Art. 26.2 EU AI Act: Human Oversight of High-Risk AI
Updated: June 2026 — full revision to Validai quality standard
Introduction: The Meaning of Human Oversight
Art. 26.2 requires deployers to "ensure that the natural persons to whom human oversight of high-risk AI systems is assigned have the necessary competence, training, and authority to perform that oversight." This is the legal anchor for what is commonly called the "four-eyes principle" in AI governance.
Human oversight is not a bureaucratic formality. It is the mechanism through which the EU AI Act maintains human agency in high-stakes automated decision-making. An oversight process that is nominally in place but substantively ineffective — because the overseer lacks the competence to evaluate AI output — does not satisfy Art. 26.2.
Three Requirements for Valid Oversight
1. Competence
The overseer must understand the AI system sufficiently to critically evaluate its outputs. This is a substantive requirement, not a formal one. A manager who rubber-stamps AI credit decisions without understanding the scoring model's methodology does not provide qualified oversight.
Competence is assessed relative to the risk level: a higher-risk system (e.g. AI used in criminal justice) requires deeper technical understanding than a high-risk system at the lower end of the risk range. The supervisory authority will evaluate whether the competence of the oversight function matched the complexity and risk level of the system.
2. Training
Oversight requires formal training covering: the AI system's functioning and limitations, the types of errors the system is known to make, the interpretation of AI outputs and confidence scores, the process for overriding AI outputs, and the procedure for escalating concerns and reporting incidents.
Training must be documented (connecting to Art. 4 literacy obligations) and must be refreshed when the AI system is updated or when performance data reveals new failure modes.
3. Authority
The overseer must have genuine decision-making authority. If an organisation's process requires AI output to be approved by a junior analyst whose recommendations a system can automatically override, there is no effective human oversight. The person with oversight responsibility must have the organisational authority to accept, reject, or modify AI-generated outputs.
Practical Implementation
The Four-Eyes Principle in HR Selection
For CV screening AI (Annex III, point 4), a compliant oversight process might look like: AI generates a ranked shortlist → HR officer (trained, documented) reviews each shortlisted and excluded candidate → HR officer approves final shortlist with written confirmation → manager independently reviews before interview invitation.
Non-compliant process: AI generates shortlist → system automatically sends interview invitations to top 5 candidates without human review.
Oversight Logging
Art. 26.2 compliance requires documentation of oversight decisions. For each significant AI-assisted decision, log: the AI output, the overseer's assessment, whether the overseer agreed or overrode the output, and the rationale for override if applicable. This log is subject to the Art. 26.6 retention requirements.
Compliance Checklist
- Is there a named oversight function for every high-risk AI system?
- Does the oversight function have documented competence in the AI system?
- Has the oversight function received and documented training on the system?
- Does the oversight function have organisational authority to override AI outputs?
- Is there a log of oversight decisions with rationale for overrides?
- Is oversight training refreshed when the AI system is updated?