Represent Risk Level classifications for AI/Systems in AI Act

[coolharsh55]

Provide concepts to represent risk levels of AI/Systems as per the AI Act, for example as:

• Prohibited
• Classified as High Risk
  • as per Annex I
  • as per Annex III
• Classified as (moderate risk?) Transparency required
• Classified as none of the above (low risk?)

[coolharsh55]

Parent concept in AI Act extension: RiskClassificationLevel with specific concepts as -

1. RiskLevelUnacceptable or RiskLevelProhibited (AI Act term)
2. RiskLevelHigh (high-risk) (RiskLevel as common prefix, otherwise HighRisk, ModerateRisk are not alphabetically grouped together)
   a. RiskLevelHighAnnexI (AI Act term)
   b. RiskLevelHighAnnexIII (AI Act term)
3. RiskLevelModerate or RiskLevelLimited (industry term) or RiskLevelTransparencyRequired (AI Act term)
4. RiskLevelLow or RiskLevelMinimal (industry term)
5. RiskLevelUnclassified (not classified under above)
6. RiskLevelUnregulated (not regulated under AI Act i.e. not subject to AI Act)
7. RiskLevelUnknown (risk level under AI Act is unknown)

To represent specific instances of risk categorisations of activities, we have discussed templates that can be used e.g. to check if a process is high-risk or not. For this, we can have ProcessTemplate as a concept (somewhere) which is then extended in AI Act as HighRiskProcess and then as AnnexIHighRiskProcess and AnnexIIIHighRiskProcess where the process specifies the components and the risk level. E.g.

eu-aiact:XYZ a eu-aiact:AnnexIIIHighRiskProcess ;
  dpv:hasPurpose dpv:Something ;
  ai:hasTechnique ai:Something ;
  dpv:hasRisk risk:Something ;
  dpv:hasRiskLevel eu-aiact:RiskLevelHighAnnexIII .

[bact]

I wonder how this can be mapped to four risk levels in EU general risk assessment methodology ("serious", "high", "medium", "low").

https://ec.europa.eu/docsroom/documents/17107 (top of page 5)

[coolharsh55]

@bact that's a different categorisation of risk level (for a product) which is aligned with what we have in the RISK extension (see use of risk matrix there). The concepts proposed here are aligned to the AI Act, which isn't strictly a "risk level" (which is a misinterpreted term used by the community) but more accurately a "regulation level".

[bact]

That's clear. Thank you.

[coolharsh55]

(using dpvbot:) This was discussed in Meeting 2025-04-24
Agreed to add the risk levels aligned with AI Act as 1) Prohibited; 2) High-risk with further distinction between Annex I and III; 3) Transparency Required; and 4) Minimal; with 5) Unknown for completing the enumeration of possible states. There should be guidance clarifying these represent the level of regulation i.e. a deciding factor or an assessment of the obligations subject to under the AI Act even if the term risk level is used.

(edit: I accidentally deleted my previous comment from last week -- but it says pretty much the same stuff as above)