Range Scenario · crucible · 35 min
EU AI Act Applicability: Classify Five AI Deployments
This cybersecurity training scenario simulates a working incident. Five proposed AI deployments are in your cybersecurity governance review queue. Classify each under the EU AI Act risk tiers and identify the compliance obligations. The legal team will use your assessment to decide whether to ship.
Scenario briefing
You are an AI cybersecurity governance analyst at a multinational that deploys to EU customers. The EU AI Act creates four risk tiers: prohibited, high-risk, limited-risk, and minimal-risk. Each tier has different obligations. Your job: classify each proposed deployment correctly and name the obligations that follow.
Five deployments are queued for review. The legal team will use your assessment to decide whether to ship, what disclosures are needed, and what conformity assessments must run before launch. Misclassification creates regulatory exposure.
This scenario tests AI governance literacy. Real classification decisions involve legal counsel, but technical teams have to surface the right facts and apply the obvious classifications correctly. The Act covers deployments inside the EU and any system whose output is used in the EU, so US-based companies need this skill too.
What you will practice
- Recognize the four EU AI Act risk tiers and what triggers each
- Identify obligations that follow from each tier
- Distinguish prohibited use cases from high-risk use cases
- Surface the right facts for legal counsel to make a final call
How this scenario is scored
The scenario has 7 ordered steps. Most steps are exact-match (a MITRE ATT&CK technique ID, a tool name, or a yes/no decision) or multiple choice. Free-text steps queue for manual review and do not affect the auto-final-score in the MVP.
Each step has a max score of 100 points. Hints deduct points up front, listed before you reveal them. Your final score is the sum across steps. Range Elo updates on completion based on scenario difficulty (Beginner) and your final score percentage.
Frequently asked questions
What are the four EU AI Act risk tiers?
Prohibited: AI uses banned outright (social scoring by public authorities, real-time biometric ID in public with narrow exceptions, manipulation that causes harm). High-risk: AI in regulated sectors (health, law enforcement, employment, credit, education, infrastructure). Limited-risk: AI that interacts with humans, generates synthetic media, or detects emotions, requiring transparency. Minimal-risk: everything else.
What obligations apply to high-risk AI?
Risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and robustness, conformity assessment before market entry, post-market monitoring, and registration in the EU AI database. The list is long because the use cases involve fundamental rights and safety.
Does the EU AI Act apply to US companies?
Yes, if the AI system is placed on the EU market or its output is used in the EU. A US company providing an AI chatbot to EU customers is subject to the Act. Extraterritorial scope is similar to GDPR. Operating only inside the US does not exempt you if EU users access the system.
Course content is for educational purposes only and does not constitute professional advice. All claims are supported by cited peer-reviewed academic research. DecipherU does not teach or reproduce any proprietary sales methodology. Verify all referenced sources independently.