EU AI Act compliance for HR and recruitment AI: building the audit trail

Written by Catalina Turlea
25 Apr 2026
If your product screens CVs, ranks candidates, allocates work based on personal traits, or scores employee performance, the EU AI Act now classifies you as high-risk. Annex III, point 4 names it directly: AI for "recruitment or selection," "decisions affecting terms of work-related relationships, promotion or termination," "task allocation based on individual behaviour or personal traits," and "monitoring and evaluating performance and behaviour" are all in.
The full high-risk regime is in force. Fines run to €15 million or 3% of worldwide annual turnover for breaches of the provider obligations.
The audit trail you have to hand a regulator on request is the documentation you have to be producing every day.
What HR AI is on the hook for
Recruitment and workforce-management AI almost never fails loudly. A model returns a ranking. A score appears. A candidate is filtered. The hiring manager sees a list. Nobody throws an error. Nobody knows the right answer.
That is exactly the problem the Act addresses. Under Annex IV, high-risk AI providers must maintain technical documentation covering, among other things, "the appropriateness of the performance metrics" and "foreseeable unintended outcomes." Under Article 12, the system must "technically allow for the automatic recording of events ("logs") over the lifetime of the system" in a way that enables risk identification and post-market monitoring. Under Article 14, it must be designed for effective human oversight — a person must be able to "decide not to use the system or otherwise disregard, override or reverse its output."
For HR AI, that means:
- - You must prove your CV ranker performs comparably for protected sub-groups, not just on the dataset you tested in your sprint demo.
- - You must log every scoring decision in a way that lets you reconstruct it months later for a candidate complaint or a regulator audit.
- - You must keep those logs for at least six months, and for as long as employment-law or GDPR rules require — typically longer.
- - Your deployer customers must inform candidates and workers that AI is involved, and must conduct a Fundamental Rights Impact Assessment under Article 27 before deployment.
"We tested it on our sample data and it looked reasonable" is not a defence in front of a market-surveillance authority. It is the textbook example of what the Act was written to stop.
The audit trail you actually need
Stack the relevant articles together and the audit trail for an HR AI product looks like this:
- - Annex IV technical documentation — a living document of the system's intended purpose, architecture, training data, accuracy metrics by sub-group, known limitations, and the rationale for the chosen performance thresholds.
- - Automatic event logs under Article 12 — every scoring decision, the input that produced it, the model and prompt version, the threshold applied, the reviewer who saw it.
- - Risk-management records under Article 9 — the analysis of foreseeable misuse, the bias testing you ran, the mitigations you put in place.
- - Quality-management records under Article 17 — the policies, SOPs, change logs, and reviewer training that produced the system.
- - Post-market monitoring data under Article 72 — evidence you are watching the system in production, not just at launch.
- - Serious-incident reports under Article 73 — filed within 15 days for any event that infringes fundamental rights obligations.
If you cannot produce that on demand, you are out of compliance regardless of how good the model is.
Where most HR AI teams break
The villain is Ship and Pray. The pattern is familiar.
Engineering writes the prompt. The PM reviews three happy CVs and approves. The model goes live. A month later a candidate writes in saying she was filtered out for what looks like a maternity-leave gap. There is no log of why she was filtered. There is no evaluation of how the model behaves on women returning from leave. There is no rationale on file for the scoring threshold. There is no version history showing what changed between the version tested and the version running today.
A regulator will reject it. Enterprise buyers in Europe will reject it too — they are now writing AI Act readiness into procurement questionnaires. If you cannot answer the questionnaire in writing, you do not win the deal.
What changes when domain experts run the evaluation
The Act keeps repeating one phrase: human oversight. Article 14 names it. Article 26 names it for deployers. Article 27 names it inside the Fundamental Rights Impact Assessment. The Act is structured around the assumption that a person with the right expertise looks at the output and makes a call.
HR AI teams do not work this way. The compliance officer has no login for the evaluation interface. The DEI lead has never seen a single model output. The recruitment leader who could spot the maternity-gap problem in five seconds gets a dashboard built for engineers, six weeks after the model is already live.
Lovelaice is built for exactly this gap. Domain experts — recruitment leads, compliance officers, DEI specialists — define the criteria for what "good" looks like before the model sees any data. They review outputs directly through a simple interface, rating and flagging issues. Their decisions become the audit trail.
Every evaluation is captured: who reviewed, what they saw, what they decided, why. Prompt versions are immutable. Acceptance criteria are documented. Results are exportable. When the regulator or the procurement team asks "how do you know this works for women returning from maternity leave," you do not improvise. You export the report.
Retention and reporting windows to design for
- - 6-month minimum log retention under Article 19, longer where employment or data-protection law requires.
- - 10-year retention of technical documentation and the EU declaration of conformity under Article 18 and Article 47.
- - 15 days to report a serious incident — 10 days if a person dies or there is widespread infringement.
You do not get to start collecting the audit trail on the day the regulator asks. You collect it from the moment you start building. The teams that win the next two years of European HR-tech procurement are the teams that can hand over the documentation file without flinching.
Speed without proof is risk. In an Annex III industry, it is also a fine.
Sources
- - Regulation (EU) 2024/1689 — official text (EUR-Lex)
- - Annex III — high-risk AI categories
- - Annex IV — technical documentation
- - Article 12 — record-keeping
- - Article 14 — human oversight
- - Article 19 — automatically generated logs
- - Article 26 — deployer obligations
- - Article 27 — Fundamental Rights Impact Assessment
- - Article 47 — EU declaration of conformity
- - Article 72 — post-market monitoring
- - Article 73 — serious-incident reporting
- - Article 99 — penalties
More in this series
The EU AI Act audit-trail series — one article per Annex III high-risk category:
- - Biometrics: remote identification, categorisation, and emotion recognition
- - Critical infrastructure: safety-component AI
- - Education and EdTech: admissions, assessment, and proctoring
- - Credit scoring and insurance: essential financial services
- - Law enforcement: risk assessment, polygraphs, and profiling
- - Migration, asylum, and border control
- - Justice and democratic processes
You might also like

EU AI Act compliance for critical infrastructure: the audit trail for safety-component AI
Safety-component AI in road, water, energy, and digital infrastructure is high-risk under the EU AI Act. Here's the audit trail required.

EU AI Act compliance for law-enforcement AI: the audit trail for risk assessment, polygraphs, and profiling
Law-enforcement AI carries the heaviest documentation requirements under the EU AI Act. Here's the audit trail providers and deployers must produce.

EU AI Act compliance for credit scoring and insurance AI: what the audit trail looks like
Credit scoring and life-and-health insurance pricing are high-risk under the EU AI Act. Here's the audit trail providers and deployers must produce.