Hidden and proxy discrimination
Models trained on historical hiring data learn historical bias; neutral-looking features (postcode, career gaps, name) become proxies for protected characteristics.
ISO/IEC 42001 by industry
AI now screens CVs, ranks candidates, targets job ads and scores employee performance. Under the EU AI Act these are high-risk uses — and among the most scrutinised for bias. ISO/IEC 42001 gives HR and talent teams the management system to use hiring AI responsibly and prove it to candidates, works councils and regulators.
Why this is high-risk
The EU AI Act classifies AI used for recruitment and selection (targeted job ads, filtering applications, evaluating candidates) and for employment decisions (promotion, termination, task allocation, performance monitoring) as high-risk under Annex III. On top of that: GDPR Article 22 limits solely-automated decisions with significant effects, and bias-audit rules for automated hiring tools are spreading (e.g. New York City's Local Law 144). As a deployer of a hiring tool you carry obligations too — human oversight, monitoring and following the provider's instructions.
The risks
Each of these is a discrimination complaint, a regulator question or a reputational hit waiting to happen:
Models trained on historical hiring data learn historical bias; neutral-looking features (postcode, career gaps, name) become proxies for protected characteristics.
Candidates filtered out by a score no one can explain — a direct problem under GDPR and the AI Act's transparency duties.
Auto-rejection with no human review can breach GDPR Article 22 and the human-oversight expectations of the standard.
Parsing mistakes and brittle ranking logic silently drop qualified applicants.
Most HR AI is bought, not built — yet accountability for its outcomes stays with you.
Performance and productivity monitoring AI raises fairness, privacy and works-council issues.
How ISO/IEC 42001 covers it
The toolkit maps each hiring-AI risk to a specific Annex A control and a ready-made document:
| Annex A control | Toolkit document | Why it matters |
|---|---|---|
| A.5 — Impact assessment | AI Impact Assessment (RISK-TPL-01) | Assess the effect on candidates and employees before a tool goes live — the core evidence a regulator will ask for. |
| A.7.4 — Bias & fairness | Bias and Fairness Assessment Record (DATA-TPL-05) | Structured, documented evaluation of whether outcomes disadvantage protected groups, with ongoing drift monitoring. |
| A.9.3 — Human oversight | Human Oversight Plan (USE-PLN-01) | Guarantee a human reviews and can override hiring decisions — the answer to GDPR Article 22. |
| A.8.2 — Transparency | AI Transparency Notice (INF-TPL-01) | Tell candidates when and how AI is used in the process, in plain language. |
| A.2 — AI policy & prohibited use | AI Policy + Acceptable Use Policy (GOV-POL-01 / USE-POL-01) | Define what you will not automate (e.g. no fully automated rejection) and set the rules for HR tool use. |
| A.10 — Third-party AI | Vendor AI Questionnaire + Third-Party Register (TPR-TPL-01 / TPR-REG-01) | Due-diligence your ATS/hiring-AI vendors and record where responsibility sits. |
How to get there
Inventory every AI tool touching recruitment and HR (including the unofficial ones) in the AI System Register.
Run an impact assessment and a bias & fairness assessment on each high-stakes tool.
Put human oversight, transparency notices and a clear prohibited-use line in place.
Set monitoring for drift and adverse impact, and review at a fixed cadence.
Questions
Yes. As the deployer you carry obligations for human oversight, transparency and monitoring, and accountability for outcomes stays with you even though you didn't build the model. ISO 42001 gives you the vendor due-diligence and oversight controls to manage exactly that.
No — it means automated screening needs a documented impact and bias assessment, meaningful human review, candidate transparency, and a line you won't cross (e.g. no fully automated rejection). The standard makes responsible automation defensible.
Recruitment and worker-management AI are Annex III high-risk; those obligations now apply from 2 December 2027 after the 2026 Digital Omnibus, while transparency duties arrive earlier. The requirements didn't shrink — building the system now is the calm route.
The toolkit ships the impact assessment, bias & fairness record, human-oversight plan, transparency notice and vendor questionnaire — ready to tailor to your recruitment stack.