Your Hiring Software May Already Violate EU Law

By David Barry
While the most consequential obligations of the EU AI Act may have been pushed off until December 2027, HR teams shouldn't see it as a reprieve.

In Brief

  • Most AI hiring tools — including common ATS platforms, CV screeners and performance dashboards — are classified as "high-risk" under the EU AI Act, which applies to any company whose AI affects people in the EU, not just European firms.
  • Compliance falls on the employer, not the vendor. Most organizations lack the documented oversight, risk management and AI inventories the Act requires.
  • The main deadline has moved to December 2027, but obligations around AI literacy, employee notification and GDPR transparency are already live.

Many companies deploying AI in their hiring process may not be aware that they don’t comply with European law.

The EU AI Act took effect on Aug. 1, 2024. Its most consequential obligations, covering “high-risk” AI systems used in hiring, performance evaluation and workforce management, were scheduled to go into effect Aug. 2, 2026. A provisional political agreement reached on May 7, 2026 put off that date to Dec. 2, 2027.

But for HR teams, that extension is not a reprieve. Several obligations are already in force, and regulators are already moving.

Annex III of the Act flags tools used in recruitment, candidate screening, performance evaluation and decisions about promotion or termination. Complying with the Act requires documented risk management systems, Data Protection Impact Assessments and mandatory human oversight. Workers must be notified before high-risk AI is deployed, and systems must be registered in an EU database. Fines for serious violations run to €35 million or 7% of global annual turnover, whichever is higher.

To be clear, this isn't just a European problem. The Act applies extraterritorially: if an AI system's output affects anyone in the EU, the company behind it is in scope, no matter where it's based. U.S. employers using AI to screen EU candidates, evaluate EU-based workers or run global HR tools that touch EU teams are covered. Legal advisors are drawing a direct comparison to GDPR, which caught many American companies off guard. The mechanism is the same. So is the risk of treating it as someone else's problem.

What Counts as ‘High-Risk’ AI Tools for HR

“High-risk” AI sounds like something futuristic and powerful, but the Act refers to tools already running inside many HR departments.

Applicant tracking systems from platforms including Workday, Greenhouse and iCIMS that use AI features to screen, rank, filter or shortlist candidates are classified as “high-risk” under Annex III, Category 4. So are automated CV screeners, psychometric assessors and productivity scoring dashboards.

The classification depends on what a tool does, not what the vendor calls it, said Constantin Razvan Gospodin, a regulatory advisor at Lexara Advisory who works with organizations on EU AI Act readiness. Any system that significantly affects decisions about hiring, scoring, promotion, task allocation, performance evaluation or workforce monitoring is “high-risk” by default.

"The chatbot nobody officially procured, the third-party assessment tool that came through procurement and the performance analytics module bundled within a larger platform, all count," Gospodin said.

One category is in an even harder legal position. Video interview platforms that analyze facial expressions or tone of voice to infer emotional states are not merely “high-risk,” but are prohibited under Article 5 of the Act, which bans emotion recognition in the workplace. That ban has been in effect since February 2025.

HireVue, one of the most widely used AI hiring platforms, dropped the feature in 2021 following an FTC complaint filed by the Electronic Privacy Information Center, which argued the tool was unproven, invasive and prone to bias. The EU AI Act now makes that kind of tool not just controversial but illegal. If your hiring stack includes anything that scores candidates on emotional or behavioral signals inferred from video, remove it.

Enterprises Are Responsible for Compliance, Not Just Vendors

You might think that AI compliance is the vendor's problem, but it isn’t.

"The obligation sits with the deployer — you — not just the developer,” said David Viney, a fractional CIO and AI governance advisor who has worked across WPP, Arup, the BBC and Heathrow Airport, and whose organization, Article 19, helped define the human rights provisions of the Act. “Don't assume your vendor has handled this."

Here’s why that distinction matters. A compliant vendor does not transfer compliance to the employer using the system. How the tool is implemented, whether human oversight is maintained and whether warnings from the system are acted on are the deployer's responsibility.

For “high-risk” systems, the documentation requirements are specific: organizations must have a documented risk management system covering the AI lifecycle. They need evidence of data governance, including bias controls, technical documentation created before deployment and a conformity assessment for the highest-risk categories.

Most mid-sized businesses don’t have any of it, Viney said. Many do not even have an inventory of the AI systems they are running. "You cannot govern what you don't know about," he said.

HR teams should be pressing vendors now for technical documentation, conformity assessments and bias testing results. If a vendor cannot produce these on request, that is a red flag.

Contracts signed going forward should include warranties for AI Act compliance, audit rights, incident notification clauses and indemnification provisions linked to provider obligations. Even a vendor that clears every one of those bars does not absorb your liability as deployer.

What Human Oversight Means for HR Teams

Human oversight is required under the Act, but the standard is more exacting than most HR teams realize. Under Article 14, a human reviewer must understand a system's outputs, recognize when they are unreliable, and be able to override or disregard them before they have any material effect. A manager approving an AI-generated shortlist without understanding the algorithm's reasoning does not satisfy the requirement.

Viney has a term for what most organizations are doing instead: "process theater." The label targets the gap between a review process that exists on paper and one that gives a human genuine understanding and authority. If your HR team approves an AI shortlist without being able to explain the algorithm's reasoning or override it in practice, that is not oversight. Regulators, Viney says, know the difference.

Gospodin adds a structural dimension. Oversight personnel need documented authority to disagree, access to the reasoning behind the output and a recorded decision trail. Organizations must also specifically train those individuals on automation bias — research consistently shows that people tend to follow AI recommendations even when they should not. That training is not optional under the Act. It is a compliance requirement.

The Deadline Shift Is for 'Preparation, Not a Pause'

The Omnibus agreement confirmed on May 7 that the full high-risk compliance deadline for Annex III systems has moved to December 2027. For organizations that have done nothing, this looks like a reprieve. It is not, or at least not entirely.

Several obligations are already in effect and unaffected by the delay. AI literacy requirements under Article 4 have applied since February 2025. The requirement to consult employee representatives before deploying high-risk AI in HR contexts — Article 26(7) — applies now.

GDPR obligations around data protection impact assessments and transparency notices for candidates and employees are active and running in parallel. There is also a grandfathering trap: the extension covers systems already on the market, but only until they undergo significant design changes. What counts as significant remains undefined — and regulators will be the ones making that call.

The Omnibus window is real but narrower than it looks. Technical documentation built from scratch takes three to six months under the most favorable conditions. An AI system inventory — the prerequisite for any compliance program — requires dedicated resources and organizational will. As Saskia Vermeer de Jongh, a partner and AI and digital law leader at HVG Law at EY, puts it: "The December 2027 deadline is for preparation, not a pause." Organizations that begin in late 2027 will not finish in time.

The Liability in Your Past AI-Based Decisions

One dimension that HR leaders are largely avoiding is the liability that has already accumulated. Employees and candidates whose data has been processed by AI-assisted hiring or performance tools without their knowledge have rights under GDPR — rights around transparency, access and in some cases the right to challenge automated decisions under Article 22. If those disclosures were not made, the exposure is present-tense, not future.

The enforcement machinery is already moving. France's data protection authority, the CNIL, has named recruitment as one of its three main enforcement priorities for 2026, with inspections specifically targeting automated decision-making tools used in hiring. Large companies and recruitment agencies are first in line. Regulators examining a complaint will ask whether disclosure infrastructure existed, when it was built, and why it was not built earlier.

Where to Start Today

Every expert consulted for this piece gave the same first answer: build the inventory. Map every AI system involved in any HR decision — its purpose, vendor, data inputs, outputs, decision impact and the human involvement at each stage. Most organizations find their exposure is significantly broader than leadership assumed.

From there, four steps define the critical path. Audit your tools against Annex III and flag anything that screens, scores, ranks or monitors employees or candidates. Contact every flagged vendor and request their technical documentation and conformity assessment — and log their responses, because a vendor that goes quiet is itself a data point. Review every current contract for AI Act compliance warranties and audit rights, and build those clauses into any new procurement. Finally, establish documented human oversight procedures for every high-risk tool, with named individuals who have genuine authority to override — not rubber-stamp.

Governance structure then determines whether any of that holds. Legal handles regulatory interpretation. IT and security manage technical documentation and monitoring. Procurement owns vendor due diligence. HR owns human oversight procedures and impact assessments.

The companies that will struggle in December 2027, Gospodin says, are those where each function assumed someone else was managing it.

The tools are already running. The clock is already moving. The question is whether anyone in the organization knows that.

About the Author
David Barry

David is a European-based journalist of 35 years who has spent the last 15 following the development of workplace technologies, from the early days of document management, enterprise content management and content services. Now, with the development of new remote and hybrid work models, he covers the evolution of technologies that enable collaboration, communications and work and has recently spent a great deal of time exploring the far reaches of AI, generative AI and General AI.
