
Your AI hiring tool might be high-risk under the AI Act. Here's what that means.

Friday morning at a mid-size company. Your HR team opens the applicant tracking system. Two hundred CVs for a junior developer role. Someone clicks "AI ranking" and within 40 seconds the system surfaces the top 15 candidates. Fast, convenient, and starting August 2, 2026, regulated.

The EU AI Act (Regulation 2024/1689) classifies AI systems by risk level. Everything touching employment falls into the "high-risk" category. That same ranking feature your team relies on daily now carries documentation, transparency, and human oversight obligations. And because this is a regulation (not a directive), it applies directly across all EU member states without needing local transposition.

What counts as high-risk AI in employment

Annex III of the AI Act explicitly lists these employment use cases:

  • Targeting job advertisements with AI (who sees the ad and who does not)
  • Filtering and sorting job applications
  • Evaluating candidates during interviews or assessment centres
  • Decisions about promotion and termination
  • Monitoring worker performance and allocating tasks

If your ATS, HR platform, or internal tool does any of this with an automated component, you have a high-risk AI system. It does not matter whether it is a commercial SaaS product or a custom Python script someone wrote during a hackathon.

This applies broadly. LinkedIn's recruiter AI? High-risk. The sentiment analysis tool your call centre uses to score agents? High-risk. The internal dashboard that recommends which employees should be promoted based on performance metrics? Also high-risk.

What a high-risk AI system must do

The requirements are specific and auditable. They are not principles. They are rules an auditor can check:

Risk management system. Before deployment, you must identify risks to employees' fundamental rights. Review them periodically. Document the measures you took. This is not a one-time exercise. It runs for the entire operational lifetime of the system.

Training data quality. If you train or fine-tune the AI model, you must demonstrate that the data is relevant, sufficiently representative, and free of systematic bias. In practice: if you trained on CVs of successful hires from the past five years and 90% were male, you have a problem. The model learned to prefer male candidates, and now you have to prove it does not.

Technical documentation. Model description, intended purpose, training data, accuracy metrics, known limitations. A GitHub README does not qualify. The documentation must be detailed enough for a supervisory authority to understand how the system works and where it might fail.

Event logging. The system must automatically log when it ran, what inputs it received, and what outputs it produced. Logs must be retained for a minimum of six months. For companies that previously logged only HTTP requests, this requires a shift in thinking about what "audit trail" means.

Transparency toward workers. Employees and candidates must know that AI participates in decisions about them. A sentence buried in an internal policy nobody reads is not enough. The information must be actively communicated. This matters legally, because a person who does not know AI was involved cannot meaningfully challenge the decision.

Human oversight. Final decisions about hiring, firing, or promotion cannot be made by AI alone. A human must have a genuine ability to change the decision, not just a formal "approve" button. This is the point where many companies will struggle. They technically have "human in the loop," but in practice nobody questions the AI output.

Cybersecurity and robustness. The AI system must be resistant to manipulation. In an HR context: what happens if a candidate intentionally formats their CV to trick the parser? What if someone discovers which keywords the system prioritizes and embeds them in white text?

The gap between current tools and compliance

I work with companies deploying AI into internal workflows. Most HR AI tools on the market do not meet these requirements yet. Not because the tools are bad, but because they were built before regulation existed.

Common gaps I see across deployments:

  • No logs explaining why AI ranked or rejected a specific candidate
  • Missing documentation about training data (the vendor often does not have it or will not share it)
  • Candidates are not informed that AI is part of the process
  • "Human in the loop" exists on paper only. In practice, the HR manager clicks "approve all"
  • No Fundamental Rights Impact Assessment, which the AI Act requires from deployers of high-risk systems

That last point matters. The AI Act distinguishes between the provider (who built the system) and the deployer (who uses it). Even if you only purchased the AI tool, you have obligations. You cannot claim that "the vendor is responsible."

Beyond hiring: call centres, workforce management, internal tools

The AI Act does not stop at recruitment. If you use AI to monitor call centre performance (call scoring, sentiment analysis, automatic agent rating), that is also a high-risk system. Same applies when AI decides which employee gets a shift, what workload they carry, or who gets sent to training.

These use cases are especially common in sectors with large workforces: manufacturing, logistics, shared service centres. Exactly where companies deploy AI most aggressively.

Where AI Act meets pay transparency

From June 2027, the Pay Transparency Directive (2023/970) also applies. If AI determines an employee's pay grade or bonus amount, it falls under both regulations simultaneously. HR systems will need to prove that AI does not create gender-based pay disparities. We wrote about this overlap in our article on pay transparency.

Companies that wait for enforcement before acting will face two major compliance changes within a single year. A better strategy is to start now and address AI Act and pay transparency in one project.

A practical checklist for the next four months

  1. Map AI in your HR processes. Where does automated decision-making happen? Which tools? Commercial or custom-built? Include tools that the HR team does not think of as "AI" (e.g., keyword-based CV filtering).
  2. Request documentation from vendors. If you use a commercial ATS with AI features, ask for technical documentation per AI Act requirements. If they cannot provide it, that is a warning sign.
  3. Implement logging. Every AI decision in HR must be recorded and traceable. That means inputs, outputs, and model version, not just the final result.
  4. Inform employees and candidates. Prepare clear, accessible notices about where and how AI enters HR processes.
  5. Ensure real human oversight. Not ceremonial. The person must understand the AI output and have actual authority to override it. Train your HR team on what the AI output means and when to question it.
  6. Conduct a Fundamental Rights Impact Assessment. This is the deployer's obligation, not the vendor's.
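
An added example for checklist items 3 and 5 (not code from this article or from any vendor): one way to shape a per-decision audit record holding input, output and model version, enforce the six-month minimum retention, and measure how often each reviewer actually overrides the AI. The field names, the model version string, the reviewer IDs and the reading of "six months" as 183 days are assumptions, and the sample records are constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption: "six months" is read as 183 days; the article states only the minimum period.
MIN_RETENTION = timedelta(days=183)
REQUIRED = ("ts", "model_version", "input_sha256", "ai_output", "reviewer", "final_decision")

def make_record(cv_text, ai_output, model_version, reviewer, final_decision, ts):
    """Build one JSON-serialisable audit record for a single AI ranking decision."""
    return {
        "ts": ts.isoformat(),
        "model_version": model_version,
        # The hash ties the record to the exact input without copying the CV into the log.
        "input_sha256": hashlib.sha256(cv_text.encode("utf-8")).hexdigest(),
        "ai_output": ai_output,            # what the system produced
        "reviewer": reviewer,              # who exercised human oversight
        "final_decision": final_decision,  # what the human actually decided
    }

def missing_fields(record):
    """Return the required fields that are absent or empty."""
    return [f for f in REQUIRED if record.get(f) in (None, "", {})]

def may_purge(record, now):
    """A record may be deleted only once the minimum retention period has passed."""
    return now - datetime.fromisoformat(record["ts"]) >= MIN_RETENTION

def override_rate(records):
    """Per reviewer: share of final decisions that differ from the AI recommendation."""
    stats = {}
    for r in records:
        total, changed = stats.get(r["reviewer"], (0, 0))
        differs = r["final_decision"] != r["ai_output"]["recommend"]
        stats[r["reviewer"]] = (total + 1, changed + differs)
    return {who: changed / total for who, (total, changed) in stats.items()}

# Constructed sample data (hypothetical model version and reviewer IDs).
NOW = datetime(2026, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    make_record("CV text A", {"rank": 1, "recommend": "advance"}, "ranker-1.4.2", "hr_anna", "advance", NOW - timedelta(days=200)),
    make_record("CV text B", {"rank": 9, "recommend": "reject"}, "ranker-1.4.2", "hr_anna", "reject", NOW - timedelta(days=10)),
    make_record("CV text C", {"rank": 7, "recommend": "reject"}, "ranker-1.4.2", "hr_boris", "advance", NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(json.dumps(rec), missing_fields(rec), may_purge(rec, NOW))
    print(override_rate(SAMPLE))
```

An override rate that stays at zero across many decisions is the "approve all" pattern described above; it is a prompt to review how oversight works in practice, not proof of a failure.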

What this means for your company

The AI Act is not about banning AI from HR. You can use it. You probably should, if it saves time and improves hiring quality. But you need to be able to show how the system works, why it made a specific decision, and that a human had the final say.

If you are unsure whether your HR tools meet the requirements, reach out for an AI compliance audit. We review AI systems for companies that want to be ready before the deadline, not after.

You may also be able to fund compliance work through EU digitalization grants that cover AI compliance projects.
