EU AI Act Year One: Prohibited Practices Review and What's Coming Next
The Commission's mandatory review of prohibited AI practices may expand the ban list. Here's what enterprises should monitor.
February 2, 2026 marks the one-year anniversary of the EU AI Act's prohibited practices enforcement — and triggers Article 112's mandatory Commission review of the prohibited AI categories. This review may expand the list of banned AI applications based on evidence of emerging risks, creating new compliance obligations for enterprises that thought they were safely outside the prohibited categories.
The current prohibited categories include social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), AI systems that exploit vulnerabilities of specific groups, and subliminal manipulation techniques that cause harm. The Commission's review will assess whether these categories should be expanded based on the past year's enforcement experience.
Several high-profile investigations are reportedly underway. Workplace emotion recognition systems deployed by multinational corporations are under scrutiny. Predictive policing algorithms used by EU law enforcement agencies face examination. Social scoring elements embedded in employee management platforms are being evaluated.
For enterprises, the review creates forward-looking compliance risk. AI systems that are lawful today may fall under expanded prohibitions based on the Commission's findings. Organizations should audit their AI portfolio against not just current prohibited categories but plausible expansion areas, including employee surveillance, educational assessment, and algorithmic management.
The operational requirement is clear: enterprises need AI governance infrastructure that can rapidly adapt to regulatory changes. When a new prohibition takes effect, every AI system in the enterprise needs to be evaluated against the new criteria. Organizations with centralized AI inventories and automated policy engines can make this assessment in days. Organizations relying on manual reviews will take months — time they may not have under enforcement deadlines.
The broader signal from the February review is that the EU AI Act is not a static regulation. It is a living framework designed to evolve with the technology it governs. Enterprises that build governance for today's requirements without the capacity to adapt to tomorrow's will find themselves perpetually behind the compliance curve.