GovCompass

EU AI Act by Department: HR, Finance, Marketing, and Operations

Updated: June 2026 — full revision to Validai quality standard

Introduction: Department-Level AI Compliance

The EU AI Act is a horizontal regulation: it applies across all sectors and all departments. But the practical compliance requirements vary significantly depending on the type of AI application. An HR department using AI for CV screening deploys a high-risk system and must meet the deployer obligations of Art. 26, including human oversight; if the deployer is a public body or provides public services, a fundamental rights impact assessment (FRIA, Art. 27) is required as well. A marketing department using AI for advertising copy has, in most cases, only the transparency obligations of Art. 50.

This guide analyses the most common AI applications by department against their EU AI Act status and compliance requirements. It is a diagnostic instrument, not a substitute for the full classification analysis required by Art. 6 for each specific system.

HR & Recruitment

CV screening and candidate assessment: High-risk AI (Annex III, point 4.a). This is the most regulated HR application under the EU AI Act. AI that selects, scores, or ranks candidates based on their CV, cover letter, or online questionnaire responses is high-risk; because scoring candidates amounts to profiling of natural persons, the Art. 6.3 derogation is not available. All Art. 26 deployer obligations apply, including human oversight by staff with the competence, training, and authority to overrule the system (Art. 26.2), ensuring that input data under the deployer's control is relevant and sufficiently representative (Art. 26.4), and informing workers' representatives and affected workers before the system is put into service (Art. 26.7).

Borderline: A tool that only checks CV formatting (completeness check) without any substantive assessment of the candidate probably falls outside Annex III. Once the system makes substantive judgements about suitability, it falls within point 4.

Performance evaluation systems: High-risk AI (Annex III, point 4). AI contributing to employee assessment for promotion, salary increase, or contract termination falls under point 4. Human oversight (Art. 26.2) requires genuine review — a manager who rubber-stamps AI assessments without substantive evaluation does not satisfy the obligation.

AI scheduling systems: Minimal risk in most cases, but it depends on what the system decides. If the system proposes a roster that a planner can freely modify, and it does not allocate shifts or tasks on the basis of individual behaviour or personal traits, it is probably not high-risk. If the system effectively determines working hours, or allocates tasks based on an employee's behaviour or characteristics, it falls within Annex III, point 4.b and further analysis is required.

Finance & Risk

Credit scoring and credit allocation: High-risk AI (Annex III, point 5.b). Systems that evaluate the creditworthiness of natural persons or establish their credit score are categorically high-risk; this covers consumers and sole traders, but not the rating of companies. It applies to banks, leasing companies, buy-now-pay-later providers, and other lenders. Deployers of point 5.b systems must also perform a FRIA (Art. 27), whether they are public or private. Sector-specific regulations (the Dutch Wft, EBA guidelines on the use of AI in credit) apply alongside the EU AI Act.

Fraud detection: Context-dependent. Annex III, point 5.b expressly excludes AI used to detect financial fraud from the creditworthiness category, so a fraud engine is not high-risk merely because it runs at a lender. It needs a fresh classification analysis when its output effectively decides something listed elsewhere in Annex III, for example when a fraud score feeds into a credit decision, or when a public body uses it to decide on access to benefits (point 5.a). Fraud detection that only raises internal alerts reviewed by staff performs a preparatory task in the sense of Art. 6.3; the provider must document that assessment before placing the system on the market (Art. 6.4), and the deployer should ask for that documentation.

Financial reporting AI and budget forecasting: Minimal risk in most cases. AI analysing financial data and generating forecasts for internal use without direct decision consequences for external persons generally falls outside the high-risk category. Transparency with management users about forecast limitations is good practice.

Marketing & Communications

Generative AI for content production (text, images): Limited risk (Art. 50). Two obligations apply. Providers of generative systems must mark synthetic output in a machine-readable format (Art. 50.2). Deployers must disclose deepfakes (AI-generated or manipulated images, audio, or video) and AI-generated text that is published to inform the public on matters of public interest, unless that text has undergone human review and a natural or legal person holds editorial responsibility for it (Art. 50.4). A fully AI-generated article on a matter of public interest presented as "written by our editorial team" without any human review does not meet that exception. Where a human writer uses AI as a co-pilot, reviews the result, and takes editorial responsibility, the deployer disclosure duty for the text does not apply.

Personalised advertising targeting: Minimal risk in most cases. Targeting algorithms that segment audiences based on clickstream behaviour are not high-risk AI, and no Art. 50 obligation attaches to the targeting itself. Watch out: if targeting exploits the vulnerabilities of a person or group due to age, disability, or a specific social or economic situation (Art. 5.1.b), or uses subliminal, manipulative, or deceptive techniques that materially distort behaviour and cause significant harm (Art. 5.1.a), it is a prohibited AI practice regardless of risk class.

AI chatbots for customer service: Limited risk (Art. 50). Providers must design the chatbot so that users are informed they are interacting with an AI system, unless this is obvious from the context (Art. 50.1); in practice the deployer configures the greeting and the channel accordingly. The risk level increases if the chatbot makes or supports decisions with significant consequences for the customer (e.g. credit limit adjustments, which touch Annex III, point 5.b, or contract modifications). In that case a classification analysis is required.

Operations & IT

AI for quality control in manufacturing: Context-dependent. The question is whether the AI is a safety component of, or itself is, a product covered by the Annex I harmonisation legislation (machinery, medical devices, and others) and subject to third-party conformity assessment under that legislation (Art. 6.1); a vision system built into a machine's safety function is an example. An inspection tool that merely flags quality deviations for an operator is not a safety component of the product and is not high-risk on that basis. Note that the Art. 6.3 derogation applies only to Annex III systems; it cannot be used to take an Annex I safety component out of the high-risk category.

Predictive maintenance: Minimal risk in most cases. AI that predicts machine failures and advises maintenance for internal use is generally not high-risk, unless the system directly intervenes in critical infrastructure (Annex III, point 2).

IT security AI (anomaly detection, SIEM): Minimal risk in most cases, depending on automated action. If the system only generates alerts for security analysts, it is not high-risk AI. If the system automatically blocks accounts or denies access to employees or customers on the basis of an AI assessment, a classification analysis is required: automated action against employees can amount to monitoring and evaluating their behaviour (Annex III, point 4.b), and a system that is a safety component in the operation of critical digital infrastructure falls under Annex III, point 2. Whatever the outcome, document the boundary between alert-only and automated enforcement, because that boundary is what the classification rests on.

Healthcare

AI diagnostic support (imaging analysis, symptom checker): High-risk AI in most cases. Diagnostic software is usually itself a medical device under the MDR, which brings it under Annex I (Art. 6.1); healthcare use cases outside the MDR are caught by Annex III, point 5 where they concern eligibility for healthcare services (5.a) or emergency triage (5.d). Medical AI faces the highest compliance burden: conformity assessment by a notified body (for MDR products), technical documentation, human oversight, and a FRIA (Art. 27) where the deployer is a public body or provides public services, as most healthcare providers do.

Administrative AI in healthcare (scheduling, billing verification): Minimal risk in most cases, unless decisions directly affect the provision of care to individual patients.

Practical Starting Point: Build Your AI Inventory

This overview is a starting point, not a definitive classification. For each AI system your organisation deploys, conduct a formal classification analysis per Art. 6. Start with the highest-risk categories: HR selection, credit assessment, and medical AI. These are most urgent and carry the heaviest compliance obligations.

Compliance Checklist

  1. Has your HR department inventoried all AI tools used in selection, assessment, or workforce management?
  2. Have your finance AI tools for credit or risk assessment been classified, and are those that evaluate the creditworthiness of natural persons treated as high-risk (Annex III, point 5.b)?
  3. Are your marketing chatbots configured to identify themselves as AI (Art. 50)?
  4. Have AI tools in safety-critical operational systems been assessed for their impact on human safety?
  5. Is there a central AI inventory tracking all systems by department?
  6. Is there a procedure for notifying new AI procurement to the AI Officer?
  7. Are department heads informed about their responsibility for Art. 4 AI literacy in their team?