AI governance in HR: what the EU AI Act means for your hiring process


Most organisations are already using AI in recruitment, performance management, and development decisions. And according to our research, 96% of HR leaders say employees already have personal access to generative AI tools. So why do only 39% have clearly defined AI guidelines for HR, and only 32% have a named governance role? More than half of those surveyed are deploying AI in consequential people decisions without the governance structures the EU AI Act now requires.

The August 2026 deadline is confirmed. The obligations are specific, and the liability sits with your organisation. Here’s what you need to do to safeguard and future-proof your AI operations.

Why ungoverned AI in HR is a business risk

The risks of ungoverned AI in HR fall into three categories: 

  • Scaling bias. Ungoverned AI doesn’t introduce bias occasionally — it systematises it consistently. The same biased output applies to every candidate, in every role, across every hiring decision, until the pattern becomes visible in aggregate data. By then, it may have already shaped thousands of decisions.  
     
  • Legal exposure. Under the EU AI Act, organisations that deploy AI in hiring and people decisions are legally accountable as deployers of high-risk AI systems. That liability cannot be transferred to your vendor. It sits with you, and Article 26 sets out exactly what that means in practice. 
     
  • Loss of trust. 66% of candidates say they would avoid organisations that use AI in hiring without transparency. Ungoverned AI (where candidates can’t understand how decisions were made) erodes the trust that makes talent attraction and retention possible. 
     

For more on the effects of AI bias in HR, read AI bias in hiring: why it happens and 5 ways to prevent it

Key requirements under Article 26 of the EU AI Act 

Article 26 of the EU AI Act sets out the specific obligations for deployers of high-risk AI systems. In plain language, HR organisations must: 

Assign oversight personnel

Name a trained individual with the authority and time to review, intervene in, and override AI-driven decisions. This isn’t a job that can be absorbed into an existing role as a side responsibility – Article 26 requires demonstrable capability and capacity.

Conduct Fundamental Rights Impact Assessments

Complete Fundamental Rights Impact Assessments where required, evaluating how the AI system affects candidates and employees before deployment. The assessment must be repeated when the system, its context, or its use materially changes.

Consult workers and their representatives

Notify workers’ representatives and affected employees when AI is used in workplace decisions. In many EU jurisdictions this consultation must happen before deployment, not after.

Monitor systems and log decisions

Retain automatically generated logs for at least six months and monitor systems continuously for bias, accuracy, and performance drift. Static, point-in-time validation is no longer sufficient – the Act expects ongoing oversight.

These four requirements are legal obligations that apply to any organisation deploying high-risk AI in HR decisions.

The cost of non-compliance: fines up to €15M

The financial penalty for failing to meet high-risk AI obligations under the EU AI Act reaches up to €15 million or 3% of global annual turnover – whichever is higher. Enforcement sits with national market surveillance authorities, which means it can vary by country and sector. 

Beyond the fine, the operational costs of retrofitting governance after an incident – legal fees, reputational damage, candidate trust erosion, and the loss of data that was never properly logged – consistently exceed the cost of building governance infrastructure in advance. So it’s worth getting your house in order before it’s too late. 

74% of HR leaders expect AI to transform HR. Only 39% have guidelines to govern it.

The AI governance gap and why it’s dangerous 

The data from our research reveals a governance gap that most organisations don’t yet recognise. We found that while 66% of organisations claim to have a responsible AI strategy, only 34% actively monitor their AI tools for bias. That distance between policy and practice is what we call performative governance, i.e. the appearance of compliance without the reality. An organisation that has written an AI policy but hasn’t named a governance owner, trained its people, or built monitoring into its workflows has not done enough to mitigate this exposure – it has only documented it.

For more on designing responsible AI tools, read AI with purpose: how Assessio builds smarter HR tech 

The organisations that have closed the gap look different, even in the data. Those with clearly defined AI guidelines are more than twice as likely to provide formal AI training – 68% versus 29%. They report considerably higher confidence in the accuracy of their AI outputs – 50% versus 14%. Governance structures don’t just reduce regulatory risk, they improve AI outcomes too. 

How to build an AI governance framework in HR 

Closing the governance gap requires four things. This isn’t a policy document; it’s operational infrastructure:

  • Assign ownership. Name a governance owner with defined authority over AI-driven HR decisions. This person should have the seniority to challenge vendor claims, the training to evaluate AI outputs, and the authority to pause or override any AI-assisted decision. Without a named owner, governance only exists on paper. 
  • Define policies. Document which AI tools are currently in use, which decisions they influence, and what the review and override process is for each. Policies should describe what happens when an AI output is challenged. 
  • Train teams. Our data shows organisations with formal AI training are far more likely to monitor for bias, trust their outputs, and identify problems early. Training isn’t a one-time onboarding exercise – it needs to keep pace with the tools and decisions it governs.  
  • Monitor continuously. Pre-launch testing tells you whether a tool was fair at deployment. It tells you nothing about whether it remains fair as the candidate pool shifts, the model updates, or the role evolves. Adverse impact analysis should run as an ongoing practice, not a one-time sign-off.
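As an added illustration (not code from Assessio or from this article), the following Python monitor re-runs a four-fifths adverse impact check for each calendar month over a constructed decision log, so a tool that was fair at launch but has drifted gets flagged, and adds a retention guard for the six-month log requirement. The 0.8 threshold, the 183-day reading of "six months", the group labels and the sample records are all assumptions.

```python
from collections import defaultdict
from datetime import date

FOUR_FIFTHS = 0.8     # assumed threshold: the common four-fifths (80%) adverse impact rule
RETENTION_DAYS = 183  # assumed: "at least six months" approximated as 183 days

# Constructed sample log (not real data): one record per AI-assisted screening
# decision. September is the launch month; by December group B's rate has drifted.
DECISION_LOG = (
    [{"date": date(2026, 9, d), "group": "A", "advanced": d % 2 == 0} for d in range(1, 21)]
    + [{"date": date(2026, 9, d), "group": "B", "advanced": d % 2 == 0} for d in range(1, 21)]
    + [{"date": date(2026, 12, d), "group": "A", "advanced": d % 2 == 0} for d in range(1, 21)]
    + [{"date": date(2026, 12, d), "group": "B", "advanced": d % 5 == 0} for d in range(1, 21)]
)

def selection_rates(records):
    """Share of candidates advanced, per group."""
    counts = defaultdict(lambda: [0, 0])  # group -> [advanced, total]
    for r in records:
        counts[r["group"]][0] += int(r["advanced"])
        counts[r["group"]][1] += 1
    return {g: adv / total for g, (adv, total) in counts.items()}

def adverse_impact(records):
    """Each group's selection rate and its ratio to the highest-rate group;
    a ratio below FOUR_FIFTHS is flagged for human review."""
    rates = selection_rates(records)
    best = max(rates.values())
    return {g: {"rate": rate, "ratio": rate / best, "flag": rate / best < FOUR_FIFTHS}
            for g, rate in rates.items()}

def monthly_adverse_impact(records):
    """Re-run the analysis per calendar month so post-launch drift becomes visible."""
    by_month = defaultdict(list)
    for r in records:
        by_month[(r["date"].year, r["date"].month)].append(r)
    return {month: adverse_impact(rs) for month, rs in sorted(by_month.items())}

def must_retain(record, as_of):
    """Retention guard: a decision record younger than the minimum period may not be purged."""
    return (as_of - record["date"]).days < RETENTION_DAYS

if __name__ == "__main__":
    for month, result in monthly_adverse_impact(DECISION_LOG).items():
        flagged = [g for g, r in result.items() if r["flag"]]
        print(month, {g: round(r["ratio"], 2) for g, r in result.items()}, "FLAG" if flagged else "ok")
```

Run stand-alone it prints one line per month; September passes and December flags group B, which is the drift a one-time pre-launch sign-off would never see.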

AI governance checklist for CHROs: 12 questions to ask

Use this checklist to assess your organisation’s current AI governance posture. Each item is a yes/no test. 

Ownership 

  • Is there a named individual with defined authority over AI-driven HR decisions? 
  • Does that person have the training and time to review and override AI outputs? 
  • Is there a documented escalation process for challenged AI decisions? 

Policies

  • Have you inventoried all AI tools currently in use across HR workflows? 
  • Do you know which of those tools qualify as high-risk under EU AI Act Annex III? 
  • Is there a documented process for reviewing new AI tools before deployment? 
  • Can you explain to a candidate how any AI-assisted hiring decision was reached? 

Training

  • Have HR teams received formal training on the AI tools they use? 
  • Do staff understand their obligations under the EU AI Act as deployers? 

Monitoring

  • Are AI-assisted decisions logged and retained for at least six months? 
  • Is adverse impact analysis conducted on an ongoing basis — not just at launch? 
  • Is there a process for notifying workers’ representatives when AI is used in workplace decisions? 

If the answer to any of these is no – or you don’t know – that is where your governance audit should start.

The organisations that build genuine AI governance infrastructure now won’t just avoid a regulatory fine. They’ll build the foundation for AI that works – validated, trusted, and defensible at every stage of the employment relationship.

For more on this topic, read The complete guide to responsible AI in HR

👉 This article draws on research from The Maturity Gap, Assessio’s data-driven guide to AI adoption, governance, and trust in HR. Download the full report to explore the findings in depth.