The prohibitions in Article 5 of the EU AI Act became enforceable on February 2, 2025. That means every system on this list is already illegal to place on the EU market or put into service, and has been for over a year. As of mid-2026, no public enforcement actions have been announced under Article 5, but multiple investigations are reportedly underway, particularly around workplace emotion recognition systems and predictive policing tools.
Your organization may already be using tools that touch these categories. Sentiment analysis software in your contact center. AI-powered recruitment screening. Productivity monitoring platforms that track behavioral patterns. Fraud scoring models that draw on social behavior signals. None of these are inherently prohibited, but each one has configurations and use cases that are. The difference between compliant and non-compliant often sits in a feature your vendor enabled by default.
TL;DR
- Article 5 of the EU AI Act outright prohibits eight categories of AI practice, enforceable since February 2, 2025, with fines reaching €35 million or 7% of global annual turnover.
- Workplace emotion recognition, social scoring, real-time facial identification in public spaces, and systems that exploit user vulnerabilities are all prohibited, subject only to narrow exceptions.
- The EU Commission published guidelines on prohibited practices (finalized July 2025) that clarified some grey areas around emotion recognition for training and safety use cases, but left others unresolved.
- A new prohibition on AI-generated non-consensual intimate imagery (NCII) and child sexual abuse material (CSAM) takes effect December 2, 2026 under the Digital Omnibus amendments.
- Organizations need to audit their AI portfolio against the eight prohibited categories now, before national market surveillance authorities begin enforcement actions.
The Eight Prohibited Practices, Translated for Business
Article 5 of the EU AI Act bans eight specific AI applications. The legal text is precise but technical; below is what each prohibition means in practice for organizations deploying AI tools.
(a) Subliminal and deceptive manipulation
Prohibited: AI systems that "deploy subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques" to materially distort a person's behavior in a way that causes or is likely to cause significant harm.
In practice, this targets AI systems designed to exploit cognitive biases or nudge users toward decisions through mechanisms they cannot perceive or resist. A legitimate personalization engine that shows relevant product recommendations is not this. A system that exploits a user's documented psychological vulnerability by timing prompts around emotional state data is.
The "significant harm" requirement is where most grey-area disputes will concentrate. The Commission's guidelines make clear that harm need not be realized: a risk of significant harm is sufficient. They also clarify that personalized advertising is not inherently manipulative if it is transparent and based on openly disclosed preferences — the prohibition targets covert exploitation of unconscious biases, not all forms of preference-based targeting.
(b) Exploitation of vulnerabilities
Prohibited: AI systems that exploit vulnerabilities specific to a group of people, including age (children), disability, or socioeconomic circumstances, to materially distort their behavior in a way that causes or is likely to cause significant harm.
This prohibition is closely related to (a) but is specifically concerned with targeting. An AI system that applies the same marketing pressure to all users might not be prohibited under (a); the same system configured to identify and apply higher-pressure techniques specifically to individuals identified as financially distressed, cognitively impaired, or under eighteen is prohibited under (b).
For financial services companies using credit or insurance AI: scoring models that incorporate socioeconomic vulnerability indicators to push higher-cost products warrant careful review against this prohibition.
(c) Social scoring by public authorities
Prohibited: AI systems used by or on behalf of public authorities to evaluate or classify natural persons or groups based on social behavior or personal characteristics, resulting in detrimental, unjustified, or disproportionate treatment unrelated to the context of the original data collection.
This is the provision most associated with government "social credit" systems. It applies to public authorities, not private organizations, though sub-contractors acting on behalf of public bodies fall within scope. Private companies using behavioral scoring systems for credit, insurance, or tenancy decisions are more likely to engage the high-risk AI provisions (Annex III) than Article 5(c), unless a public authority is directing the processing.
(d) Predictive policing based solely on profiling
Prohibited: AI systems that "make risk assessments of natural persons" for the purpose of predicting criminal offenses "based solely on the profiling of a natural person or on assessing their personality traits and characteristics."
The critical word is "solely." An AI system that predicts crime risk based on a person's demographic profile, social media behavior, or past convictions without any independently verifiable objective facts linked to criminal activity is prohibited. A system that supplements a human investigator's assessment with objective, verified behavioral evidence is not. The line is narrow, and the Commission's guidelines indicate it will be interpreted strictly.
Law enforcement authorities using any predictive policing AI tool should audit it against this standard before August 2026, when national market surveillance authorities gain full enforcement powers.
(e) Facial image databases built through untargeted scraping
Prohibited: AI systems that "create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage."
This provision specifically targets how databases are built, not necessarily how they are used. Building a facial recognition training dataset by systematically scraping social media profiles, news photo archives, or public CCTV feeds is prohibited. The "untargeted" qualifier leaves room for some law enforcement uses (targeted scraping for identified suspect images), but the Commission's guidelines note that this exception is narrow and must be justified by a specific investigation, not speculative future use.
Clearview AI's practices are the archetypal example: harvesting billions of facial images from public sources to build a recognition database without any individualized targeting. The Dutch DPA fined Clearview €30.5 million in 2024 for GDPR violations arising from the same conduct.
(f) Emotion inference in workplaces and educational institutions
Prohibited: AI systems inferring the emotions of a natural person in workplaces or educational institutions, except where used for medical or safety reasons.
This is the prohibition generating the most compliance questions in mid-2026, because the category of "emotion recognition" overlaps with tools many organizations already use: sentiment analysis in customer service, engagement scoring in e-learning platforms, and attention detection in proctoring software.
The EU Commission's July 2025 guidelines clarified several points:
Scope of "workplace." The prohibition applies to any setting where work is performed, including remote workplaces, and covers hiring and recruitment processes. A vendor assessment platform that scores candidates' emotional displays during a recorded interview is prohibited under Article 5(f).
Safety and medical exceptions are real but narrow. A fatigue detection system in a heavy machinery or vehicle context is permitted under the safety exception. The Commission's guidelines clarified that the safety exception is not a general door for industrial wellness monitoring — it requires a genuine, specific safety justification.
Training use: a contested grey area. The Commission's guidelines suggested that emotion recognition tools used for employee training purposes might be permissible if results are not shared with HR, do not affect employment decisions, and have no impact on the work relationship. However, this carve-out is not in the Act's text or recitals, and legal commentators have questioned whether this guidance will survive scrutiny if challenged. Organizations relying on it should document the specific training purpose rigorously and ensure no HR impact can be attributed to the system.
Emotion recognition does not include physical state detection. A system that detects whether a driver is drowsy, or whether a worker is showing signs of heat exhaustion, is detecting physical states, not emotions, and falls outside Article 5(f).
If your organization uses any sentiment analysis or affect detection tool in a workplace or educational context, review whether it falls within the medical or safety exceptions — and if it doesn't, assess whether it should be shut down or replaced with a compliant alternative. The EU's overall AI governance framework links Article 5 compliance back to your broader risk management structure.
(g) Biometric categorization to infer sensitive attributes
Prohibited: AI systems that categorize natural persons individually based on biometric data to deduce or infer their race, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation.
This targets a specific use of biometric data: using physical appearance, facial geometry, voice, or gait as inputs to infer protected characteristics. Note that the biometric data being categorized here almost always also constitutes special category data under GDPR Article 9, meaning EU AI Act Article 5(g) and GDPR Article 9 violations are typically concurrent. The prohibition applies to the inferential output, not the biometric input itself. An identity verification system that reads a fingerprint to confirm "this is person X" is not prohibited here. A system that reads facial geometry to infer "this person is probably a member of a trade union" or "this person's racial origin is likely Y" is prohibited.
The exception for "lawful dataset labeling" in law enforcement contexts is narrow: it applies to the labeling of existing biometric training data for legitimate law enforcement purposes, not to general research or commercial use.
(h) AI-generated non-consensual intimate imagery and CSAM
Prohibited (effective December 2, 2026): AI systems that generate or manipulate realistic depictions of an identifiable person's intimate parts or sexually explicit activities without their explicit, freely given consent. A parallel prohibition applies to systems generating child sexual abuse material.
This prohibition was added by the Digital Omnibus package adopted in May 2026. The effective date is December 2, 2026. AI providers placing systems on the EU market must implement technical safeguards preventing these uses before that date, not after enforcement begins.
Common Enterprise Tools and Where Article 5 Applies
| Tool category | Potential Article 5 trigger | Verdict | What to check |
|---|---|---|---|
| Contact center sentiment analysis | Art. 5(f): emotion inference in workplace | Likely compliant if analyzing conversation quality, not employee emotional state; prohibited if inferring employee emotions for performance scoring | Is the system analyzing customer sentiment or employee emotional state? |
| HR recruitment AI with behavioral scoring | Art. 5(f): emotion inference in hiring; Art. 5(a): manipulation via deceptive assessment | High risk — hiring is explicitly in scope for Art. 5(f) | Does the system infer emotional states from video/audio of candidates? |
| Workplace productivity monitoring | Art. 5(a)/(b): manipulation, vulnerability exploitation | Depends on configuration — pattern analysis prohibited if used to apply coercive pressure based on inferred vulnerability | Does the system identify and respond differentially to vulnerable employees? |
| Fraud scoring with behavioral signals | Art. 5(c)/(d): social scoring, criminal profiling | Risk if scoring based solely on behavioral/social patterns with no objective corroborating facts | Is scoring corroborated by objective, verifiable facts, or purely behavioral? |
| Facial recognition for access control | Art. 5(e): database expansion via scraping | Prohibited if building database through untargeted image collection; access control using pre-enrolled images is not in scope | How was the facial recognition database built? |
| Proctoring and exam monitoring AI | Art. 5(f): emotion inference in education | High risk if inferring emotional states to flag cheating or engagement | Does the system infer emotions, or just attention direction or screen activity? |
| Ad targeting with socioeconomic signals | Art. 5(b): vulnerability exploitation | Prohibited if targeting financially distressed individuals with high-cost product offers based on inferred vulnerability | Does the model identify financially vulnerable users for differential treatment? |
What the Commission's Guidelines Clarified (and What They Didn't)
The European Commission published its guidelines on prohibited AI practices in July 2025. The document clarified several genuinely contested points but left others unresolved.
Clarified: the scope of "workplace" for emotion recognition. The Commission confirmed that "workplace" should be interpreted broadly to include remote working environments and hiring processes. This resolved industry uncertainty about remote employee monitoring tools.
Clarified: the training exception for emotion recognition. The Commission suggested (though did not formally codify) that emotion recognition tools used purely for employee training, without HR impact, might fall outside the prohibition. The status of this guidance remains legally uncertain.
Clarified: social scoring targets public authorities specifically. Article 5(c) applies to public authorities and those acting on their behalf. Private sector behavioral scoring does not fall under 5(c) but may engage Annex III high-risk provisions.
Not clarified: proportionality under the vulnerability exploitation ban. The guidelines did not provide clear thresholds for when a behavioral targeting system exploits "vulnerabilities" versus lawfully targeting affinity groups. This is where financial services and insurance AI compliance questions remain open.
Not clarified: what constitutes "untargeted" scraping. The Commission did not define what scale or specificity of facial image collection transitions from targeted to untargeted. Research institutions and security companies building proprietary datasets for legitimate purposes face continuing uncertainty.
For organizations with complex AI portfolios, an AI governance platform must map these grey areas against your specific tools, not just check a list of obvious violations.
How to Audit Your AI Portfolio for Article 5 Exposure
Running an Article 5 audit requires more than reviewing vendor documentation. Many tools that touch prohibited categories are sold under neutral names ("behavioral analytics," "smart recruitment," "workforce intelligence") that don't surface the prohibited functionality in the product description.
Step 1: Inventory every AI tool in use across the organization. This means procurement records, IT shadow-spend analysis, and department-level discovery. AI tools adopted directly by HR, marketing, security, and customer service teams without central IT involvement are common sources of Article 5 exposure that compliance teams miss. A systematic AI inventory is the foundation everything else depends on.
Step 2: Map each tool against the eight prohibited categories. For each tool, ask: does this system infer emotional states (Article 5(f))? Does it derive protected characteristics from biometric data (Article 5(g))? Does it generate criminal risk scores based on behavioral profiling without objective corroborating facts (Article 5(d))? Does it differentially target users based on vulnerability signals (Article 5(b))?
Step 3: Assess the prohibited function, not the product category. A fraud detection tool is not prohibited merely because fraud detection falls under Article 5(d). It is prohibited only if it makes criminal risk assessments "based solely on profiling" without objective, verifiable facts. The audit question is always about how the tool works, not what category the vendor markets it as.
Step 4: Review vendor documentation and request the technical file. For high-risk AI systems (Annex III), providers are required to maintain technical documentation under Article 11. For prohibited categories, the relevant question is whether the vendor's documentation discloses the functionality that might trigger Article 5. If a vendor cannot or will not disclose how their risk scoring or emotion detection works, that is itself a procurement red flag — third-party AI vendor due diligence should include Article 5 screening as a standard checkpoint.
Step 5: Withdraw or modify non-compliant systems before enforcement begins. The prohibition has been in force since February 2025. The enforcement infrastructure at national level (market surveillance authorities) became fully operational in August 2026. Organizations that identify prohibited systems need to withdraw or reconfigure them now, not after a complaint is filed. The EU AI Act's overall compliance calendar shows Article 5 as the earliest and highest-stakes deadline in the entire regulation.
Step 6: Document your analysis. An Article 5 compliance audit without documentation provides no protection. If a regulator investigates a complaint about a tool your organization uses, your defense is the paper trail showing when you identified the issue, what analysis you did, and what action you took. A Fundamental Rights Impact Assessment for any tool touching these categories creates that paper trail.
How Secure Privacy Supports EU AI Act Article 5 Compliance
Managing Article 5 compliance across a real enterprise AI stack requires more than a one-time legal review. AI tools are adopted continuously, vendor capabilities change, and the same platform can be configured in ways that are compliant or prohibited depending on which features are enabled.
Secure Privacy's Privacy & AI Governance Platform provides the operational structure for ongoing Article 5 management:
AI Governance module: Register and classify AI systems across the organization, mapping each against the EU AI Act's risk tiers and specifically flagging systems with characteristics associated with the eight prohibited categories. The module tracks vendor changes, configuration updates, and new AI procurement against the registered risk profile.
AI Impact Assessments: The platform's assessment workflows include Fundamental Rights Impact Assessment templates aligned to EU AI Act Article 9(9) requirements and the Commission's guidance on prohibited practices. For tools in grey-area categories, a documented FRIA serves as the compliance record demonstrating good-faith analysis.
Vendor Management for AI procurement: Article 5 exposure often enters through the vendor supply chain. The Vendor Management module supports AI-specific due diligence checklists that surface prohibited functionality before procurement is completed, rather than during a post-incident audit.
Regulation tracking across 60+ regulations: The platform's multi-regulation coverage keeps Article 5's evolving compliance picture updated as the Commission issues further guidelines and national authorities begin publishing enforcement positions. The December 2026 Article 5(h) deadline is tracked as a workflow milestone.
Frequently Asked Questions
Are all eight Article 5 prohibitions already in force?
Seven of the eight prohibitions, the original set, have been enforceable since February 2, 2025. The eighth, covering AI-generated non-consensual intimate imagery and CSAM (added by the Digital Omnibus package), takes effect on December 2, 2026. All seven original prohibitions apply both to systems placed on the market after February 2025 and to systems that were already in service before that date.
What is the penalty for violating Article 5?
Up to €35 million or 7% of total global annual turnover, whichever is higher. This is the highest penalty tier in the EU AI Act and applies specifically to the prohibited practices in Article 5. It is calculated on total worldwide turnover, not EU-specific revenue.
Does Article 5 apply to organizations outside the EU?
Yes, if the AI system is placed on the EU market or put into service in the EU, or if the output of the AI system is used in the EU. A US company deploying a social scoring or emotion recognition tool that is used by employees, customers, or citizens in the EU is within scope.
Is our contact center sentiment analysis tool prohibited under Article 5(f)?
It depends on what the system analyzes. If the sentiment analysis tool analyzes customer emotional tone to improve service quality or route calls effectively, Article 5(f) likely does not apply (the prohibition targets workplace emotion inference, meaning employee emotional states, not customer sentiment). If the same tool also analyzes contact center agents' emotional states for performance monitoring or HR scoring purposes, that component is prohibited. Most enterprise sentiment analysis platforms serve both purposes: check which use case is being deployed.
What does "solely" mean in the predictive criminal risk prohibition?
"Solely" in Article 5(d) means the criminal risk assessment is based entirely on profiling, personality traits, or personal characteristics, with no independently verifiable objective facts directly linked to criminal activity. A system that factors in verified past criminal convictions as one data point among others is not automatically prohibited, though it may engage Annex III high-risk provisions. A system that predicts future criminality purely from behavioral profiling, location history, or social network analysis, without objective corroborating evidence, is prohibited.
Can we use facial recognition for access control without triggering Article 5(e)?
Yes, if the facial recognition database was built using enrolled images with the consent or knowledge of the individuals enrolled, and if the images were not obtained through untargeted scraping of the internet or CCTV feeds. Article 5(e) prohibits the creation or expansion of facial recognition databases through untargeted scraping. It does not prohibit all use of facial recognition systems or all facial recognition databases. The relevant question is how the database was constructed.
How does Article 5 interact with GDPR for systems that process special category data?
Article 5 prohibitions are independent of GDPR compliance. A system can violate Article 5 without violating GDPR (for example, a social scoring system that processes only publicly available data with a GDPR-valid basis) or violate both simultaneously (a workplace emotion recognition system that also processes biometric data without Article 9 consent). Organizations auditing Article 5 compliance should run parallel GDPR special category checks, particularly for emotion recognition and biometric categorization systems that involve special categories of personal data under Article 9.




