v2.4.0 | Report Errata
docs getting-started docs getting-started

Phase 1: Discovery & Classification — Owner & Outputs

Phase 1 runs during Weeks 1 to 3. The AI System Assessor owns this phase.

The objective is to determine whether the system falls within the AI Act’s scope, classify its risk tier, and produce the Classification Decision Record. The Assessor examines the system against the Article 3(1) definition by asking three questions: (1) is the system designed to operate with varying levels of autonomy; (2) may it exhibit adaptiveness after deployment; and (3) does it infer from inputs how to generate outputs such as predictions, content, recommendations, or decisions? All three elements must be present for the system to fall within scope. The Assessor then classifies in-scope systems against the four risk tiers: prohibited (Article 5), high-risk (Articles 6–7 and Annex III), limited risk, or minimal risk.

For systems falling within Annex III categories, the Assessor evaluates the Article 6(3) exception by testing the functional criterion and the risk criterion separately. The functional criterion covers whether the system performs narrow procedural tasks, improves previously completed human activities, or detects decision-making patterns without replacing human assessment. The risk criterion covers whether the system poses a significant risk of harm to health, safety, or fundamental rights.

The Classification Reviewer independently reviews the Assessor’s determination. Disagreements are escalated to the AI Governance Lead. This independent review is a structural safeguard against classification bias, where the team developing a system may have incentives to classify it at a lower risk tier.

Key outputs

  • Classification Decision Record (CDR)
  • Initial risk profile identifying triggered regulatory obligations
  • Evidence pack with source materials informing the classification

Phase 1: Governance Gate (CDR Approval)

Phase 1 concludes with a governance gate: the AI Governance Lead must approve the Classification Decision Record before Phase 2 begins.

This gate serves several purposes. It ensures that the classification has been independently reviewed and that any disagreement between the AI System Assessor and the Classification Reviewer has been resolved. It confirms that the CDR is current, that no reclassification triggers have been activated, and that the classification rationale remains sound given the system’s deployment context. Where the Article 6(3) exception is claimed, both the Legal and Regulatory Advisor and the AI Governance Lead must review the claim.

The gate also establishes the scope of subsequent work. A high-risk classification triggers the full twelve-module AISDP, conformity assessment, CE marking, and EU database registration. A limited-risk classification triggers a Standard AISDP: a reduced documentation package addressing the transparency obligations under Article 50, covering system identity, intended purpose, transparency measures, and the classification rationale. A minimal-risk classification requires only a Baseline AISDP: a lightweight record confirming the classification analysis, the system’s intended purpose, and the date of determination. Misclassification at this stage propagates through the entire lifecycle; a system incorrectly classified as limited-risk that later proves to be high-risk will lack the documentation, testing, and governance infrastructure that should have been in place from the outset.

A system that has drifted from its intended purpose into a higher-risk domain since its original classification requires reclassification before risk assessment proceeds. The gate enforces this check explicitly.

Key outputs

  • Approved CDR with AI Governance Lead sign-off
  • Confirmed scope for subsequent AISDP preparation
On This Page