Skip to main contentSkip to main content
AI
AIAuditRef
High-Risk — Annex III Cat. 4Provider + DeployerArt. 13 · 14 · 26 · 72

HR Recruitment AI

How TalentBot Ltd, a UK-based HR tech company, and the EU employers using its product both navigate EU AI Act obligations — covering candidate screening bias, deployer duties under Art. 26, human oversight design, and post-market discrimination monitoring.

Company

TalentBot Ltd

Jurisdiction

United Kingdom (London)

Role

Provider (Art. 3(3))

Risk category

High-risk (Annex III)

Company Profile

About TalentBot Ltd

TalentBot Ltd sells a SaaS recruitment screening platform to HR departments across the EU. The product ingests CV data, cover letter text, LinkedIn profiles, and responses to pre-screening questionnaires to produce a ranked shortlist of candidates for each role. Employers use the shortlist to decide which candidates to invite to interview. TalentBot is headquartered in London but places AI systems on the EU market — meaning the EU AI Act applies to it as a provider despite being a UK company, by virtue of Art. 2(1)(c) (output used in the EU).

Business model

  • • SaaS platform licensed to ~350 EU employers
  • • Customers range from 50-person SMEs to 10,000+ enterprise
  • • ~180,000 candidate screening decisions per month in EU
  • • Sectors: retail, logistics, financial services, healthcare

Technical profile

  • • NLP pipeline + fine-tuned BERT model for CV parsing
  • • Scoring model trained on historical hiring decisions
  • • Output: ranked shortlist + fit score per candidate
  • • Integrated with Workday, SAP SuccessFactors, Greenhouse ATS

EU AI Act — Annex III, Category 4

Why This System Is High-Risk

Legal basis

Annex III, Category 4 covers AI systems used in employment, worker management, and access to self-employment. Specifically, Category 4(a) covers systems used to make or assist in decisions on recruitment and selection of natural persons — including CV screening, shortlisting, and interview scheduling. TalentBot's system directly determines which candidates reach the interview stage, materially affecting their access to employment. This is exactly the scenario the EU AI Act was designed to regulate, given well-documented evidence of algorithmic bias in hiring systems (e.g., Amazon's discontinued internal tool, which penalised CVs containing the word “women's”).

The two-party compliance structure

This case study is unusual because both TalentBot (as provider) and each EU employer (as deployer) carry distinct legal obligations under the EU AI Act. A provider cannot simply hand over a high-risk AI system and walk away — Art. 26 imposes specific obligations on deployers, and TalentBot must design its system and documentation to enable deployer compliance.

Obligation Split

Provider (TalentBot) vs. Deployer (EU Employers)

TalentBot Ltd — Provider
  • Art. 9Risk management system covering entire development and deployment lifecycle
  • Art. 10Training data bias analysis and data quality governance
  • Art. 11Annex IV technical documentation
  • Art. 13Instructions for use — deployer manual with intended purpose, limitations, and human oversight requirements
  • Art. 14Design measures enabling human oversight — override functionality, explainable scores
  • Art. 43Conformity assessment (self-assessment) + Declaration of Conformity + CE marking
  • Art. 72Post-market monitoring framework — fairness metrics collected from deployers
EU Employers — Deployers (Art. 26)
  • Art. 26(1)Use the system only in accordance with TalentBot's instructions for use
  • Art. 26(2)Assign human oversight to qualified staff — HR managers must be trained on the system and its limitations
  • Art. 26(5)Inform workers and candidates that AI is used in the selection process (transparency)
  • Art. 26(6)Register as deployer of high-risk AI in EU database
  • Art. 26(7)Conduct fundamental rights impact assessment before deployment (employment sector)
  • GDPRLawful basis for processing candidate data; respect Art. 22 rights where applicable

Art. 13 — Instructions for Use

What TalentBot Must Tell Deployers

Plain English

Art. 13 requires providers to supply deployers with instructions for use sufficient for the deployer to understand the system, use it as intended, and comply with their own Art. 26 obligations. For TalentBot, this means a deployer manual that covers far more than a typical SaaS help document. It must address the system's intended purpose, known performance limitations, bias characteristics, required human oversight procedures, and what deployers must not do with the system.

Must be included in deployer manual

  • • Identity and contact details of TalentBot as provider
  • • System capabilities and intended purpose (CV screening only — not performance management)
  • • Known limitations and error rates by job category
  • • Demographic group performance disparities and how to monitor
  • • Prohibited uses (e.g., not to be used for redundancy decisions)
  • • Human oversight requirements — who must review, how, and when
  • • Candidate disclosure obligations — what deployers must tell candidates
  • • Data retention requirements and deletion procedures

What TalentBot added in its v2 manual

  • • Role-specific accuracy metrics (model performs better for technical roles than creative ones)
  • • Explicit warning: do not use shortlist as sole basis for rejection
  • • Sample candidate disclosure notice (ready to use)
  • • HR manager training checklist — minimum competency before operating the system
  • • Incident reporting procedure — how to notify TalentBot of anomalous outputs
  • • FRIA template — pre-drafted fundamental rights impact assessment for deployers

Art. 14 — Human Oversight

Designing Effective Human Oversight

Art. 14 requires that high-risk AI systems are designed so that natural persons assigned to oversight can: (a) fully understand the system's capabilities and limitations; (b) monitor its operation and detect anomalies; (c) interpret the system's output; (d) decide not to use it in a particular case; and (e) intervene and override. For TalentBot, this required significant product redesign.

What TalentBot built for Art. 14 compliance

  • Score explanations: Each candidate score is accompanied by the top five contributing factors and their direction of impact (e.g., “Relevant experience: +18 points”, “Employment gap >12 months: -11 points”).
  • Override functionality: HR managers can promote or demote any candidate in the shortlist with a mandatory reason-for-override field. Override rates are tracked and surfaced in the admin dashboard.
  • Anomaly flags: The system flags roles where the AI score distribution looks anomalous (e.g., unusually low diversity in shortlist) for HR manager review before the shortlist is surfaced.
  • Confidence indicators: A confidence level is displayed alongside each score, and low-confidence assessments (e.g., sparse CV, novel role type) are visually flagged.
  • Human-in-the-loop gate: The system does not allow bulk-rejection of candidates below a threshold score without HR manager confirmation and a reason code.

Art. 10 + Art. 72

Candidate Screening Bias & Monitoring

Recruitment AI trained on historical hiring decisions inherits the biases of those decisions. If past hiring managers disproportionately selected candidates from certain universities, genders, or age groups, a model trained on those decisions will replicate and often amplify those patterns. TalentBot discovered during its Art. 10 data governance audit that its training data — sourced from 12 years of customer hiring decisions — contained a significant gender imbalance in shortlisting rates for technical roles (male candidates selected at 1.7× the rate of female candidates with equivalent qualifications).

Bias remediation steps taken

  • • Removed gender-proxying features (name-based gender inference, university gender ratio data)
  • • Applied adversarial debiasing during fine-tuning to reduce correlation between protected attributes and score
  • • Established minimum demographic parity thresholds as a model deployment gate — models that fail the threshold cannot be released
  • • Introduced per-role bias reports surfaced to HR managers showing shortlist composition vs. applicant pool

Post-market monitoring — discrimination metrics

  • • TalentBot tracks aggregate shortlisting rates by inferred gender and age group across all deployments
  • • Monthly fairness report generated internally — any metric outside agreed tolerance triggers a model review
  • • Deployers are contractually required to report if they observe anomalous or discriminatory outputs
  • • Serious incident reporting procedure in place for Art. 73 notifications to market surveillance authority

Key Challenges

What Made Compliance Difficult

Deployer compliance is not guaranteed by provider compliance

TalentBot can produce perfect instructions for use, but if an employer deploys the system without training its HR managers, uses it outside its intended purpose, or ignores override flags, the deployer is in breach — not TalentBot. TalentBot has responded by building compliance nudges into the product UI itself (warning banners, mandatory training confirmation on setup) and by requiring compliance attestation in customer contracts.

GDPR intersection — candidate data and lawful basis

Processing candidate CVs through an AI scoring model is automated processing of personal data for the purpose of employment decisions. Employers need a lawful basis (typically legitimate interests or, for special category data, explicit consent or a specific legal basis). TalentBot now includes GDPR guidance in its deployer documentation, but it cannot control whether customers implement it. This is a known residual risk documented in TalentBot's risk register.

Fundamental rights impact assessments (Art. 26(7))

Art. 26(7) requires deployers using Annex III Category 4 systems to conduct a fundamental rights impact assessment before deployment. Most of TalentBot's SME customers had never heard of this obligation and had no resources to conduct one. TalentBot responded by producing a pre-drafted FRIA template specific to recruitment AI, included in the onboarding documentation. Uptake is monitored but not yet universal.

Third-country provider status

As a UK company, TalentBot is a third-country provider placing a high-risk AI system on the EU market. This triggers the obligation under Art. 22(1) to appoint an authorised representative established in the EU, who acts as the contact point for market surveillance authorities. TalentBot appointed its Amsterdam-based commercial partner as EU authorised representative in March 2025.

Lessons Learned

What TalentBot Would Do Differently

Compliance tooling in the product

Embedding compliance into the product (override flows, anomaly flags, training gates) is more effective than relying on documentation alone. Deployer compliance improves when the product makes the right thing the easy thing.

EU authorised rep — appoint early

Third-country providers must appoint an EU authorised representative. Finding a suitable and willing partner took several months. This should be done before the compliance deadline, not after.

Bias work takes longer than expected

Debiasing a model trained on years of biased historical data while preserving predictive performance is genuinely hard. Budget at least 50% more time than initial estimates. Fairness and accuracy involve real trade-offs.

Employment law varies across member states

France, Germany, and the Netherlands each have different works council consultation requirements before introducing AI into HR processes. A single deployer manual cannot fully address all 27 member states — provide country-specific addenda for major markets.

Build your compliance checklist

Generate a customised checklist for provider and deployer obligations for recruitment AI.

Checklist Builder →

Classify your AI system

Confirm whether your HR AI system is high-risk under Annex III and which obligations apply.

Risk Classifier →