High risk | Significant impact on rights, safety or access to essential services | Hiring and recruitment tools, credit scoring, education access, law enforcement systems, critical infrastructure control | Risk management system, technical documentation, human oversight, conformity assessment before market |
| Limited risk | Transparency matters more than restriction | Chatbots, deepfakes, AI-generated content, emotion recognition systems | Disclosure — tell the user they are dealing with AI, label synthetic content |
| Minimal risk | Everyday AI with no special legal exposure | Spam filters, recommendation engines, most internal productivity tools | No specific AI obligations beyond the law that already applied |
⚠️ Warning
The mistake I see most often: teams assume “we use an LLM” automatically means high-risk. It does not. The tier depends on what the system is used for, not what it is built from. A chatbot answering FAQ questions is limited risk. The same chatbot screening job candidates is high-risk — same model, completely different obligations.
Who carries the obligation — provider vs deployer
This is the second thing people get wrong, and it costs more than the risk tier does. Building an AI system and using one are legally different roles, and the law puts different weight on each.
A provider designs, trains or places an AI system on the market. A deployer uses that system under their own authority — often without changing a line of its code.
| Role | What you actually do | What you owe |
|---|---|---|
| Provider | Builds the AI system, or has it built, and puts it on the market under its own name | Technical documentation, risk management, conformity assessment, instructions for safe use |
| Deployer | Uses an AI system in a professional capacity — often one bought from someone else | Human oversight, monitoring for misuse, using the system only as instructed, incident reporting |
💡 Practical tip
If you buy an off-the-shelf hiring tool and plug it into your recruitment process, you are the deployer — and you inherit real obligations, not just the vendor’s terms and conditions. Ask any AI vendor for their conformity documentation before you sign, not after an audit finds you do not have it.
Why this pattern is spreading well beyond Europe
This is why the risk-tier model is worth learning properly rather than treating as an EU quirk. It is becoming the default grammar of AI regulation worldwide, even where the exact wording differs.
South Korea’s AI Basic Act took effect in January 2026 and explicitly follows the same tiered logic, with separate tracks for high-impact and generative AI. Colorado passed a comparable risk-based duty of care in 2024 — though not for long, as you’ll see below. Brazil’s AI framework and a growing list of US state bills — Connecticut, Massachusetts, New York, Virginia — are drafted against the same template.
None of these laws are identical. Korea has no outright prohibited category the way the EU does.
Colorado is the exception worth knowing: in May 2026 it scrapped its own risk-tier duty-of-care model in favour of a narrower disclosure law, delayed to January 2027. Even that retreat proves the point — regulators keep circling back to the same question: how much can go wrong, and who is responsible if it does?
✅ Best practice
Build one internal AI governance framework mapped to risk tiers, not a separate compliance checklist per country. A system classified as high-risk under your own framework will map cleanly onto the EU, Korean or US version of the same idea — you are translating, not rebuilding.
What this means in practice — classify before you build
Every AI governance engagement I have run starts with the same three-step sequence, done in this order and never skipped.
1. Identify your role
Are you building the system, or using one someone else built? Most enterprise teams are deployers far more often than they realise — the AI is usually embedded in a product they bought, not written in-house.
2. Classify the system’s risk tier
Not the technology. The use case.
The same summarisation model is minimal risk in a marketing tool and high risk in a clinical triage tool. Classify by consequence, not by architecture.
3. Let the obligations follow
Once the tier is set, the obligations are not a matter of opinion — they are largely prescribed. This is the step teams try to shortcut, and it is the one that actually saves time. Guessing at obligations wastes far more effort than classifying properly first.
📝 Where the EU AI Act stands right now (2026)
This section is a snapshot, not the model. The reasoning above will still be accurate in 2035. These specific dates will not — check the AI Act Service Desk before you rely on any of them.
Timeline so far: The Act entered into force 1 August 2024. Prohibited practices and AI literacy obligations became binding from 2 February 2025. Governance rules and obligations for general-purpose AI models started 2 August 2025.
What changed in mid-2026: The Digital Omnibus on AI was formally adopted by the European Parliament and Council in June 2026, deferring the toughest obligations. Standalone high-risk systems (Annex III — hiring, credit, education and similar) now have until 2 December 2027, not 2 August 2026. High-risk systems embedded in regulated products (Annex I — medical devices, lifts, machinery) now have until 2 August 2028.
What did not move: Transparency and watermarking obligations for AI-generated content still apply from 2 August 2026, with a grace period to 2 December 2026 for systems already on the market. A new prohibition on AI-generated non-consensual intimate imagery and CSAM takes effect 2 December 2026, regardless of the wider deferral.
Penalties: Up to €35 million or 7% of global annual turnover for the most severe violations, whichever is higher. This is not a fine you budget around.
At a glance — AI regulation essentials
| Concept | One-line summary |
|---|---|
| Risk-based regulation | AI systems are classified by potential harm, not by the technology used to build them |
| Unacceptable risk | Banned outright — social scoring, mass biometric surveillance, exploitative manipulation |
| High risk | Significant impact on rights or safety — triggers documentation, oversight and conformity assessment |
| Limited risk | Transparency obligations — disclose that content or interaction is AI-generated |
| Minimal risk | No specific AI obligations beyond whatever law already applied |
| Provider | Builds or places the AI system on the market — carries the heaviest documentation duties |
| Deployer | Uses an AI system under their own authority — carries oversight and monitoring duties |
| Extraterritorial reach | If your AI affects people in a jurisdiction, the jurisdiction’s rules can apply regardless of where you are based |
| The Brussels effect | The EU AI Act’s risk-tier model is being adopted or adapted by South Korea, Colorado, Brazil and others |
| EU AI Act deadlines (2026) | High-risk obligations deferred to Dec 2027 / Aug 2028; transparency rules still land Aug 2026 |
What to take away
Regulation is not a checklist you survive once and forget. It is a proxy — a formal, legally binding version of the question any good engineer should already be asking: what happens if this is wrong, and who does it happen to?
Once you see it that way, you stop needing a new compliance program every time a new country legislates. You already know the shape the law will take, because the shape has been the same since Brussels wrote it down first.
You are classifying consequences. Everything else is paperwork.
That is the difference between a team that panics at every regulatory headline and one that already knows where a new system will land before the law catches up to it.
🔗 Related posts on this site
Ethics and Responsible AI — The Essentials Every Organisation Needs to Know — the fairness, bias and accountability principles that sit alongside the legal obligations covered here.
AI Data Sovereignty — The Three Concepts That Matter — where your AI data is allowed to live, and why that is a separate question from risk classification.
AI Alignment — The Problem Every AI Model Has to Solve — the technical side of making an AI system behave safely, which regulation assumes but does not itself guarantee.
AI in the Enterprise — A Practical Map — where organisations are actually deploying AI in 2026, which is exactly where these risk tiers get tested.
Published on rakeshnarayan.com — Articles
URL: https://rakeshnarayan.com/articles/ai-regulation-how-risk-based-rules-actually-work/



Did you enjoy this article?
Let me know — it takes one click.
0 Comments
Leave a Comment
Your comment has been submitted and will appear after review.