Artificial intelligence is transforming human resources and employment decisions at an accelerating pace. From resume screening and video interview analysis to performance evaluation and workforce planning, AI tools are embedded in the modern hiring pipeline. However, the European Union has classified employment AI systems as high-risk under the EU AI Act, and the General Data Protection Regulation imposes additional obligations on automated decision-making. This article examines what employers need to know about the high-risk classification of employment AI and how to build a compliance program that addresses both EU and US requirements.
What This Means
Annex III(4) of the EU AI Act (Regulation (EU) 2024/1689) lists employment and worker management as a high-risk category. This means that AI systems used for recruitment and selection, promotion and termination decisions, task allocation based on individual behavior or characteristics, and performance monitoring are all subject to the full compliance obligations of the EU AI Act. The classification reflects the EU's assessment that employment decisions affect fundamental rights, including the right to non-discrimination, fair treatment, and dignity at work.
For employers, the high-risk classification has immediate consequences. Any AI system used in the employment context must meet requirements for risk management, technical documentation, data governance, transparency, human oversight, accuracy, and conformity assessment. These obligations apply to the employer as a deployer and, if the employer developed the system, as a provider. The obligations are not satisfied by procuring an AI tool from a vendor that claims compliance. The employer remains responsible for how the system is deployed, monitored, and used in decisions affecting workers.
The extraterritorial reach of the EU AI Act means that US employers are not exempt. If a US company uses AI to screen candidates for EU-based positions, evaluate EU employees, or make workforce decisions affecting individuals in the EU, the Act applies. The EU nexus test under Article 2(1)(c) follows the output, not the company's headquarters. A New York-based multinational using AI for global hiring is likely in scope for its EU hiring activities.
The overlap with GDPR Article 22 adds another layer of complexity. Employment AI systems that make decisions about candidates or employees based solely on automated processing may trigger Article 22 protections, including the right to obtain human intervention, express one's point of view, and contest the decision. For US employers, this creates a dual compliance obligation: the EU AI Act governs the system's classification and market access, while GDPR governs the processing of personal data and the rights of affected individuals.
For New York City employers, there is a third layer. NYC Local Law 144 requires annual independent bias audits of automated employment decision tools (AEDTs), notification of candidates at least 10 business days before use, and public disclosure of audit results. The overlap between the EU AI Act, GDPR, and NYC LL144 creates a complex compliance landscape that requires careful coordination.
Key Requirements
Risk management system.
Article 9 of the EU AI Act requires providers of high-risk AI systems to implement a risk management system that operates throughout the entire lifecycle of the system. For employment AI, this means identifying and analyzing risks of discrimination, bias, and unfair outcomes; estimating and evaluating risks at the design, deployment, and monitoring stages; and adopting mitigation measures that are proportionate to the risk level. The risk management system must be documented and regularly updated.
Technical documentation.
Article 11 and Annex IV require comprehensive technical documentation before the system is placed on the market. For employment AI, this includes: a general description of the system and its intended purpose; a detailed description of the system's design and architecture; information about the data used for training, validation, and testing; a description of the system's performance and limitations; and information about the human oversight measures implemented. This documentation must be maintained for the lifetime of the system and made available to competent authorities upon request.
Human oversight.
Article 14 requires that high-risk AI systems are designed to allow effective human oversight. For employment AI, this means the human overseer must have the authority and competence to understand the system's capabilities and limitations, monitor its operation, correctly interpret its outputs, and decide not to use the system or to override or reverse its output. The human overseer must not be placed in a position where they simply confirm decisions made by the AI system. Organizations must document oversight procedures, train overseers, and build oversight into the technical design of the system.
Transparency and information.
Article 50 requires that deployers of high-risk AI systems inform individuals that they are subject to AI systems. For employment AI, this means candidates must be informed that an AI system is being used to screen their application or evaluate their interview. The information must be clear, accessible, and provided in a timely manner. Under GDPR Articles 13 and 14, candidates must also receive information about the logic of automated decision-making and the envisaged consequences.
Data governance.
Article 10 requires that training, validation, and testing datasets meet quality criteria. For employment AI, this means the data must be relevant, sufficiently representative, and as free of errors as possible. Organizations must document data collection procedures, data preparation, and any assumptions about the data. Particular attention must be paid to historical bias in training data: if past hiring decisions were biased against certain groups, the AI system may learn and reproduce that bias.
Fundamental rights impact assessment.
Under Article 27, deployers of high-risk AI systems must conduct a fundamental rights impact assessment before putting the system into use. For employment AI, this assessment must evaluate the impact on the rights of workers and candidates, including the right to non-discrimination, the right to fair treatment, and the right to privacy. The assessment must be documented and made available to the competent authority upon request.
Practical Steps
Inventory all employment AI systems.
Create a comprehensive list of every AI system used in your hiring and workforce management processes. Include vendor tools, internal tools, and embedded AI features in HR platforms. For each system, document: what decisions it influences, what data it processes, what outputs it produces, and which jurisdictions' regulations apply. Do not assume that a vendor's compliance certification covers your obligations as a deployer.
Classify each system by risk level.
Map each employment AI system against the Annex III categories. Recruitment and selection, promotion and termination, task allocation, and performance monitoring are all high-risk. If a system falls into any of these categories, it is high-risk regardless of whether the organization considers the risk low in practice. Document the classification rationale and the date of classification.
Conduct a bias audit.
For systems that evaluate candidates or employees, conduct a bias audit that tests for disparate impact across demographic groups. Document the methodology, the test results, and any mitigation measures implemented. In New York City, this audit must be conducted by an independent auditor. For EU compliance, the audit may be conducted internally but must be documented as part of the risk management system. The two requirements are not identical, but they share common ground.
Establish human oversight procedures.
For each high-risk employment AI system, document who the human overseer is, what their authority is, what training they have received, and how they can override or reverse AI decisions. Ensure that the overseer has access to all relevant information, not just the AI output. Build oversight into the workflow so that the human review occurs before the decision is communicated to the affected individual.
Prepare candidate and employee notices.
Draft notices that inform individuals about the use of AI systems in decisions affecting them. The notices must comply with both EU AI Act transparency requirements and GDPR information requirements. They should explain what the AI system does, what data it uses, what the decision criteria are, and how the individual can exercise their rights. Avoid generic statements that provide no meaningful information.
Assess cross-border compliance obligations.
If your organization operates in multiple jurisdictions, map the compliance requirements for each. A New York-based company hiring EU employees may need to comply with NYC Local Law 144, the EU AI Act, and GDPR simultaneously. Identify gaps between the frameworks and develop a unified compliance program that addresses the most demanding requirements in each area. Do not assume that compliance with one framework satisfies the others.
Frequently Asked Questions
Why is employment AI classified as high-risk under the EU AI Act?
Under Annex III(4) of Regulation (EU) 2024/1689, AI systems used in employment and worker management are classified as high-risk because they can affect access to economic opportunities, career progression, and livelihoods. The categories include recruitment and selection, promotion and termination decisions, task allocation, and performance evaluation. The EU AI Act recognizes that employment decisions have significant consequences for individuals' fundamental rights, including non-discrimination and fair treatment.
Does the EU AI Act apply to AI used by US companies for hiring?
Yes. Under Article 2(1)(c) of the EU AI Act, the regulation applies to providers and deployers established in third countries (including the United States) if the output produced by the AI system is used in the Union. A US company using AI to screen candidates for EU-based positions, evaluate EU employees, or make promotion decisions affecting EU workers is likely in scope. The company does not need a physical presence in the EU.
What is the overlap between the EU AI Act and NYC Local Law 144?
NYC Local Law 144 requires annual independent bias audits of automated employment decision tools (AEDTs), candidate notification, and public disclosure of audit results. The EU AI Act requires a broader governance framework: risk management, technical documentation, human oversight, conformity assessment, and EU database registration. A New York-based company using AI for hiring that also affects EU employees must comply with both frameworks. The bias audit under LL144 may partially satisfy some EU AI Act requirements, but it does not replace them.
What human oversight is required for employment AI systems?
Under Article 14 of the EU AI Act, high-risk AI systems must be designed to allow effective human oversight. For employment AI, this means the human overseer must understand the system's capabilities and limitations, be able to monitor its operation, correctly interpret its outputs, and have the authority to override or reverse decisions. The human overseer must not simply rubber-stamp AI outputs. Organizations must document oversight procedures, train personnel, and ensure that oversight is practically possible in the workflow.
What should employers do before deploying AI hiring tools?
Before deploying AI hiring tools, employers should: conduct an AI system inventory and classify the system as high-risk under Annex III; complete a risk management assessment under Article 9; prepare technical documentation under Article 11; establish human oversight procedures under Article 14; conduct a fundamental rights impact assessment if required; and, if applicable, register the system in the EU database. US employers should also ensure compliance with NYC Local Law 144 if they operate in New York City.