2. How does the AI Act regulate AI systems with different risk profiles?

The AI Act categorizes AI systems into various risk levels, which determine the requirements, reporting obligations, and regulations for their usage. The risk depends on how the AI is utilized and its interaction with humans.

The AI Act assigns different roles, such as providers and users, each with specific responsibilities – detailed further in the chapter 'Who must observe which rules from the AI Act?' For example, a provider could be a company developing a language model or integrating another provider's language model into its own user interface, creating an AI system. A user might be a business employing this AI system as a chatbot for handling product inquiries. Responsibilities and liabilities vary based on the role and risk level.

Five Risk Levels

The regulation classifies AI systems and models into five risk levels:

  • Prohibited AI Systems: Applications with an unacceptable risk are completely banned within the EU. These include systems that manipulate or exploit individuals, such as AI targeting children and encouraging dangerous behaviour. Other examples are social-scoring systems, real-time facial recognition for law enforcement, emotion detection in the workplace, and remote biometric identification.
     
  • High-Risk AI Systems: These can significantly impact health, safety, or fundamental rights. Examples include AI in automated recruitment processes, targeted job advertisements, medical diagnostics, and educational applications.
    Providers of high-risk AI systems must establish risk and quality management, ensure event logging, and guarantee robustness, accuracy, and cybersecurity. Users' obligations include conducting fundamental rights assessments, assigning human oversight, and adhering to usage guidelines.
     
  • Limited Risk AI Systems: These, like customer service chatbots or deepfake generators for marketing, are subject to transparency obligations. Users must be informed they are interacting with AI.
     
  • Minimal Risk AI Systems: Examples include AI-powered spam filters or spellcheckers, which can be freely used but must adhere to fundamental principles such as fairness, data protection, transparency, and technical security.
     
  • General Purpose AI (GPAI): These cover broadly applicable AI models, such as OpenAI's GPT or Google's Gemini. Transparency regarding training data, technical documentation, and data management must be ensured. GPAI models exist 'outside' of the AI Act's risk levels and have their own specific obligations, distinguishing between 'regular' GPAI models and those with systemic risk (the latter being particularly powerful, large models).

Focus on Usage

The risk category of AI depends primarily on its intended application:

  • The well-known AI model GPT from OpenAI serves as the foundation for the ChatGPT AI system and is treated as a GPAI model.
     
  • When this AI model is integrated with a user interface (like ChatGPT) for communication with humans as a chatbot, it becomes a limited risk AI system.
     
  • The same AI system, if used for recruitment purposes, is categorized as a high-risk AI system.

Contact

Arian Siefert

Director Digital Economy

Jonas Wöll

Director Digital Single Market, EU Transport Policy, Regional Economic Policy