AI Inventory in HR: 6 Typical Tools and Risk Classification
TL;DR
- HR is the highest-risk AI domain for SMEs, with multiple entries under Annex III, 4
- 6 typical tools covered: recruiting AI, ATS with ML scoring, video-interview AI, performance tools, pay-gap detection, onboarding chatbot
- Emotion-detection video AI at the workplace for selection: prohibited under Art. 5
- Mandatory bias testing for any AI that scores or ranks people (Section 22 AGG burden of proof; Article 26 EU AI Act deployer duties)
- Human final decision required for all high-risk HR uses
1. AI recruiting (Talent Scout, HireVue)
Risk: HIGH (Annex III, 4). Obligations: FRIA from Aug 2, 2026 (Digital Omnibus proposal of Nov 19, 2025: postponement to Dec 2, 2027 — trilogue ongoing, NOT adopted), bias test, algorithm-audit documentation, human final decision, candidate transparency.
2. ATS with ML score (Personio, Workday)
Risk: HIGH if used for auto-rejection. Obligations: human final decision, candidate privacy notice, statistical fairness review, anonymized first-stage screening.
3. Video-interview AI (with emotion detection)
Risk: partially prohibited (Art. 5). Emotion detection at the workplace for selection purposes is prohibited. Behavior analysis (e.g., communication clarity scoring) requires explicit consent and clear human review.
4. Employee performance tools
Risk: HIGH if used for automated evaluation. Obligations: FRIA, transparency to employees, right to object, works-council co-determination (in Germany under BetrVG).
5. Pay-gap detection tools
Risk: minimal to limited. Obligations: document in AI inventory, AUP. No high-risk classification because the tool aids compliance rather than ranking individuals.
6. Onboarding chatbot for employee FAQs
Risk: limited. Obligations: bot disclosure under Art. 50, escalation to a human, GDPR notice if personal data is processed.
Summary
An HR AI inventory typically combines high-risk tools (recruiting, ATS, performance) with limited-risk tools (chatbots, pay-gap analysis). Map each tool to its Annex III sub-area, exclude prohibited features (workplace emotion detection), and prepare FRIA plus bias testing for the high-risk tier. Works-council involvement is essential in Germany.
Frequently Asked Questions
Which HR AI is generally prohibited under EU AI Act Art. 5?
Art. 5(1)(f) EU AI Act has prohibited emotion detection in the workplace and in education since 02.02.2025 — when used for selection/evaluation. Exception: medical/safety purposes. Specifically affected: video interview AI with mood analysis (HireVue, especially older versions), voice stress analysis in phone interviews, webcam monitoring during tests. Social scoring by employers is also prohibited (Art. 5(1)(c)). Violation: up to EUR 35 million or 7% of global corporate group turnover (highest fine tier under Art. 99).
For which HR AI tool is a FRIA mandatory?
FRIA obligation (Art. 27 EU AI Act) from 02.08.2026 for high-risk AI under Annex III, 4 — i.e., recruiting + performance evaluation. Digital Omnibus proposal of 19.11.2025: postponement to 02.12.2027 — trilogue ongoing, not yet adopted. Filter mechanism (Art. 6(3)): only 'material contributions to the decision' = high-risk. ATS with pure data extraction: not high-risk. ATS with automated filtering: high-risk → FRIA. Also applies to tools such as Personio Recruiting Score, HrFlow.ai, Eightfold. FRIA effort: 8-15 person-days, template in EU AI Act Kit. Plus DPIA in parallel (GDPR Art. 35) — both assessments can usually be combined.
What must an HR AI bias assessment include at a minimum?
Seven mandatory components (Section 22 AGG (German General Equal Treatment Act) indicia line + EU AI Act Art. 10):
1) training data description with demographic distribution
2) bias tests per AGG characteristic (age, gender, ethnicity, disability, religion) with sample size ≥500
3) Statistical Parity or Equalized Odds as metric
4) statistically significant disparity as an indicium within the meaning of Section 22 AGG
5) re-test frequency (quarterly recommended)
6) measures in case of identified disparity
7) responsible person with first and last name (liable for serious gaps)
Documentation must be retained for 5 years.
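A sketch of the Statistical Parity test from components 2 to 4, added here as an illustration and not taken from any tool or template named on this page. Assumptions: the record layout and function names are hypothetical, the ≥500 sample size is applied to the two compared groups combined, the 0.05 significance level is chosen for the example because the page names no threshold, and the candidate data is constructed.

```python
import math

MIN_SAMPLE = 500  # page: "sample size >=500"; applied to both groups combined (assumption)
ALPHA = 0.05      # significance level is an assumption; the page names no threshold

def selection_rates(records, attribute):
    """Return {group: (selected, total)} for one protected attribute."""
    counts = {}
    for rec in records:
        sel, tot = counts.get(rec[attribute], (0, 0))
        counts[rec[attribute]] = (sel + int(rec["selected"]), tot + 1)
    return counts

def parity_test(records, attribute, reference, group):
    """Statistical parity difference (group minus reference) with a two-sided
    two-proportion z-test. Raises if the sample is too small to report."""
    counts = selection_rates(records, attribute)
    s_ref, n_ref = counts[reference]
    s_grp, n_grp = counts[group]
    n = n_ref + n_grp
    if n < MIN_SAMPLE:
        raise ValueError(f"sample {n} < {MIN_SAMPLE}: result not reportable")
    p_ref, p_grp = s_ref / n_ref, s_grp / n_grp
    pooled = (s_ref + s_grp) / n
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_ref + 1 / n_grp))
    z = (p_grp - p_ref) / se if se > 0 else 0.0
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail
    return {"spd": p_grp - p_ref, "z": z, "p_value": p_value,
            "significant": p_value < ALPHA, "n": n}

def make_records(age_band, selected, total):
    """Constructed screening outcomes: `selected` of `total` candidates advanced."""
    return [{"age_band": age_band, "selected": i < selected} for i in range(total)]

# Constructed sample data, not real applicant records.
SAMPLE = make_records("under_40", 120, 400) + make_records("40_plus", 45, 300)

if __name__ == "__main__":
    # A significant negative spd is the kind of disparity component 4 refers to.
    print(parity_test(SAMPLE, "age_band", "under_40", "40_plus"))
```

Run once per AGG characteristic and group pair, and store the returned values with the test date so the quarterly re-test can be compared against earlier runs.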
How do provider and deployer obligations differ for HR AI?
Provider (Art. 16-26): develops/markets the tool — e.g., Personio, HrFlow.ai. Obligations: risk management system, training data documentation, technical documentation Annex IV, CE marking, conformity assessment. Deployer (Art. 26-29): uses the tool — you as an SME. Obligations: use according to provider instructions, human oversight, FRIA, informing affected persons + works council. 90% of SMEs are pure deployers. If you substantially modify the model (fine-tuning on your own data): you become a provider with all associated obligations.
Sources
- Regulation (EU) 2024/1689 (AI Act) — Annex III(4), Art. 5, Art. 26 (EUR-Lex) (As of: 2026-05-02)
- AI Act Annex III — employment and worker management (Service Desk) (As of: 2026-05-02)
- AI Act Article 27 — FRIA for HR recruiting (applies from 02 August 2026) (As of: 2026-05-02)
- European Commission — Digital Omnibus proposal (As of: 2026-05-02; trilogue ongoing)
- General Equal Treatment Act (AGG) — Section 22 (As of: 2026-05-02)