EU AI Act high-risk classification: draft guidelines

Q: What does the draft say about Article 12 record-keeping?

Almost nothing. The draft guidelines are scoped to classification only. Paragraph 4 of the General Principles states the scope is limited to whether an AI system is high-risk or not. The Guidelines will be complemented in the future with other Commission guidelines aimed to facilitate compliance with the requirements for high-risk AI systems and the obligations for providers and deployers. Article 12 appears in the Annex III chapter as an operational cross-reference, not interpretive guidance. The substantive interpretation of what Article 12 requires sits with the harmonised standards in development under CEN-CENELEC JTC 21 (prEN 18229-1, in Enquiry from 23 January 2026) and ISO/IEC JTC 1/SC 42 (ISO/IEC DIS 24970, DIS ballot closed 11 February 2026).

01 · THE DRAFT, THE CONSULTATION

The 19 May 2026 draft · what it is, what it is not.

The Commission tabled the draft guidelines on 19 May 2026 under Article 6(5) of the AI Act, in three documents: a General Principles section, an Annex I chapter on the regulated-product route, and an Annex III chapter on the use-case-list route. The Annex III chapter runs to 148 pages. The targeted consultation runs to 23 June 2026, 22:00 CET. Anyone with an interest in the development, deployment, supervision or use of AI systems may contribute via the EUSurvey form linked from the Commission's Digital Strategy consultation page.

Paragraph 4 of the General Principles fixes the scope of the document.

"The scope of these Guidelines is limited only to high-risk classification whether an AI system is high-risk or not. The Guidelines will be complemented in the future with other Commission guidelines aimed to facilitate compliance with the requirements for high-risk AI systems and the obligations for providers and deployers." Commission draft guidelines · General Principles §4 · 19 May 2026

The guidelines tell a provider whether the system is in scope. They do not tell the provider what to do once it is. The obligations chapter — Article 11 technical documentation, Article 12 record-keeping, Article 13 transparency, Article 14 human oversight, Article 15 accuracy and robustness and cybersecurity, Annex IV — is left to a separate future Commission instrument. The draft is the door. The obligations are the room.

The guidelines are not binding. The Commission's framing at §6 is unambiguous: any authoritative interpretation of the AI Act may ultimately only be given by the Court of Justice of the European Union. The draft also notes that the AI Office is available to provide additional support to operators and authorities through the AI Act Service Desk on the Single Information Platform, and through the AI regulatory sandboxes to be established by 2 August 2027 under the Omnibus deferral.

02 · THE AGENTIC LINE

Paragraph 75 · the unit of assessment is the system, not the step.

The most consequential paragraph in the Annex III chapter for any builder shipping agents into regulated work is paragraph 75. It extends the Act's unified-assessment principle to agentic AI directly.

"Where several AI systems form part of a more complex AI system, so that their combined intended purpose or joint outputs materially influence an individual decision, the combined configuration is treated as a single AI system for the purpose of high-risk classification. To avoid circumvention of the high-risk classification rules by system design, split architectures are assessed as a whole. Where the components of an AI system are configured as intended to be used for a use case listed in Annex III AI Act, the combined system will be classified as high-risk pursuant to Article 6(2) AI Act. Even if certain modules on their own may be exempt under Article 6(3) AI Act, these exemptions do not apply if the overall system's configuration and functioning influence key aspects of the decisions made with the AI system's support in the context of the high-risk use case. This principle also extends to complex, interconnected setups like agentic AI systems that coordinate and interact through linked actions as long as these linked actions or components serve in conjunction an intended high-risk purpose." Commission draft guidelines · Annex III chapter §75 · 19 May 2026

The reading is direct. Where the linked actions in conjunction serve an intended high-risk purpose, the unit of assessment is the system, not the step. An agent is not exempt because no single step looks high-risk. If the linked actions together serve a high-risk purpose, the whole system is classified high-risk.

The principle is conditional, not universal. Not every agentic system is automatically assessed end-to-end. Only those whose linked components in conjunction serve an Annex III purpose. The conditional matters. It is the same conditional that runs through the rest of the classification logic: intended purpose is read from the totality of how the provider presents and configures the system, not from any single component's nominal label.

03 · TWO ROUTES IN

Two routes to high-risk · Article 6(1) + Annex I, or Article 6(2) + Annex III.

The AI Act classifies a system as high-risk through one of two routes. The first runs through Article 6(1) and Annex I: the AI is itself a product, or a safety component of one, covered by Union harmonisation legislation listed in Annex I, and required to undergo third-party conformity assessment. Annex I includes, among other regulated product files, machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft, cableway installations, appliances burning gaseous fuels, medical devices, in vitro diagnostic medical devices, and products in the automotive and aviation sectors. A system in this route inherits the AI Act high-risk obligations on top of the existing sectoral file.

The second route runs through Article 6(2) and Annex III. The system's intended purpose falls within one of the eight listed areas. Annex III enumerates them.

area 1

Biometrics — remote biometric identification, biometric categorisation, emotion recognition (in scope where permitted under other Union law). READING · Annex III point 1, subpoints (a), (b), (c)

area 2

Critical infrastructure — safety components of critical digital infrastructure, road traffic, supply of water / gas / heating / electricity. READING · Annex III point 2

area 3

Education and vocational training — admission decisions, learning-outcome evaluation, level-of-education assessment, monitoring and detecting prohibited behaviour of students. READING · Annex III point 3, subpoints (a)–(d)

area 4

Employment, workers' management and access to self-employment — recruitment / selection, managing work-related relationships. READING · Annex III point 4, subpoints (a)–(b)

area 5

Access to essential private and public services and benefits — eligibility for essential public assistance, creditworthiness, life and health insurance risk-assessment and pricing, emergency-call triage. READING · Annex III point 5, subpoints (a)–(d)

area 6

Law enforcement — victim-risk assessment, polygraph-equivalent tools, evidence reliability, offending / reoffending assessment, profiling for the detection / investigation / prosecution of criminal offences. READING · Annex III point 6, subpoints (a)–(e)

area 7

Migration, asylum and border control management — polygraph-equivalents, risk assessment of persons seeking entry, asylum / visa / residence application assistance, detection / recognition / identification (excluding travel-document verification). READING · Annex III point 7, subpoints (a)–(d)

area 8

Administration of justice and democratic processes — assisting judicial authorities or in alternative dispute resolution, influencing the outcome of elections or referendums. READING · Annex III point 8, subpoints (a)–(b)

Point 5(b) of Annex III, the financial-services anchor, classifies AI systems intended to evaluate the creditworthiness of natural persons or establish their credit score (with a narrow exception for fraud detection). The guidelines are blunt on the reach of this provision at §297.

"Where an AI system is intended to be used to establish such a score for the purpose of determining the access to financial resources or essential services such as housing, electricity, and telecommunication services, it should be classified as high-risk regardless of other purpose the AI system may have." Commission draft guidelines · Annex III chapter §297 · 19 May 2026

Doing creditworthiness as a side-effect does not save the system. The intended purpose includes the high-risk use case where the system is configured to materially support it.

04 · THE FILTER, THE FLOOR

Article 6(3) · the exemption mechanism, and the one floor inside it.

Article 6(3) lets a provider exempt a system from high-risk classification, even where the system would otherwise fall in Annex III, if at least one of four alternative conditions is met. The conditions are alternative, not cumulative. They are exhaustive. The General Principles set them out at paragraphs 84 through 90.

§ 6(3)(a)

The AI system is intended to perform a narrow procedural task. READING · categorising, formatting, structuring, or de-duplicating data without performing a value judgement on it

§ 6(3)(b)

The AI system is intended to improve the result of a previously completed human activity. READING · ex-post refinement that does not revert or replace the underlying human assessment

§ 6(3)(c)

The AI system is intended to detect decision-making patterns or deviations from prior decision-making patterns, and is not meant to replace or influence the previously completed human assessment without proper human review. READING · quality-assurance comparative pattern detection on previously completed human work

§ 6(3)(d)

The AI system is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III. READING · indexing, searching, processing, or linking — adding structure to inputs without producing an assessment itself

The filter narrows. One hard floor lives inside it.

Paragraph 89 of the General Principles establishes that floor.

"Third, the third sub-paragraph of Article 6(3) AI Act provides that an AI system referred to in Annex III shall always be classified as high-risk where the system performs profiling within the meaning of Article 4(4) of Regulation (EU) 2016/679 or Article 3(4) of Directive (EU) 2016/680 or Article 3(5) of Regulation (EU) 2018/1725." Commission draft guidelines · General Principles §89 · 19 May 2026

Profiling under GDPR Article 4(4) is automated processing of personal data carried out to evaluate personal aspects relating to a natural person. If the system performs profiling, the Article 6(3) filter does not apply. The system is high-risk. The floor is hard.

Paragraph 90 closes the second escape: even where a single module of an AI system performs a narrow procedural task on its own, that module cannot benefit from the filter where it forms part of a complex interconnected setup whose combined intended purpose materially influences a high-risk decision. This is the same logic that runs through paragraph 75. The classification regime treats the system as a whole.

05 · INTENDED-PURPOSE DEEMING

Paragraph 12 and paragraph 14 · the deeming rule, and the deployer-becomes-provider rule.

The most operationally consequential pair of paragraphs in the entire draft, for any provider whose product is general-purpose by construction, sits at paragraphs 12 and 14 of the General Principles. Together they close the two main routes a vendor might otherwise use to disclaim the high-risk classification: writing the disclaimer into the terms of service, and pushing the high-risk use case onto the deployer.

"If the instructions for use, contractual arrangements, terms of service, usage policy, promotional and sales materials, or the technical documentation present the AI system as broadly applicable across a generality of contexts and functions, and do not consistently limit its application or exclude high-risk uses, the system's intended purpose will be deemed to also encompass high-risk use cases and therefore qualify as high-risk. … merely asserting (for example in the terms of service) that high-risk uses are excluded is insufficient to avoid the system from being considered high-risk, where the provider's overall presentation, examples, or product positioning effectively provides for or promotes such uses." Commission draft guidelines · General Principles §12 · 19 May 2026

The ToS disclaimer does not save the provider. The intended purpose is read from the totality of how the system is presented and configured, not from any single sentence the provider asserts about its scope.

Paragraph 14 closes the chain to deployers. Under Article 25(1) AI Act, a deployer or third party becomes subject to the provider's obligations if any of three things happen: the deployer puts their name or trademark on a high-risk AI system already placed on the market or put into service; the deployer makes a substantial modification to such a system in a way that it remains high-risk; or the deployer modifies the intended purpose of an AI system, including a general-purpose AI system, in a way that the system becomes high-risk under Article 6.

For agents — general-purpose by construction, deployed by someone else into a specific context — that is most deployments. The model provider, the orchestration vendor, and the deploying enterprise can each end up holding provider obligations under paragraph 14 / Article 25(1) depending on whose name lands on the system and how the intended purpose is configured at the customer site.

06 · THE CALENDAR MOVED

The Digital Omnibus · application moved, content did not.

Paragraph 448 of the General Principles records the calendar shift directly inside the draft text.

"According to Article 113 AI Act, Article 6(2) and the corresponding obligations for high-risk AI systems classified under that provision will apply as from 2 August 2026, whereas Article 6(1) and the corresponding obligations for high-risk AI systems classified under that provision will apply as from 2 August 2027. These dates are now postponed with the AI Omnibus to 2 December 2027 and 2 August 2028 respectively." Commission draft guidelines · General Principles §448 · 19 May 2026

For Annex III high-risk obligations, the application calendar moved. The substantive obligations did not. Article 12 still binds the provider to technically allow for the automatic recording of events over the lifetime of the high-risk system. Article 13 still binds the same provider to ship instructions for use sufficient to enable the deployer to interpret outputs. Annex IV still specifies the nine-section technical documentation file under Article 11.

The 2026-05-07 Council and Parliament provisional agreement on the Digital Omnibus is the political agreement behind the date shift. Until Council formal endorsement, Parliament formal endorsement, legal-linguistic revision, and publication in the Official Journal complete, the AI Act as enacted in Regulation (EU) 2024/1689, with its Article 113 application calendar, is the binding instrument. The draft guidelines treat the deferred dates as effective, which signals progress in the adoption process. Provisional, pending OJEU, remains the legally accurate status.

"For Annex III high-risk obligations, the application calendar moved; the substantive obligations did not."Warrant Compliance · 2026-05-22

07 · WHAT THE GUIDELINES DO NOT COVER

The classification-versus-obligations gap · and where it lands.

The guidelines are explicit about what they do not cover. Paragraph 4 limits their scope to classification. The obligations side — Article 11 documentation, Article 12 record-keeping, Article 13 transparency, Article 14 oversight, Article 15 accuracy and robustness and cybersecurity, Annex IV — sits in a future Commission guidance instrument that has not yet been tabled.

The asymmetry is structural, not accidental. Article 12 sits in the deferred bucket. The interpretive work on what Article 12 actually requires — what counts as adequate records, how lifetime is measured, what the deployer must retain under Article 26(6), and what makes a record independently verifiable without contacting the provider — is the work that the harmonised standards are still doing.

The CEN-CENELEC harmonised standard for Article 12 / 13 / 14, prEN 18229-1 (Trustworthiness Framework Part 1 — Logging + Transparency + Human Oversight), entered CEN Enquiry on 23 January 2026. The international companion, ISO/IEC DIS 24970 (AI System Logging), closed its DIS ballot on 11 February 2026. Neither has yet been published as a final harmonised standard. With prEN 18229-1 still in Enquiry / draft and ISO/IEC DIS 24970 not yet at FDIS, the boundary between what a system logs and what becomes a record mapped to a specific EU AI Act obligation is not yet a settled industry pattern.

That boundary is an evidence-engineering question, not a classification one. Classification decides whether the system is in the room. The audit trail is what the provider says when the regulator asks what happened. The two questions are adjacent, not the same.

Sample EU evidence package · Warrant registerINDEPENDENTLY VERIFIABLE WITHOUT CONTACTING WARRANT

→ /v/7de85ceaeac42a47

The work the Commission has chosen to defer to a future instrument — the interpretation of Article 12 record-keeping under Annex III — is the work warrant addresses. The evidence package is a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant. It is the answer to what happened, not the answer to is the system high-risk. Classification is the door. The audit trail is what is said in the room.

08 · FAQ

Questions a compliance officer asks first.

Is the 19 May 2026 draft binding law?

No. The draft is the Commission's interpretation of Article 6 with practical examples, issued under Article 6(5) AI Act for stakeholder consultation. The guidelines are not binding. They are open for input from anyone with an interest in the development, deployment, supervision or use of AI systems, with submissions via EUSurvey until 23 June 2026, 22:00 CET. After the consultation closes the Commission consults the AI Board, may issue a further round of stakeholder feedback, and then adopts a finalised version. Authoritative interpretation of the AI Act remains with the Court of Justice of the European Union.

What does paragraph 75 actually say about agentic AI?

Paragraph 75 of the Annex III chapter extends the unified-assessment principle to interconnected setups: where the components of an AI system are configured as intended to be used for a use case listed in Annex III, the combined system is classified as high-risk under Article 6(2). The closing sentence is explicit on agentic systems: this principle also extends to complex, interconnected setups like agentic AI systems that coordinate and interact through linked actions, as long as these linked actions or components serve in conjunction an intended high-risk purpose. The principle is conditional, not universal. It applies where the linked actions in conjunction serve an Annex III purpose.

Can a provider exempt their system from high-risk via the Article 6(3) filter?

Yes, where one of the four alternative conditions in Article 6(3) is met. The conditions are: the system performs a narrow procedural task; or improves the result of a previously completed human activity; or detects decision-making patterns or deviations without replacing or influencing the previously completed human assessment; or performs a preparatory task to an assessment relevant for the Annex III use cases. The conditions are alternative, not cumulative. The self-assessment is the provider's responsibility, supervised by the competent market surveillance authority. The provider must also register the system in the EU database under Article 49(2) and retain documentation of the assessment for ten years.

Does profiling allow the Article 6(3) filter?

No. Paragraph 89 of the General Principles sets a hard floor: the third sub-paragraph of Article 6(3) provides that an AI system referred to in Annex III shall always be classified as high-risk where the system performs profiling within the meaning of Article 4(4) of Regulation (EU) 2016/679. Profiling under GDPR Article 4(4) is automated processing of personal data carried out to evaluate personal aspects relating to a natural person — performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, movements. If the system performs profiling, the Article 6(3) filter does not apply.

Does the Digital Omnibus deferral change the substantive obligations?

No. The 2026-05-07 Council and Parliament provisional agreement defers the Annex III standalone high-risk application date from 2 August 2026 to 2 December 2027, and the Annex I embedded high-risk date from 2 August 2027 to 2 August 2028. The substantive obligations under Articles 9, 11, 12, 13, 14, 15, 17, 26, 47 and Annex IV are not amended. For Annex III high-risk obligations, the application calendar moved; the substantive obligations did not. Until Council formal endorsement, Parliament formal endorsement, legal-linguistic revision, and publication in the Official Journal complete, the AI Act as enacted continues to govern. The provisional agreement is recorded inside the draft guidelines at paragraph 448, indicating the Commission is treating the deferred dates as effective for interpretive purposes.

What does the draft say about Article 12 record-keeping?

Almost nothing of interpretive substance. The draft guidelines are scoped to classification only. Paragraph 4 of the General Principles states the scope is limited to whether an AI system is high-risk or not. The Guidelines will be complemented in the future with other Commission guidelines aimed to facilitate compliance with the requirements for high-risk AI systems and the obligations for providers and deployers. Article 12 appears in the Annex III chapter as an operational cross-reference, not interpretive guidance. The substantive interpretation of what Article 12 requires sits with the harmonised standards in development under CEN-CENELEC JTC 21 (prEN 18229-1, in Enquiry from 23 January 2026) and ISO/IEC JTC 1/SC 42 (ISO/IEC DIS 24970, DIS ballot closed 11 February 2026). Neither standard is yet published.

09 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance. [email protected]. Statutory reading on a draft Commission interpretation. Not legal advice. The 19 May 2026 guidelines are not binding; they are the Commission's interpretation under Article 6(5) AI Act, open for stakeholder consultation until 23 June 2026, 22:00 CET. The Digital Omnibus on AI is provisional pending Council and Parliament formal endorsement, legal-linguistic revision, and publication in the Official Journal of the European Union. We will update this entry as the consultation concludes and the formal-adoption process proceeds.