EU AI ACT — BIAS AUDIT
AI bias audit for HR systems — EU AI Act Article 10 and Annex III guide
AI systems used for recruitment screening, candidate scoring, employee performance evaluation, task allocation, or promotion and termination decisions are classified as high-risk under Annex III, point 4 of Regulation (EU) 2024/1689. That classification triggers mandatory data-governance requirements under Article 10, including examination of training datasets for bias that could affect fundamental rights or lead to discrimination. This guide explains what a bias audit must cover and who is responsible for what.
Why bias auditing is mandatory for HR AI
Annex III, point 4 of the EU AI Act lists the following as high-risk AI systems in the employment context:
- AI used for recruitment or selection of natural persons, in particular for advertising vacancies, screening or filtering applications, and evaluating candidates during interviews or tests.
- AI used to make decisions affecting terms and conditions of work, promotion, or termination of work-related contractual relationships.
- AI used to allocate tasks based on individual behaviour or personal traits or characteristics.
- AI used to monitor and evaluate performance and behaviour of persons in employment relationships.
For providers of these systems, Article 10 requires that training, validation and testing datasets be examined “in view of possible biases that are likely to affect health, safety or fundamental rights or lead to discrimination prohibited under Union law, in particular where data outputs influence inputs for future operations” (Article 10(2)(f)). This is an obligation to detect, measure and document bias, not merely to assert that the system is fair.
For deployers, Article 26(4) requires that where a deployer exercises control over input data, it must ensure those data are relevant and sufficiently representative for the intended purpose. This extends the bias-quality duty to the deployer’s own data pipeline.
Application date
High-risk obligations including Article 10 and Article 26 apply from 2 August 2026. The Digital Omnibus provisional political agreement (7 May 2026 — not yet adopted or published in the Official Journal) proposes deferring stand-alone Annex III high-risk obligations to 2 December 2027 for systems already on the market. Until formally adopted, 2 August 2026 remains the binding date.
The four-step bias audit process
- Define protected attributes. Identify the characteristics protected under applicable anti-discrimination law — at EU level these include sex, racial or ethnic origin, religion or belief, disability, age and sexual orientation (Directives 2000/43/EC and 2000/78/EC). Add nationality and similar attributes protected under national law. The audit must name the attributes examined; a generic “fairness assessment” without specified attributes does not satisfy Article 10.
- Measure disparate impact. Choose metrics that match your use case: statistical parity (equal selection rates across groups), equal opportunity (equal true positive rates for qualified candidates), or the disparate impact ratio. The US EEOC four-fifths rule (a selection rate below 80 % of the highest-rate group triggers scrutiny) is widely used as a benchmark and is referenced in EU supervisory guidance. Document the metric chosen, the threshold used, and the actual measured ratios per protected group: the method, not only the result.
- Audit per model version and dataset snapshot. Bias properties are not stable across retrained versions. Each audit must be tied to a specific model version identifier, the dataset snapshot used for training or testing, and the intended operational context. This creates an artefact that can be compared across versions and presented to a supervisor on request.
- Mitigate and document residual risk. Where bias is found, apply mitigation: re-balancing datasets, removing protected-attribute proxies, adjusting decision thresholds, or constraining the feature set (feature ablation). Residual risk that cannot be fully mitigated must be stated explicitly in the Annex IV technical documentation and in the instructions for use supplied to deployers.
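As an added illustration (not part of this guide or of any vendor's software), the following Python computes the metrics named in step 2 over a constructed two-group applicant sample and emits the per-version audit artefact step 3 calls for; the model version string, the group labels and the attribute label are placeholders.

```python
from collections import defaultdict
from hashlib import sha256
import json

# Constructed sample, not real HR data: (group, shortlisted by the model, qualified per ground truth)
SAMPLE = [
    ("group_a", True, True), ("group_a", True, True), ("group_a", False, True),
    ("group_a", True, False), ("group_a", False, False),
    ("group_b", True, True), ("group_b", False, True), ("group_b", False, True),
    ("group_b", False, False), ("group_b", False, False),
]
FOUR_FIFTHS = 0.8  # EEOC four-fifths benchmark the guide cites

def group_rates(rows):
    """Per-group selection rate (statistical parity) and true-positive rate (equal opportunity)."""
    selected = defaultdict(lambda: [0, 0])   # group -> [shortlisted, total]
    qualified = defaultdict(lambda: [0, 0])  # group -> [shortlisted and qualified, qualified]
    for group, shortlisted, is_qualified in rows:
        selected[group][1] += 1
        selected[group][0] += int(shortlisted)
        if is_qualified:
            qualified[group][1] += 1
            qualified[group][0] += int(shortlisted)
    return {g: {"selection_rate": selected[g][0] / selected[g][1],
                "tpr": qualified[g][0] / qualified[g][1] if qualified[g][1] else None}
            for g in selected}

def impact_ratios(rates, metric):
    """Each group's rate divided by the highest group's rate; groups with an undefined metric are skipped."""
    defined = {g: r[metric] for g, r in rates.items() if r[metric] is not None}
    best = max(defined.values(), default=0.0)
    return {g: (v / best if best else None) for g, v in defined.items()}

def audit_record(rows, model_version, attribute, threshold=FOUR_FIFTHS):
    """Audit artefact tied to one model version and one dataset snapshot (step 3 of the guide)."""
    snapshot = sha256(json.dumps(rows, sort_keys=True).encode()).hexdigest()[:16]
    record = {"model_version": model_version, "dataset_snapshot": snapshot,
              "protected_attribute": attribute, "threshold": threshold, "metrics": {}}
    rates = group_rates(rows)
    for metric in ("selection_rate", "tpr"):
        ratios = impact_ratios(rates, metric)
        record["metrics"][metric] = {
            "per_group": {g: round(rates[g][metric], 4) for g in ratios},
            "ratio_to_best": {g: round(v, 4) for g, v in ratios.items() if v is not None},
            "flagged_groups": sorted(g for g, v in ratios.items() if v is not None and v < threshold),
        }
    return record

if __name__ == "__main__":  # placeholder model version and attribute label
    print(json.dumps(audit_record(SAMPLE, "screening-model-vX", "sex"), indent=2))
```

In the constructed sample group_b is shortlisted at one third of group_a's rate, so it is flagged under both metrics; the snapshot hash changes whenever the dataset does, which is what makes records comparable across versions.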
Provider vs deployer responsibilities
- Provider (Article 10, Article 43, Annex IV): Conduct bias examination of training and test datasets; include bias metrics (accuracy, robustness, discrimination measures per Annex IV, point 2(g)) in technical documentation; document known limitations in instructions for use; undergo conformity assessment before placing the system on the market.
- Deployer (Articles 26(4), 26(6), 26(7)): Verify relevance and representativeness of input data where the deployer controls it (Art 26(4)); retain automatic logs generated by the system for at least 6 months (Art 26(6)); inform workers and workers’ representatives before deploying the system at the workplace (Art 26(7)); assign a competent human overseer with authority to override AI output (Art 26(2)).
When to repeat the audit
- After any substantial modification to the model (re-training on materially different data, new architecture, change to intended purpose).
- When extending use to a new geographic market or new occupational category, because the distribution of protected attributes in the applicant pool may differ.
- When post-market monitoring data (Art 72) or serious incident reports (Art 73) signal unexpected disparate-impact patterns in production.
- At a minimum annually for high-risk systems in continuous use.
Interaction with GDPR
A bias audit that reveals the system uses proxies for special-category data (e.g. features that correlate strongly with health status, religion or racial origin) may trigger an obligation to conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35, which is separately required where automated processing produces legal or similarly significant effects. Deployers using an HR AI system within scope of GDPR Article 22 automated decision-making must also be able to provide meaningful information about the logic involved and offer human review.
Evidence checklist for deployers
- Vendor-supplied Annex IV technical documentation or summary, including bias metrics.
- Record of deployer input-data quality check under Art 26(4): which data, relevance assessment, result.
- Worker notification record: date, method, recipient group (Art 26(7)).
- Log retention confirmation: system, retention period, access controls (Art 26(6)).
- Human-oversight designation: named responsible person, competence evidence, override procedure (Art 26(2)).
- Post-market monitoring plan: how bias drift will be detected in production (Art 72).
Penalties
Failure to comply with high-risk deployer obligations is sanctioned under Article 99(4) with administrative fines of up to EUR 15 000 000 or 3 % of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) applies the lesser of the two figures.
Sources
- Regulation (EU) 2024/1689, Articles 10, 26, 43, 72, 73, 99, Annex III(4), Annex IV — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
- Council Directive 2000/43/EC (racial equality) and Directive 2000/78/EC (employment equality) — EUR-Lex: eur-lex.europa.eu
- Regulation (EU) 2016/679 (GDPR), Articles 22, 35 — EUR-Lex: eur-lex.europa.eu/eli/reg/2016/679/oj
Note: The AI Act’s bias-audit requirements are set at the level of principles; the specific statistical methods and thresholds are not mandated in the Regulation. Applying them requires expert judgment. PowerQuant supplies software and documentation for use in your internal compliance process — not legal advice.