
AI risk classification — EU AI Act high-risk + GPAI + NIST risks

Primary statement

AI risk classification per EU AI Act Art 6 high-risk + Art 7 Annex III dynamic amendments + Art 51 GPAI systemic risk + NIST AI RMF MEASURE-3 risk tracking + MEASURE-2.8 transparency/accountability + MeitY.

Audit-fatigue payoff

A unified AI risk classification — EU AI Act + GPAI + India + NIST risk dimensions — satisfies AI risk classification across all 3 contributing frameworks.

Strictness matrix

Scope
AI systems classified high-risk per Art 6 (Annex I product-embedded OR Annex III use-based). Plus GPAI per Art 51.
Ceiling source: eu_ai_act:Art.6
Rationale: EU AI Act Art 6 + Art 51 cover the broadest risk scope.

Threshold
GPAI systemic risk — high-impact capabilities OR ≥10^25 FLOPs cumulative training compute. Measurable.
Ceiling source: eu_ai_act:Art.51
Rationale: EU AI Act Art 51 GPAI threshold is uniquely measurable.

Method
Per-system risk classification + Annex I + Annex III + Annex III Commission amendments monitoring (Art 7) + GPAI systemic risk assessment + NIST MEASURE-3 tracking.
Ceiling source: eu_ai_act:Art.6
Rationale: EU AI Act Art 6 + Art 7 + Art 51 + NIST combined are most prescriptive.

Frequency
Per-system classification at inception + on material change. Annex III monitoring continuous (Commission amendments). GPAI threshold monitoring continuous.
Ceiling source: eu_ai_act:Art.7
Rationale: Continuous monitoring with per-system classification is the cadence.

Evidence
Risk classification methodology + per-system classification + Annex III monitoring + GPAI threshold tracking.
Ceiling source: eu_ai_act:Art.6
Rationale: EU AI Act Art 6 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect risk classification methodology.
Step 2: Sample one AI system; verify classification.
Step 3: For GPAI, verify systemic risk threshold tracking.
Step 4: Verify Annex III monitoring.

Common findings

(1) Risk classification absent — generic risk register only
(2) Annex III monitoring absent
(3) GPAI threshold not tracked
(4) India-specific overlay absent