Artificial intelligence applied to human resources promises to shorten hiring processes, anticipate voluntary departures, and personalise professional development. At the same time, it is one of the areas subject to the strictest European regulation: the EU AI Act classifies as high-risk systems those used to recruit, screen applications, decide on promotions or evaluate performance. Any HR AI project that ignores this legal framework is not merely an ethical risk but an infringement carrying significant financial penalties. This article explains what can be done today with rigour, and what obligations come with it.
Application screening and CV analysis
The most widespread use case is CV parsing and classification. A natural-language processing system extracts experience, education, competencies and languages in structured form and scores them against the requirements of the role. Well designed, it saves hours of manual reading and frees the recruitment team to spend their time on interviews rather than initial screening. Poorly designed, it reproduces and amplifies historical biases.
The textbook example is a system trained on a company's past hiring decisions: if men were historically recruited at a higher rate for technical profiles, the model learns to penalise signals associated with women — clubs, women's universities, certain words — even when gender is not an explicit variable. The lesson is clear: the absence of a protected variable does not guarantee the absence of discrimination, because the model can infer it through correlation. Automated screening therefore requires bias auditing before and during deployment, not only at the moment of launch.
Turnover prediction: value and limits
Turnover prediction models estimate the probability that a person will leave the organisation within a given timeframe, combining signals such as tenure, salary progression, engagement survey results or team changes. Their value lies in the aggregate: detecting that a specific department carries elevated risk allows action on the underlying causes — workload, promotion pathways, leadership — before talent is lost. Their limit lies in the individual: using a "flight-risk score" to make decisions about a specific person is delicate both ethically and legally, and can become a self-fulfilling prophecy.
It is also worth remembering that these models predict correlation, not causation. The fact that a variable is associated with turnover does not mean that acting on it will reduce departures; it may simply be a symptom. Responsible use of turnover prediction is therefore diagnostic: it guides where to investigate the real causes through interviews, engagement analysis and a review of promotion and pay policies — not a replacement for that work by an automatic score applied to individuals.
Personalised talent development and training
Beyond recruitment and retention, AI delivers value in professional development with lower regulatory exposure, because its purpose is to expand opportunities rather than to filter people. Training pathway recommendation systems suggest courses and experiences based on current competencies and those required for a target role, helping to close skills gaps in an individualised way. Internal competency mapping allows the organisation to understand what its workforce can actually do and to identify talent for projects without always resorting to external hiring. Internal mobility benefits from engines that connect employees with internal vacancies aligned to their profile, retaining institutional knowledge within the organisation. Even in this less sensitive area than recruitment, transparency remains essential: the person must understand why something is being recommended and must retain the freedom to decide their own career path.
The legal framework: the AI Act and the GDPR
Two European regulations govern these systems and must be read together:
- AI Regulation (AI Act, EU Regulation 2024/1689): classifies recruitment and personnel management systems as high-risk. This requires documented risk management, training data governance, activity logging (traceability), transparency towards the people affected, effective human oversight and adequate levels of accuracy and robustness.
- GDPR (EU Regulation 2016/679): Article 22 recognises the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except in limited circumstances and with appropriate safeguards. It also requires a lawful basis for processing, data minimisation, a Data Protection Impact Assessment (DPIA) where high risk exists, and rights to information, access and objection.
In Spain, the Spanish Data Protection Agency (AEPD) has published specific guidance on the use of AI and automated decision-making that is worth following. The practical consequence is that an AI-driven recruitment process must be explainable, auditable, and — above all — must involve human oversight that is not merely a formality of rubber-stamping what the algorithm has already decided.
This framework is complemented by the management standard ISO/IEC 42001, the first international AI management system standard, which provides a structure for governing the lifecycle of these systems through policies, risk assessment, supplier control and audit. It does not replace legal compliance, but it provides the organisational scaffolding that demonstrates due diligence: it defines roles, documentation and periodic reviews that align with the requirements of the AI Act. For an HR department, adopting it means treating AI with the same process rigour already applied to information security.
Algorithmic bias: how to detect and mitigate it
The fairness of a system is not declared — it is measured. Formal metrics exist to quantify the treatment of different groups: demographic parity compares selection rates across protected groups; equal opportunity compares hit rates among equally qualified candidates; and disparate impact flags cases where the selection rate for one group falls below a threshold relative to the favoured group. These metrics can conflict with one another, so the organisation must choose and justify which one it prioritises based on the context. Mitigation operates at three moments: before training (by rebalancing the data and removing proxy variables for protected characteristics), during training (with fairness constraints built into the algorithm) and after training (by adjusting thresholds by group or reranking results). None of this is a one-time control: bias can re-emerge when the characteristics of applicants change or the model is retrained, so auditing must be periodic and documented.
Comparison: manual recruitment versus AI-assisted recruitment
| Dimension | Manual process | AI-assisted process (well governed) |
|---|---|---|
| Initial screening time | High, depends on volume | Reduced in the filtering phase |
| Consistency of criteria | Variable between evaluators | Homogeneous, with explicit criteria |
| Bias risk | Human bias difficult to measure | Bias measurable and auditable, but can be amplified |
| Decision traceability | Low, depends on notes taken | High if every step is logged |
| Regulatory burden | General (GDPR) | High (GDPR + AI Act, DPIA, human oversight) |
Responsible implementation step by step
A defensible deployment follows a sequence: (1) define the purpose and determine whether the system falls into the AI Act's high-risk category; (2) conduct the Data Protection Impact Assessment (DPIA) before processing real data; (3) govern the training data, documenting its origin, representativeness and the removal of proxy variables for protected characteristics; (4) audit for bias using fairness metrics by group before putting the model into production and periodically thereafter; (5) guarantee real human oversight, where the recruiter can reverse and justify the recommendation; (6) inform candidates that automated processing is taking place and explain its general logic; and (7) log and monitor every decision so it can be audited.
Common mistakes
The first mistake is buying an "AI recruitment tool" as a black box without demanding documentation of how it was trained or evidence of bias auditing: legal responsibility lies with the company using it, not only with the vendor. The second is confusing "removing gender from the data" with "eliminating bias," ignoring proxy variables. The third is presenting as "human oversight" a process where the person simply accepts the algorithm's ranking without the real capacity or time to question it. The fourth is using turnover predictions to penalise individual employees. And the fifth is omitting the DPIA on the grounds that it is bureaucracy, when it is precisely what demonstrates due diligence before the supervisory authority.
Frequently asked questions
Can AI decide on its own who to hire? Not lawfully in practice. Article 22 of the GDPR restricts decisions based solely on automated processing that produce significant effects, and the AI Act requires effective human oversight. AI recommends and assists; the decision remains with a human being.
What does it mean for these systems to be "high-risk"? The AI Act imposes reinforced obligations on them: risk management, data quality, technical documentation, traceability, transparency, human oversight and robustness, subject to conformity assessment.
Do I need an impact assessment? Yes, when processing entails a high risk to the rights of individuals — as is typically the case with large-scale candidate profiling. The DPIA must be carried out before processing begins.
How do I demonstrate that my system does not discriminate? By documenting the training data, measuring fairness metrics by protected group on a periodic basis, retaining a log of decisions, and maintaining a human review pathway with the genuine ability to correct the outcome.
Conclusion
AI in human resources is not a question of technical capability but of governance. The technology for reading CVs, mapping competencies or estimating turnover risk is mature; what separates a sound project from a legal problem is the design around three pillars: human oversight that genuinely decides, continuous bias auditing and traceability that allows every decision to be explained to a candidate or to the supervisory authority. Within the framework of the AI Act and the GDPR, the right question is not "what can the model do?" but "can I justify, to anyone who asks, every recommendation it has produced?" At Summum Inteligencia Artificial we design these systems starting from that obligation, not bolting it on at the end.