The EU AI Act Turns Your Product Positioning Into a Compliance Surface
The fine print will not save you.
That is what the European Commission's draft high-risk AI classification guidelines, published May 19, tell any company that has spent years describing its AI tool as a decision-support system while the tool quietly makes the decision. The consultation on those guidelines closes June 23. After that, the Commission's interpretation becomes the de facto enforcement standard.
The core mechanism is provider self-assessment. Under the AI Act, a company decides for itself whether its AI system is high-risk, based on the system's intended purpose. What the guidelines make newly explicit is that intended purpose is not just what the terms of service say it is. It is what the promotional materials describe, what the documentation states, what the product page implies.
The shape of the problem is not hypothetical. HireVue, one of the largest AI hiring platforms, describes its platform as providing "powerful data that supports smarter hiring decisions" and enabling "strong and objective decision support." Its platform page states algorithms "can then help to reduce hiring bias and make the process more fair." The language is consistent: the AI assists the human, who decides.
But the Ropes & Gray analysis cites a UK Information Commissioner's Office finding that employers routinely believe they use decision-support tools when, in practice, those tools are making fully automated decisions with no meaningful human involvement. The gap between how a tool is marketed and how it functions is exactly what the Commission's self-assessment mechanism targets. The question a regulator will ask is not what the marketing says the tool does — it is what the tool actually does to the outcome.
Under the new guidelines, that gap becomes legally consequential. A vendor cannot describe an AI as "decision support" in its marketing, build a product that produces ranked candidate lists with no meaningful human override, and then rely on a ToS clause excluding automated decision-making to escape high-risk classification. The marketing language is evidence of intended purpose. The two must be consistent. If they are not, the regulator reads both and asks what the tool actually does.
Human-in-the-loop, the guidelines confirm, is a compliance obligation after classification. It is not a mechanism to avoid classification. The only way to avoid high-risk obligations is to not cross the threshold in the first place.
The narrower escape route also closes more than it opens. The Article 6(3) filter allows a system to avoid high-risk classification even after falling within a listed use case if it performs only narrow procedural tasks. But the guidelines are direct: systems that rank, score, or make value judgments on individuals do not qualify. If the AI produces a ranked candidate list, the filter does not apply. If the AI profiles candidates under the GDPR definition, the system is high-risk automatically. There is no procedural workaround.
The consequences are not abstract. High-risk classification requires building a risk management system, maintaining technical documentation, implementing data governance controls, enabling human oversight, and completing a conformity assessment before a single sale. The fines for getting it wrong are €30 million or 6% of global annual turnover, whichever is higher.
The implementation timeline gives companies room to act, but not much. Annex III obligations for standalone systems — biometrics, critical infrastructure, education, employment, migration, asylum, and border control — apply from December 2027. Annex I obligations for embedded products apply from August 2028.
The strategic question is what happens in the consultation window. Vendors who believe their products cross the high-risk threshold face a choice: narrow the stated intended purpose in their consultation submissions and product materials before June 23, or begin building the compliance infrastructure the guidelines require. The Commission will see what vendors say in this window. The next round of guidance — on the substantive compliance obligations — will be calibrated against what it observes.
The guidelines are non-binding. Only the Court of Justice of the EU can give authoritative interpretations of the Act. But the Commission's position is the opening move in an enforcement conversation that will run for years. The fine print will not save you. The question is what your marketing says.