Art. 26.2 EU AI Act: human oversight of high-risk AI

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 26.2 requires deployers to ensure that the people assigned to oversee a high-risk AI system have the competence, training, and authority to do so effectively. Valid oversight is substantive, not formal: the overseer must understand the system, be trained on its limitations, and hold genuine authority to override its outputs.

Updated: June 2026

Introduction: the meaning of human oversight

Art. 26.2 requires deployers to "ensure that the natural persons to whom human oversight of high-risk AI systems is assigned have the necessary competence, training, and authority to perform that oversight." This is the legal anchor for what is commonly called the "four-eyes principle" in AI governance.

Human oversight is not a bureaucratic formality. It is the mechanism through which the EU AI Act maintains human agency in high-stakes automated decision-making. An oversight process that is nominally in place but substantively ineffective, because the overseer lacks the competence to evaluate AI output, does not satisfy Art. 26.2.

Three requirements for valid oversight

1. Competence

The overseer must understand the AI system sufficiently to critically evaluate its outputs. This is a substantive requirement, not a formal one. A manager who rubber-stamps AI credit decisions without understanding the scoring model's methodology does not provide qualified oversight.

Competence is assessed relative to the risk level: a higher-risk system (e.g. AI used in criminal justice) requires deeper technical understanding than a lower-risk high-risk system. The supervisory authority will evaluate whether the competence of the oversight function matched the complexity and risk level of the system.

2. Training

Oversight requires formal training covering: the AI system's functioning and limitations, the types of errors the system is known to make, the interpretation of AI outputs and confidence scores, the process for overriding AI outputs, and the procedure for escalating concerns and reporting incidents.

Training must be documented (connecting to Art. 4 literacy obligations) and must be refreshed when the AI system is updated or when performance data reveals new failure modes.

3. Authority

The overseer must have genuine decision-making authority. If an organisation's process requires AI output to be approved by a junior analyst whose recommendations can be automatically overridden by a system, there is no effective human oversight. The person with oversight responsibility must have the organisational authority to accept, reject, or modify AI-generated outputs.

Practical implementation

The four-eyes principle in HR selection

For CV screening AI (Annex III, point 4), a compliant oversight process might look like: AI generates a ranked shortlist → HR officer (trained, documented) reviews each shortlisted and excluded candidate → HR officer approves final shortlist with written confirmation → manager independently reviews before interview invitation.

Non-compliant process: AI generates shortlist → system automatically sends interview invitations to top 5 candidates without human review.

Oversight logging

Art. 26.2 compliance requires documentation of oversight decisions. For each significant AI-assisted decision, log: the AI output, the overseer's assessment, whether the overseer agreed or overrode the output, and the rationale for override if applicable. This log is subject to the Art. 26.6 retention requirements.
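
The logging fields above, combined with the four-eyes flow from the HR selection example, sketched as an added example (not GovCompass code and not a format the Act prescribes). The record layout, field names, and sample data are constructed assumptions.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class OversightRecord:          # hypothetical layout; fields follow the text
    decision_id: str
    ai_output: list             # e.g. the ranked shortlist the system produced
    overseer: str               # named person with authority over the output
    assessment: str             # the overseer's own evaluation
    action: str                 # "agreed" or "overrode"
    final_output: list
    rationale: str = ""         # required when action == "overrode"
    second_reviewer: str = ""   # independent reviewer (the manager in the HR flow)

def problems(rec, four_eyes=True):
    """List the reasons this record does not document real oversight."""
    found = []
    if not rec.overseer.strip():
        found.append("no named overseer")
    if not rec.assessment.strip():
        found.append("no overseer assessment")
    if rec.action not in ("agreed", "overrode"):
        found.append("action must be 'agreed' or 'overrode'")
    if rec.action == "overrode" and not rec.rationale.strip():
        found.append("override without rationale")
    if rec.action == "agreed" and rec.final_output != rec.ai_output:
        found.append("output changed but logged as agreed")
    if four_eyes and rec.second_reviewer.strip() in ("", rec.overseer.strip()):
        found.append("no independent second reviewer")
    return found

def release(rec, log, four_eyes=True):
    """Gate: only a complete record is logged and allowed to trigger an action."""
    found = problems(rec, four_eyes)
    if found:
        raise PermissionError("; ".join(found))
    entry = dict(asdict(rec), logged_at=datetime.now(timezone.utc).isoformat())
    log.append(json.dumps(entry, sort_keys=True))
    return rec.final_output

# Constructed sample data: one reviewed decision, one auto-sent shortlist.
AI_SHORTLIST = ["cand-17", "cand-04", "cand-22"]
REVIEWED = OversightRecord(
    "req-001", AI_SHORTLIST, "hr.officer",
    "cand-22 ranked on a CV parsing error; cand-09 wrongly excluded",
    "overrode", ["cand-17", "cand-04", "cand-09"],
    rationale="cand-09 meets all listed criteria", second_reviewer="hiring.manager")
AUTO_SENT = OversightRecord("req-002", AI_SHORTLIST, "", "", "agreed", AI_SHORTLIST)
```

Calling `release()` before any downstream action (such as sending interview invitations) means the non-compliant flow fails closed: `AUTO_SENT` raises instead of producing an output, and nothing is written to the log for it.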

Compliance checklist

  1. Is there a named oversight function for every high-risk AI system?
  2. Does the oversight function have documented competence in the AI system?
  3. Has the oversight function received and documented training on the system?
  4. Does the oversight function have organisational authority to override AI outputs?
  5. Is there a log of oversight decisions with rationale for overrides?
  6. Is oversight training refreshed when the AI system is updated?

Legal references: Art. 26, Art. 14, Art. 4

More on Human oversight

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)

Reference

Art. 27 requires certain deployers, public bodies and private deployers in defined sectors such as credit and insurance, to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.

Art. 4 EU AI Act: AI literacy obligations for organisations

Reference

Art. 4 has required organisations since 2 February 2025 to ensure a sufficient level of AI literacy among staff who operate or use AI systems, proportionate to the system and the role. It applies to all AI use, not only high-risk systems, and must be demonstrable.

Agentic AI: governing actions, not just decisions

Analysis

Data governance asks whether you can trust the data. AI governance asks whether you can trust the decision. Agentic governance asks a third question that neither was built to answer: can you contain what the system does? Agentic AI is the eighth GovCompass element. It binds the other seven under the conditions that autonomy creates, because an AI system that takes actions on your behalf must satisfy all seven elements continuously, across multi-step and multi-agent chains, without a human checkpoint between each step.