EU AI Act in HR
Also called: AI Act, EU AI Act
What “high-risk” means in practice
For HR-specific AI (Annex III, point 4 of the Act), high-risk classification triggers the following requirements:
- Risk management system: the vendor must document risks and mitigations before deployment.
- Data governance: training data quality, bias-mitigation steps, validation procedures.
- Transparency to candidates: candidates must be told when an AI system is involved in a decision affecting them.
- Human oversight: a person must be able to review and override the AI’s decision.
- Logging and traceability: the AI’s decisions need to be auditable.
- Bias audits: regular fairness testing across protected attributes.
The Act distinguishes between the provider (the AI vendor) and the deployer (the employer using it). Most compliance falls on the provider, but the deployer is responsible for transparency and human-oversight obligations in their hiring process.
SMB obligations specifically
If you’re an SMB using a third-party ATS with AI features, you inherit most of your compliance through the vendor. Your specific responsibilities are:
- Tell candidates when AI is involved (a line in the application form, a footnote on the rejection email).
- Keep a human in the loop for decisions — auto-rejections need explicit, narrow triggers.
- Document your usage — which features, for which decisions, at which stage.
- Pick vendors that comply — and ask for their conformity assessment.
Timeline
The Act entered into force in August 2024. The high-risk requirements (including HR) became fully applicable in August 2026. Most SMBs and their vendors are now in active compliance mode.
Where Join fits
Join is an AI-using ATS designed for EU AI Act compliance from the ground up. The conformity assessment, bias-audit results, and human-oversight controls are summarized at trust.join.com.