EU AI Act

With Article 5 of Regulation (EU) 2024/1689 banning unacceptable-risk AI systems from 2 February 2025, teams are in the final stretch of offboarding prohibited use cases. Boards must confirm that inventories are complete, shutdown steps are executed, and documentation shows compliance for both internal deployments and vendor-supplied services. Universal opt-out governance is central: individuals whose data was used in banned systems must have their rights respected during archival, deletion, or transition processes. The governance playbook coordinates portfolio reviews, evidence vaults, opt-out handling, and regulator-ready narratives that prove unacceptable-risk systems are gone for good.

Portfolio sweep methodology

A full offboarding program starts with an end-to-end inventory. Use a risk-tiered questionnaire covering system purpose, user base, decision impact, data sources, and linkage to biometric or behavioral analytics. Flag any system that infers sensitive traits from biometrics, scrapes facial images indiscriminately, scores individuals to control access to public services, or manipulates behavior by exploiting vulnerabilities. Include shadow AI projects, prototypes, proofs of concept, and vendor APIs integrated into products or back-office functions.

Once flagged, assign ownership to system sponsors, legal counsel, data protection officers, and product managers. Establish offboarding workstreams with defined milestones: access revocation, model retirement, dataset sanitisation, opt-out fulfillment, communication, and evidence collation. Maintain a central tracker that records status, blockers, and anticipated completion dates. Boards should review the tracker weekly during January 2025.

Technical shutdown execution

• Model retirement. Archive model artifacts (weights, architecture, training scripts) in tamper-evident repositories. Generate cryptographic hashes and record storage locations. Disable deployment endpoints, remove container images, and revoke API credentials. If systems operated within third-party platforms, obtain written confirmation of shutdown and log export.
• Data sanitisation. Identify all datasets feeding the prohibited system, including raw captures, derived features, and intermediate outputs. Execute deletion or anonymization consistent with retention schedules, legal obligations, and opt-out requests. Document destruction certificates, data lineage diagrams, and validation checks showing no residual references in downstream systems.
• Access control. Update identity and access management policies to revoke permissions for staff and vendors associated with the retired system. Implement monitoring to detect attempts to restore access or to create clones.

Universal opt-out orchestration

Respecting data subject rights is critical when retiring prohibited systems:

• Opt-out reconciliation. Cross-reference all data subjects captured in the prohibited system with consent and opt-out registries. Ensure withdrawals of consent, objections to processing, and Global Privacy Control signals are honored in both archival and transition processes. Document correspondence with individuals confirming fulfillment.
• Notification and transparency. Where legally required, inform affected individuals about the discontinuation of the system, how their data was handled, and how opt-out preferences were applied. Provide accessible channels (web, mobile, call center, in-person) and support for vulnerable groups. Maintain logs of notifications, responses, and escalations.
• Vendor compliance. Vendors supplying biometric or behavioral analytics must provide proof that they destroyed or returned data linked to opted-out individuals. Include clauses requiring confirmation of opt-out handling during contract termination. Audit evidence should include deletion certificates, system logs, and third-party attestations.

Evidence vault and documentation

Market surveillance authorities under the EU AI Act can request documentation long after systems are retired. Build an evidence vault with the following artifacts:

• Technical files. Capture system descriptions, intended purpose, training data specifications, performance metrics, risk assessments, and change logs. Annotate files to explain why the system was classified as unacceptable and how offboarding occurred.
• Decision records. Store board minutes, AI ethics committee notes, and approval workflows authorising shutdown. Highlight how universal opt-out compliance influenced decisions—for example, when high opt-out rates made continued operation untenable.
• Audit trails. Retain logs of system disablement, data deletion, access revocation, and control tests verifying success. Include time stamps, responsible personnel, and validation steps.
• Regulator correspondence. Archive communications with data protection authorities, market surveillance bodies, or sectoral regulators. Document requests received, responses provided, deadlines met, and follow-up actions.

Integration with governance frameworks

Offboarding should align with enterprise governance standards:

• NIST AI RMF. Map offboarding tasks to Govern, Map, Measure, and Manage functions. Show how opt-out registries and evidence vaults support governance outcomes.
• ISO/IEC 42001:2023. Update AI management system procedures to include unacceptable-risk retirement protocols. Ensure clause 8.4 change management, clause 9.1 monitoring, and clause 10 improvement reflect lessons learned.
• Data protection governance. Align with GDPR Article 17 (right to erasure), Article 21 (right to object), and national setups. Update Records of Processing Activities (ROPAs) and Data Protection Impact Assessments (DPIAs) to note that the system has been withdrawn.

Legal and contractual considerations

Shutting down prohibited systems intersects with contract law and liability management:

• Supplier agreements. Review termination clauses, intellectual property rights, and obligations to destroy or return data. Ensure suppliers indemnify the organization for breaches of Article 5 obligations that occurred during their service.
• Customer commitments. If the prohibited system supported customer-facing services, assess contractual obligations for service continuity. Provide alternative compliant solutions or compensation. Document communications and opt-out handling.
• Litigation readiness. Prepare for potential claims from individuals alleging harm. Assemble incident files, opt-out records, and expert reports demonstrating remedial actions taken during offboarding.

People and change management

Employees and contractors need clear guidance as systems are retired:

• Training. Provide targeted training on Article 5 requirements, offboarding procedures, opt-out handling, and evidence retention. Track completion and include assessments to confirm understanding.
• Role reassignment. Redeploy teams previously supporting prohibited systems to compliant initiatives. Document new responsibilities, access rights, and training needs.
• Speak-up channels. Encourage staff to report residual deployments or attempted bypassion. Maintain whistleblowing confidentiality, honor anonymity requests, and record investigative outcomes.

Regulator engagement playbook

Preparedness for supervisory inquiries is essential:

• Pre-briefing packages. Assemble concise dossiers summarizing inventories, shutdown status, opt-out compliance metrics, and evidence availability. Include contact points and escalation paths.
• Mock inspections. Conduct dry runs simulating regulator requests. Time how long it takes to retrieve evidence, show opt-out fulfillment, and explain governance structures.
• Notification criteria. Define thresholds for self-reporting residual use or incidents, including failures to honor opt-outs or discovery of duplicate systems. Ensure legal counsel reviews disclosures before submission.

Board oversight dashboard

Boards should review a dashboard tracking:

• Number of systems classified as unacceptable risk and percentage decommissioned.
• Opt-out reconciliation status, including any unresolved requests or complaints.
• Evidence vault completeness, broken down by technical files, governance records, and audit logs.
• Regulator interactions and upcoming deadlines.
• Resource allocation for remediation and redevelopment of compliant alternatives.

Directors should challenge management to confirm there are no residual deployments, demand independent validation where necessary, and record their oversight activities in board minutes.

Transition to compliant alternatives

Retiring prohibited systems often leaves capability gaps. Teams should develop compliant replacements while reinforcing universal opt-out commitments:

• Design principles. Embed privacy-by-design, human oversight, and opt-out default settings into replacement systems. Conduct DPIAs and Algorithmic Impact Assessments early in the design process.
• Pilot governance. Test replacements under controlled conditions with transparent communication to users. honor opt-out preferences and track feedback to iterate before scaling.
• Documentation continuity. Ensure technical files for new systems reference the retirement of prohibited predecessors and explain how lessons learned informed design choices.

Action checklist for January 2025

• Complete final validation of the unacceptable-risk inventory, including vendor attestations and opt-out reconciliations.
• Conduct an evidence-room walkthrough with legal, compliance, and audit teams to ensure retrieval processes are efficient.
• Publish stakeholder updates summarizing system retirement progress, opt-out protections, and pathways for raising concerns.
• Schedule post-mortem reviews to capture lessons learned and feed them into high-risk and general-purpose AI compliance programs due later in 2025.

By the time Article 5 enforcement begins, teams should have zero tolerance for prohibited AI within their estates. Thorough offboarding, universal opt-out stewardship, and regulator-ready evidence safeguard people, protect reputations, and set the stage for compliant innovation under the EU AI Act’s broader regime.

See also

Selected articles on related subjects.

AI · Credibility 94/100 · January 23, 2025

EU AI Act

Article 5 prohibitions hit February 2, 2025. If you are using third-party AI systems, now is the time to verify that banned capabilities are offline, universal opt-outs still work, and you have got evidence ready for…

AI · Credibility 94/100 · February 2, 2025

EU AI Act

EU AI Act prohibited practices enforcement began February 2, 2025. Social scoring, untargeted facial recognition scraping, and emotion recognition in certain contexts are now illegal. Verify your AI systems do not fall…

AI · Credibility 94/100 · February 10, 2025

EU AI Act

The EU AI Office can now audit your AI systems for prohibited practices. If they suspect you are running something banned—social scoring, manipulative AI, that kind of thing—they'll want proof you have shut it down. Get…

AI · Credibility 94/100 · January 30, 2025

EU AI Act

EU market-surveillance authorities are rehearsing Article 5 spot checks right now. If you are running AI systems that touch biometric categorization, social scoring, or behavioral manipulation, you need governance…

AI · Credibility 100/100 · February 3, 2025

EU AI Act

February 2, 2025 marked the enforcement date for the EU AI Act's prohibited practices. Social scoring, untargeted scraping for facial recognition databases, and emotion recognition in workplaces and schools are now…

Continue in the AI pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Governance Implementation Guide

  Operationalise the EU AI Act, ISO/IEC 42001, and U.S. OMB M-24-10 requirements with accountable inventories, controls, and reporting workflows.

• AI Incident Response and Resilience Guide

  Coordinate AI-specific detection, escalation, and regulatory reporting that satisfy EU AI Act serious incident rules, OMB M-24-10 Section 7, and CIRCIA preparation.

• AI Procurement Governance Guide

  Structure AI procurement pipelines with risk-tier screening, contract controls, supplier monitoring, and EU-U.S.-UK compliance evidence.

Coverage intelligence

Published

January 13, 2025

Coverage pillar

AI

Source credibility

94/100 — high confidence

Topics

EU AI Act · Article 5 prohibited AI · Algorithmic risk management

Sources cited

3 sources (eur-lex.europa.eu, ec.europa.eu, data.consilium.europa.eu)

Reading time

6 min

Cited sources

1. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonized rules on artificial intelligence — eur-lex.europa.eu
2. Questions and Answers: The EU's Artificial Intelligence Act — ec.europa.eu
3. EU AI Act: timeline of application — data.consilium.europa.eu