The risk classification framework
Risk-based legislation classifies AI into four tiers - Prohibited, High, Limited, Minimal (mnemonic 'Please Handle Laws Mindfully') - and scales the rulebook so higher risk equals more duties, lower risk a lighter touch.
Risk-based legislation classifies AI into levels and scales the rulebook accordingly → proportionate regulation that keeps innovation alive under safeguards.
Prohibited · High · Limited · Minimal → higher risk = more duties, lower risk = lighter touch.
- ⛔ Prohibited / unacceptable → banned outright; threatens rights or safety.
- 🔺 High / high-impact → allowed but strict obligations (risk management, oversight, documentation).
- 🔸 Limited / transparency → lower risk; disclosure or labelling duties only.
- ▫️ Minimal / no risk → low concern; voluntary standards and codes of conduct.
The EU AI Act, South Korea's AI Basic Act, US state laws, China's Generative AI Measures and Japan's Guidelines all apply this logic in different ways, but the principle holds everywhere. As Mark Webber notes, the rule makers tried to craft legislation that does not regulate a particular technology but instead what use we make of that technology.