Risk-based AI regulation

Risk-based regulation is the idea that rules governing AI should be calibrated to how much harm a given system could cause, rather than applying the same requirements to every application. The most prominent example is the European Union’s AI Act, whose official explanation says it tailors rules “to the intensity and scope of the risks that AI systems can generate.” Instead of regulating the technology in the abstract, this approach asks what a system is used for and who could be hurt.

The European Commission describes four tiers. Systems that pose what it calls “a clear threat to the safety, livelihoods and rights of people” fall into an unacceptable-risk category and are banned outright, including practices such as social scoring and certain manipulative or biometric techniques. High-risk systems, which can pose “serious risks to health, safety or fundamental rights” in areas like medical devices, hiring, credit scoring, and critical infrastructure, are permitted but must meet strict obligations such as risk assessment, data-quality controls, logging, and human oversight. A limited-risk tier imposes mainly transparency duties, such as telling people they are talking to a chatbot and labeling AI-generated content. The large remaining minimal-risk category, which the Commission says covers most AI uses, carries no specific requirements.

The appeal of the risk-based model is that it concentrates regulatory effort where the stakes are highest while leaving low-stakes uses largely free. It has become an influential template, echoed in US state laws like Colorado's and in international standards. For businesses, the practical task is classification: the tier is determined by what a system is used for and in what context, not by the underlying technology, so the same model can fall into different tiers depending on how it is deployed. Knowing which tier a given AI use falls into largely determines what compliance, if any, is required.