I've been learning about client server communication and read that according to OSI there are several layers where protocols are implemented. For example, TCP happens at layer 4 and HTTP at layer 7.
In what layer is GraphQL implemented?
I've been using it "over" HTTP so it seems it should be in layer 8 but it doesn't exist in OSI.
Although still frequently used as a basis for analysing protocols, the OSI model was intended as a framework for designing protocol stacks. It was designed in the 1980s, before the Internet became the dominant networking system, and long before the invention of HTTP by Tim Berners-Lee et al in the mid-1990s. Its relevance and applicability to current protocols is questionable.
The actual protocol stack in common use is TCP/IP, which was not designed based on those definitions, and doesn't map cleanly to them. In TCP/IP, there is a single "application layer", which corresponds roughly to "the OSI application layer, presentation layer, and most of the session layer" (Wikipedia summary). HTTP is commonly called "layer 7" simply because that's the closest match, but it doesn't explicitly rely on the existence of any layer 5 and 6 protocols, as was envisioned by the OSI model.
Neither definition captures the modern reality that many protocols are layered not directly onto TCP/IP, but onto HTTP. As you say, there is no "layer 8" in the standard OSI model. The use of HTTP is more a matter of pragmatic code reuse than theoretical division of responsibilities.
A similar problem applies to traditional TLS: it sits somewhere in between TCP (transport layer) and HTTP (application layer), but doesn't correspond to the definitions for layer 5 or 6 in the original OSI model. In modern usage, it also negotiates aspects needed by the application layer (e.g. Server Name Indication).
The picture is further muddied by HTTP/3, which bypasses TCP completely, building a new stack on top of UDP and a new protocol called QUIC. QUIC incorporates features that were previously part of TCP, TLS, and HTTP, such as a combined handshake, rather than separately establishing TCP, TLS, and HTTP/2 sessions.
Running GraphQL over HTTP/3 gives you IP -> UDP -> QUIC -> HTTP/3 -> GraphQL, a set of layers with completely different responsibilities to those envisioned by the OSI 40 years ago.