The EU AI Act is not a general ethics framework. It’s a specific compliance regime with registration requirements, technical documentation mandates, human oversight obligations, and financial penalties. For HR leaders operating AI in talent acquisition and workforce management, the requirements are concrete and operational.

This list covers the nine requirements that apply to high-risk HR AI systems—classified under Annex III of the Act as “employment, workers management and access to self-employment.” Each requirement is described in operational terms, not regulatory language.

HR compliance under the EU AI Act requires systematic architecture, not policy documents. Here is what that architecture includes.

1. EU AI System Database Registration

High-risk AI systems must be registered in the EU AI public database before deployment. Registration requires: system name and description, intended purpose and deployment context, risk management system documentation, and designated responsible person within the EU. This is not optional and cannot be deferred post-deployment.

2. Technical Documentation (Annex IV)

Annex IV specifies the exact contents of required technical documentation: general description, intended purpose, version history, interaction with other systems, training data description, validation and testing methodology, accuracy metrics, and known risks. This documentation must be maintained and updated throughout the system’s operational life.

3. Risk Management System

A continuous risk management process must be established and maintained. This includes: identification and analysis of known and foreseeable risks, estimation and evaluation of risks, adoption of risk mitigation measures, and residual risk evaluation. The risk management system must be documented and revisited when the system is updated.

4. Data Governance and Management

Training, validation, and testing data must meet specific requirements: relevance, representativeness, freedom from errors, and completeness for the intended purpose. Bias examination practices must be documented. Data provenance (origin, collection methodology, processing steps) must be traceable. Jeff’s consulting practice has found this requirement catches most organizations unprepared—vendor-provided training data often lacks the provenance documentation required.

5. Human Oversight Mechanisms

Designated, trained individuals must be able to understand system capabilities and limitations, monitor system operation, intervene and override outputs, and report malfunctions. The human oversight requirement is not satisfied by having a “review button”—it requires documented training for oversight personnel, defined escalation procedures, and logged override events.

6. Transparency and Candidate Rights

Individuals subject to AI-assisted decisions must be informed that AI is being used. They have the right to explanation of the logic, an ability to contest the outcome, and access to human review. These rights must be operationally implemented, not just stated in a privacy policy. Build the workflows that handle explanation requests and override procedures before deployment.

7. Accuracy, Robustness, and Cybersecurity

The Act requires that high-risk AI systems achieve appropriate levels of accuracy, robustness against errors and inconsistencies, and resilience against adversarial attacks. For HR AI, this means documented accuracy benchmarks, testing against edge cases and adversarial inputs, and security architecture that prevents manipulation of screening outputs through data poisoning or model inversion attacks.

8. Conformity Assessment

Before deploying a high-risk AI system, providers must conduct a conformity assessment demonstrating compliance with the Act’s requirements. For AI systems in employment contexts, this typically requires internal assessment with an authorized representative, though third-party assessment may be required for systems with significant risk. The conformity assessment must be documented and available to authorities on request.

9. Post-Market Monitoring

Ongoing monitoring of deployed systems is required. This includes collecting and analyzing data on system performance, identifying emerging risks, reporting serious incidents to national authorities, and implementing corrective action when performance deteriorates. The OpsCare™ operational maintenance framework provides the structure for continuous monitoring that satisfies this requirement.

Frequently Asked Questions

When does the EU AI Act enforcement begin for HR systems?

The EU AI Act entered into force in August 2024. The provisions governing high-risk AI systems—including employment AI—became fully applicable in August 2026. Organizations operating high-risk HR AI systems without registration, technical documentation, and human oversight procedures face fines up to €15 million or 3% of global turnover.

What makes an HR AI system ‘high-risk’ under the EU AI Act?

AI systems used in recruitment, hiring, promotion decisions, performance evaluation, task allocation, and monitoring of work performance are classified as high-risk. The classification is based on intended purpose, not technical architecture. If your AI tool affects employment decisions, assume high-risk classification and comply accordingly.

How do GDPR and the EU AI Act interact for HR AI compliance?

They operate as layered requirements: GDPR governs personal data processing (legal basis, data minimization, retention, subject rights) while the EU AI Act governs the AI system itself (documentation, transparency, human oversight, accuracy). Compliance with GDPR alone does not satisfy the EU AI Act. Both frameworks apply simultaneously to HR AI deployments.