Decoding the AI Act: A first look at the Commission’s "high-risk" draft guidelines

Show Notes

The European Commission just dropped its highly anticipated first set of draft guidelines on high-risk AI classification under the AI Act—all 150 pages of them. Published for stakeholder consultation on May 19th, 2026, this document is the closest thing we have to a compliance manual for navigating Article 6 and Annex III of the Act. 

In this episode of the Privacy Partnership Podcast, Robert Bateman digs into the details to explain what the Commission considers "high-risk," how the exemption filters actually work, and why some common loopholes that tech companies might hope to rely on are being firmly closed. 

In this episode, we discuss:

* The Two Routes to "High-Risk": Understanding the difference between product safety components (Annex I) and stand-alone use cases (Annex III).

* The Article 6(3) Filter Mechanism: How to exempt your system if it performs narrow procedural or preparatory tasks—and why making a "value judgment" instantly voids the exemption.

* The Profiling Red Line: Why any AI system that performs profiling (as defined by the GDPR) is automatically classified as high-risk, with no exceptions.

* The "Terms of Service" Trap: Why general-purpose AI providers can't simply slap a disclaimer in their fine print to dodge a high-risk classification if their marketing says otherwise.

* Agentic AI & Complex Systems: How the Commission plans to treat multi-component AI systems that coordinate linked actions. (Spoiler: You can't partition your way out of compliance).

* The "Human in the Loop" Myth: Why human oversight is a post-classification compliance requirement, not a ticket out of a high-risk designation. 

* Shifting Deadlines: A look at the newly postponed enforcement dates for Annex I and Annex III obligations.