Human oversight under Article 14 of the EU AI Act

What Article 14 actually says

Article 14(1) requires high-risk AI systems to be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which they are in use. Article 14(2) clarifies that the aim of oversight is to prevent or minimise the risks to health, safety or fundamental rights that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular where such risks persist despite the application of other Section 2 requirements.

Article 14(3) makes the provider responsible for identifying the appropriate oversight measures, either built into the system before it is placed on the market, or identified by the provider for the deployer to implement before putting the system into service.

The four oversight functions (Art 14(4) a–e)

Article 14(4) sets out what the oversight measures must enable the assigned natural person to do, as appropriate and proportionate to the circumstances:

1. Understand the capacities and limitations of the high-risk AI system properly and monitor its operation so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible.
2. Remain aware of automation bias. The person overseeing must remain aware of the possible tendency to automatically rely or over-rely on the output produced by a high-risk AI system, in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons.
3. Correctly interpret the output, taking into account in particular the characteristics of the system and the interpretation tools and methods available.
4. Decide not to use the output or otherwise disregard, override or reverse it in any particular situation.
5. Intervene in the operation or interrupt the system through a “stop” button or a similar procedure that allows the system to come to a halt in a safe state.

The two-person rule for remote biometric identification

Article 14(5) adds a specific reinforcement for high-risk AI systems referred to in point 1(a) of Annex III (remote biometric identification systems). For those, the oversight measures must ensure that, in addition, no action or decision is taken by the deployer on the basis of the identification resulting from the system unless that identification has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority.

The two-person rule does not apply where Union or national law considers the application of this requirement to be disproportionate.

Where the deployer comes in — Article 26(2)

Article 26(2) makes the deployer side of oversight explicit: deployers must assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. The provider supplies the means; the deployer supplies the humans, their training, their authority and the time on their calendar.

For a Nordic HR-tech deployer, this means a named recruiter, hiring manager or HR-ops lead is the human-in-the-loop — not an unnamed reviewer in a vendor contract. Their training file, role description and override authority belong in the Article 26 record.

What an Article 14 oversight record looks like

• Per-system designation of the natural person(s) responsible for oversight.
• Evidence of their competence and training (role profile, training log, sign-off date).
• Authority statement: the person has explicit authority to override or stop the system.
• Reference to the provider’s Article 13 instructions for use and the oversight measures the provider has identified.
• Standing operating procedure for the “stop” or rollback measure.
• Where Annex III point 1(a) applies, the two-person verification protocol and log template.
• Periodic review cadence and an incident-trigger that forces a re-review.

Common misconceptions

• “A human-in-the-loop is enough.” Article 14 requires effectiveoversight. A reviewer who clicks approve on 100% of outputs because the queue is too long is presumptive automation bias, which Article 14(4)(b) explicitly calls out.
• “The provider takes care of oversight.” The provider designs the means; the deployer must assign and resource the actual humans (Article 26(2)) and document it.
• “The two-person rule is for any biometric use.” It is specifically for remote biometric identification systems under Annex III point 1(a). Biometric categorisation and emotion recognition fall under other Annex III sub-points and have their own regime.
• “Oversight is a one-off design decision.” Article 14 talks about the “period in which the system is in use” — oversight is operational and continuous, not a sign-off at go-live.

Related EU guides

• Record-keeping & logging — Article 12
• Data governance & bias testing — Article 10
• EU AI Act timeline for deployers
• Enforcement & penalties — who supervises and how
• NIS2 essential vs important entities

Sources

• Regulation (EU) 2024/1689, Articles 13, 14, 26; Annex III — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
• European Commission — AI Act Service Desk, Article 14: ai-act-service-desk.ec.europa.eu/en/ai-act/article-14