GovCompass

EU AI Act by department: HR, finance, marketing, and operations

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

EU AI Act obligations per department depend on the risk class of the AI system. HR selection and credit scoring are high-risk (Annex III) and carry the full Art. 26 obligations; marketing AI and chatbots usually fall under the transparency obligation of Art. 50. A per-system Art. 6 analysis determines the exact obligation.

Updated: June 2026

Introduction: department-level AI compliance

The EU AI Act is a horizontal regulation: it applies across all sectors and all departments. But the practical compliance requirements vary significantly depending on the type of AI application. An HR department using AI for CV screening faces high-risk obligations, including a FRIA (Fundamental Rights Impact Assessment) and human oversight. A marketing department using AI for advertising copy has, in most cases, only the transparency obligation of Art. 50.

This guide analyses the most common AI applications by department against their EU AI Act status and compliance requirements. It is a diagnostic instrument, not a substitute for the full classification analysis required by Art. 6 for each specific system.

HR & recruitment

CV screening and candidate assessment: High-risk AI (Annex III, point 4). This is the most regulated HR application under the EU AI Act. AI that selects, scores, or ranks candidates based on their CV, cover letter, or online questionnaire responses falls without exception into the high-risk category. All Art. 26 obligations apply, including the four-eyes principle (human oversight), input data quality controls, and individual transparency (Art. 26.7).

Borderline: A tool that only checks CV formatting (completeness check) without any substantive assessment of the candidate probably falls outside Annex III. Once the system makes substantive judgements about suitability, it falls within point 4.

Performance evaluation systems: High-risk AI (Annex III, point 4). AI contributing to employee assessment for promotion, salary increase, or contract termination falls under point 4. Human oversight (Art. 26.2) requires genuine review; a manager who rubber-stamps AI assessments without substantive evaluation does not satisfy the obligation.

AI scheduling systems: Limited risk or minimal risk, depending on system autonomy. If the system generates a roster that a planner can freely modify, and does not affect employees' working hours or contract conditions, it is probably not high-risk. If the system effectively determines actual working conditions, further analysis is required.

Finance & risk

Credit scoring and credit allocation: High-risk AI (Annex III, point 5.b). Systems assessing creditworthiness or setting credit limits for individuals or small businesses are categorically high-risk. This applies to banks, leasing companies, buy-now-pay-later providers, and other financial institutions. Sector-specific regulations (Wft, EBA guidelines on AI in credit) apply alongside the EU AI Act.

Fraud detection: Context-dependent. If fraud detection AI is the sole or primary basis for blocking a bank account or refusing a transaction for an individual, it is likely high-risk (point 5). Fraud detection that generates internal alerts always reviewed by staff may fall outside high-risk via Art. 6.3, if the provider documents that assessment in writing.

Financial reporting AI and budget forecasting: Minimal risk in most cases. AI analysing financial data and generating forecasts for internal use without direct decision consequences for external persons generally falls outside the high-risk category. Transparency with management users about forecast limitations is good practice.

Marketing & communications

Generative AI for content production (text, images): Limited risk (Art. 50). AI-generated content must be labelled as such when it could be mistaken for human-created content. A fully AI-generated blog presented as "written by our editorial team" violates Art. 50. For systems that support human writers with AI assistance (co-pilot), where the human makes substantive contributions, the labelling requirement for the final content is less clear-cut.

Personalised advertising targeting: Minimal to limited risk in most cases. Targeting algorithms that segment audiences based on clickstream behaviour are not high-risk AI. Watch out: if targeting specifically exploits vulnerable groups (Art. 5.1.b) or uses subliminal techniques (Art. 5.1.a), it is a prohibited AI practice regardless of risk class.

AI chatbots for customer service: Limited risk (Art. 50). Chatbots must identify themselves as AI. The risk level increases if the chatbot makes or supports decisions with significant consequences for the customer (e.g. credit limit adjustments, contract modifications); in that case, a classification analysis is required.

Operations & IT

AI for quality control in manufacturing: Context-dependent. If the system makes safety-related decisions for products covered by Annex I (machinery, medical devices), it is high-risk AI. If the system flags quality deviations that are always reviewed by an operator, Art. 6.3 may apply.

Predictive maintenance: Minimal risk in most cases. AI that predicts machine failures and advises maintenance for internal use is generally not high-risk, unless the system directly intervenes in critical infrastructure (Annex III, point 2).

IT security AI (anomaly detection, SIEM): Minimal to limited risk depending on automated action. If the system only generates alerts for security analysts, it is not high-risk AI. If the system automatically blocks accounts or denies access to employees or customers based on AI assessment, a classification analysis is required.

Healthcare

AI diagnostic support (imaging analysis, symptom checker): High-risk AI in most cases (Annex I if an MDR-regulated product, or Annex III for standalone AI advisory systems). Medical AI faces the highest compliance burden: conformity assessment by a notified body (for MDR products), technical documentation, human oversight, and typically a FRIA.

Administrative AI in healthcare (scheduling, billing verification): Minimal risk in most cases, unless decisions directly affect the provision of care to individual patients.

Practical starting point: build your AI inventory

This overview is a starting point, not a definitive classification. For each AI system your organisation deploys, conduct a formal classification analysis per Art. 6. Start with the highest-risk categories: HR selection, credit assessment, and medical AI. These are the most urgent and carry the heaviest compliance obligations.

Compliance checklist

  1. Has your HR department inventoried all AI tools used in selection, assessment, or workforce management?
  2. Are your finance AI tools for credit or risk assessment classified as high-risk?
  3. Are your marketing chatbots configured to identify themselves as AI (Art. 50)?
  4. Have AI tools in safety-critical operational systems been assessed for their impact on human safety?
  5. Is there a central AI inventory tracking all systems by department?
  6. Is there a procedure for notifying new AI procurement to the AI Officer?
  7. Are department heads informed about their responsibility for Art. 4 AI literacy in their team?

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.
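The logging capability that Art. 12 describes and the retention floor that Art. 19 attaches to it can be shown in code. What follows is an added example, not code from the GovCompass page or from any product it refers to: a small append-only, hash-chained event log in Python, in which every event about a subject can be traced, tampering with a retained entry is detectable, and a purge routine deletes only entries older than the retention floor. The `AuditLog` class and its methods, the system identifier `hr-cv-screen-01`, the event names and the sample events are all constructed for illustration; the 183-day `MIN_RETENTION` is an assumption standing in for "at least six months".

```python
# Added example, not code from the GovCompass page: a minimal append-only,
# hash-chained event log for one high-risk AI system. It illustrates the
# Art. 12 design obligation (automatic, traceable recording of events) and
# the Art. 19 retention floor (keep logs at least six months). The system
# id, event names, field names and sample events are all constructed.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
# Art. 19 floor of "at least six months", approximated here as 183 days
# (assumption; other law may require a longer period).
MIN_RETENTION = timedelta(days=183)


class AuditLog:
    """Append-only event log; each entry carries the digest of its predecessor."""

    def __init__(self, system_id):
        self.system_id = system_id
        self.entries = []
        self.chain_start = GENESIS  # digest the first retained entry links to
        self.last_ts = None

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts, event, ref, detail):
        """Append one event; timestamps must not go backwards (append-only)."""
        if self.last_ts is not None and ts < self.last_ts:
            raise ValueError("events must be recorded in chronological order")
        prev = self.entries[-1]["digest"] if self.entries else self.chain_start
        body = {"ts": ts.isoformat(), "system": self.system_id, "event": event,
                "ref": ref, "detail": detail, "prev": prev}
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        self.last_ts = ts
        return entry["digest"]

    def verify(self):
        """True iff every retained entry chains correctly and its digest matches."""
        prev = self.chain_start
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def trace(self, ref):
        """Event names recorded for one subject (Art. 12 traceability)."""
        return [e["event"] for e in self.entries if e["ref"] == ref]

    def purge_expired(self, now, min_retention=MIN_RETENTION):
        """Delete only entries older than the retention floor; return the count."""
        cutoff = now - min_retention
        keep_from = 0
        while (keep_from < len(self.entries)
               and datetime.fromisoformat(self.entries[keep_from]["ts"]) < cutoff):
            keep_from += 1
        if keep_from:
            # The chain now starts at the last purged digest, so verification
            # still works over the retained tail.
            self.chain_start = self.entries[keep_from - 1]["digest"]
            self.entries = self.entries[keep_from:]
        return keep_from


NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # constructed reference time


def build_sample_log():
    """Constructed events for a hypothetical CV-screening system."""
    log = AuditLog("hr-cv-screen-01")
    for ref, age in (("cand-0001", timedelta(days=200)), ("cand-0002", timedelta(days=5))):
        t = NOW - age
        log.record(t, "input_received", ref, {"fields": ["cv", "cover_letter"]})
        log.record(t + timedelta(seconds=2), "model_output", ref, {"score": 0.62})
        log.record(t + timedelta(hours=1), "human_review", ref, {"reviewer": "hr-user-7"})
        log.record(t + timedelta(hours=1, minutes=5), "decision", ref, {"outcome": "interview"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("trace cand-0002:", log.trace("cand-0002"))
    print("purged:", log.purge_expired(NOW), "still valid:", log.verify())
```

The design choice worth noting is that deletion is only ever possible for the oldest entries and only once they pass the retention floor, and that purging re-anchors the chain to the last deleted digest, so the retained tail remains verifiable. Any in-place edit to a retained entry breaks the chain, which is what "auditable by construction" asks for.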

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.