Most EU AI Act compliance work focuses on the high-risk AI categories in Annex III: what documentation to prepare, which conformity procedures apply, how to register systems in the EU database. That is the right focus for most companies because most AI systems, if they fall under the Act at all, fall into the high-risk tier.
But Article 5 is different. The eight prohibited practices in Article 5 are not a risk management question. There is no documentation you can prepare, no conformity assessment you can pass, no risk mitigation you can apply that makes a prohibited AI practice compliant. The prohibition is categorical.
The prohibitions have been in force since February 2025. Enforcement is active. The penalties are the highest in the Act, up to 35 million euros or 7% of global annual turnover. If you have not audited your AI systems against this list, that audit is overdue.
TL;DR: EU AI Act Article 5 lists 8 categories of AI that are flatly banned. No risk assessment, no mitigation, no conformity procedure makes them compliant. They became binding in February 2025 and carry fines up to 35 million euros or 7% of global annual turnover. The 8 prohibited practices are: subliminal manipulation, exploitation of vulnerabilities, biometric categorization by sensitive characteristics, real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), social scoring leading to unjustified detrimental treatment (by public or private actors), crime prediction based solely on profiling, emotion recognition in workplaces or schools, and mass facial image scraping for recognition databases. Audit your AI systems against this list before any EU deployment.
Why Article 5 is different from everything else in the EU AI Act
The EU AI Act uses a risk-based approach for almost everything. High-risk AI can be deployed if requirements are met. Limited-risk AI can be deployed with disclosure obligations. Minimal-risk AI has no mandatory requirements.
Article 5 breaks this pattern. The eight prohibited practices are not high-risk AI that requires extra scrutiny. They are AI uses the EU legislature decided should not exist at all, regardless of safeguards.
The policy logic is that some AI applications pose risks so serious, or affect rights so fundamental, that no business justification or technical mitigation can make them acceptable. Manipulating people below their awareness. Exploiting children's vulnerability. Mass-scale surveillance of public space. Social scoring of citizens. These are not just risky; they are incompatible with the rights framework the EU AI Act is designed to protect.
This means the compliance question for Article 5 is binary: is this prohibited or not? There is no middle path.
The 8 prohibited practices: definition, scope, and exemptions
1. Subliminal manipulation
What it covers: AI systems that deploy subliminal techniques operating below the threshold of conscious perception to materially distort behavior in a way that causes or is likely to cause harm. Three conditions must all be met: below-conscious-awareness technique, material behavioral distortion, and harm.
What is not caught: Recommendation algorithms, personalized advertising, and persuasive content are not automatically prohibited even if highly effective. The prohibition targets exploitation of unconscious psychological mechanisms, not effective persuasion. The line is under active interpretive development.
Examples inside the ban: AI that embeds imperceptibly timed visual stimuli to trigger responses; systems exploiting microsleep states; advertising techniques targeting unconscious processes to drive harmful behavior changes.
2. Exploitation of vulnerabilities
What it covers: AI systems that exploit specific vulnerabilities of persons due to their age, disability, or social/economic situation to materially distort behavior in a way that causes harm.
What is not caught: Accessibility features, age-appropriate content, and marketing based on genuine product relevance are not caught. The prohibition targets exploitation of vulnerability, not awareness of it.
Examples inside the ban: Identifying elderly users with cognitive decline to push unsuitable financial products; detecting economic precarity to drive high-interest loan uptake; targeting children with addictive design patterns via AI-identified vulnerability signals.
3. Biometric categorization by sensitive characteristics
What it covers: AI systems that categorize persons based on biometric data to infer race, political opinions, trade union membership, religious or philosophical beliefs, sexual orientation, or health.
What is not caught: Biometric identification for authentication (confirming who someone is) is not prohibited. The prohibition covers inference of sensitive characteristics, not identity verification.
Examples inside the ban: Systems that analyze facial features or gait to classify political affiliation; inferring religious identity from physical appearance; using biometric signals to enrich profiles with special-category data.
4. Real-time remote biometric identification in public spaces
What it covers: Real-time remote biometric identification (RTBI) in publicly accessible spaces for law enforcement purposes.
Narrow exceptions: Law enforcement may use RTBI in three circumstances only: finding missing persons or trafficking victims; preventing an imminent terrorist threat; identifying serious criminal suspects. Each requires prior judicial or independent administrative authorization.
What is not caught: Post-event footage analysis is treated separately under Article 10. Private-sector facial recognition for access control on consenting users is not caught by this provision, though GDPR still applies. This prohibition primarily affects law enforcement technology vendors, not most private companies.
5. Social scoring
What it covers: AI that evaluates or classifies persons over time based on social behavior or personal/personality characteristics, where the resulting social score leads to detrimental or unfavorable treatment in social contexts unrelated to where the data was generated, or to treatment that is unjustified or disproportionate. Contrary to a common misconception, this prohibition applies to both public and private actors, not only governments. State-run social credit systems are the clearest example, but a private platform that scores users across unrelated contexts can also fall within it.
What is not caught: Context-specific, lawful scoring within a single justified domain. Private lender credit scoring is regulated as high-risk AI under Annex III rather than prohibited, because it is confined to the credit context and a legitimate purpose. Rideshare driver ratings and benefit-eligibility determinations within a specific legal context are similarly outside the ban. The distinguishing feature of prohibited social scoring is cross-context evaluation producing disproportionate or unrelated detriment, not the identity of the operator.
6. Prediction of crime or reoffending risk based solely on profiling
What it covers: AI that assesses crime or reoffending risk based solely on profiling or personality trait assessment, without individualized behavioral evidence.
Key word: Solely. Systems that use profiling as one input alongside actual criminal history or specific circumstantial evidence are not automatically caught. The prohibition targets purely algorithmic demographic profiling, not evidence-informed risk tools that include individualized data.
7. Emotion recognition in workplace and educational settings
What it covers: AI systems that infer the emotional states of persons in workplace or educational settings. There is an exception for medical or safety applications: drowsiness detection for heavy equipment operators, vital sign monitoring in safety-critical roles.
What is not caught: Customer service emotion analysis (directed at customers, not workers) and text-based sentiment analysis that does not infer individual emotional state.
Examples inside the ban: Analyzing employee facial expressions or voice tone to infer mood or engagement; student attention-monitoring that infers emotional state; AI interview tools scoring candidates on inferred emotional signals.
8. Scraping facial images for recognition databases
What it covers: Untargeted scraping of facial images from the internet or CCTV footage to build or expand facial recognition databases.
What is not caught: Targeted collection with individual consent or under specific law enforcement authorization.
Examples inside the ban: Scraping social media at scale to populate a facial recognition system; buying datasets assembled through scraping; using CCTV footage to build recognition enrollment databases without consent.
How to audit your AI systems against Article 5
Article 5 compliance requires a systematic audit of your AI portfolio. Here is a four-step process:
Step 1: List all AI systems deployed or under development that will be used in the EU. Include vendor-supplied systems where you are the deployer. The prohibition applies to both providers and deployers.
Step 2: For each system, answer eight binary questions. Does this system use subliminal techniques? Does it target specific vulnerabilities? Does it categorize by sensitive biometric characteristics? Does it conduct real-time biometric identification in public spaces? Is it a social scoring system for a public authority? Does it predict crime risk solely from profiling? Does it detect emotion in workers or students? Does it scrape facial images at scale? Yes to any means prohibited.
Step 3: For any system that raises a question, get legal review before deployment. The grey areas (especially subliminal manipulation boundaries and emotion detection edge cases) require legal interpretation, not just a technical assessment. Document the legal review.
Step 4: Document the audit. For each system, record that the Article 5 audit was conducted, by whom, when, and the outcome. For systems that were audited and found clear, that record is evidence of due diligence. For systems that were modified or discontinued based on the audit, document what changed.
Edge cases to watch
Persuasive AI and recommendation engines: The subliminal manipulation prohibition does not ban effective persuasion, but the line between highly effective persuasion and techniques operating below conscious awareness is genuinely unclear in some implementations. If your AI uses techniques from behavioral science that specifically exploit cognitive biases rather than providing information and making a case, get legal review.
Customer service emotion detection: Sentiment analysis of customer interactions that infers emotional state from voice patterns or language is not covered by the workplace prohibition (which covers workers, not customers) but may be caught by the biometric categorization prohibition if the emotional inference is derived from biometric-like signals. The safest position is to avoid inferring emotional state of specific individuals from voice patterns without explicit consent and a clear lawful basis under GDPR.
AI-assisted hiring tools: These raise multiple Article 5 questions. Emotion detection during AI video interviews is prohibited. Biometric categorization from video is prohibited. Personality profiling as a sole basis for rejection is close to the crime prediction prohibition by analogy, though hiring is not explicitly covered by that provision. EU-deployed AI hiring tools need thorough Article 5 review as well as separate high-risk AI compliance under Annex III.
Penalties and enforcement
Article 5 violations carry the highest penalty tier: up to 35 million euros or 7% of total worldwide annual turnover, whichever is higher. For context, this is more than twice the maximum for high-risk AI violations (15 million euros / 3%) and reflects the absolute nature of the prohibition.
National market surveillance authorities (each EU member state designates one) enforce the AI Act. The European AI Office has direct oversight of GPAI models and systemic-risk AI. Complaints can be brought by affected individuals, consumer organizations, or competitors. There is no private right of action under the Act itself, but violations can be used as evidence in GDPR complaints and national civil litigation.
Given that the prohibitions took effect in February 2025, any company that deployed a prohibited AI practice in the EU between February 2025 and now has retroactive exposure. This does not mean enforcement will be retroactive as a practical matter, but it is a material disclosure and liability question for companies evaluating their compliance posture.
