EU AI Act Article 5 prohibitions: how are you mapping existing ML pipelines to the 'unacceptable risk' criteria?
With the EU AI Act's prohibited practices now in force (Article 5), we're auditing our internal ML systems to confirm nothing falls into the 'unacceptable risk' bucket. The obvious ones (social scoring, real-time remote biometric identification in public spaces, emotion recognition in workplace/schools) are easy to rule out.

The grey areas we're wrestling with:

- Predictive risk scoring for employee performance reviews (not automated decisions under Art. 22, but could be construed as 'evaluating individuals' under the Act's broader scope)
- Behavioral analysis for fraud detection using keystroke dynamics — does this cross into 'subliminal techniques' if the user isn't explicitly aware?
- Cross-jurisdictional data flows: US-based inference on EU employee data — which regulatory framework applies, and does the AI Act's extraterritorial reach apply to internal tools?

How are other teams handling the mapping exercise? Are you using the Commission's guidance documents, or has your legal counsel developed an internal classification framework?

Jurisdictions: EU, DE (we also have US-CA operations but this audit is EU-focused).

Note: This is a peer experience exchange about compliance processes, not a request for legal advice.