Visual walkthrough — AI governance and regulation (EU AI Act)
Everything here builds on the parent topic. We go slower and draw more.
Step 1 — Start with the only thing that matters: possible harm
WHAT. Forget rules for a moment. Take any AI system and ask one question: if this thing goes wrong, how badly can a human be hurt? We put that on a single line — a number line of harm, from "nobody cares" on the left to "someone's life is ruined" on the right.
WHY this and not something else? We could have sorted AI by how it works (neural net vs. decision tree), or by who built it, or by how much it costs. But the law's job is to protect people, not to grade engineering. So the sorting axis must be the thing people actually feel: harm. Every later decision falls out of this one choice.
PICTURE. Look at the amber arrow. It only points one way — increasing harm. A spam filter sits near the left (worst case: a real email lands in junk). A tool that decides who goes to prison sits near the far right.

Here is not a formula you compute — it is the axis everything else hangs on. Hold onto it.
Step 2 — Rules cost something, so we can't apply them everywhere
WHAT. Now introduce a second, opposing quantity: compliance burden — the paperwork, testing, audits, and money a rule costs the builder. Every rule has a price.
WHY? If rules were free we'd slap the strictest ones on everything and be done. They aren't free. Crushing a harmless spam filter with the same audits as a cancer detector would kill useful, safe AI for no gain. So we now have a tension:
- — how much a person can be hurt (from Step 1).
- — how heavy the rulebook is on the person who builds the AI.
WHY these two and not more? Because good regulation is exactly the act of balancing these two. Too little where is high → people get hurt. Too much where is low → innovation dies. The whole law is the search for the right match between them.
PICTURE. Two arrows pulling opposite ways on the same system. The Act's genius is to make follow .

Step 3 — The core rule: make burden track harm
WHAT. State the central principle in one line. The rule-load should rise with the harm:
Read the symbol as "goes up together with." It says: as harm gets bigger, the burden gets bigger too. Where is tiny, should be tiny. Where is huge, should be huge.
WHY proportional, not equal, not flat?
- Flat ( = constant, same rules for all) — treats a chess bot like a bail-decision engine. Absurd.
- Equal (, exact match) — we can't measure either precisely enough. We only know rough bands of harm.
- Proportional in bands — group systems into a few harm-brackets, give each bracket its own rule-weight. This is the risk-based approach named in the parent note.
PICTURE. A staircase, not a smooth ramp — because we sort into brackets, not exact numbers. Each step up in harm is a step up in burden.

Step 4 — Cut the harm axis into four brackets
WHAT. Take the harm line from Step 1 and place three cut-lines on it, splitting it into four regions. Reading left (safe) to right (dangerous):
- Minimal — harm so small the law shrugs.
- Limited — harm is mostly being fooled: you think you're talking to a person, you're not.
- High — harm hits your rights or safety: your job, your health, your freedom.
- Unacceptable — harm is so deep it attacks human dignity itself.
WHY four, and why these cuts? The cut-lines aren't arbitrary — each sits where the kind of harm changes, not just the amount:
- Minimal → Limited: the harm becomes deception (you didn't know it was AI).
- Limited → High: the harm becomes material damage to a life (lost job, wrong diagnosis).
- High → Unacceptable: the harm becomes incompatible with fundamental rights — no amount of paperwork can make it OK.
PICTURE. The same amber harm-axis, now chopped into four coloured bands with the cut-lines labelled by why each cut exists.

Step 5 — Read off the burden for each bracket
WHAT. Apply Step 3's rule () to each of the four bands. Higher band → heavier rulebook:
| Band | Harm | Burden |
|---|---|---|
| Minimal | tiny | none |
| Limited | deception | transparency only ("this is AI") |
| High | rights/safety | full compliance kit (docs, testing, human oversight, logs) |
| Unacceptable | dignity | banned — infinite burden = forbidden |
WHY does "banned" fit the same rule? Watch the top of the staircase. As dignity-level, the burden needed to make it safe goes to infinity — there is no paperwork that makes government social-scoring acceptable. A burden you can never satisfy is a prohibition. So the ban isn't a special case bolted on — it's the staircase's last step going straight up off the page.
PICTURE. The staircase from Step 3, now with each step named and the top step turned into a red wall.

Step 6 — Edge case: what happens exactly on a cut-line?
WHAT. A system that sits right on the High/Unacceptable boundary — e.g. facial recognition. Is it banned or just heavily regulated?
WHY this needs its own step. A staircase edge is a degenerate point — the reader must never hit it unprepared. The Act resolves it by asking a sub-question: is the harm always present, or only in a narrow use?
- Real-time face-scanning of crowds in public → dignity-level harm, always → banned wall.
- Post-event review of one recording, with a judge's approval → harm is bounded and overseen → drops one step down into High.
So the same technology lands in different bands depending on how it's used. The classification axis was never "the tech" — it was always (Step 1), and depends on deployment.
PICTURE. One camera icon splitting into two arrows — one hitting the red wall (real-time, public), one dropping to the High step (post-hoc, judge-approved).

Step 7 — Degenerate case: the zero-harm and general-purpose systems
WHAT. Two boundary inputs that break naive sorting:
- (truly harmless AI, e.g. a game's enemy pathfinding). Where does it go?
- A model that could be used for anything (a general-purpose model — today's large language models), so isn't fixed.
WHY. Step 1 assumed every system has a definite harm value. These two break that:
- : falls into Minimal — the staircase's ground floor, burden = 0. The rule still works; it just outputs "no obligations."
- General-purpose: is undefined because it depends on the downstream use. The Act's fix: regulate the capability with a separate transparency-and-documentation layer, then let each deployment be re-sorted into a band. One model can therefore create obligations in several bands at once.
PICTURE. The ground floor (H = 0) plus a general-purpose model shown as a fan of arrows landing in multiple bands.

The one-picture summary
Everything above compressed into a single blueprint: the harm axis (Step 1), the two opposing arrows and (Step 2), the proportional rule (Step 3), the four brackets and their cut-reasons (Step 4), the named burdens with the ban as an infinite wall (Step 5), and the two edge cases folded in (Steps 6–7).

Recall Feynman retelling — say it like you'd tell a friend
Imagine one long ruler. On the left end sit AI toys that can't really hurt anyone; on the right end sit AIs that could ruin a life or crush a right. That ruler is the only thing we sort by — how much harm if it breaks.
Now, rules cost money and effort. So we make a simple deal: the more harm an AI can do, the more rules it has to follow. Little harm, few rules. Big harm, big rules.
We chop the ruler into four pieces. The tiny-harm piece gets zero rules. The next piece is stuff that could fool you — chatbots, deepfakes — so the only rule is "you must be told it's AI." The third piece is stuff that touches your job, your health, your freedom — that gets the full kit: prove it's accurate, keep logs, let a human overrule it. The last piece attacks human dignity itself — social scoring, mass face-scanning — and there's no amount of paperwork that fixes it, so it's just banned. A ban is really "infinite rules": a bar you can never clear.
Two tricky bits: a face-scanner can be banned if it watches crowds live, but merely heavily regulated if it reviews one old recording with a judge's sign-off — because the danger depends on how you use it, not the gadget. And a do-everything model like a big chatbot doesn't sit in one slot; each way you point it gets sorted separately.
That's the whole law: one ruler of harm, rules that grow with it, four steps, and a wall at the top.
Recall
What single axis does the EU AI Act sort systems by? ::: Harm potential — the worst realistic damage to a person if the system fails or is misused. In one relation, what is the core principle? ::: Rule-load (burden ) is proportional to harm potential : . Why is "prohibited" not a separate idea from the staircase? ::: A ban is the burden going to infinity — a requirement you can never satisfy, i.e. the top step turning into a wall. Same face-recognition tech, two bands — what decides which? ::: How it's used: real-time public mass surveillance → banned; post-event, targeted, judge-approved → High-risk but allowed. Where does a truly harmless () system land? ::: Minimal risk — the ground floor, zero obligations.
Connections: AI governance and regulation (EU AI Act) (EU AI Act) · 6.4.5-AI-safety-research · 6.4.3-Interpretability-and-explainability · 6.4.4-Robustness-and-adversarial-examples · 6.4.2-Reward-hacking · 6.4.12-Long-term-existential-risks