AIAdopt
HomeInsightsAI in recruitment and selection: why HR has become the critical function
articleApril 2026· 6 min reading time

AI in recruitment and selection: why HR has become the critical function

Recruitment is high-risk AI under Annex III of the EU AI Act. What HR must arrange now: human oversight, bias control, supplier checks and the 2027 deadline.

AI in recruitment and selection: why HR has become the critical function
Updated 1 July 2026. Recruitment and selection is a high-risk AI application under Annex III of the EU AI Act. Through the Digital Omnibus on AI (adopted by Parliament on 16 June 2026 and the Council on 29 June 2026, still awaiting publication in the Official Journal), the application of the high-risk AI requirements moves from 2 August 2026 to 2 December 2027. The AI literacy obligation of Article 4 has applied unchanged since 2 February 2025. Postponing the high-risk AI requirements is not the same as cancelling them: the preparation HR has to make stays the same and takes time.

Why HR is suddenly the most sensitive function in the organisation

Until recently, HR was mainly a GDPR topic for compliance people. Personal data, processing agreements, retention periods, familiar territory. With the EU AI Act, that changes fundamentally. Recruitment and selection appears literally in Annex III of the regulation, in the list of high-risk AI applications. That means it is the HR department, rather than the IT department or senior management, that is likely to become one of the first places where questions from auditors, candidates and supervisory authorities arise.

That is not an abstract legal move. It is a direct consequence of something HR professionals themselves know best: in two years, AI has become the beating heart of modern recruitment. The legislator has decided that this one function has so much impact on people's lives that the heaviest compliance requirements for permitted AI apply.

What you may not consider "AI", but the law does

In conversations with HR managers, almost the same reaction always comes up: "We do not really use AI." However, a closer look typically reveals that the organisation does, in fact, work with:

An ATS (applicant tracking system) that automatically ranks CVs by "match score"
A screening tool that scans motivation letters for keywords or style
An interview platform that analyses recordings of candidates for speech patterns, word choice or facial expression
An assessment tool that automatically scores cognitive tests or personality profiles
A chatbot that asks candidates questions in a first round and passes on the answers
LinkedIn Recruiter or similar platforms that "suggest" candidates based on algorithms
ChatGPT or Copilot in the hands of a recruiter who uses it to write job profiles or feedback emails

Each of these may qualify as an AI system under the EU AI Act, depending on its functionality. If such a system is used for recruitment, selection, promotion, termination or worker evaluation, Annex III can make it high-risk.

What high-risk AI means in practice for your HR department

When the high-risk AI requirements become applicable (with the Digital Omnibus that is 2 December 2027, unless publication in the Official Journal changes that date), your organisation must have demonstrably arranged the following for each high-risk AI system in HR:

Human oversight. There must always be a person who can override the AI outcome, and who is also trained to do so. "The recruiter gets a list, picks the top 5 and schedules interviews" is not enough if that recruiter has no idea how the AI arrived at that list or what to watch out for.

Transparency towards candidates. Applicants must know that AI is used in their assessment. Not in the small print, but clearly and at the right moment in the process. Where an Annex III high-risk AI system contributes to a decision that legally or similarly significantly affects a candidate, the candidate can have a right under Article 86 to a clear and meaningful explanation of the AI system's role and the main elements of the decision. If a high-risk AI system is used in the workplace, the employer must also inform workers' representatives and the affected workers before putting it into service or using it.

Bias control. Demonstrably. How do you know that your screening tool does not systematically score women, older people, non-Western names or people with a disability lower? "Our supplier says the system is unbiased" is not a defence. As deployer, you cannot simply rely on the supplier's reassurance. You must organise competent human oversight, monitor the system in use, keep the necessary logs and document how bias risks are handled in your own recruitment process.

Logging and retention periods. You must be able to reconstruct which candidate was assessed by which AI system, when, and how. In the event of a complaint or audit, that file has to be on the table.

Data quality. The input data you control must be relevant and sufficiently representative for the intended purpose. For training data and system design, you need adequate documentation and assurances from the provider.

The three lines of defence HR needs

One AI literacy training for "everyone in HR" is not enough. As with other high-risk functions, there has to be differentiation:

Recruiters and HR business partners who work with AI tools daily need practical, in-depth knowledge: how to interpret a match score, how to recognise bias signals, when to pull the brake, how to explain it to a candidate who asks.
HR managers and HR leadership must be able to oversee the legal responsibility: which systems the department has, who the supplier is, what the contract says about responsibility, how human oversight is arranged, who signs off.
General HR staff (administration, support, payroll) need the basics: what may and may not be entered into an AI tool, which data is sensitive, where the line with the GDPR lies.

Anyone who does not cover these three layers separately supports AI literacy insufficiently, as Article 4 requires, and is certainly not ready for the high-risk AI requirements that come on top. How you get to work with Article 4 in practice is something we describe in a separate insight.

The silent time bomb: supplier contracts

An issue that goes largely unnoticed in almost every HR department: most recruitment tools come from external suppliers, and those contracts were signed years ago without any clause about AI Act compliance. As soon as the high-risk AI requirements apply, that becomes a problem. Because even if your supplier calls itself a "provider", the law makes you as the deployer responsible for what happens in your recruitment process. Ignorance does not release you.

This is perhaps the most important action HR must take in the coming period: a supplier check. Which tools do we use, what does the supplier say about AI Act compliance, which documentation can they provide, and, critically, which responsibility can they take on contractually? Suppliers who grow evasive at the first sign of questioning will inevitably become your problem later on. The extra time until 2027 is precisely meant to do this kind of contract work carefully.

What you realistically have to do now

The deadline for the high-risk AI requirements is further away than first thought, but the task remains. Those who use the time rather than wait will be in a strong position later:

Now: map which AI systems are in your recruitment and HR processes. Do not forget the "hidden" ones (AI features in existing tools, ChatGPT use by recruiters, LinkedIn Recruiter algorithms).
Now: arrange the AI literacy of your HR team. That obligation (Article 4) has applied since February 2025 and is independent of the postponement of the high-risk AI requirements.
Second half of 2026: do a risk assessment per system: does it fall under Annex III, how is human oversight arranged, what is the supplier situation? Train your HR staff in a differentiated way, recruiters separately, management separately, general HR separately. Make sure the training evidence fits the high-risk context, not just general AI literacy.
Towards 2027: document everything in one HR file and do an internal dry run: can we demonstrate what we do, with which systems, with which human oversight?

In closing

In two years, HR has changed from an administrative function into a function where the heaviest compliance requirements will land. That is not a punishment, it is a recognition of how much impact recruitment and selection has on people. The HR organisations that take this seriously now do more than compliance. They build a recruitment practice that candidates can trust, and that will become the standard other employers are compared against.

At AIAdopt, we developed the HR sector extension (M3-HR) specifically for recruiters, HR business partners and HR management. The training covers recognising bias, human oversight, the high-risk AI requirements under Annex III, and the supplier issue, ending with an assessed certificate that lists the AI Act articles covered.

👉 See our approach for HR or build your own package tailored to your organisation.

Want to know where your organisation stands?

Download our free EU AI Act Compliance Checklist or view our AI literacy training.

Want to know more?

Get in touch for a no-obligation conversation about what AIAdopt can do for your organisation.