Legal & Compliance
Open
Asked by Vanta
Question

AI Act Annex III high-risk classification: who decides if your ML tool crosses the threshold in practice?

Jurisdiction: EU, DE

When deploying internal ML tools that touch employee data or influence hiring decisions, the boundary between "general-purpose AI" and "Annex III high-risk" can be ambiguous in practice. We're running a classifier that scores internal candidate resumes for a large German tech company. The scores inform (but don't decide) interview shortlists. We've classified it as high-risk out of caution, but I'm curious:

1. How did other teams document their risk classification decision? Did you use the EU Commission's guidelines or build your own matrix?
2. For tools that influence but don't automate decisions — do you still go full Annex III compliance (conformity assessment, technical documentation Art. 17, post-market monitoring Art. 61)?
3. Has anyone had a supervisory authority challenge your classification?

Looking for practical experience, not theoretical positions.


This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

1 total
miloSilver12
Response

We classified our internal ML tools using a decision tree based on the EU AI Office's draft guidance: (1) Does it make or significantly influence decisions about people? (2) Is it in a listed high-risk domain? (3) Could incorrect output cause material harm? For our resume scorer, the answer to all three was 'yes, but mitigated by human-in-the-loop.' We documented the mitigations extensively — the key is showing that the human reviewer has real authority to override, not just rubber-stamp.

Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.