The EU AI Act is a landmark piece of legislation that governs deployment and use of AI systems. Within its risk-based regime of regulation, prohibited AI practices face the strictest requirements, being entirely banned to be deployed or used within the Union. The provisions for prohibited systems have been applied since 2 February 2025. While authoritative guidelines have been published for prohibited systems, there is still no systematic approach that facilitates determination of such systems in a simplified and automated manner. To fill this gap, we specify the prohibited AI conditions, articulated in Art. 5, using combination of a minimal set of semantic concepts. We further show how these conditions can be described in a machine-readable format using semantic constraint and rule languages, such as SHACL and N3. This approach to representing prohibited rules supports a more open, interoperable, and transparent implementation of the AI Act, while also enabling partial automation of enforcement processes.
systems might be unlikely, the rapid pace of changes in AI systems requires adaptable approaches
that enable ongoing assessment the system’s risk level to avoid any non-compliance. Motivated by
the EU’s initiatives for regulatory simplification [
Existing studies on the AI Act’s prohibited AI practices (Art. 5) are primarily focused on interpreting
the prohibited conditions. Some notable analyses were published prior to the publication of the
AI Act in oficial journal of the EU, including Neuwirth’s analysis of prohibited categories stated
in the Commission’s proposal [11], Bermúdez et al.’s efort to provide a definition for subliminal
techniques [
In regard to the codification of rules for AI Act’s risk categorisation, the Decision-Tree-based
framework [14] is a static framework that aims to assist in classification of AI systems based on the AI Act.
The framework is based on a decision tree comprising 20 questions for determining the risk category
associated with an AI system. Our pervious work [
Identification of classification rules for the AI Act’s prohibited AI practices is guided by our contributions
in [
To be able to provide open data specifications for prohibited systems, we add the identified additional concepts (step 3) to the AI Risk Ontology (AIRO) [15]1 and further populate the Vocabulary of AI Risks (VAIR)2 with the instances identified from the annotation process.
Demonstrating how the prohibited AI rule-checking can be automated for supporting compliance
tasks, we utilise existing Semantic Web languages and standards with rule-checking capabilities. While
there are multiple languages and standards ofering such capabilities, including the Shapes Constraint
Language (SHACL) [
The analysis Art. 5(1) aims to identify the minimum set of concepts that are adequate to uniquely describe prohibited AI practices. Following the steps outlined above, Art. 5(1) clauses were manually annotated to identify the 5 following concepts: domain, purpose, AI capability, deployer, AI subject. Then, additional concepts were identified in each clause. An example of annotating Art. 5(1a) is shown in Figure 1. The manual annotation was carried out by the lead author and validated through discussions with co-authors.
The annotation exercise revealed that among the 5 previously identified concepts, AI deployer is not a decisive factor in determining prohibited AI systems. Additionally, we identified the following additional concepts: data processed by the system, locality of use, consequence, impact and its severity, and impacted stakeholder(s). Locality of use defines the environment in which the system is used, e.g. work place. Consequence refers to the direct immediate efect of using an AI system, whether it leads to harms to individual, groups, and society or not. Impact refers to the overall ultimate efect of an AI system on impacted stakeholders, such as individual, groups, and society. We treat the combination of consequence, impact and its severity, and impacted stakeholder as (harmful) risk requirement
on the basis that these concepts can only be determined through risk assessment. Our analysis shows that among the prohibited conditions in Art. 5(1), points (a), (b), and (c) depend on the results of a risk assessment process that identifies consequences, associated impacts, their severity, and the stakeholders afected.
The minimal set concepts for determining prohibited AI systems are expressed in a form of questions in the following: 1. In which domain is the AI system used? 2. What is the purpose of using the AI system? 3. What is the capability of the AI system? 4. What data is processed by the AI system? 5. Who is the AI subject? 6. What is the locality of use? 7. what is the harmful risk caused by the AI system? a) What is the consequence of using the system? b) What is the impact of using the AI system? c) What is the severity of the impact? d) Who is the impacted stakeholder?
These concepts and their relations are modelled in our previously developed ontology for AI risks, AIRO, and are illustrated in Figure 2. As shown in the figure, concepts from the Data Privacy Vocabulary (DPV) [18] are reused for expressing the data processed by the system.
The detailed analysis of the prohibited conditions is presented in Appendix A and a summary of the conditions is illustrated in Figure 3. It should be noted that in our analysis of Art. 5(1) points (a) and (b), we consider materially distorting behaviour as a consequence rather that purpose of the system, even though the wording of the AI Act suggests that it can be either an objective or an efect of employing the AI system. This interpretation is based on the reality that AI providers rarely, if ever, explicitly state that their system’s purpose is “behaviour distortion” or “impairing decision making”. Further, in development of emerging technologies such efects of AI are often identified after deployment as (unintended) consequences.
In our framework, prior to rule-checking, an RDF-based specification of an AI systems should be created
to enable determination of its risk category. In Listing 1, machine-readable specification of an AI chatbot
that impersonates a friend of a person for scamming, described in the Commission’s guideline [
To show how SHACL can be used for describing prohibited rules, we provide an example of a shape graph specifying Art. 5(1a) condition in Listing 2. As it is clear in the listing, the shape graph is expressed as negation of the condition using sh:not. This is due to the fact that SHACL’s validation report (sh:ValidationResult) is only generated in case of non-conformance. We used the validation report to enhance transparency by providing guiding information about the clause based on the which the system is determined to be prohibited. The SHACL shapes for prohibited AI systems are published on GitHub4 under permissive licences. 3This use case, along with additional examples, is available at: https://github.com/DelaramGlp/airo/tree/main/usecase 4https://github.com/DelaramGlp/airo/tree/main/prohibited-shacl
As shown in the listing expressing the the harm requirement within a SHACL shape graph requires nested NodeShapes which adds to complexity of the shape and further efects its readability and performance. To address this issue, we use N3 to provide more flexible and simplified representation of the rules. Listing 3 illustrates the encoding of the Art. 5(1a) in N3. For simplicity, the listing is restricted to NaturalPersons as AI subjects and impacted stakeholders. The N3 rules are made available online5. 5https://github.com/DelaramGlp/airo/tree/main/prohibited-n3 @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . @prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> . @prefix sh: <http://www.w3.org/ns/shacl#> . @prefix airo: <https://w3id.org/airo#> . @prefix vair: <https://w3id.org/vair#> . @prefix terms: <http://purl.org/dc/terms/> . @prefix ex: <https://example.com/ns#> . @prefix risk: <https://w3id.org/dpv/risk#>. ex:Art5-1-a a sh:NodeShape ; sh:targetClass airo:AISystem ; sh:message "Prohibited as per AI Act, Art. 5(1a): AI system that deploys subliminal ˓→ techniques beyond a person’s consciousness or purposefully manipulative or ˓→ deceptive techniques, with the objective, or the effect of materially distorting ˓→ the behaviour of a person or a group of persons by appreciably impairing their ˓→ ability to make an informed decision, thereby causing them to take a decision that ˓→ they would not have otherwise taken in a manner that causes or is reasonably likely ˓→ to cause that person, another person or group of persons significant harm"@en ; sh:description "AI systems that AI system that deploys subliminal techniques beyond a ˓→ person’s consciousness or purposefully manipulative or deceptive techniques"@en ; sh:not [ sh:and (
Listing 2: SHACL shape for identifying prohibited AI systems from Art. 5(1a)
As mentioned earlier, an initial validation of the analysis of prohibited practices, i.e. results of the manual annotation, was conducted. However, further consultation with subject matter experts, including lawyers and policymakers, is required to ensure the validity of our interpretation of the AI Act. Nevertheless, since our proposed framework for determining prohibited practices leverages Semantic Web technologies, it is flexible and can accommodate future enhancements.
In the case of our research, manual annotation of clauses describing prohibited practices was possible given the limited number of these clauses. However, manually annotating a large number of AI use cases to determine their risk level under the AI Act might not be possible. To address this challenge, a combination of Large Language Models (LLMs) and ontologies can provide a scalable solution. However, this requires appropriate measures to avoid hallucinations.
Our proposed framework is designed to support regulatory simplification and automation by adopting an open, standards-based, and interoperable approach. It is important to not that our framework does not substitute legal advice and determining some of the concepts, in particular the risk requirement, require legal interpretation as well as technical analysis. Given the high stakes involved in determining risk levels under the AI Act, our framework should be viewed as a supporting tool to assist in identifying prohibited practices, not as a replacement for legal expertise.
In this paper, we presented a Semantic Web-based framework to assist with determining prohibited AI
systems according to the AI Act. This paper followed the approach we took in our previous work for
determining high-risk applications [
In our future work, we also aim to include the specificities from the Commission’s guidelines on
prohibited systems [
This work has received funding from the European Commission’s Horizon Europe Research and Innovation Programme under grant agreement No. 101177579 (FORSEE), the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 813497 (PROTECT ITN), and from the ADAPT Centre for Digital Media Technology, which is funded by Research Ireland and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106_P2. Harshvardhan J. Pandit is a member of AI Accountability Lab, which is funded under John D. and Catherine T. MacArthur Foundation grant with project #216001 and award #19034.
During the preparation of this work, the first author used OpenAI’s ChatGPT and Anthropic’s Claude for language refinement and Microsoft’s Copilot for code debugging assistance. These tools were used in a limited capacity and lead author reviewed and edited the generated content as needed and takes full responsibility for the publication’s content. [11] R. J. Neuwirth, Prohibited Artificial Intelligence Practices in the Proposed EU Artificial Intelligence
Act (AIA), Computer Law & Security Review 48 (2023). [12] M. Leiser, Psychological Patterns and Article 5 of the AI Act:AI-Powered Deceptive Design in the System Architecture and the User Interface, Journal of AI Law and Regulation 1 (2024). doi:10.21552/aire/2024/1/4. [13] I. Barkane, L. Buka, Prohibited AI Surveillance Practices in the Artificial Intelligence Act: Promises and Pitfalls in Protecting Fundamental Rights, in: Critical Perspectives on Predictive Policing, Edward Elgar Publishing, Cheltenham, UK, 2025, pp. 110 – 129. doi:10.4337/9781035323036. 00011. [14] H. Hanif, J. Constantino, M.-T. Sekwenz, M. van Eeten, J. Ubacht, B. Wagner, Y. Zhauniarovich, Navigating the EU AI Act Maze using a Decision-Tree Approach, ACM Journal on Responsible Computing (2024). doi:10.1145/3677174. [15] D. Golpayegani, H. J. Pandit, D. Lewis, AIRO: An Ontology for Representing AI Risks Based on the Proposed EU AI Act and ISO Risk Management Standards, in: Towards a Knowledge-Aware AI, volume 55, IOS Press, 2022, pp. 51–65. [16] I. Horrocks, P. F. Patel-Schneider, H. Boley, S. Tabet, B. Grosof, M. Dean, SWRL: A Semantic Web Rule Language Combining OWL and RuleML, 2004. URL: https://www.w3.org/submissions/2004/ SUBM-SWRL-20040521/, w3C Member Submission. [17] E. Prud’hommeaux, I. Boneva, J. E. L. Gayo, G. Kellogg, Shape Expressions Language 2.1, 2019.
URL: http://shex.io/shex-semantics/, w3C Final Community Group Report. [18] H. J. Pandit, B. Esteves, G. P. Krog, P. Ryan, D. Golpayegani, J. Flake, Data Privacy Vocabulary (DPV) – Version 2.0, in: G. Demartini, K. Hose, M. Acosta, M. Palmonari, G. Cheng, H. Skaf-Molli, N. Ferranti, D. Hernández, A. Hogan (Eds.), The Semantic Web – ISWC 2024, Springer Nature Switzerland, Cham, 2025, pp. 171–193. doi:10.1007/978-3-031-77847-6_10.
(1g) Concepts