AI Governance Library

Assessing High-Risk Artificial Intelligence with Respect to Fundamental Rights

This report analyses how high-risk AI systems are assessed in practice under the EU AI Act, focusing on fundamental rights risks, current gaps, and the need for practical guidance for providers and deployers.
Jakub Szarmach
3 min read
Assessing High-Risk Artificial Intelligence with Respect to Fundamental Rights
ASSESSING HIGH-RISK ARTIFICIAL INTELLIGENCE
ASSESSING HIGH-RISK ARTIFICIAL INTELLIGENCE.pdf
1 MB
download-circle

⚡ Quick Summary

This FRA report is one of the most practically relevant early interpretations of how the EU AI Act’s high-risk regime should work in reality when fundamental rights are taken seriously. Based on interviews with providers, deployers, experts and affected individuals across several Member States, it shows a clear gap between the legal ambition of the AI Act and current assessment practices. While data protection and technical risks are commonly addressed, broader fundamental rights impacts remain inconsistently identified, weakly documented and poorly mitigated. The report does not merely restate legal obligations; it diagnoses where real-world governance breaks down and explains why Fundamental Rights Impact Assessments (FRIAs) risk becoming a box-ticking exercise unless clearer guidance, better expertise and stronger oversight are put in place. For anyone preparing for August 2026 compliance, this document is less about theory and more about what will actually fail if organisations do not change how they assess high-risk AI.

🧩 What’s Covered

The report starts by unpacking how the AI Act defines an “AI system” and what qualifies as “high-risk” under Articles 6 and Annex III, highlighting uncertainty and divergent interpretations already visible among market actors. It then maps high-risk use cases across areas such as employment, education, law enforcement, migration and access to public benefits, grounding the analysis in concrete deployment scenarios rather than abstract categories.

A core section analyses the AI Act’s fundamental rights safeguards, focusing on Article 9 risk management obligations for providers and Article 27 FRIAs for certain deployers. The report clearly distinguishes responsibilities along the value chain and explains how these obligations interact with, but go beyond, GDPR DPIAs.

Crucially, the report examines current assessment practices. It finds that most organisations focus on data protection, cybersecurity and business risks, while rights such as non-discrimination, human dignity, access to remedies, due process or freedom of expression are rarely assessed in a structured way. Even where risks are identified, mitigation measures are often generic, incomplete or disconnected from actual system design and use.

The final analytical chapter synthesises interview feedback into concrete building blocks for effective fundamental rights assessments. These include early risk identification, proportionality and necessity analysis, stakeholder involvement, documentation discipline, and continuous reassessment across the AI lifecycle. The report also situates the AI Act alongside Council of Europe methodologies and national FRIA models, showing convergence but also fragmentation in practical tools.

💡 Why it matters?

This report quietly sets the baseline for how regulators and oversight bodies are likely to judge “serious” compliance with the AI Act. It signals that formal adherence to technical standards or DPIAs will not be enough if fundamental rights risks are treated as secondary or symbolic. For organisations, it is an early warning that FRIAs will be scrutinised for substance, not format. For policymakers and auditors, it provides a shared language for identifying weak assessments, shallow mitigation and governance theatre. In short, it translates the AI Act from legal text into enforcement expectations.

❓ What’s Missing

The report deliberately stops short of offering a ready-to-use FRIA template, which some practitioners may find frustrating. It also does not deeply explore enforcement mechanisms, sanctions or the role of market surveillance authorities in correcting poor assessments. Sector-specific deep dives are limited, meaning deployers in niche domains may still struggle to operationalise the guidance without further tailoring.

👥 Best For

AI governance leads preparing internal FRIA frameworks, legal and compliance teams responsible for AI Act readiness, public sector deployers of high-risk AI, auditors and conformity assessment bodies, and policymakers developing secondary guidance or oversight practices.

📄 Source Details

European Union Agency for Fundamental Rights (FRA), 2025. Empirical report based on interviews, focus groups and comparative analysis of AI Act implementation practices across selected EU Member States.

📝 Thanks to

European Union Agency for Fundamental Rights and all interviewed providers, deployers, experts and rights holders who contributed practical insights into how high-risk AI is assessed in real-world settings.

Report
About the author
Jakub Szarmach

Jakub Szarmach

Read next

When AI Builds AI: Findings From a Workshop on Automation of AI R&D (CSET Workshop Report, January 2026)

The State of AI Security and Governance (CSA & Google Cloud, 2025)

The 2025 Responsible AI Governance Landscape: From Principles to Practice

The 2025 Peregrine Report – 208 Expert Proposals for Reducing AI Risk

Responsible AI Impact Report 2025 – Urgent risks, emerging safeguards, and public interest solutions impacting society

AI Governance Library

Curated Library of AI Governance Resources

AI Governance Library

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to AI Governance Library.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.