Key Takeaways
- The EU AI Act classifies AI used in recruiting, screening, performance evaluation, and workforce management as high-risk, with full compliance obligations enforceable as early as August 2, 2026.
- Emotion recognition in hiring and personality inference from social media have been illegal since February 2025. If your vendor’s tool scores candidates on “enthusiasm” or “cultural fit” through video analysis, you’re already in violation.
- Compliance is the deployer’s obligation, not the vendor’s. Your ATS provider shipping an “AI-compliant” label doesn’t cover you. You need your own bias audits, documentation, human oversight processes, and employee notification systems.
- This applies to any company that recruits, evaluates, or manages workers in the EU, regardless of where the company is headquartered. US multinationals with European operations cannot opt out.
Your HR AI Is Probably Illegal in Four Months.
The EU AI Act is about to make most HR teams’ AI practices a compliance liability. The question isn’t whether it applies to you. It’s whether you’ll be ready.
Your applicant tracking system added an AI screening feature sometime last year. Recruiting turned it on. It’s been filtering candidates for months now, sorting resumes, ranking applicants, maybe even scheduling interviews based on some model’s assessment of “fit.” Nobody documented how it scores people. Nobody tested it for demographic bias. Nobody told candidates it was being used. And nobody checked whether the thing actually predicts job performance or just pattern-matches on writing style and keyword density.
In roughly four months, all of that becomes a compliance violation carrying fines up to €35 million or 7% of global annual turnover, whichever is higher.
The EU AI Act’s high-risk obligations for employment AI systems become enforceable on August 2, 2026. And “employment AI” covers almost everything HR teams have been casually adopting: resume screening, candidate ranking, video interview analysis, performance evaluation tools, workforce monitoring, turnover prediction, promotion scoring. If an AI system influences a decision about someone’s livelihood, the EU has something to say about it.
This isn’t a future problem. It’s a four-month problem.
The Regulation Nobody in HR Read
The EU Artificial Intelligence Act entered into force in August 2024, with obligations phased in over three years. The phasing was supposed to give organizations time to prepare. In practice, it gave them time to ignore it.
Here’s the timeline that matters. In February 2025, the first set of prohibitions took effect. These banned the most egregious uses of AI: social scoring systems, exploitation of vulnerable groups, and, critically for HR, emotion recognition in workplace contexts and biometric categorization of employees. That means AI tools that claim to assess a candidate’s “enthusiasm,” “confidence,” or “cultural fit” by analyzing facial expressions, voice tone, or body language have been illegal in the EU for over a year. If your video interview platform does this, you have a problem that predates the August deadline.
The bigger wave hits on August 2, 2026. That’s when the full compliance framework for high-risk AI systems becomes enforceable. The Act classifies AI used in “employment, workers management and access to self-employment” as high-risk under Annex III. The list is specific: automated candidate selection, resume filtering, ad targeting for job postings, performance evaluation, task allocation based on individual behavior or traits, and monitoring or evaluation of people in work-related contractual relationships.
There is one wrinkle worth noting. The European Commission’s proposed Digital Omnibus Package, currently under trilogue negotiation, could tie enforcement timing to the availability of harmonized technical standards. If those standards aren’t finalized, the effective deadline could shift six to sixteen months beyond August 2026. But “could shift” is not “will shift,” and the Omnibus Package might not pass in its current form. Any HR leader planning around a delay is gambling with the house’s money.
What “High-Risk” Actually Requires
The label “high-risk” isn’t just a classification. It’s a set of specific, documented obligations that most HR teams have never contemplated, let alone implemented.
Bias detection and mitigation. Before deploying any high-risk AI system, you must examine it for possible biases that could affect health and safety, negatively impact fundamental rights, or lead to discrimination prohibited under EU law. This isn’t optional. It isn’t a one-time check. The Act requires appropriate measures to detect, prevent, and mitigate those biases on an ongoing basis. If your AI screening tool has never been audited for disparate impact across gender, age, ethnicity, or disability status, you’re starting from zero.
Technical documentation. Providers must produce detailed technical documentation explaining how the AI system works, what data it was trained on, and how it reaches decisions. But here’s the part that catches HR teams off guard: deployers (that’s you, the company using the tool) also have documentation obligations. You need records of how you’ve assessed the system, what oversight you’ve implemented, and how you’ve verified the tool is appropriate for your use case.
Data quality requirements. Training, validation, and testing datasets must be relevant, sufficiently representative, and, to the best extent possible, free of errors and complete. If your vendor trained their model on data that doesn’t represent your applicant pool, the compliance burden falls on you to identify and address that gap.
Human oversight. High-risk AI systems must be designed to allow human oversight, and deployers must ensure that the people responsible for oversight are properly trained and qualified. “We have a recruiter who reviews the shortlist” doesn’t cut it if that recruiter doesn’t understand how the AI generated the shortlist, what it weighted, or what it excluded.
Transparency and notification. Article 26(7) is blunt: employers must inform both employee representatives (works councils, trade unions where applicable) and directly affected employees, in a clear and comprehensive manner, that they will be subject to a high-risk AI system. Most organizations haven’t told their candidates anything. Many haven’t told their own employees.
Some of Your Tools Are Already Illegal
The February 2025 prohibitions aren’t getting enough attention. These aren’t future requirements. They’re current law.
The Act prohibits AI systems that infer emotions of employees or candidates in workplace contexts, except for narrow medical or safety purposes. If your video interview platform analyzes facial expressions, voice modulation, or body language and returns a score, a sentiment indicator, or a “communication style” rating, that system is likely prohibited. The fact that the vendor relabeled “emotion detection” as “behavioral signal analysis” does not change the legal classification. Rebranding the feature doesn’t change the function. And the function is what the Act regulates.
The Act also prohibits AI systems that infer personality traits from social media activity, writing style, or non-work behavior and use those inferences to filter candidates. Scraping a candidate’s LinkedIn posts to assess “thought leadership” or analyzing their writing samples for personality indicators falls squarely in this category. So does any system that ingests a candidate’s online presence and outputs a compatibility score, a risk rating, or a “values alignment” metric.
These prohibitions aren’t obscure edge cases. They describe features that were actively marketed by HR tech vendors as recently as 2024. Some of those features are still live in production systems. The vendors quietly renamed them or buried them in settings panels, but the underlying models haven’t changed. An HR team that turned on “AI-enhanced candidate insights” eighteen months ago and never looked back may already be in violation.
Gartner projects that by 2028, a quarter of candidate profiles could be fake, driven partly by the AI arms race in recruiting. The EU’s response is not to make AI recruiting smarter. It’s to make organizations accountable for what their AI does.
The Extraterritorial Trap
If you’re reading this from a US office thinking this doesn’t apply to you, think again.
The EU AI Act has explicit extraterritorial reach. It applies to any organization that places AI systems on the EU market or puts them into service in the EU, regardless of where the organization is established. Crowell & Moring’s 2026 legal analysis confirms it plainly: US employers are covered if AI outputs are intended to be used within the EU, meaning if you recruit EU candidates, evaluate EU-based workers, or deploy global HR tools that EU-based employees interact with.
For a multinational running a single Workday instance with AI-powered talent management features across 30 countries, the EU AI Act effectively governs the entire system. You can’t carve out the EU employees from a globally integrated platform without building separate workflows, which most organizations haven’t done and don’t plan to.
This is also where the interaction with GDPR intensifies. AI systems processing EU employee or candidate data must comply with both frameworks simultaneously. The Digital Omnibus Package is attempting to clarify this overlap, but until it’s finalized, companies operate under both sets of obligations independently.
Your Vendor Won’t Save You
Here’s where the conversation goes sideways. The natural response from most HR leaders is to ask their vendor: “Are you compliant?”
The answer is almost always some version of yes. The vendor built the system. They’re the “provider” under the Act. They have documentation obligations. But the Act draws a sharp line between providers (who build the system) and deployers (who use it). Deployer obligations are separate and non-delegable.
As a deployer, you must conduct your own assessment of whether the system is appropriate for your context. You must implement your own human oversight processes. You must maintain your own logs of the system’s operation. You must ensure your own employees are trained on how the system works and its limitations. And you must notify your own workers and candidates.
Your vendor shipping a compliance document with their product is a starting point, not a finish line. The compliance gap between what vendors provide and what deployers need is where most organizations will get caught.
Meanwhile, Gartner reports that 79% of large US companies are using generative AI in at least one HR process, but only 11% have integrated it into core systems. That means the majority are using AI tools informally, sometimes at the individual employee level, with no centralized documentation, no bias auditing, and no oversight processes. These shadow AI deployments are compliance nightmares.
Consider the recruiting manager who signed up for a free trial of an AI sourcing tool, connected it to LinkedIn, and has been using it to pre-screen candidates for six months. IT doesn’t know about it. Legal doesn’t know about it. There’s no documentation, no bias testing, no candidate notification. Under the AI Act, the organization is still liable for that tool’s outputs. The “I didn’t know my team was using it” defense doesn’t appear anywhere in the regulation.
This is the 79% problem in miniature. The majority of AI use in HR isn’t sanctioned enterprise deployments with governance frameworks. It’s individual tools adopted by individual teams solving individual problems, with nobody connecting the dots on cumulative compliance exposure.
The Four-Month Playbook
Four months is not enough time to build a world-class AI governance program. It is enough time to avoid the most egregious violations.
Audit your AI inventory. Start by figuring out what AI you’re actually using across the employee lifecycle. This includes your ATS, your HRIS, your performance management system, your workforce analytics tools, and whatever your recruiting team signed up for on a free trial. Every system that touches an employment decision is potentially in scope. Don’t forget the tools your managers adopted without IT’s blessing.
Classify by risk level. Map each system to the Act’s four risk tiers: prohibited, high-risk, limited risk, and minimal risk. If a system influences who gets hired, promoted, evaluated, or terminated, it’s almost certainly high-risk. If it detects emotions or infers personality, it’s probably prohibited. Kill the prohibited ones immediately.
Demand documentation from your vendors. Under the Act, providers must supply technical documentation, training data information, and conformity assessments. Request these now. If a vendor can’t produce them, that tells you something important about the system you’ve been using.
Build human oversight processes. For each high-risk system, define who reviews AI-generated outputs before they become decisions. Train those people on what the AI does, what it doesn’t do, and how to override it. Document the process. “A human looked at it” isn’t oversight. Oversight requires understanding and the authority to intervene.
Notify your people. Draft clear communications for candidates and employees explaining which AI systems are in use, what they do, and how decisions are reviewed. This isn’t just a legal requirement. It’s the right thing to do.
Start a bias audit now. For your highest-risk systems (anything that screens, ranks, or scores candidates), commission an independent bias audit. Test for disparate impact across protected characteristics. If you find bias, you have a documented basis for remediation. If you don’t find bias, you have a documented basis for compliance. Either way, you’re better off having done it than not. Four months isn’t enough for a comprehensive audit of every system, but it’s enough to assess the two or three tools with the largest exposure.
Engage legal and compliance. If you haven’t already involved your legal team, start today. The intersection of the AI Act, GDPR, and national labor law creates complexity that HR can’t navigate alone. Belgium, for instance, has collective bargaining obligations triggered by new technology deployment that predate and compound the AI Act requirements.
The Bigger Question
You could read this entire article as a compliance checklist. Map your systems, document your processes, notify your employees, and hope the Omnibus Package pushes the deadline out.
But the more interesting question is whether you should be doing this work regardless of the regulation.
The EU AI Act didn’t invent the idea that AI systems used in employment decisions should be tested for bias. It didn’t create the principle that people deserve to know when a machine is influencing decisions about their livelihood. It didn’t originate the concept that human judgment should remain in the loop when the stakes are high. These are things that responsible HR practitioners should have been doing from the moment they deployed AI in hiring. The regulation exists because most didn’t.
Ethan Mollick’s jagged frontier research shows that AI excels at some tasks that seem hard and fails at others that seem easy. Resume keyword matching is inside the frontier. Predicting job performance from a 30-second video clip is not. Ranking candidates by objective qualifications is inside the frontier. Assessing “culture fit” from writing style is not. The EU AI Act is, in a sense, the regulatory system catching up to the research: if you’re using AI in high-stakes decisions, you should be able to prove it works and doesn’t discriminate.
The organizations that treat August 2026 as a compliance exercise will spend the next four months generating paperwork. The organizations that treat it as a catalyst will spend the next four months asking harder questions about whether their AI actually improves hiring outcomes or just automates existing biases faster. The paperwork will protect you from fines. The harder questions will protect you from building systems that confidently hire the wrong people.
Four months. The clock is running.
The Real Question
There are two versions of how HR teams will respond to the EU AI Act. In the first version, this is a compliance project: map the systems, produce the documents, check the boxes, move on. In the second version, this is the moment HR finally confronts whether the AI tools they’ve adopted are any good.
The evidence suggests most organizations will choose the first version, because compliance is cheaper than self-examination and less threatening to the vendor relationships they’ve already invested in. But the organizations that choose the second version, the ones that ask whether their AI screening tool actually predicts performance, whether their “AI-powered” interview analysis does anything a structured interview guide couldn’t do better, will come out of this with something more valuable than a compliance certificate.
They’ll come out of it knowing which of their tools are worth keeping.