How Ariadne sits structurally outside EU AI Act high-risk categories

Editorial note. This article summarizes Ariadne's architectural position on the EU AI Act. It is not legal advice. Procurement teams and legal counsel should verify the analysis against their own circumstances and the latest guidance from the European Commission.

Most enterprise procurement teams are not yet asking vendors about EU AI Act readiness. By the time they are, the procurement window for camera-based people counting in regulated EU sectors will have changed shape. This article is for the buyer who wants the analysis early.

What the EU AI Act actually says

EU Regulation 2024/1689 (the AI Act) classifies AI systems by risk. The relevant parts for people counting are Article 5 (prohibited practices) and Annex III (high-risk AI system list).

• Article 5 (prohibited practices). Restricts certain biometric categorization systems (gender, age, ethnicity, political affiliation) and real-time remote biometric identification in public spaces. AI systems that infer protected attributes from biometric data are heavily restricted; some are banned outright.
• Annex III (high-risk list). Lists "biometric identification" and "biometric categorization" AI systems as high-risk. High-risk classification triggers risk-management documentation, data governance audits, human-oversight requirements, conformity assessments, and EU database registration.

Both provisions hinge on the same definition: "biometric data" is personal data resulting from specific technical processing of physical, physiological, or behavioural characteristics that allow or confirm the identification of a natural person.

How camera-based people counting is exposed

Camera-based people counting platforms capture optical images of visitors. Even when the platform claims to discard the raw frame after processing, the technical processing of facial or body features is in scope:

• Face detection (used to count distinct people) processes facial features as biometric data.
• Demographics inference (gender, age) sits inside Article 5 restrictions.
• Re-identification across cameras (used for journey analytics) is a biometric identification function.

Vendors offering gender or age recognition (V-Count, FootfallCam, Milesight via certain SKUs) are most exposed. Camera-based platforms that do not infer demographics still process biometric data and remain inside the Annex III high-risk perimeter; they require conformity assessment, EU database registration, and ongoing audit.

The procurement consequence: AI Act readiness statements are increasingly required in vendor questionnaires for EU retail, transit, and public-sector deals. Camera-based vendors face questionnaire friction every deal.

Why Ariadne sits structurally outside Annex III

Ariadne's Hybrid Fusion people counting combines a patented phone signal sensor with Time-of-Flight depth sensing. Three architectural properties keep the platform outside the high-risk perimeter:

1. No biometric capture

Time-of-Flight measures distance, not appearance. The sensor outputs a depth map, not an optical image; it cannot reconstruct a face or a body silhouette in identifying detail. The patented phone signal sensor detects radio emissions phones broadcast as they search for connections; it does not capture optical or biometric data.

Neither sensor records anything that the AI Act defines as biometric data. The architecture predates the regulation, but the property that places it outside the regulation is structural, not policy-driven.

2. No demographic detection

Ariadne deliberately does not offer gender, age, ethnicity, or any other protected-attribute inference. Article 5 restricts that class of inference; Ariadne sits outside the restriction because the sensors never observe the inputs the regulation governs.

Some competing vendors treat demographics as a feature differentiator. From an AI Act standpoint, those features actively reduce the platform's regulatory headroom.

3. Edge anonymization, no identifiers by default

MAC addresses and device IDs are not collected at sensor level. Aggregation happens before any data leaves the sensor. The sensor measures presence and movement without ever capturing an identifier.

Identifiers are captured only when a visitor explicitly opts in (for example, via guest Wi-Fi login) for features that require them, such as return-visit recognition. The opt-in path is a separate processing context with its own consent and legal basis under GDPR.

What this means for procurement

Three concrete implications for procurement teams in EU retail, transit, and public-sector deployments:

• Faster vendor questionnaires. Ariadne does not require an Annex III conformity assessment because the system is not subject to Annex III. Procurement reviewers can confirm the architectural position with the vendor and move on.
• Lower long-tail compliance cost. Camera-based platforms incur ongoing conformity-assessment maintenance, EU database updates, and audit cost as the platform evolves. A camera-free architecture removes that line item.
• Forward compatibility. The AI Act's enforcement guidance is still hardening. The safest procurement choice is the architecture that captures the least data; that architecture is also the one that survives whatever the next regulation looks like.

What we cannot claim

Calibration matters. Ariadne's position is defensible; the precise wording of public claims is not. Three claims we will not make:

• "EU AI Act compliant" or "AI Act certified." Conformity assessments do not exist yet for non-high-risk systems. The certification regime contemplated by the regulation is still under development. Calling Ariadne "compliant" implies a process that does not exist.
• "AI Act approved." There is no approval body that issues this designation. Any vendor making this claim is making it up.
• "Exempt from the AI Act." The AI Act applies to AI systems, including ours. The accurate framing is that Ariadne does not fall into the high-risk classifications inside Annex III, not that the regulation does not apply at all.

The defensible language we use: "Ariadne sits structurally outside Annex III high-risk biometric categories because the architecture does not capture or process biometric data." That is the claim this article supports.

How buyers should evaluate other vendors

If you are running a procurement against multiple people counting vendors, four questions cut through the marketing:

1. Does the platform process biometric data, including face detection, body silhouette, gait, or demographics? If yes, expect Annex III obligations.
2. Are MAC addresses or device IDs collected by default, and if so, what is the opt-in mechanism? GDPR Article 6 needs a lawful basis; default collection without consent is a problem.
3. Is the vendor's regulatory position published in writing, or is it a sales talking point? Written positions can be evaluated by counsel; talking points cannot.
4. Has the vendor commissioned a third-party AI Act gap analysis? Vendors that have done this work will share the methodology even if they do not share the report.

Closing

The AI Act is the most consequential regulatory event for analytics technology since GDPR. The architectures that will age best are the ones that capture less. Ariadne built Hybrid Fusion before the AI Act became law; the alignment is structural, not retrofitted.

If you are evaluating people counting platforms for an EU deployment, the EU AI Act section of the Ariadne pillar documents the position with the same wording. The camera-free thesis page is the longer-form companion. Schedule a demo if a vendor walkthrough is the next step.