On 2 February 2025, Article 5 of the EU AI Act made eight categories of AI use illegal across the EU. Your company has been operating under that law for over a year.

Does your AI inventory map to those eight prohibitions?

Most companies cannot answer that cleanly. They have an approved-tools list. They have procurement tickets. They have a policy PDF nobody opens.

What they do not have is a live inventory of where AI is inferring traits, classifying people, or scoring behaviour across HR, support, sales, and operations.

That gap matters now. Article 5 is already in force. The penalties are not theoretical either: under EU AI Act Article 99, infringements of prohibited practices can reach up to €35 million or 7% of worldwide annual turnover, whichever is higher.

What Article 5 already bans

Article 5 covers prohibited practices, not high-risk systems that need paperwork later. Illegal means illegal.

The list includes subliminal or deceptive manipulation, exploitation of vulnerabilities, social scoring by public authorities or on their behalf, certain law-enforcement uses of real-time remote biometric identification in public spaces, individual predictive policing, emotion recognition in workplaces and education, untargeted scraping of facial images to build recognition databases, and biometric categorisation using sensitive characteristics such as race, political opinions, religion, or sexual orientation.

Two points get missed in practice.

First, the enforcement machinery is still settling. Member States are still designating supervisory authorities under Article 70. That does not delay Article 5. The prohibitions themselves have applied since 2 February 2025.

Second, many non-EU companies assume this is somebody else's problem. If your team sells into the EU, hires in the EU, monitors EU-based staff, or processes data tied to EU operations, that assumption is how expensive surprises happen.

The workplace catch most teams miss

The enterprise exposure is usually not predictive policing or public-authority social scoring. It is HR tech.

EU AI Act Article 5(1)(f) prohibits placing on the market, putting into service, or using AI systems to infer emotions of a natural person in the workplace or in educational institutions. The carve-out is narrow: medical or safety reasons.

That means a surprising amount of familiar software deserves a hard second look.

The most common catches are:

If your vendor says it does not detect emotion, only engagement, fatigue, confidence, enthusiasm, resilience, or cultural fit, read the product docs twice. Then read the contract.

Cosmetic relabelling is not compliance. It is branding.

A few prompts make the issue obvious:

Analyse this Zoom recording of the sales team standup and rate each rep's engagement and confidence.

Score these 600 applicant video interviews on enthusiasm and cultural alignment.

Flag the customer service reps whose voice patterns suggest burnout this quarter.

The first and third map directly to Article 5(1)(f). The second raises Article 5(1)(f) issues and also points toward employment-related high-risk use under Annex III, Section 3(a), because it concerns recruitment or selection of natural persons.

Prompt-layer controls stop looking optional at this point. The intervention has to happen before the prompt leaves the browser.

!Prytive popup intercepting a prompt that maps to a prohibited Article 5 practice

Social scoring and GDPR Article 22 are different problems

Article 5(1)(c) bans AI for evaluating or classifying natural persons over a certain period based on social behaviour or personal or personality characteristics, where that social score leads to detrimental or unfavourable treatment in unrelated social contexts, or where the treatment is unjustified or disproportionate. The text is aimed at public authorities or parties acting on their behalf.

Most private employers will not trip Article 5(1)(c) directly. Some product teams working with public-sector clients might. If you build ranking, trustworthiness, or behavioural scoring tools for government workflows, this article belongs on your desk this afternoon.

Do not confuse that with GDPR Article 22. GDPR Article 22 already restricts solely automated decision-making, including profiling, where it produces legal effects or similarly significant effects on a person. Hiring rejection, disciplinary action, or denial of access to benefits can fall into that zone depending on the setup.

The EU AI Act does not replace GDPR Article 22. It adds another layer. If a use case is prohibited by Article 5, you do not get to rescue it with a better lawful basis, more transparent notices, or a cleaner DPIA. Prohibited means prohibited.

If the use case is not prohibited but still materially affects a worker or applicant, GDPR Article 22, transparency duties, purpose limitation, and data minimisation still apply. Different legal hooks. Same bad outcome if ignored.

What to build first if you have no AI inventory

Start small. Start ugly. Start this week.

Your first inventory does not need perfect architecture diagrams. It needs answers to four operational questions:

| Question | What you need to capture | |---|---| | Where is AI used? | HR, recruiting, support QA, sales coaching, productivity monitoring, security, product analytics | | What input goes in? | Video, audio, chat, keystrokes, mouse activity, CVs, performance notes, tickets | | What output comes out? | Scores, rankings, labels, flags, recommendations, summaries, alerts | | Who acts on it? | Managers, recruiters, supervisors, automated workflows, public-sector clients |

Then tag every use case against Article 5. Not with vague labels like "medium concern." With plain language.

If you need a template for the internal rule set that sits behind this exercise, the one-page AI usage policy template is a useful starting point. Short beats aspirational.

A three-step audit to find Article 5 exposure

1. Pull the HR and workplace-monitoring stack first

Review ATS platforms, interview intelligence tools, meeting analytics, call-centre QA software, employee listening products, productivity monitoring tools, and any add-on inside Microsoft 365 Copilot, ChatGPT, Gemini, or Claude workflows.

Search vendor materials for words like engagement, sentiment, morale, confidence, energy, burnout, attentiveness, cultural alignment, trust, and fit. Vendors love euphemisms. Regulators love screenshots.

2. Review real prompts and actual outputs

Do not stop at contracts. Look at usage.

Sample prompts from HR, people managers, and support supervisors. If staff are pasting recordings, transcripts, applicant videos, or performance notes into AI tools, inspect what the model is being asked to infer. This is where browser-layer controls earn their keep. The 72-hour AI incident response playbook is helpful if you find prompts that should never have left the browser in the first place.

3. Classify each use case: prohibited, high-risk, or needs GDPR review

Be blunt.

If it looks like workplace emotion recognition, put it in the prohibited bucket and stop using it pending legal review. If it is hiring or worker-management AI without emotion inference, it may still be high-risk under Annex III. If a system materially affects individuals through automated outputs, test it against GDPR Article 22 as well.

This is not overreaction. It is housekeeping that should have happened before 2 February 2025.

The practical bottom line

Most compliance teams do not need a grand AI governance programme this quarter. They need an inventory that can answer one simple question: are any current tools or employee prompts triggering an Article 5 prohibition already in force?

For DPOs, Heads of HR, and Compliance Managers, Article 5(1)(f) is the fastest place to look. Emotion recognition in workplaces catches more ordinary enterprise software than vendors want to admit.

Some of it is sold as wellness. Some as coaching. Some as productivity science, which should make your legal team reach for coffee and a red pen.

Use a 7-day Prytive audit to see whether any of your in-use tools are running Article 5-prohibited inferences.