Understand risk-based AI obligations and why education use cases need care.
AI Act risk depends on intended use, affected people, actor role, and market context.
AI Act risk depends on intended use, affected people, actor role, and market context.
Why this matters: Explain the risk-based structure in practical terms.
Problem anchor: Agentic Learning Studio wants to offer an AI lesson coach to EU schools. The same model can be low-risk in a private drafting demo, transparency-relevant in a public chatbot, or potentially high-risk if used to evaluate students or influence educational access. The intended purpose matters.
As of June 23, 2026, the EU AI Act is Regulation (EU) 2024/1689. It uses a risk-based structure that includes prohibited practices, high-risk systems, transparency obligations, and general-purpose AI model provisions. This lesson teaches product literacy, not legal advice; a real launch needs qualified counsel.
System: AI lesson coach for secondary-school learners in the EU. Intended purpose: explain concepts, give practice feedback, and recommend next lessons. Not intended purpose: grade students, decide admission, allocate scholarships, or discipline learners. Users: students, teachers, school administrators. Actor role: likely deployer for a school using a third-party model, but provider duties may arise if packaging and marketing a system under the Studio brand.
Initial risk note: tutoring and feedback require transparency, data governance, and human override. If the system is used to evaluate learning outcomes or influence access to education, counsel must review high-risk classification and obligations before launch.
The AI Act creates different duties depending on risk category and the actor placing or using the system.
The AI Act creates different duties depending on risk category and the actor placing or using the system.
Why this matters: Describe the main risk buckets without overclaiming.
A practical worksheet separates questions. Is any prohibited practice implicated? Is the intended purpose in a high-risk area? Does the user need to know they are interacting with AI or seeing generated content? Does the product rely on a general-purpose AI model with its own documentation chain? Which party is provider, deployer, importer, distributor, or product manufacturer?
Actor role matters because the same company may have different duties when building a system, customizing it, deploying it internally, or reselling it. Product teams should not guess role from vibes; they should document facts and route the memo to counsel.
If the lesson coach only suggests practice resources and clearly lets teachers override it, the worksheet may focus on transparency, privacy, safety, and vendor governance. If the same system scores learners and those scores influence placement, access, or certification, the risk analysis changes materially and high-risk obligations may be in scope.
This reinforces module 1: intended purpose is not decorative metadata. It decides which evidence, controls, and legal questions matter.
| Option | Bucket | Product question | Evidence hint | When to choose | Cost | Complexity |
|---|---|---|---|---|---|---|
| Prohibited | Practices the regulation bans or restricts severely | Could the system manipulate, exploit vulnerability, or enable banned scoring or biometric use? | Block by design and document why feature is out of scope | Use at idea review. | Medium | Medium |
| High-risk | Regulated uses with stricter obligations | Does intended purpose affect education, employment, credit, law enforcement, migration, or similar listed domains? | Risk management, data governance, documentation, logging, human oversight, monitoring | Use before requirements freeze. | Medium | Medium |
| Transparency or GPAI | Disclosure and model-chain duties | Must users know AI is involved, or do upstream model obligations matter? | Notices, model cards, summaries, provider documentation, content labeling where relevant | Use before launch copy and vendor review. | Medium | Medium |
A readiness memo becomes useful when it names the controls and evidence a team must maintain.
A readiness memo becomes useful when it names the controls and evidence a team must maintain.
Why this matters: Connect risk class to implementation artifacts.
Decision this forces: Choose the right level of rigor for EU AI Act Basics: baseline, production design, or advanced optimization.
For a serious AI system, evidence lives in ordinary engineering artifacts: requirements, data governance records, evaluation results, incident reports, logs, human-oversight flows, monitoring dashboards, vendor documentation, and change-management notes. The goal is to prove the system was designed, tested, launched, and updated responsibly.
Even when a system is not high-risk, the same artifacts help. Transparency notices, data minimization, user feedback, and model-version logs make it easier to explain behavior and respond to incidents.
Controls: clear AI-use notice in the product; teacher-visible settings for feedback mode; no automated grading without explicit separate review; source citations for factual claims; learner-data retention rules; prompt and retrieval version logs; human escalation for contested feedback; monitoring for unsafe content, hallucinations, and fairness slices.
Evidence: classification memo, vendor/model documentation, data inventory, eval report, safety release checklist, incident playbook, and dated legal-review note. The memo says which controls are product commitments and which are legal assumptions awaiting counsel.
A lightweight classifier cannot replace counsel, but it can prevent product teams from skipping essential questions.
A lightweight classifier cannot replace counsel, but it can prevent product teams from skipping essential questions.
Why this matters: Write a simple readiness worksheet check.
worksheet = {
"system": "EU lesson coach",
"intended_purpose": "practice feedback and lesson recommendations",
"not_intended": ["grading", "admissions", "discipline"],
"eu_users": True,
"actor_role_guess": "deployer/provider facts need counsel",
"uses_student_data": True,
"human_oversight": "teacher can review and override",
"legal_review_required": True,
}
required = ["intended_purpose", "eu_users", "actor_role_guess", "human_oversight"]
missing = [k for k in required if not worksheet.get(k)]
assert not missing, f"missing AI Act classification facts: {missing}"
if worksheet["eu_users"] and worksheet["uses_student_data"]:
print("route to privacy and legal review before launch")The intended purpose changes, so the risk analysis and likely evidence obligations must be reopened before launch.
Check that any AI-generated summary cites Regulation (EU) 2024/1689 or official EU guidance, states the date of the claim, distinguishes risk categories, avoids legal advice certainty, and tells the team when counsel must review actor role and intended purpose.
AI Act readiness is a change-management habit, because intended purpose, vendors, guidance, and product scope evolve.
AI Act readiness is a change-management habit, because intended purpose, vendors, guidance, and product scope evolve.
Why this matters: Recall the AI Act worksheet from memory.
Decision this forces: Choose the right level of rigor for EU AI Act Basics: baseline, production design, or advanced optimization.
Answer this from memory: "How do I start an EU AI Act readiness review for an AI product?" Include intended purpose, users, EU exposure, actor role, risk bucket, transparency, GPAI dependency, data governance, human oversight, logging, monitoring, dated assumptions, and legal review.
Spaced recall: module 1 classified the lesson coach by intended purpose. The final memo must reopen if the product becomes a grader, admissions aid, employment screener, or other user-impacting system.
Pick one AI feature. Fill in system name, intended purpose, excluded uses, user groups, geography, actor role facts, risk category questions, transparency needs, data-governance controls, human oversight, logs, monitoring, vendor dependencies, legal-review owner, and date. Add a red box for facts that would change the classification.
Next rung: connect this to the safety release checklist so regulatory questions become launch gates rather than afterthoughts.
From memory, reconstruct an AI Act readiness worksheet: identify intended purpose, EU exposure, actor role, risk category, transparency duties, high-risk evidence, GPAI dependency, dated assumptions, and legal review path.
Create a one-page release-ready plan for EU AI Act risk classification worksheet for a customer-facing assistant. Include: the user problem, realistic input, mechanism, design choice, runnable or reviewable check, metric (risk category and obligations documented before release), failure case (the team treats all AI systems as equal and misses high-risk obligations), owner, and the next rung after this lesson.
An edtech startup builds an AI tool that gives students personalised study tips. Under the EU AI Act's risk-based structure, what is the FIRST question the team should answer before deciding on controls?
The Act's risk classification is driven by intended purpose first — the sector, use case, and affected population determine which risk bucket applies before any technical or organisational controls are chosen.
A university deploys a third-party AI tool to screen student scholarship applications. Under the EU AI Act, which statement best describes the university's role and its main obligation?
Deployers (organisations that put an AI system into use in their own context) carry distinct obligations — including impact assessments and human oversight — separate from the provider who built the system.
An education tool is classified as high-risk. Which combination of evidence artifacts is most directly required to support that classification?
High-risk systems require a risk management file, technical documentation, and evidence of human oversight — the Act ties the evidence burden directly to the risk class.
You originally classified your AI tutoring tool as 'limited risk' because it only answered general curriculum questions. The product team now wants to add a feature that automatically flags students as 'at risk of dropping out' and shares that flag with academic advisors. Why does this change in intended purpose require a fresh classification analysis, and what risk bucket might the tool now fall into?
Intended purpose is not static — adding a consequential decision-making feature (dropout flagging) can move a tool from a lower risk tier into the high-risk category, triggering a completely different set of compliance obligations.
A colleague shares an AI-generated summary of the EU AI Act and says 'this covers everything we need to know.' What is the most important caveat to raise before relying on that summary for compliance decisions?
AI Act guidance evolves as implementing acts and national authority interpretations are published; an undated or uncaveated AI-generated summary may be stale or oversimplified, making source-date verification and professional legal review essential before acting on it.