What the EU AI Act is and when it affects you
The EU AI Act is Regulation (EU) 2024/1689, the world's first horizontal legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies in phases, not all at once.
The timeline that matters for your automation projects:
- 2 February 2025: prohibitions (unacceptable-risk practices) and staff AI literacy obligations apply.
- 2 August 2025: obligations for general-purpose AI (GPAI) models.
- 2 August 2026: general application, including Annex III high-risk systems. This is the key date for most enterprise workflows.
- 2 August 2027: high-risk systems embedded in regulated products under Annex I.
The regulation distinguishes two roles: the provider, who develops or places the AI system on the market, and the deployer (professional user), who uses it under their own responsibility. Most companies automating processes act as deployers, and that changes which obligations apply to them.
The four risk levels, applied to real processes
The EU AI Act classifies systems by the risk of their use, not by model power. There are four levels:
- Unacceptable risk (prohibited): social scoring, subliminal manipulation and certain biometric uses. Cannot be deployed in the EU.
- High risk (Annex III): employment and worker management (screening applications, promotion or dismissal decisions, algorithmic task allocation), access to essential services, education, biometrics… Full obligations apply.
- Limited risk: transparency obligation. A chatbot must identify itself as AI.
- Minimal risk: everything else. Best practices, no specific obligations.
It is clearest with concrete processes. Four common workflows and their level:
CV screening in HR
A workflow that uses AI to filter or score job applications decides on people's access to employment. It's Annex III: high-risk, with all the provider and deployer obligations.
Credit scoring
Granting or denying access to an essential service through AI materially affects the person. High risk: it requires human oversight, risk management and traceability.
Internal chatbot
A conversational assistant that guides employees is limited risk. Its only material obligation: identify itself as AI to whoever uses it.
Invoice OCR
Extracting and classifying invoice data does not decide about people. Minimal risk: best practices, no specific obligations under the regulation.
The mental rule: if AI decides about people in a sensitive area, it rises to high risk. If AI only processes documents or prepares drafts that a person validates, the regulatory risk drops sharply because the decision stays human.
What this means for your BPM automations
When a workflow uses AI to decide about people — filter candidates, evaluate employees, grant or deny something relevant — it probably falls into high risk. And high risk splits obligations across two roles:
- System provider: risk management, data governance, technical documentation, logging, human oversight by design, and accuracy, robustness and cybersecurity guarantees.
- Deployer / user: use in line with instructions, effective human oversight, monitoring of operation, and log retention.
The nuance that changes the project: if AI only extracts or classifies documents, or drafts content a person validates, the decision is human and the regulatory risk drops dramatically. That's why the process design — not the model — determines your exposure.
This is exactly the logic of governed AI agents inside the BPM: the AI proposes, executes scoped tasks and leaves a trail; the person decides at the sensitive points.
Obligations if you are a deployer of a high-risk system
Most companies are deployers, not providers. These are the obligations the regulation assigns you in that role when the system is high-risk:
- Compliant use: use the system per the provider's instructions for use, without diverting it to purposes it was not assessed for.
- Effective human oversight: assign people with real competence and authority to review, override or disregard the AI's output. An automatic "approve" is not enough.
- Monitoring: watch operation and report serious incidents or detected risks to the provider and the authority.
- Log retention: keep the logs generated automatically by the system for the applicable period, so you can reconstruct what it decided and why.
- Informing affected people: where applicable, inform people that they are subject to a high-risk AI system.
Almost all of these obligations share the same denominator: human oversight and an auditable record. And that is where BPM makes the difference.
How to comply with governed BPM
The Dokuflex thesis is blunt: governed BPM is not an add-on to compliance, it is the compliance mechanism. When AI lives inside a modelled process, the EU AI Act obligations stop being documents and become properties of the workflow.
| EU AI Act requirement | How governed BPM solves it |
|---|---|
| Human oversight | Native human-in-the-loop: AI proposes, a person validates at the steps that affect people before the process moves on. |
| Log retention | Auditable log per execution: input, model output, the user who validated and a timestamp. |
| Documentation and governance | Process versioning: every change to the workflow and its rules is recorded and reconstructable. |
| Model traceability | Record of which model decided what, with what confidence level and which sources it used at each step. |
The same principle governs document AI: to see how it applies to a corporate LLM with EU data residency, read LLM and RAG inside Dokuflex under EU GDPR, where traceability and source citation serve the same evidentiary function.
A 6-point checklist for your AI workflow
Ahead of the general application on 2 August 2026, review each AI automation against these six points:
- What does it decide about? If it influences relevant decisions about people (employment, credit, essential services), treat it as a high-risk candidate.
- Is there real human oversight? Ensure a human validation point with authority to override the AI's output.
- Are decisions logged? Each execution must leave a log with input, output, model and responsible person.
- Is the process versioned? Changes to rules and flows must be traced and reconstructable.
- Are you transparent? If it's a chatbot or a system that interacts with people, it must identify itself as AI.
- Is your role documented? Define whether you act as provider or deployer and document the obligations you take on in each workflow.
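The table above and this checklist describe the same four properties: a human validation point before a step that affects people advances, a per-execution log with input, model output, validator and timestamp, a versioned process definition, and traceability of which model decided what with what confidence. The following is an added example, not Dokuflex code, of what those properties look like when they are enforced by the workflow engine itself rather than documented beside it. The class names, the `affects_people` flag and the sample inputs are assumptions for illustration; the input is stored as a hash so the log can prove what was processed without copying personal data into it.

```python
# Added example (not Dokuflex code): a human-in-the-loop gate plus a per-execution
# audit record for an AI-assisted workflow step. Names and fields are assumptions.
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional


class OversightError(Exception):
    """A step that affects people tried to advance without human validation."""


@dataclass(frozen=True)
class StepDefinition:
    name: str
    affects_people: bool  # assumed flag: the step decides about people in a sensitive area


@dataclass(frozen=True)
class WorkflowDefinition:
    workflow_id: str
    version: int
    steps: tuple

    def fingerprint(self) -> str:
        """Hash of the versioned definition, so any change to rules or flow is detectable."""
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def step(self, name: str) -> StepDefinition:
        return next(s for s in self.steps if s.name == name)  # StopIteration if unknown step


@dataclass
class ExecutionRecord:
    workflow_id: str
    workflow_version: int
    workflow_fingerprint: str
    step: str
    input_digest: str   # hash of the input: proves what was processed, holds no personal data
    model_id: str
    model_output: str
    confidence: float
    sources: list
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())
    validated_by: Optional[str] = None
    validation: Optional[str] = None  # "accepted" or "overridden"
    final_output: Optional[str] = None


def propose(defn: WorkflowDefinition, step: str, input_text: str, model_id: str,
            output: str, confidence: float, sources: list) -> ExecutionRecord:
    """The AI proposes: log input, model, output, confidence and sources. Nothing is decided yet."""
    defn.step(step)
    return ExecutionRecord(defn.workflow_id, defn.version, defn.fingerprint(), step,
                           hashlib.sha256(input_text.encode()).hexdigest(),
                           model_id, output, confidence, list(sources))


def validate(record: ExecutionRecord, user: str, decision: str,
             override_output: Optional[str] = None) -> ExecutionRecord:
    """A named person accepts or overrides the proposal; the record keeps both outputs."""
    if decision not in ("accepted", "overridden"):
        raise ValueError("decision must be 'accepted' or 'overridden'")
    if decision == "overridden" and override_output is None:
        raise ValueError("an override must state the replacement output")
    record.validated_by = user
    record.validation = decision
    record.final_output = override_output if decision == "overridden" else record.model_output
    return record


def advance(defn: WorkflowDefinition, record: ExecutionRecord) -> str:
    """Gate: a step that affects people only moves on once a human has validated it."""
    if defn.step(record.step).affects_people and record.validated_by is None:
        raise OversightError(f"step {record.step!r} affects people and has no human validation")
    return record.final_output if record.final_output is not None else record.model_output


def audit_gaps(defn: WorkflowDefinition, records) -> list:
    """Log check: each record must show what was processed, which model decided, and who validated."""
    required = ("input_digest", "model_id", "model_output", "timestamp", "workflow_fingerprint")
    gaps = []
    for r in records:
        gaps += [f"{r.step}: missing {f}" for f in required if not getattr(r, f)]
        if defn.step(r.step).affects_people and r.validated_by is None:
            gaps.append(f"{r.step}: no validator recorded")
    return gaps


# Constructed workflow: one Annex III step (employment) and one minimal-risk step.
HR_WORKFLOW = WorkflowDefinition("hr-recruiting", 3, (
    StepDefinition("cv_screening", affects_people=True),
    StepDefinition("attachment_ocr", affects_people=False),
))


def run_demo() -> dict:
    """Constructed run: OCR advances on its own, screening is blocked until a reviewer decides."""
    ocr = propose(HR_WORKFLOW, "attachment_ocr", "constructed attachment bytes",
                  "ocr-model-v1", "years_experience=4", 0.98, ["attachment:1"])
    screening = propose(HR_WORKFLOW, "cv_screening", "constructed candidate profile",
                        "llm-screener-v2", "reject", 0.61, ["cv:p1", "job-spec:v7"])
    result = {"ocr_advanced": advance(HR_WORKFLOW, ocr), "blocked": False}
    try:
        advance(HR_WORKFLOW, screening)
    except OversightError:
        result["blocked"] = True
    result["gaps_before"] = audit_gaps(HR_WORKFLOW, [ocr, screening])
    validate(screening, "hr.reviewer", "overridden", "shortlist")
    result["screening_final"] = advance(HR_WORKFLOW, screening)
    result["gaps_after"] = audit_gaps(HR_WORKFLOW, [ocr, screening])
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the design is that the oversight obligation is a precondition in `advance`, not a policy a user might skip: the screening step cannot produce a downstream effect until a named person is in the record, while the document-extraction step carries the same log fields but no gate, which is the minimal-risk case from the table. Bumping `version` in the definition changes the fingerprint stored on every later record, so an auditor can tell which rule set produced a given decision.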
Frequently asked questions
Is my AI workflow high-risk under the EU AI Act?
It depends on what the AI decides. If the workflow uses AI to make decisions about people in Annex III areas (screening job applications, promotion or dismissal decisions, algorithmic task allocation, access to essential services, credit scoring, education or biometrics), it is probably high-risk. If the AI only extracts or classifies documents, or drafts content a person validates, the risk drops sharply because the decision remains human.
When does the EU AI Act apply?
Regulation (EU) 2024/1689 entered into force on 1 August 2024 with a phased application: prohibitions and AI literacy apply from 2 February 2025; obligations for general-purpose AI (GPAI) models from 2 August 2025; general application, including Annex III high-risk systems, from 2 August 2026; and high-risk systems embedded in regulated products under Annex I from 2 August 2027.
What obligations do I have as a deployer (user) of a high-risk AI system?
As a deployer you must use the system in line with the provider's instructions, ensure effective human oversight, monitor operation, and keep the logs generated automatically for the applicable period. The provider, in turn, takes on risk management, data governance, technical documentation, logging, accuracy, robustness and cybersecurity of the system.
Are invoice OCR or an internal chatbot high-risk?
No. An OCR that extracts data from invoices is typically minimal risk: it does not decide about people. An internal chatbot is limited risk and only has a transparency obligation: it must identify itself as AI to the user. High risk appears when AI influences relevant decisions about people, such as screening applications or granting or denying credit.
How does governed BPM help comply with the EU AI Act?
Governed BPM is the compliance mechanism. It provides native human-in-the-loop so a person validates any decision affecting people, an auditable log per execution, process versioning, and traceability of which model decided what and with what confidence level. This covers the human oversight, log retention and documentation requirements the regulation places on both provider and deployer.
What are the penalties for breaching the EU AI Act?
The regulation provides fines of up to EUR 35 million or 7% of global annual turnover for prohibited practices, and up to EUR 15 million or 3% for breaching other obligations, whichever is higher. That is why it is worth classifying every AI workflow and documenting governance measures before general application in August 2026.
Turn the EU AI Act into a property of your processes
Book a 60-minute guided session with us to review your AI workflows, classify their risk level and see how Dokuflex governed BPM provides human-in-the-loop, auditable logs and process versioning.