← Back to all briefings

AI · Credibility 94/100 · · 2 min read

AI Governance Briefing — January 13, 2025

With the EU AI Act’s six-month transition ending on 2 February 2025, Zeph Tech is steering teams through accelerated audits, offboarding, and evidence packs for Article 5 prohibited systems.

Executive briefing: Regulation (EU) 2024/1689 bans unacceptable-risk AI systems on , closing the six-month grace window granted by Article 113(2)(a). Public authorities and private operators must finish decommissioning biometric categorisation, untargeted facial scraping, social scoring, and manipulative AI services or prove lawful redesigns. Zeph Tech is running portfolio-level sweeps that trace each use case back to Article 5 criteria, secure executive sign-off on retirement or remediation, and capture evidentiary artefacts for market-surveillance authorities.

Regulatory checkpoints

  • Article 5 prohibitions. Providers and deployers must eliminate biometric categorisation that infers sensitive attributes, social scoring by public authorities, behaviour-manipulating systems exploiting vulnerabilities, and untargeted facial-recognition scraping.
  • Transition deadline. Article 113(2)(a) sets as the last day to operate unacceptable-risk systems; enforcement escalates immediately afterward.
  • Supervisory expectations. Commission guidance highlights inventories, human-rights impact analyses, and decommissioning logs as baseline documentation for national authorities.

Control alignment

  • NIST AI RMF (Govern/Map). Use AI RMF profiles to classify each system against Article 5 risk factors and document decision rationales.
  • ISO/IEC 42001:2023 clause 8.4. Record policy changes, risk treatment plans, and stakeholder approvals governing prohibited features.
  • EU AI Act Article 71. Maintain technical files and documentation even for withdrawn systems so authorities can audit past behaviour.

Detection and response priorities

  • Instrument monitoring that flags unauthorised biometric inference, covert scraping, or persuasive manipulation patterns against Article 5 definitions.
  • Stage termination playbooks that revoke API keys, disable datasets, and archive models when prohibited functionality is detected.
  • Test regulator notification channels and counsel reviews in case residual deployments or vendors fail to comply by the deadline.

Enablement moves

  • Brief boards and executive committees on fines and enforcement powers so decommissioning receives resourcing.
  • Extend the audit programme to suppliers and subsidiaries, collecting attestations that no Article 5 capabilities persist.
  • Capture lessons learned to feed 2025 AI Act workstreams on general-purpose and high-risk obligations.
  • EU AI Act
  • Article 5 prohibited AI
  • Algorithmic risk management
Back to curated briefings