The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence, and it is the most consequential piece of legislation you will encounter on the AIGP exam. Yet most candidates approach it as a list of definitions to memorise. That is the wrong frame. The Act is a risk architecture — a structured hierarchy of harm, obligation, and enforcement that you must be able to navigate quickly under exam pressure.
This guide maps every tier of the risk pyramid to its real-world regulatory impact, enforcement dates, and the specific exam traps that separate passing candidates from failing ones. All content is aligned to the 2025/2026 AIGP Body of Knowledge (v2.0.1) and reflects the "AI Omnibus" updates that expanded the list of prohibited practices in force since February 2025.
The Risk-Based Architecture: Why It Matters for the Exam
The Act's foundational principle is proportionality: the more dangerous the AI system, the heavier the compliance burden. Risk is not determined by the underlying technology or the sophistication of the model. It is determined by the intended purpose and deployment context. A chatbot is a limited-risk system when used for customer service; it becomes a high-risk system the moment it is deployed to triage medical patients. This context-dependence is the single most tested concept across all AIGP exam forms.
The Act also has extraterritorial reach. It applies to any provider, deployer, importer, or distributor whose AI system's outputs affect persons within the European Union — regardless of where that organisation is headquartered. A company based in Singapore that uses a credit-scoring model affecting EU residents is fully within scope.
Tier 1: Unacceptable Risk — The Nine Prohibitions
Prohibited practices represent AI applications the EU legislature determined pose such a fundamental threat to human dignity and fundamental rights that no compliance framework can adequately mitigate them. The "AI Omnibus" update expanded the original list to nine prohibited categories, all enforceable since February 2025.
The exam tests candidates' ability to identify the boundary conditions — the narrow exceptions that make a prohibited practice legal in very specific circumstances. Memorising the prohibitions is necessary but insufficient. You must know where the exceptions sit.
⚠ High-Probability Exam Trap: The Article 25 Provider Shift
A Deployer becomes a Provider — and assumes all provider obligations — in three specific scenarios: (1) they place their own name or trademark on a high-risk AI system already on the market, (2) they make a substantial modification to a high-risk system that keeps it high-risk, or (3) they modify the intended purpose of a non-high-risk system so that it becomes high-risk. Exam questions frequently present a scenario where a company "rebrands" a vendor's model — the correct answer is that they have become the provider.
Tier 2: High-Risk AI — The Compliance Core
High-risk AI represents the regulatory centre of gravity in the Act. The compliance obligations here — risk management systems, data governance, technical documentation, human oversight — are the subject of the majority of AIGP exam questions. A system reaches high-risk status through one of two channels.
Channel 1 — Annex I Products: The AI system is used as a safety component in a product already governed by existing EU safety legislation, such as medical devices, machinery, or toys. The risk classification flows from the product category.
Channel 2 — Annex III Use Cases: The system falls within one of eight specific deployment contexts that the legislature identified as carrying a significant risk of harm or discrimination, regardless of the underlying technology.
The Eight High-Risk Annex III Use Cases
Article 6(3) — The Narrow Non-High-Risk Exception
A system otherwise falling within an Annex III area is not classified as high-risk if it performs a narrow procedural task (e.g. converting unstructured data to structured format), merely improves the tone of a document, or detects patterns without overriding human review. Critical exam rule: this exception never applies if the system is used for profiling. Candidates frequently overlook this absolute carve-out and select the exception when a profiling element is present.
Mandatory Obligations for High-Risk Providers
For every high-risk system that clears Article 6(3), the provider must implement and maintain a comprehensive compliance stack before placing the system on the EU market. The exam frequently asks which obligation applies in a specific fact pattern — understanding the purpose behind each requirement is more reliable than rote memorisation.
Four Case Studies That Defined the Risk Tiers
The AIGP exam is case-study-driven. The EU AI Act's high-risk categories were not invented by legal theorists — they emerged directly from documented failures that caused real harm to real people. Knowing the case that corresponds to each sector allows you to answer scenario questions with precision rather than guesswork.
Tier 3: Limited Risk — Transparency Under Article 50
Limited-risk systems are not regulated out of existence — they are regulated into honesty. The obligation is disclosure, not conformity assessment. Article 50 requires that humans know when they are interacting with AI, when content is AI-generated, and when AI is analysing their emotions or biometric characteristics.
Transparency violations carry fines of up to €7.5M or 1.5% of annual global turnover, whichever is higher. This is the lightest penalty tier in the Act — but for small organisations, €7.5M can be existential. The 1.5% floor means large corporations face proportionally heavier consequences for what may seem like administrative failures.
The GPAI Model Overlay: A Separate Regulatory Track
General-Purpose AI models — systems trained on vast datasets capable of performing a wide range of tasks — operate under a parallel regulatory track rather than slotting neatly into the four-tier hierarchy. The GPAI rules became enforceable in August 2025.
Oversight of GPAI is centralised under the EU AI Office, supported by a Scientific Panel of independent technical experts and an Advisory Forum representing industry and civil society. The AIGP exam tests the distinction between these bodies — the AI Office supervises GPAI providers directly, while the AI Board (composed of Member State representatives) coordinates national enforcement authorities.
Enforcement Timeline and the Fine Structure
The Act's phased implementation schedule is a high-frequency exam topic. Candidates must know not just what each rule requires, but precisely when it became or becomes enforceable. Confusing the enforcement dates is a common error in scenario-based questions that specify a particular date.
Exam Readiness: The Five Rules You Cannot Afford to Forget
The AIGP exam rewards candidates who can reason through the Act's architecture quickly and apply it to novel fact patterns. These five synthesis rules represent the most common failure points across all examination domains.
Five Rules for the Exam Room
- Risk is contextual. Classification flows from the deployment purpose, not the model architecture.
- Article 25 changes who is responsible. Trademarking or substantially modifying a system converts a Deployer into a Provider with full provider obligations.
- The Article 6(3) exception never applies to profiling. If profiling is present, high-risk classification stands regardless of how narrow the task appears.
- Documentation is the evidence of compliance. An organisation can have a perfectly fair algorithm and still be non-compliant if the Quality Management System and Technical Documentation do not exist.
- Know your governance bodies. EU AI Office supervises GPAI. AI Board coordinates Member States. Scientific Panel provides technical expertise. These are not interchangeable on exam questions.
The EU AI Act does not regulate algorithms — it regulates decisions. Every obligation in the Act traces back to a fundamental question: who is harmed, how badly, and who is accountable? Approach every exam scenario with that question first, and the risk tier answers itself.
Continue reading: How to Prepare for the August 2, 2026 EU AI Act Deadline and DPIA vs. AIA vs. FRIA: AI Governance Acronyms Explained.