AI Act glossary — key terms in plain language

The EU AI Act (Regulation 2024/1689) brings its own vocabulary: four risk levels, the provider and deployer roles, and transparency and oversight obligations. Below are the key terms in one sentence each — no bureaucratic jargon. Most obligations start to apply on 2 August 2026; some prohibitions — since February 2025.

Risk levels

• AI system (Art. 3) — software that, from input data, generates outputs (predictions, content, recommendations, decisions) with some autonomy. A plain rule-based script is not an AI system.
• Prohibited practices (Art. 5) — banned uses (e.g. social scoring, manipulation exploiting vulnerabilities, emotion recognition at work and in education); the ban has applied since February 2025.
• High-risk system — a system under Annex III (e.g. recruitment, scoring, education, biometrics) or a safety component of a product (Annex I); full obligations, most from 2 August 2026.
• Transparency obligations (Art. 50) — a chatbot must disclose it is AI, and AI-generated content (including deepfakes) must be labelled; this is the limited-risk level.
• Minimal risk — most business uses (search, summaries, document assistants); no legal obligations under the AI Act.
• GPAI (general-purpose AI model) — a foundation model (e.g. a large language model) with a separate layer of obligations, mostly on the model provider, in force since 2 August 2025.

Roles and obligations

• Provider — whoever develops a system or model and places it on the market under their own name (including when the build is outsourced).
• Deployer — a company that uses an AI system under its own control; most companies that “just use” off-the-shelf tools are deployers and have their own obligations.
• AI literacy (Art. 4) — the duty to ensure that the people operating AI have a practical understanding of where it helps and where it errs; it is not a prompt-writing course.
• Human oversight (Art. 14) — for high-risk systems there must be a person who understands the system, can challenge its output and stop it before it causes harm.

Operational terms

• Shadow AI — AI tools used by employees outside the company’s knowledge and control; they raise the risk of data leaks and make compliance harder.
• KRiBSI — Poland’s proposed supervisory body (Commission for the Development and Safety of Artificial Intelligence). The Sejm passed the law on 11 June 2026, but as of mid-2026 it is not yet in force (Senate, the President’s signature, publication).

What next

How to use these terms in practice — to walk system by system and assign each to a risk level — is in our AI Act risk-classification method. How to keep compliance over time is in governance for regulated industries. For a diagnosis of your own company, start with an EU AI Act compliance audit.