Recruitment AI and the EU AI Act: What Article 26 Means for HR
If your company uses AI to screen CVs or rank candidates, you are a high-risk AI deployer under the EU AI Act. Here is exactly what Article 26 requires you to do before the August 2026 deadline.
Your CV-screening tool is already high-risk
Recruitment AI under the EU AI Act lands in the highest-scrutiny category from day one. If you use any AI system to shortlist, score, or rank job applicants, that system falls under Annex III, point 2, which lists AI used for employment, worker management, and access to self-employment as high-risk. This is not a grey area. It does not matter whether the tool is a standalone product or a feature buried inside your ATS. If it makes or influences a decision about a candidate, Annex III applies.
The practical consequence is that your company, as the deployer, inherits a defined set of obligations under Article 26. Those obligations are not optional add-ons. They are legal requirements with enforcement backed by fines of up to €15 million or 3% of global annual turnover under Article 99.
The good news: Article 26 is structured and specific. You can build a compliance program around it in weeks, not months.
What Article 26 actually requires from you
Article 26 splits deployer obligations into five practical areas. Each one maps to something your HR or operations team can own.
1. Use the system as intended
You must use the AI system only within the scope defined by the provider in their technical documentation and instructions. If your vendor says the tool is validated for screening software engineers and you apply it to marketing roles, you are operating outside the intended purpose. That shifts liability toward you. Get the provider's instructions in writing and keep them on file.
2. Assign human oversight
Article 26(1) requires you to implement human oversight measures. This means a named person with the authority and competence to understand the AI system's outputs, to pause or override its recommendations, and to refuse to act on a result that seems wrong. A checkbox saying "HR reviewed" is not enough. The oversight must be real and documented. In practice, this means your HR team needs brief structured training on how the tool works, what its known limitations are, and how to escalate concerns.
3. Monitor for unexpected behaviour
You are required to monitor the AI system's operation on an ongoing basis. Specifically, Article 26(5) asks deployers to monitor for risks to health, safety, or fundamental rights that were not anticipated in the conformity assessment. For recruitment AI, the most concrete risk is discriminatory output: the system systematically downranking women returning from parental leave, or candidates with non-Western names. You do not need a data science team to do this. A quarterly audit comparing shortlist demographics against applicant pool demographics is a credible start.
4. Keep logs
Where you have control over the logging function, Article 26(6) requires you to retain logs for at least six months. These logs are your evidence trail if a candidate challenges a decision or a regulator investigates. Check with your ATS or recruitment tool vendor: do they give you access to decision logs? If not, that is a gap you need to close in the vendor contract before the August 2026 compliance deadline.
5. Inform affected workers and candidates
Article 26(7) is the transparency obligation that HR directors often underestimate. You must inform the workers or job applicants who are subject to the AI system. This does not require a lengthy legal notice. It requires a clear, plain-language statement: that an AI system is being used, what it does, and that a human is involved in the final decision. The most natural place for this is your job application confirmation email or your careers page. Add one short paragraph and you have met the basic obligation.
Article 86: the right to explanation
Separate from Article 26, Article 86 gives any person who has been subject to a high-risk AI decision the right to request a meaningful explanation of the role the AI played. For recruitment, this means a rejected candidate can ask you: why did the AI rate me the way it did, and how did that affect the outcome?
You need to be able to answer that question. Not with a technical model card, but in plain language a non-specialist can understand. Work with your vendor now to get a plain-language explanation of the model's inputs and weighting logic. Draft a one-page internal script for your HR team so they can respond to an Article 86 request within a reasonable timeframe. A response time of 30 days, mirroring GDPR subject access request timelines, is a sensible benchmark.
The GDPR connection you cannot ignore
Recruitment AI processes personal data. That means the EU AI Act obligations sit on top of, not instead of, your GDPR obligations. Article 22 of the GDPR already restricts fully automated decision-making that produces legal or similarly significant effects. A hiring decision is clearly significant. If your AI system is making final calls without human involvement, you likely have a GDPR problem as well as an AI Act problem.
The fix is the same for both: genuine human oversight, documented clearly. A Fundamental Rights Impact Assessment (FRIA), which Article 27 of the AI Act requires deployers to conduct for certain high-risk systems used in employment contexts, should be conducted alongside your existing DPIA. Many of the questions overlap. Run them together and you save significant time.
A practical compliance template for HR teams
Here is a straightforward four-step checklist you can start this week.
Step 1: Inventory your tools. List every piece of software your HR team uses that ranks, scores, or filters candidates. Include ATS features, LinkedIn Recruiter scoring, video interview analysis tools, and any third-party integrations. Flag which ones involve automated or AI-assisted ranking.
Step 2: Request vendor documentation. For each flagged tool, ask your vendor for their EU AI Act conformity documentation: the EU declaration of conformity, technical documentation summary, and instructions for use. Providers of high-risk AI systems are legally required to provide this under Article 13. If a vendor cannot supply it, that is a red flag.
Step 3: Update your candidate communications. Add a short disclosure to your application confirmation email or careers page stating that AI-assisted screening is used and that all final decisions involve human review. Keep it plain, keep it short, keep it honest.
Step 4: Document your oversight process. Write a one-page internal procedure: who reviews AI outputs, what criteria trigger an override, how overrides are recorded, and who is responsible for the quarterly demographic audit. This document is the backbone of your Article 26 compliance file.
The deadline is August 2026
The high-risk obligations under Chapter III, Section 3 of the AI Act apply to deployers from 2 August 2026. That is the date by which your compliance file, oversight procedures, candidate disclosures, and logging arrangements need to be in place. Eighteen months sounds comfortable. It is not, because the FRIA, vendor negotiations, and staff training all take longer than expected when you start from zero.
Start the inventory now. The Article 26 obligations are not technically complex. They are organisationally complex. Building the habits, the documentation, and the vendor relationships takes time that the calendar is already consuming.
Run your free 2-minute compliance check at comply.khairos.ai to see exactly which AI Act obligations apply to your specific recruitment tools and get a prioritised action list tailored to your company size and sector.