
Insight · Compliance and the EU AI Act

Is AI for contract review “high-risk” under the EU AI Act? Mostly no, and that matters.

Most internal contract work sits in the Act’s two lowest risk tiers. Knowing which tier each use case sits in is what unfreezes the project.

There is a meeting where legal AI projects go to die. Someone proposes extracting key terms from the contract repository. Someone else says the words “EU AI Act.” Nobody in the room can say with confidence which part of the Act applies, so the safe move is to park the project pending review. Parked projects rarely come back.

The assumption doing the damage is that the Act treats all AI the same way: conformity assessments, registrations, audits, the full weight of a product-safety regime. For a legal team already short on hours, that reads as “not worth it.”

The Act does not work that way. It sorts AI systems into four risk tiers by what they are used for, and most internal contract work sits in the lowest two. Knowing that changes the question from “are we allowed to do this?” to “which of our use cases are cheap to clear, and which need real design work?” The first question freezes projects. The second one plans them.

Four tiers, sorted by use, not by technology

The Act regulates uses, not models. The same language model can sit in three different tiers depending on what its output is allowed to decide. That is why “is AI allowed?” is the wrong question, and “what does this system decide?” is the right one.

[Tier map: the four EU AI Act risk tiers, sorted by use, not by technology. Two markers on it: the line that matters, with automated decisions about people sitting above it, and the limited tier, where internal contract extraction generally sits.]

Limited tier: transparency obligations

What lands here

  • Chatbots and assistants that interact with people
  • AI-generated content shown to humans

What the Act asks

Tell people when they are dealing with AI, and mark AI-generated content as such.

Where contract review AI stands

A contract-assist tool that surfaces terms to a lawyer typically sits here. Disclose the AI involvement, keep a person in the loop, and the obligation is met.


Internal contract extraction, the kind where a system reads agreements your team already holds, proposes structured values with citations, and a lawyer reviews before anything depends on the output, generally lands in limited to minimal. Nobody’s loan is denied. Nobody’s job application is filtered. No biometric is scanned. The uses that earn the high-risk label are a different category of thing, and a renewal-date tracker is not in it.

One plain caveat: this is practical guidance for planning and sequencing, not legal advice. The tier call on a specific production system belongs with your counsel.

A prioritization tool wearing a compliance costume

The risk tier is one gate among several that an AI contract-review project has to clear. You still need extraction you can trace back to a clause, a system honest enough to route its uncertain work to a person, and a straight answer on where your contract data goes. Each of those is its own discipline, and each one fails projects independently of the Act.

But the tier question deserves to come first, because it is not really a compliance hurdle. It is a sorting function. Map your candidate use cases against the tiers and the build order falls out on its own: the safe, buildable work first, the oversight-heavy work second, the automated decisions about people not at all.

The boundary worth watching

Tiers attach to uses, and uses drift. The pipeline that fills a renewal tracker today can be wired tomorrow to auto-reject vendors, score counterparties, or feed a decision about an individual employee. The moment output stops being reviewed by a person and starts deciding something about a person, the use case starts moving up the map, and the obligations climb steeply.

  • Assist: extraction fills the renewal tracker, and a lawyer reviews flagged terms before anyone acts on them. Stays limited / minimal.
  • Decide: the same pipeline auto-rejects vendors, scores counterparties, or triggers action on an employee, with no person between output and outcome. Drifts toward high-risk.

Same model, same pipeline. The tier follows the decision, not the technology.

The protection has to be built in, not promised. If the human checkpoint is designed into the system from the start, drift cannot happen quietly: removing the reviewer becomes a deliberate, visible decision someone has to make and defend, instead of a configuration change nobody noticed.
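The checkpoint described above, written out as an added example (not code from the article or the demo it describes): unreviewed output cannot drive an action at all, and the only way past the reviewer is a named override with a written justification, which lands in the same audit trail as the review itself. All names and the sample contract text are constructed for the example.

```python
# Added example, not from the article: a contract-extraction pipeline in which
# the human checkpoint is structural rather than a configuration toggle.
from dataclasses import dataclass, field
from typing import Optional


class ReviewRequired(Exception):
    """Raised when output would drive an action before a person has reviewed it."""


@dataclass
class Extraction:
    contract_id: str
    field_name: str
    value: str
    citation: str                      # clause text the value was taken from
    reviewed_by: Optional[str] = None  # set only by review(), never by extract()


@dataclass
class Pipeline:
    audit: list = field(default_factory=list)

    def extract(self, contract_id: str, text: str) -> Extraction:
        # Constructed stand-in for a model call: pull a renewal date with its citation.
        marker = "renews on "
        start = text.index(marker) + len(marker)
        value = text[start:start + 10]
        return Extraction(contract_id, "renewal_date", value,
                          f"{contract_id}: '{text[start - len(marker):start + 10]}'")

    def review(self, ex: Extraction, reviewer: str) -> Extraction:
        # The only path that marks output as reviewed; it is recorded, not silent.
        ex.reviewed_by = reviewer
        self.audit.append(("reviewed", ex.contract_id, ex.field_name, reviewer))
        return ex

    def act(self, ex: Extraction, action: str,
            override_by: Optional[str] = None, justification: Optional[str] = None) -> str:
        """Consume an extraction. Unreviewed output is refused unless a named person
        takes responsibility in writing; that override is itself an audited event."""
        if ex.reviewed_by is None:
            if not (override_by and justification):
                raise ReviewRequired(f"{action} on {ex.contract_id}.{ex.field_name} needs a reviewer")
            self.audit.append(("override", ex.contract_id, ex.field_name, override_by, justification))
        self.audit.append((action, ex.contract_id, ex.field_name, ex.value))
        return f"{action}:{ex.contract_id}:{ex.value}"
```

Removing the reviewer here means calling act() with an override that names a person and a reason, so the "Decide" drift from the comparison above shows up in the audit log the first time it happens.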

What still applies in the lower tiers

Limited and minimal does not mean nothing. A handful of baseline duties still apply: transparency, human oversight, data governance, record-keeping. GDPR and professional duty point the same way regardless, and they are what a system you can defend looks like. The data-governance side of that gets the full treatment in "Where does our contract data go?"

A system that can show these duties on screen makes the AI Act conversation short. If a tool you are evaluating cannot show them, the Act is not your obstacle. The tool is.

Sequence by tier: what to build first

This is what the map buys you. Sort candidate use cases by tier and by how much oversight design they need, and the build order is mostly decided for you.

1 · Fast yes

Build first

Internal assist, a human reviews the output. Limited to minimal tier; the obligations are met by good engineering you would want anyway.

  • Key-term extraction into a contract register
  • Clause lookup across the existing repository
  • Renewal and obligation date tracking
  • Duplicate and anomaly checks against prior contracts

2 · Oversight first

Design the checkpoint, then build

Buildable, but the human checkpoint and the disclosure have to be designed before the pipeline, not bolted on after.

  • Risk scoring that feeds an approval workflow
  • Anything counterparty-facing, where AI use must be disclosed
  • Drafting that leaves the building

3 · Leave the decision human

Do not automate the call

Where automating the final decision invites the high-risk tier, and is a bad idea regardless of regulation.

  • Decisions about individual employees
  • Credit-like judgments about people
  • Any output that, unreviewed, changes someone’s rights

A build order that falls out of the tier map. Column one alone is usually a year of useful work.

Most legal teams find the first column alone holds a year of genuinely useful work. Read correctly, the Act is not a reason to wait. It is a decent map of where to start.

The proof

See where it lands on the map.

The working demonstration that accompanies this series places contract extraction on this exact map. Open the “How this scales in your org” tab: the risk-tier framing sits alongside the deployment and data-governance questions that come after it.

Twenty synthetic contracts, no sign-up, and the accuracy numbers are published, gaps included.
