The EU AI Act and Your Workforce: What CHROs Need to Know

The EU AI Act is already in effect. If you employ workers in the EU, it applies to your workforce operations, regardless of where your company is headquartered.

For most CHROs, the compliance conversation has been happening in legal and IT. However, the Act's highest-risk classifications sit squarely inside HR: hiring and candidate screening, performance evaluation, task allocation, and worker monitoring. These are core to how enterprise HR operates today, and they're now regulated.

The risk of a governance gap is high. Most organizations have accumulated AI-driven tools gradually, vendor by vendor, renewal by renewal, without mapping which tools influence workforce decisions or whether they meet the Act's requirements. Responsibility for compliance doesn't transfer to your software provider. If a tool affects your workers, accountability sits with your organization.

Even if your AI-driven recruitment or HR strategies are evolving or still in their pilot stages, this kind of compliance isn’t something that can wait. In this guide, we’ll walk you through what CHROs managing global workforces need to understand about the EU AI Act, and what to do about it now.

Why your EU headcount determines your compliance obligations

The EU AI Act uses a risk-based classification system. At the top of that framework sits a category of AI applications deemed high-risk, meaning they require the most rigorous governance, documentation, and oversight before and during deployment.

HR is one of the most heavily represented functions in that high-risk category. The Act specifically covers AI used in recruitment and candidate selection, employee performance assessment, task allocation, and workplace monitoring. For global enterprises, that covers a significant portion of the people tech stack.

But it’s the extraterritoriality point that’s easy to miss; the Act applies based on where your workers are located, not where your company is incorporated. If you have employees or contractors based in the EU, the Act governs how AI tools interact with them, even if your HR systems were procured, configured, and are managed entirely outside of Europe.

While legislation around AI may evolve along with the technology on a country-level, this is not a future compliance consideration. The high-risk provisions are phasing in now, and organizations that are waiting for full implementation before assessing their exposure are already behind.

The most common misread is that this sits with legal counsel or the IT security team to resolve. Those functions have a role, but the obligations the Act creates around worker transparency, human oversight, and decision accountability require HR to own the governance model. No other function has the mandate or the context to do that work.

What high-risk classification requires from HR

High-risk doesn't mean prohibited. It means regulated, documented, and governed to a specific standard. For CHROs, understanding what that standard requires in practice is more useful than understanding the regulatory framework in the abstract.

Three obligations sit directly with the HR function.

1. Workers must be informed when AI is being used in decisions that affect them. That covers hiring decisions, performance assessments, promotion considerations, and termination risk scoring. The notification requirement isn't a footnote in an employee handbook. It needs to be a deliberate, documented part of how your people processes work.
2. Employees have the right to challenge automated decisions. That means your organization needs a process for receiving, reviewing, and responding to those challenges. Most enterprises don't have one today because they haven't needed one. Building that process requires HR to define what human review of an AI-influenced decision actually looks like, who owns it, and how it gets documented.
3. Organizations must demonstrate meaningful human oversight across high-risk AI applications. The operative word is demonstrate. Policy documentation stating that human oversight exists isn’t enough. Regulators are looking for evidence that it occurs consistently, is built into the workflow, and can be audited.

The table below maps how each of these areas shifts in practice for HR teams.

Taken together, these obligations require HR to do something most functions haven't done yet: build a complete picture of where AI touches workforce decisions, and put governance infrastructure around each of those touchpoints. That work starts with knowing what's in your people tech stack and how it's being used.

The vendor accountability problem

Most enterprise HR functions didn't build a deliberate AI strategy. They built a people tech stack, and AI came with it. An ATS upgraded its matching algorithm, a performance platform added predictive analytics, and a workforce planning tool started making recommendations based on behavioral data. Each decision made sense in isolation, but collectively, they created an AI footprint that most CHROs may not have fully mapped.

The EU AI Act creates a specific and immediate problem for enterprises managing complex vendor landscapes. The questions you need to be able to answer are straightforward, but getting to the answers requires work most organizations haven't done yet.

Start by getting your team to answer these questions across every tool in your people tech stack:

On your internal systems:

• Which tools in our HR and people tech stack use AI, and in what capacity?
• Which of those AI applications influence decisions that affect workers directly?
• Do we have documentation of human oversight for AI-influenced decisions, and how far back does it go?
• If a regulator asked us to evidence an AI-influenced hiring or performance decision made six months ago, could we produce it?

On your vendors:

• Can each vendor confirm whether their tool falls under the EU AI Act's high-risk classification?
• Can they provide documentation of their own compliance posture?
• Do they use third-party sub-processors or AI models built by other providers, and if so, are those covered?
• What data from our workers is being used to train or improve their AI models?

On your extended workforce:

• Do our AI tools interact with contractors, temps, or other non-permanent workers in ways that bring those relationships into scope?
• Are our contingent workforce management processes — including any VMS or MSP arrangements — covered in our compliance assessment?

For many enterprises, working through these questions will surface gaps. Not because oversight hasn't been happening, but because the infrastructure to document and evidence it doesn't exist yet. That infrastructure needs to be built, and the inventory above is where it starts.

The CHRO's action agenda

The core obligations for high-risk AI systems apply from August 2026, with some already in effect. That's a shorter runway than it sounds when you account for the time needed to inventory your tools, engage vendors, build governance processes, and train your teams.

It’s a significant time investment, so starting now is essential not just for demonstrating readiness but for protecting your teams against regulatory risk. Here’s how to get started:

1. Build your AI use inventory

Before any governance framework can be put in place, you need a complete and honest picture of where AI touches your people processes. That means going beyond the tools HR procured directly. Any system that influences a workforce decision — candidate sourcing, screening, assessments, performance management, scheduling, or compensation — belongs in the inventory. That includes identifying whether outputs are used for or affect EU candidates, employees, or contingent workers.

For each tool in scope, the inventory should capture:

• What the tool does and which AI capabilities it uses
• Which worker populations it affects, including contractors and non-permanent workers
• Which decisions it influences, directly or indirectly
• Whether those decisions currently have documented human oversight
• Whether the tool falls under the Act's high-risk classification

One area that requires immediate attention, regardless of where you are in your broader compliance timeline: certain AI practices in the workplace were banned outright as of February 2025. Emotion recognition systems that attempt to infer a candidate's or employee's emotional state during interviews or assessments are prohibited. AI that rates individuals based on social behavior or predicted personal characteristics is banned. If any tool in your stack has these capabilities, it needs to be addressed now.

The inventory is also where GDPR alignment becomes critical. The AI Act layers on top of GDPR rather than replacing it. If your AI system makes or heavily influences decisions with legal or similarly meaningful effects on individuals, GDPR Article 22 imposes additional restrictions requiring meaningful human involvement. Your data governance strategy needs to account for both frameworks simultaneously.

Pressure-test your vendor relationships

Employers should be careful about relying on vendor assurances of compliance without independent validation. Most vendors will tell you they're compliant, and so the due diligence work is in verifying that claim independently, and knowing what to look for when the answers don't hold up.

Start with documentation requests rather than conversations. A vendor who can demonstrate compliance will have written evidence of it: technical documentation of how their AI models are trained and validated, bias testing results they're willing to share, and audit trail capabilities that are configurable and exportable.

Watch for these red flags in particular:

• The vendor can confirm their tool is compliant, but can't specify which provisions it meets or provide supporting documentation
• Compliance assurances are buried in terms of service rather than surfaced proactively in your account management relationship
• The vendor uses third-party AI models or sub-processors, but can't confirm whether those components have been assessed under the Act
• Human oversight is described as a feature of the tool rather than a configurable workflow that your team actually controls
• The vendor's compliance posture is described in the present tense, but references a roadmap for documentation and audit capabilities that don't yet exist

When evaluating tools, prioritize vendors that can provide documentation on how their AI models are trained and validated, demonstrate bias testing processes and share results, offer configurable human-in-the-loop workflows, and support logging, audit trails, and explainability features out of the box. Under the act, these are the new baseline expectations for any high-risk AI system operating in your people function.

Build the governance infrastructure before it's mandated

The AI Act requires that high-risk AI systems be designed and used in a way that allows for effective human oversight. Persons responsible for this oversight must be properly trained and qualified, ongoing training is required to maintain compliance over time, and supervisors must have the effective capacity to intervene and modify the system's decisions.

In practice, building that infrastructure means making four things operational before the August 2026 deadline:

1. Worker disclosure processes. Article 26(7) of the AI Act already requires employers to inform employee representative bodies before deploying high-risk AI systems, regardless of any postponement of broader deadlines. Define how your organization will communicate AI use to workers, what that disclosure covers, and who owns the process.
2. Human oversight protocols. Define what a meaningful human review of an AI-influenced decision actually looks like in your organization. Who reviews it, what authority do they have to override the system's output, and how is that review documented? A policy that asserts oversight exists is not the same as a process that makes it happen consistently.
3. Audit trails and record retention. You must keep logs generated by AI systems for at least six months, or longer if required by other EU or national laws. If that logging infrastructure doesn't exist today in your current tools, that's a gap to close with your vendors.
4. AI literacy across HR. Full compliance for high-risk AI systems is required from August 2026, at which point employers must conduct Data Protection Impact Assessments, maintain technical documentation, and ensure human oversight of AI-driven decisions. The teams responsible for running those processes need to understand what the tools do, their limitations, and the legal obligations surrounding their use — well before that deadline arrives.

Global workforces need a global standard

For CHROs managing workforces across multiple regions, the EU AI Act creates a decision that needs to be made deliberately rather than by default: apply EU standards globally, or manage a two-tier compliance model where EU workers are governed differently from workers elsewhere.

Two-tier governance models are exactly the kind of fragmentation enterprise HR teams have been trying to eliminate. Different disclosure processes by region, different oversight protocols by worker type, and different documentation standards depending on where a contract sits. That complexity is difficult to audit, difficult to sustain, and difficult to defend if a decision gets challenged.

The more defensible posture is to treat the EU AI Act's requirements as a global baseline for AI governance across your entire workforce. The organizations that make that call now, and build toward it systematically will be significantly better positioned as other jurisdictions develop their own AI governance frameworks. The EU AI Act is the first comprehensive regulation of this kind, but certainly not the last.

The CHRO who leads this conversation wins it

The EU AI Act is a signal that AI in the workplace has moved past the experimental phase. Regulators have drawn a line. Employees are increasingly aware that algorithms influence their careers, and boards are starting to ask questions about AI governance that HR functions aren't always prepared to answer.

What the compliance work will make clear quickly is that fragmented workforce infrastructure creates a governance liability. Organizations that have accumulated their people tech stack vendor by vendor, region by region, will find that building consistent AI oversight across that landscape is significantly harder than it needs to be. It leads to audit trails that don't connect,, oversight protocols that vary by tool, and documentation standards that differ by country. The compliance effort exposes the fragmentation, and the fragmentation makes the compliance effort harder.

The organizations best positioned to meet the Act's requirements are the ones that have already done the consolidation work. A single global layer of visibility across workforce operations, owned infrastructure rather than aggregated third parties, and in-house compliance expertise rather than a chain of sub-vendors give HR leadership the foundation that makes consistent governance achievable at scale.

Regulations like the EU AI Act reflect a broader direction of travel toward greater accountability for how technology influences people's working lives. The enterprises that respond by consolidating their workforce infrastructure will be better positioned for whatever comes next, because they built the kind of foundation that makes compliance achievable rather than chaotic.

Deel works with enterprises across 150+ countries to manage workforce operations through owned entities and in-house compliance expertise. If you're mapping your organization's exposure under the EU AI Act, we can help you think through what that looks like across your global workforce.

Get in touch with our team, and start exploring the benefits of a consolidated system.