EU AI Act + maritime — what high-risk classification means.

1. The shortest accurate summary

The EU AI Act became enforceable in stages from 2024 onward. High-risk AI systems used in safety-critical decisions — including AI that informs structural integrity assessments, inspection-prep evidence, and regulatory reporting (EU ETS, IMO CII, PSC inspection prep) — fall under the strictest obligations: conformity assessment, data governance, human oversight, transparency, robustness, and post-market monitoring.

Hullproof is a high-risk AI system when used in those contexts. The same tool used for a self-serve drydock heuristic is not — but the moment its output feeds a regulatory submission or a class-survey conclusion, it is.

2. What “high-risk” actually triggers

• Risk management. A documented process identifying foreseeable risks of the AI system + mitigations.
• Data governance. Training, validation, and test data must be relevant, representative, and free of errors. For VLM-based inspection tools this includes footage-set curation, label provenance, and known-bias documentation.
• Technical documentation. The model card, architecture overview, training methodology, and performance metrics, kept up to date.
• Record-keeping. Automatic logging of every inference: input hash, model version, output, timestamp. Auditable for the lifetime of the asset.
• Transparency. Confidence scores, uncertainty ranges, and human-reviewable findings. No hidden “intelligent defaults.”
• Human oversight. A defined review workflow for any safety-critical decision the AI informs.
• Accuracy, robustness, cybersecurity. The model must perform consistently and degrade gracefully on edge cases (low-quality footage, occlusion, unusual materials).
• Post-market monitoring. Detect drift, false-positive rate growth, edge cases the training set missed. Report serious incidents to authorities.

3. How CoatingPassport satisfies this by construction

• Every finding carries confidence, n_frames_supporting, image_quality_score, and ai_model_version. That is the lineage trail the regulation asks for.
• The compliance section carries eu_ai_act_class, model_card_uri, data_lineage_uri, and review_workflow_completed. Conformity dossier-ready, not retrofit.
• Every passport is versioned (history array). Drift is observable across inspections.
• The platform is multi-tenant from day one — tenant isolation enforces data-governance scope.

4. What operators (you) need to do

The high-risk classification follows the use, not the tool. An operator using Hullproof passport data as input to an EU ETS submission, a class-survey conclusion, or a PSC inspection prep document is themselves running a high-risk workflow. What that means in practice:

• Capture the lineage. Keep the passport JSON, not just the PDF. The PDF is a renderer; the JSON is the evidence.
• Run a human review. Hullproof flags high-severity findings; your engineering or class review workflow signs off. The human_reviewed flag on each finding closes that loop.
• Retain. Audit retention for the lifetime of the asset — vessel scrapping, structure decommissioning. Multi-decade.

5. When in doubt

Treat any AI-assisted condition assessment that feeds a regulatory submission, class-survey conclusion, or insurance decision as high-risk. The cost of over-treating is paperwork; the cost of under-treating is fine + revocation.