AI in recruitment: risks, bias and what the EU AI Act already requires
AI recruitment systems fall under Annex III of the EU AI Act as high-risk, which triggers the full set of deployer obligations under Article 26 (human oversight, data quality, monitoring, log retention) and a Fundamental Rights Impact Assessment under Article 27. These duties cannot be transferred to the software vendor.
For any overloaded HR department the promise is appealing. Instead of manually reviewing hundreds of CVs, an algorithm reads, analyses and ranks candidates in seconds. The best-fitting talent rises to the top; the rest receive an automated rejection. It is efficient, scalable, and it appears objective.
But that objectivity is misleading. Automated candidate screening is one of the most legally exposed applications of artificial intelligence in business. While HR managers welcome the efficiency, their organisations quietly enter the highest risk category of the EU AI Act, with obligations that are far-reaching and cannot be delegated to the software vendor.
The objective machine is an illusion
An algorithm has no intrinsic understanding of "talent" or "suitability". It recognises patterns in historical data, in this case, the hiring decisions your organisation made in the past. The model does not learn who the best candidate is, but who most resembles the people who were hired successfully before.
If your IT department has historically been predominantly male, or if certain backgrounds were consistently and unconsciously rejected, the algorithm encodes these patterns and repeats them at scale.
This is not theory. In 2018, Amazon found that its internally developed AI recruitment system systematically disadvantaged women for technical roles, because the model had been trained on ten years of hiring data from a male-dominated sector. The system did exactly what it was trained to do. That was the problem. Amazon ended the project.
A tool meant to remove human bias works in practice as an amplifier of historical inequality.
Annex III: recruitment and selection is explicitly high-risk
The European legislature recognises the societal impact of algorithmic decisions in the labour market. Annex III of the EU AI Act explicitly classifies AI systems used for recruitment, selection, filtering of applications or evaluation of candidates as high-risk.
This is not a grey area. The moment your organisation deploys an AI tool that scores CVs, ranks candidates or supports hiring decisions, a demanding compliance regime takes effect. The core obligations for deployers under Article 26:
- Demonstrable human oversight: you designate, per system, a trained and authorised person who can override the AI outcome, and their interventions are logged (Art. 26.2)
- Input data monitoring: you are responsible for the quality of the data the system works with (Art. 26.4)
- Ongoing monitoring: you actively monitor whether the system performs as intended, also after deployment (Art. 26.5)
- Log retention: decisions and interventions are recorded for the full period of use (Art. 26.6)
- Fundamental Rights Impact Assessment (FRIA): a prior, documented assessment of the impact on fundamental rights (Art. 27)
When does the FRIA apply, and for whom?
Following the 2026 Omnibus amendments, the FRIA obligation (Art. 27) applies to public authorities and to private deployers in critical sectors. For HR applications in business, the FRIA is required by law when the system makes decisions with a significant impact on individuals, such as selection for a role. In practice, this applies to almost every serious AI screening tool.
The FRIA is not a short questionnaire, but a structured examination across seven fundamental rights dimensions: equality, non-discrimination, privacy, human dignity, freedom of occupational choice, the right to a fair process and protection of personal data. For each dimension, you assess the potential impact, the associated risks and the control measures you apply.
The FRIA must be completed before deployment and reviewed periodically. A FRIA produced after an incident does not constitute compliance.
The certified vendor is a myth
The most common defence offered by HR directors: "We use a tool from a major, reputable software vendor. They are certified, so we are compliant."
This misreads the law. When you procure an AI system for recruitment and selection, you are the deployer under the AI Act. Your vendor can guarantee that the software was built correctly; the CE marking or declaration of conformity covers their share of the responsibility. But you are responsible for how, and on whom, you deploy that system.
No vendor can conduct your FRIA. No vendor can establish your human oversight protocol. No vendor is responsible for the quality of the input data your HR department supplies. These obligations are structurally the deployer's.
Transparency towards applicants (Art. 50)
Article 50 of the AI Act requires deployers to inform individuals who are assessed by an AI system. This information obligation applies at the moment of assessment: not buried in the small print of the privacy policy, but active and comprehensible.
In a recruitment context, applicants must know that their CV is assessed by an algorithm, what information is used and how they can contest the outcome. Failing to do so violates both the AI Act and potentially GDPR rights on automated decision-making (Art. 22 GDPR).
AI literacy as a legal obligation (Art. 4)
Article 4 of the AI Act has applied since 2 February 2025. It requires organisations to give employees who work with AI systems an appropriate level of AI knowledge, tailored to the specific system and their role.
For an HR employee who uses the output of a screening algorithm daily, this means understanding how the system reaches a ranking, which factors weigh most, how bias can arise and when professional judgement should take precedence over the algorithmic outcome. This must be demonstrable, with training records you can produce at audit. Generic "AI awareness training" does not suffice.
Five steps to workable governance
Step 1, Inventory comprehensively. Start with an honest overview of all AI functionality that touches your recruitment process. Not just the visible screening tool, but also the AI features in your Applicant Tracking System, the "smart" search on your careers site, scheduling assistants and video analysis in digital interviews. Shadow AI, AI operating outside the view of IT and compliance, is especially common in HR environments.
Step 2, Conduct the FRIA before going live. Treat the FRIA not as a formality but as a substantive exercise. Involve not only HR but also your privacy officer, legal adviser and, where applicable, the works council. In many jurisdictions, the works council has co-determination rights over the introduction of systems that assess employees or applicants.
Step 3, Establish human oversight as a process, not a principle. "Human-in-the-loop" is not a philosophical position; it is an operational requirement with a named individual, defined authority and documented evidence. Designate an oversight officer per system, establish how their interventions are recorded and ensure they can genuinely override the AI outcome.
Step 4, Inform your applicants actively. Build the information obligation into your recruitment communications: state in the confirmation email after an application that the initial screening is partially algorithmic, what information is used and how the individual can contest the outcome.
Step 5, Monitor for distributional bias. Periodically analyse whether AI outcomes systematically diverge along demographic lines. Record the findings and the measures taken. This satisfies your monitoring obligation under Art. 26.5 and provides your strongest defence against a discrimination claim.
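As an added example (not code from the article), a minimal version of the distributional check described in Step 5 in Python: it computes per-group selection rates of an AI screen over a constructed decision log and flags groups whose rate falls below a threshold relative to the best-performing group of adequate size. The log format, the demographic attributes, the minimum group size and the 0.8 threshold are all assumptions, not figures from the article or the AI Act.

```python
from collections import defaultdict

# Assumed, illustrative thresholds (not figures from the article or the AI Act):
MIN_GROUP_SIZE = 5        # a rate computed on fewer candidates is too noisy to act on
IMPACT_THRESHOLD = 0.8    # impact ratio below this is flagged (US "four-fifths" rule of thumb)

def make_records():
    """Constructed screening log: per (gender, age_band), how many the AI advanced / rejected."""
    spec = [("M", "under_40", 5, 3), ("M", "40_plus", 1, 1),
            ("F", "under_40", 2, 2), ("F", "40_plus", 1, 5),
            ("X", "under_40", 0, 1)]
    return [{"gender": g, "age_band": a, "advanced": i < n_adv}
            for g, a, n_adv, n_rej in spec for i in range(n_adv + n_rej)]

def selection_rates(records, attribute):
    """Map each value of `attribute` to (group size, share of candidates advanced)."""
    total, advanced = defaultdict(int), defaultdict(int)
    for r in records:
        total[r[attribute]] += 1
        advanced[r[attribute]] += int(r["advanced"])
    return {g: (total[g], advanced[g] / total[g]) for g in total}

def adverse_impact_report(records, attribute, threshold=IMPACT_THRESHOLD):
    """Compare every group's selection rate with the best rate among groups of adequate size.

    Returns {group: {"n", "rate", "ratio", "status"}}; status is "ok", "flagged"
    (ratio below threshold) or "insufficient_data" (group too small to judge).
    """
    rates = selection_rates(records, attribute)
    reference = max((rate for n, rate in rates.values() if n >= MIN_GROUP_SIZE), default=None)
    report = {}
    for group, (n, rate) in rates.items():
        if n < MIN_GROUP_SIZE or not reference:
            ratio, status = None, "insufficient_data"
        else:
            ratio = rate / reference
            status = "flagged" if ratio < threshold else "ok"
        report[group] = {"n": n, "rate": round(rate, 3),
                         "ratio": None if ratio is None else round(ratio, 3), "status": status}
    return report

if __name__ == "__main__":
    # Run the check over both monitored attributes and record the findings (Art. 26.5 evidence)
    log = make_records()
    for attribute in ("gender", "age_band"):
        print(attribute, adverse_impact_report(log, attribute))
```

In the constructed log, women advance at half the rate of men and candidates over 40 at under half the rate of younger ones, so both groups are flagged, while the single-candidate group is reported as too small to judge rather than as a finding.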
Timeline: when do you need to act?
| Date | Obligation | Status |
|---|---|---|
| 2 Feb 2025 | Art. 4 AI Literacy in force | ✅ Required now |
| 2 Aug 2026 | Art. 50 Transparency obligations (incl. information duty towards individuals) | ⚠️ Approaching |
| 2 Dec 2027 | Full high-risk obligations (Art. 26, FRIA, log retention) | 🔜 Prepare now |
The December 2027 deadline for full high-risk compliance sounds distant, but a FRIA process, establishing human oversight procedures and ensuring AI Literacy each require months of preparation. Organisations that start in 2026 are ahead; those who wait until 2027 will build under time pressure.
What is actually at stake
Organisations deploying AI for recruitment without the corresponding governance accumulate a compliance liability that can be called in on two fronts: by the supervisory authority through fines of up to €15 million or 3% of global annual turnover, and through the courts via discrimination proceedings brought by rejected candidates who can show that an algorithm determined their chances.
Organisations that do build the governance achieve something harder to quantify but equally valuable: they can demonstrate that their recruitment process is fair, not because they say so, but because they can prove it.