EU AI Act Prohibited AI Practices: Is Your System at Risk?

AI Comply HQ Team, 15 min read

Most of the EU AI Act is about managing risk. Article 5 is different. Here the rules stop bargaining. Some AI practices are judged so dangerous to human rights, safety, and democratic life that no safeguard, no transparency notice, and no human-in-the-loop will ever rescue them. You cannot make them compliant. You can only stop doing them.

That puts the stakes higher than anywhere else in the regulation. Run a prohibited system and you are looking at the heaviest penalty the Act carries: up to 35 million EUR or 7% of annual worldwide turnover, whichever bites harder. And this is not a future problem you can park. The prohibition provisions have been live since February 2, 2025, so any organisation still operating a banned system is already exposed to enforcement right now.

So we wrote this guide to walk you through all eight prohibited categories one by one. We will lay out exactly what each ban covers, why the regulators drew the line where they did, and how to audit your own systems so you know, with confidence, that none of them have wandered across it.

The Eight Prohibited AI Practices

1. Subliminal Manipulation

Article 5(1)(a) prohibits AI systems that deploy subliminal techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting a person's behaviour, causing or being likely to cause that person or another person significant harm.

What this means in practice:

Strip away the legal language and this ban is about one thing: AI that steers people through channels they never notice. If a system is built to move human behaviour by slipping past conscious awareness, it is in scope. That covers things like:

  • Dark patterns amplified by AI: Systems that use personalised psychological profiling to deploy manipulative interface designs tailored to exploit individual cognitive biases
  • Subconscious persuasion engines: AI that analyses user behaviour in real time and dynamically adjusts stimuli (visual, auditory, haptic) to influence decisions without the user's awareness
  • Algorithmic addiction engineering: Systems specifically designed to create compulsive behavioural loops by exploiting neurological reward mechanisms

The key legal elements are: (1) the technique operates beyond conscious awareness or is purposefully manipulative/deceptive, (2) it materially distorts behaviour, and (3) it causes or is likely to cause significant harm.

Here is the part people miss. The harm element is doing real work. Persuasive AI in advertising is not banned on sight. It crosses the line only when it reaches for subliminal or deceptive techniques that cause significant harm. Where ordinary personalisation ends and prohibited manipulation begins is a genuinely fuzzy boundary, and we fully expect regulators to test it hard in the early enforcement cases.

How to audit: Look for any component that deliberately works on a user's psychology without that user being aware of it. If a system is built to shift behaviour through mechanisms a person cannot perceive or understand, send it to legal review straight away.

2. Exploitation of Vulnerabilities

Article 5(1)(b) prohibits AI systems that exploit any of the vulnerabilities of a natural person or specific group of persons due to their age, disability, or a specific social or economic situation, with the objective or the effect of materially distorting the behaviour of that person or a person belonging to that group in a manner that causes or is likely to cause that person or another person significant harm.

What this means in practice:

This one is about protecting people when they are least able to protect themselves. It targets AI that spots a vulnerability and presses on it:

  • Children: AI systems that exploit children's developmental vulnerabilities (limited critical thinking, susceptibility to authority figures, difficulty distinguishing advertising from content) to manipulate their behaviour
  • Elderly users: Systems that exploit age-related cognitive decline, reduced digital literacy, or social isolation to influence purchasing decisions, financial transactions, or information consumption
  • People with disabilities: AI that exploits disabilities (visual impairment, cognitive impairment, motor limitations) to create information asymmetries or manipulate interactions
  • Economically disadvantaged groups: Systems that exploit financial desperation to drive acceptance of unfavourable terms, predatory lending, or exploitative employment arrangements

How to audit: Start by mapping who actually interacts with each system. Then ask whether its design, its outputs, or the way it nudges behaviour could land disproportionately on a vulnerable group. AI-driven pricing, content recommendation, and decision-making systems that touch a wide mix of people deserve the closest look.

3. Social Scoring by Public Authorities

Article 5(1)(c) prohibits AI systems used by public authorities, or on their behalf, for the evaluation or classification of natural persons or groups of persons over a certain period of time based on their social behaviour or known, inferred, or predicted personal or personality characteristics, where the resulting social score leads to detrimental or unfavourable treatment in social contexts unrelated to the contexts in which the data was originally generated, or treatment that is unjustified or disproportionate to the gravity of the social behaviour.

What this means in practice:

This is the prohibition aimed squarely at state-run "social credit" machinery. It catches government-operated or government-commissioned systems that:

  • Aggregate behavioural data across multiple life domains (financial, social, civic, online) to generate a composite "trustworthiness" or "social" score
  • Use such scores to restrict access to services, opportunities, or rights in contexts unrelated to the behaviour being scored
  • Create chilling effects on lawful behaviour by making citizens aware that their actions are being aggregated into a score that affects their life prospects

One scope point matters here. This ban is written for public authorities and the entities acting for them. A private-sector scoring system is not caught by this particular prohibition, though depending on how it is built and what it does, it can still get swept up by others such as subliminal manipulation or exploitation of vulnerabilities.

How to audit: Sell AI into the public sector? Then check whether any of your systems pull personal data from multiple contexts to produce scores or classifications that shape who gets access to services or opportunities.

4. Real-Time Remote Biometric Identification in Public Spaces

Article 5(1)(h) prohibits the use of real-time remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, with strictly limited exceptions.

What this means in practice:

Think live surveillance that picks faces out of a crowd in real time. The prohibition reaches systems that identify people in public using biometric data, mostly facial recognition but also voice recognition, gait analysis, and similar modalities. Three conditions define what the ban covers:

  • Real-time identification (as opposed to post-event analysis)
  • In publicly accessible spaces (streets, parks, shopping centres, transport hubs)
  • For law enforcement purposes

The narrow exceptions allow real-time biometric identification only for:

  • Targeted search for specific victims of abduction, trafficking, or sexual exploitation
  • Prevention of specific, substantial, and imminent threats to life or physical safety, or genuine and present or foreseeable threat of a terrorist attack
  • Identification of suspects of specific criminal offences punishable by a custodial sentence of at least four years (within a defined list of offences)

Even these exceptions require prior judicial authorisation (or immediate use followed by authorisation within 24 hours in urgent cases) and a fundamental rights impact assessment.

How to audit: If you build or deploy biometric identification technology, check whether any deployment does real-time identification in publicly accessible spaces. And do not stop at your stated use case. Even a system you sell for non-law-enforcement purposes has to be assessed for the law enforcement uses someone could reasonably foresee.

5. Untargeted Facial Image Scraping

Article 5(1)(e) prohibits AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.

What this means in practice:

This is the Clearview-style problem written into law. The ban hits the practice of building facial recognition databases by hoovering up facial images en masse, with no knowledge or consent from the people in them. What it rules out:

  • Scraping social media platforms, websites, or publicly available image repositories to collect facial images for training or populating facial recognition systems
  • Capturing and storing facial images from CCTV or surveillance camera footage without specific, targeted authorisation
  • Aggregating facial images from multiple sources to build complete biometric databases

The prohibition is absolute. There are no exceptions. It applies regardless of what you later do with the database, full stop.

How to audit: Trace where your biometric training data actually came from. If your AI systems use facial recognition, confirm that every facial image was gathered with proper consent and authorisation, never through untargeted scraping. And do not take your data vendors on trust: audit them too, so a prohibited collection method does not reach you secondhand.

6. Emotion Recognition in Workplaces and Educational Institutions

Article 5(1)(f) prohibits AI systems that infer emotions of natural persons in the areas of workplace and education, except where the AI system is intended to be put into service or placed on the market for medical or safety reasons.

What this means in practice:

Two places get special protection here: where you work and where you learn. In those settings, AI that reads emotions is off the table. The ban covers:

  • Workplace emotion monitoring: Systems that analyse employee facial expressions, voice patterns, body language, or biometric signals to infer emotional states during work activities
  • Educational emotion tracking: Systems that monitor students' emotional engagement, attention, frustration, or satisfaction during learning activities
  • Emotion-based performance evaluation: Using inferred emotional data as an input to performance reviews, productivity assessments, or behavioural evaluations

The medical and safety exceptions are narrow:

  • Medical systems that detect emotional distress for therapeutic purposes (e.g., mental health screening tools used in clinical settings)
  • Safety systems that detect operator fatigue or impairment in safety-critical roles (e.g., drowsiness detection for truck drivers or heavy machinery operators)

These exceptions require the system to be specifically designed and validated for the medical or safety purpose.

How to audit: Pull up every AI system that reads human faces, voices, or body language. If it infers emotional states, even as a side feature, and it runs in a workplace or a classroom, treat it as prohibited unless the medical or safety exception genuinely applies. Attention analytics, engagement scoring, and sentiment analysis aimed at employees or students all belong on the watch list.

7. Biometric Categorisation on Sensitive Attributes

Article 5(1)(g) prohibits biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation.

What this means in practice:

The line here is about what you try to read off someone's body. The ban hits AI that uses biometric data, things like facial features, voice characteristics, or gait, to guess at sensitive personal traits. For example:

  • Facial analysis systems that attempt to infer race or ethnicity
  • Voice analysis systems that purport to detect sexual orientation
  • Gait or physiological analysis systems that claim to infer political or religious beliefs
  • Any biometric system designed to categorise individuals by sensitive attributes listed in Article 9 of the GDPR

Notice exactly where the focus sits: on the act of deducing or inferring sensitive traits from biometric data. It does not prohibit biometric categorisation tied to non-sensitive attributes (e.g., age estimation for age verification purposes), and it does not prohibit non-biometric categorisation based on sensitive attributes. The biometric-to-sensitive inference is the thing that is out of bounds.

How to audit: Take every AI system that processes biometric data and ask two questions. Does it categorise people or infer characteristics about them? And does any inferred characteristic land in the sensitive categories the prohibition lists? If the answer to both is yes, the system has to be discontinued or redesigned so that inference capability is gone.

8. Predictive Policing Based on Profiling

Article 5(1)(d) prohibits AI systems used for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics.

What this means in practice:

This is the "Minority Report" prohibition, and the key word is solely. It targets predictive policing systems that:

  • Predict an individual's likelihood of committing a crime based on their demographic profile, behavioural patterns, or assessed personality characteristics
  • Generate risk scores for individuals based on profiling rather than on concrete evidence of criminal activity
  • Feed such predictions into law enforcement targeting, surveillance allocation, or investigative prioritisation

That word does a lot of work. The prohibition bites on predictions based solely on profiling or personality assessment. A system that weighs criminal risk on objective evidence, such as material gathered during an active investigation, is not prohibited, though it may still land in the high-risk tier.

How to audit: Supply AI to law enforcement? Then check whether any system produces individual-level risk predictions from profiling. There is a useful dividing line here. Tools that forecast crime hotspots from historical incident data are location-based, not person-based, and generally escape this ban. Tools that pin a risk score on an identifiable individual because of their characteristics do not.

Conducting a Prohibition Audit

With penalties this steep (up to 35 million EUR / 7% of turnover) and the prohibitions already enforceable, guesswork is not an option. Every organisation should run a structured prohibition audit. Here is how we recommend you work through it:

Step 1: Scope the Audit

Review your complete AI system inventory. Include systems developed internally, third-party systems deployed by your organisation, and AI components embedded in products you distribute.

Step 2: Apply Each Prohibition

Take every system and run it past all eight categories, one at a time. For each, write down a clear yes or no: does this system engage in this prohibited practice? Then back that call with evidence about the system's design, purpose, data, and deployment context. A bare conclusion will not hold up; the reasoning behind it will.

Step 3: Escalate Borderline Cases

Sitting near a boundary? Escalate to legal counsel right away. Borderline cases are exactly the ones you should not try to read on your own.

Step 4: Remediate or Decommission

When a system falls inside a prohibition, the menu is short. You either redesign it to strip out the prohibited functionality completely, or you shut it down. There is no compliance pathway for prohibited practices: no licence to keep running, no mitigation that buys you time.

Step 5: Document and Monitor

Write down the audit results: the methodology, the evidence reviewed, the determinations made. Then keep a monitoring process running, so systems get re-evaluated as they evolve and as regulatory guidance clarifies the prohibition boundaries.

Assess Your Compliance Today

Prohibition screening is the very first thing any compliance programme should do, and the most urgent. That is exactly why we built it into AI Comply HQ. Our guided compliance interview includes a screening that takes your AI system's characteristics and tests them against all eight Article 5 categories, in plain language, one question at a time.

Walk through it once and you will know where you stand: whether any of your systems are at risk, and precisely what to do about it.

Start your free 7-day trial and screen your AI systems for prohibited practices today.

The prohibition provisions are already in force. This is not something to leave until the August 2, 2026 deadline. The exposure exists today, so screen your systems today.

Update: Where the Digital Omnibus Stands (June 12, 2026)

A quick note before you act on any date in this article. The Digital Omnibus is a simplification package the European Commission proposed on November 19, 2025. It would amend several EU digital laws at once, and for the AI Act it proposes two big changes: the high-risk obligations would apply later (December 2, 2027 for the stand-alone high-risk systems listed in Annex III, and August 2, 2028 for high-risk AI embedded in regulated products), and a number of requirements would be simplified along the way.

Here is the part that matters: none of this is law yet. The European Parliament and the Council reached a provisional agreement on May 7, 2026, and formal adoption is expected, but until the final text is adopted and published, nothing changes. The dates and obligations described in this article are the ones in force today. And the rules that already apply, like the prohibited practices and the AI literacy duty, stay exactly where they are no matter what happens to the Omnibus.

We are watching this closely. The moment the Omnibus is adopted, amended, or rejected, we will update this article to reflect the new EU AI compliance dates. Check back, or run the free 90-second risk check to see your obligations under the rules as they stand right now.
