High-Risk AI Classification for Law Firms: 2026 Practical Guide
Most law firms are not trying to build frontier AI systems. But many are deploying AI in workflows that may be close to high-risk boundaries under the AI Act, especially in justice-adjacent tasks (1). The challenge in 2026 is classification discipline: knowing when an AI workflow should be treated as high-risk, and documenting the reasoning.
Why 2026 is a classification year
In May 2026, the European Commission published draft guidelines specifically aimed at clarifying high-risk classification under Article 6. These draft materials include practical examples and emphasize consistent interpretation for providers, deployers, and authorities (2).
For law firms, this means internal classification should be explicit and documented, not implicit in procurement assumptions.
The two Article 6 pathways at a glance
High-risk status can arise through two broad paths:
- Annex I pathway: where the AI is a safety component of a product (or the product itself) under harmonization legislation requiring third-party conformity assessment.
- Annex III pathway: where the AI falls within listed high-risk use-case areas, including administration of justice contexts (3).
Legal teams should separate these pathways in their analysis, because controls and evidence may differ.
Law-firm use cases that deserve extra scrutiny
- AI systems used to structure legal findings that can shape adjudicative outcomes.
- Tools that materially influence high-stakes legal decision paths in justice-adjacent settings.
- Workflow automation that may profile individuals in legally consequential contexts.
Not every legal-tech tool will be high-risk. But if a workflow can meaningfully affect rights, legal outcomes, or adjudication quality, classification should be reviewed with higher rigor.
Build a defensible internal classification memo
Every substantial AI workflow should have a short classification memo that includes:
- intended purpose and user role,
- decision context and potential legal impact,
- data categories involved,
- whether Annex I or Annex III logic may be triggered,
- reasoned conclusion and review date.
This is not bureaucracy for its own sake. It reduces ambiguity in procurement, audit, and incident review moments.
Common classification mistakes in legal teams
- Vendor default trust: assuming the vendor's marketing classification is enough.
- Task fragmentation: classifying only one micro-step instead of the end-to-end legal workflow.
- Static analysis: never revisiting classification after feature or scope changes.
- No evidence trail: teams conclude "not high-risk" without a written rationale.
Control depth should follow classification confidence
Where classification is uncertain, firms should apply stronger temporary controls by default: tighter review, narrower scope, and explicit escalation to governance/legal operations leadership. Waiting for perfect certainty is less safe than applying conservative controls early.
How to operationalize this in 90 days
- Create a register of AI-enabled workflows in legal and justice-adjacent tasks.
- Apply a standard Article 6 screening questionnaire.
- Escalate borderline cases to a small review panel (legal, risk, privacy, operations).
- Document decisions and set mandatory re-review triggers.
- Align training so workflow owners understand what changes can alter classification status.
Classification is governance infrastructure. If your firm cannot explain why a workflow is or is not high-risk, you do not yet have operational AI governance.
Practical conclusion
The 2026 guidance cycle gives law firms a practical opportunity: move from abstract AI policy to evidence-backed classification practice. Teams that do this early will be far better positioned as enforcement expectations mature.