Several points on a chart, and a line drawn through them: a linear regression. It is the first thing anyone learns in a statistics class, and one of the oldest tools in quantitative work. Ask whether it counts as artificial intelligence and you sound as though you are posing a trick question. You are not. In the European Union, this is a live regulatory question, and the answer carries real weight.
Generalised linear models — GLMs — have been the working tools of insurance for decades, long before anyone reached for the word “AI”. They sit behind tariffs, risk models and scoring: Poisson and Gamma regression for how often claims occur and how large they are, logistic regression for yes-or-no outcomes such as lapse or fraud. Ordinary linear regression — the straight line above — is simply the most elementary member of the same family. What unites them is that they are fully specified and parametrically interpretable: you can read off exactly how each variable moves the result. They are reproducible, auditable, and long embedded in mature processes of validation and governance — the opposite of the black box the AI Act was written to tame.
Here is what turns a question of vocabulary into a question of consequence. The AI Act attaches its heaviest obligations not to a technique but to a field of use. Risk assessment and pricing in life and health insurance sit squarely on its high-risk list. And there is no middle gear. Where a model drives a decision about a person — pricing, underwriting — the narrow exemption that might otherwise rebut a high-risk classification does not apply, because such a decision is precisely the kind the Act refuses to treat as incidental. So if an ordinary regression counts as “AI” in that setting, it is automatically high-risk AI, with the full apparatus that follows: risk-management systems, technical documentation, human oversight, conformity assessment, registration. If it does not count as “AI”, none of that applies. The entire weight rests on a single definitional question — is a regression “AI”? — with no intermediate landing.
That question is not settled. The European Commission’s February 2025 guidelines on the definition of an AI system pointed in the right direction: regression used to improve mathematical optimisation, they said, does not go beyond “basic data processing”, and so falls outside the Act’s scope. But the carve-out was conditional — tied to that optimisation purpose and to standalone use — and a conditional exclusion is a contestable one. The line between “basic” and “advanced” was never drawn sharply. As the rules approach application and national supervisors begin to interpret them, the boundary is being tested again.
It would be too easy to cast this as industry against regulator. There is a real argument on the other side. A generous carve-out can become a loophole: a genuinely consequential system, re-described as “ordinary software”, slipping out of scope. Civil-society voices have argued that classification should turn on a system’s impact, not merely its technical form. And the picture cuts both ways — the OECD’s definition, which the Act is meant to track, expressly excludes simple statistical techniques such as linear and logistic regression. An honest account holds both of these in view at once.
What is striking is that the financial supervisor itself is arguing for restraint. Speaking at insureNXT in May 2026, BaFin’s executive director for insurance, Julia Wiens, made the point plainly: the relevant definitions — what counts as an AI system, and what counts as high-risk — are still in motion; the Commission’s proposals are drawn too broadly; and the time now available should be used to argue for narrower, more pragmatic definitions. Common statistical methods, she said, such as simple linear and logistic regression, should not be swept into the high-risk net. When the regulator and the regulated agree that proportionality is the issue, it is worth pausing over.
Strip the question back and the resolution has little to do with the word “regression”. It has to do with how a system actually behaves. Good governance does not classify by label; it classifies by function. Does the system learn and change on its own after it is deployed? Is its reasoning opaque even to those who built it? Does it shape its own decision logic from data, beyond the fixed rules a person has written down? A disclosed straight line through several points does none of these things — and, tellingly, the Act’s own definition already turns on exactly these properties: autonomy, adaptiveness, inference that goes beyond basic processing. Holding to that test is what keeps the regulation aimed at risk rather than at vocabulary.
Regulating AI is the right instinct, and the AI Act sets a sensible frame for it. But to call a decades-old, fully transparent statistical method “AI” — and to load it with obligations designed for genuinely autonomous, opaque systems — protects no one. Whether the regulation ends up catching the risk or merely the craft will be decided by the precision of a definition, not the reach of a label. Get the definition right, and the rest follows.
Sources & further reading
- European Commission, Guidelines on the definition of an artificial intelligence system established by Regulation (EU) 2024/1689 (C(2025) 924, 6 February 2025).
- BaFin, address by Julia Wiens at insureNXT, Cologne, 21 May 2026.
- Center for Democracy & Technology Europe, AI Bulletin: May 2025 — on the conditional nature of the regression carve-out and the loophole concern.
- European Parliament, written question E-002564/2024 (Voss, Hahn) on aligning the AI-system definition with the OECD standard, which excludes simple statistical techniques.