GovCompass

AI in recruitment: risks, bias and what the EU AI Act already requires

The promise is irresistible for any overloaded HR department. Instead of manually reviewing hundreds of CVs, an algorithm reads, analyses and ranks candidates in seconds. The best-fitting talent rises to the top; the rest receive an automated rejection. It is efficient, scalable — and it feels objective.

But that objectivity is a dangerous illusion. Automated candidate screening is one of the most legally fraught applications of artificial intelligence in business. While HR managers celebrate the efficiency gains, their organisations are quietly entering the highest risk category of the EU AI Act — with obligations that are far-reaching and cannot be delegated to the software vendor.

The illusion of the objective machine

An algorithm has no intrinsic understanding of "talent" or "suitability". It recognises patterns in historical data — in this case, the hiring decisions your organisation has made in the past. The model does not learn who the best candidate is, but who most resembles the people who were successfully hired before.

If your IT department has historically been predominantly male, or if certain backgrounds were consistently and unconsciously rejected, the algorithm codifies these patterns and repeats them at industrial scale.

This is not theory. In 2018, Amazon discovered that its internally developed AI recruitment system systematically disadvantaged women for technical roles — because the model had been trained on ten years of hiring data from a male-dominated sector. The system did exactly what it was trained to do. That was precisely the problem. Amazon shut the project down.

What began as a tool to eliminate human bias functions in practice as an amplifier of historical inequality.

Annex III: recruitment and selection is explicitly high-risk

The European legislature recognises the societal impact of algorithmic decision-making in the labour market. Annex III of the EU AI Act explicitly classifies AI systems used for recruitment, selection, filtering of applications or evaluation of candidates as high-risk.

This is not a grey area. The moment your organisation deploys an AI tool that scores CVs, ranks candidates or supports hiring decisions, a demanding compliance regime takes effect. The core obligations for deployers under Article 26:

  • Demonstrable human oversight — you designate per system a trained, authorised person who can override the AI outcome; their interventions are logged (Art. 26.2)
  • Input data monitoring — you are responsible for the quality of the data the system works with (Art. 26.4)
  • Ongoing monitoring — you actively monitor whether the system performs as intended, even after deployment (Art. 26.5)
  • Log retention — decisions and interventions are demonstrably recorded for the full period of use (Art. 26.6)
  • Fundamental Rights Impact Assessment (FRIA) — a prior, documented assessment of the impact on fundamental rights (Art. 27)

When does the FRIA apply — and for whom?

Following the AI Omnibus agreement of May 2026, the FRIA obligation (Art. 27) is mandatory for public authorities and for private deployers in critical sectors. For HR applications in business, the FRIA is required by law when the system makes decisions with a significant impact on individuals — such as selection for a role. In practice, this applies to virtually every serious AI screening tool.

The FRIA is not a short questionnaire, but a structured examination across seven fundamental rights dimensions: equality, non-discrimination, privacy, human dignity, freedom of occupational choice, the right to a fair process and protection of personal data. For each dimension, you assess the potential impact, the associated risks and the control measures you apply.

The FRIA must be completed before deployment and periodically reviewed. A FRIA produced after an incident does not constitute compliance.

The myth of the certified vendor

The most common defence offered by HR directors: "We use a tool from a major, reputable software vendor. They are certified, so we are compliant."

This is a fundamental misreading of the law. When you procure an AI system for recruitment and selection, you are the deployer under the AI Act. Your vendor can guarantee that the software was correctly built — the CE marking or declaration of conformity covers their share of the responsibility. But you are responsible for how and on whom you deploy that system.

No vendor can conduct your FRIA. No vendor can establish your human oversight protocol. No vendor is responsible for the quality of the input data your HR department supplies. These obligations are structurally the deployer's.

Transparency towards applicants (Art. 50)

Article 50 of the AI Act requires deployers to inform individuals who are assessed by an AI system. This information obligation applies at the moment of assessment — not buried in small print in the privacy policy, but actively and comprehensibly.

In a recruitment context, this means applicants must know that their CV is being assessed by an algorithm, what information is used and how they can contest the outcome. Failing to do so violates both the AI Act and potentially GDPR rights regarding automated decision-making (Art. 22 GDPR).

AI Literacy as a legal obligation (Art. 4)

Article 4 of the AI Act has been in force since 2 February 2025. It requires organisations to provide employees working with AI systems an appropriate level of AI knowledge — tailored to the specific system and their role within it.

For an HR employee who uses the output of a screening algorithm daily, this means: understanding how the system arrives at a ranking, which factors carry the most weight, how bias can arise and when professional judgement should take precedence over the algorithmic outcome. This must be demonstrable, with training records you can produce at audit. Generic "AI awareness training" does not suffice.

Five steps to workable governance

Step 1 — Inventory comprehensively. Start with an honest overview of all AI functionality that touches your recruitment process. Not just the visible screening tool, but also the AI features in your Applicant Tracking System, the "smart" search on your careers site, scheduling assistants and video analysis in digital interviews. Shadow AI — AI operating outside the view of IT and compliance — is particularly prevalent in HR environments.

Step 2 — Conduct the FRIA before going live. Treat the FRIA not as a formality but as a substantive exercise. Involve not only HR but also your privacy officer, legal adviser and — where applicable — the works council. In many jurisdictions, the works council has co-determination rights over the introduction of systems that assess employees or applicants.

Step 3 — Establish human oversight as a process, not a principle. "Human-in-the-loop" is not a philosophical position — it is an operational requirement with a named individual, defined authority and documented evidence. Designate an oversight officer per system, establish how their interventions are recorded and ensure they can genuinely override the AI outcome.

Step 4 — Inform your applicants actively. Build the information obligation into your recruitment communications: state in the confirmation email after an application that the initial screening is partially algorithmic, what information is used and how the individual can contest the outcome.

Step 5 — Monitor for distributional bias. Periodically analyse whether AI outcomes systematically diverge along demographic lines. Record the findings and the measures taken. This simultaneously satisfies your monitoring obligation under Art. 26.5 and provides your strongest defence against a discrimination claim.
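Step 5 in practice, as an added example that is not part of the GovCompass article: a distributional check over constructed screening outcomes that computes each group's selection rate, compares it with the highest group's rate and builds the entry to keep in the monitoring log. The groups, the counts and the 0.8 alert ratio are assumptions, not figures from the article.

```python
from collections import defaultdict
from datetime import date


def _rows(group, advanced, rejected):
    """Constructed outcomes: one record per applicant in a screening cycle."""
    return ([{"group": group, "advanced": True}] * advanced
            + [{"group": group, "advanced": False}] * rejected)


# Constructed sample cycle. The group attribute belongs in a separate,
# access-controlled monitoring dataset, never in the screening model's inputs.
SCREENING_OUTCOMES = (
    _rows("men", 30, 70)           # 30% advanced to interview
    + _rows("women", 18, 82)       # 18% advanced
    + _rows("undisclosed", 6, 14)  # 30% advanced
)

# Assumed alert threshold: a group advancing at less than 80% of the
# best-performing group's rate is flagged for the oversight officer.
ALERT_RATIO = 0.8


def selection_rates(outcomes):
    """Share of applicants advanced to interview, per group."""
    totals, advanced = defaultdict(int), defaultdict(int)
    for row in outcomes:
        totals[row["group"]] += 1
        advanced[row["group"]] += int(row["advanced"])
    return {g: advanced[g] / totals[g] for g in totals}


def impact_ratios(rates):
    """Each group's selection rate relative to the highest group rate."""
    reference = max(rates.values())
    return {g: rate / reference for g, rate in rates.items()}


def monitoring_record(outcomes, system_id, cycle, threshold=ALERT_RATIO):
    """Entry to retain in the monitoring log (Art. 26.5/26.6): findings and flags."""
    rates = selection_rates(outcomes)
    ratios = impact_ratios(rates)
    flagged = sorted(g for g, ratio in ratios.items() if ratio < threshold)
    return {
        "system_id": system_id,
        "cycle": cycle,
        "checked_on": date.today().isoformat(),
        "selection_rates": {g: round(r, 3) for g, r in rates.items()},
        "impact_ratios": {g: round(r, 3) for g, r in ratios.items()},
        "flagged_groups": flagged,
        "requires_human_review": bool(flagged),
    }
```

A flagged record is a trigger for the oversight officer to review the cycle, not a finding of discrimination in itself; the measures taken are recorded alongside it.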

Timeline: when do you need to act?

Date         Obligation                                                                       Status
2 Feb 2025   Art. 4 AI Literacy in force                                                      ✅ Required now
2 Aug 2026   Art. 50 Transparency obligations (incl. information duty towards individuals)   ⚠️ In 2 months
2 Dec 2027   Full high-risk obligations (Art. 26, FRIA, log retention)                       🔜 Prepare now

The December 2027 deadline for full high-risk compliance sounds distant, but a FRIA process, establishing human oversight procedures and ensuring AI Literacy each require months of preparation. Organisations that start in 2026 are ahead of the curve; those that wait until 2027 will be building under time pressure.

What is actually at stake

Organisations deploying AI for recruitment and selection without the corresponding governance are accumulating a compliance liability that can be called in on two fronts: by the supervisory authority through fines of up to €15 million or 3% of global annual turnover, and through the courts via discrimination proceedings brought by rejected candidates who can demonstrate that an algorithm determined their chances.

Organisations that do build the governance achieve something harder to quantify but equally valuable: they can demonstrate that their recruitment process is fair — not because they say so, but because they can prove it.
