AI in employment decisions checklist
Using AI to screen CVs, score interviews, rank candidates, or select people for promotion or redundancy is one of the most heavily regulated AI use cases there is. The EU AI Act treats it as high-risk, GDPR restricts solely automated decisions, the EEOC polices disparate impact, and New York City mandates a published bias audit. This checklist pulls those obligations into one place so you can see whether your deployment is defensible.
How it works
You choose the HR process the AI touches — hiring, promotion, performance, or termination — name the system, and select your jurisdiction. The checklist filters to the safeguards that apply and separates critical ones (human oversight, no solely automated decisions, documented bias testing, candidate notice, explainability, a route to contest, reasonable accommodation, and a completed DPIA) from secondary ones like ongoing drift monitoring and record-keeping. Any unmet critical safeguard flags the deployment as non-compliant.
What the critical safeguards require in practice
Genuine human oversight
EU AI Act Annex III and GDPR Article 22 both require that a human who can meaningfully review and override the AI’s recommendation is in the loop. A reviewer who looks at the AI’s output for 30 seconds and approves everything does not satisfy this. The oversight is genuine when: the reviewer has access to the same information the AI used; the reviewer sometimes disagrees and can act on that disagreement; and the override rate is logged and not effectively zero.
Candidate notice (especially in NYC and California)
New York City’s Local Law 144 requires employers to notify candidates before the tool is used, explain what it assesses, and make the bias-audit results available. Failure to notify is itself a violation, separate from whether the tool is actually biased. Check whether your application form and job postings include the required disclosure.
Explainability and contestability
If a rejected candidate asks why they were screened out, you need an answer in plain language. “The model scored you low” is not an answer. “The screening assessed years of experience in [domain] and found you below the threshold for [criteria]” is the minimum. Document what factors the model uses and train reviewers to explain decisions in those terms.
Bias testing before and after deployment
One bias test at deployment is not enough. Models drift — training data becomes stale, applicant populations shift, and a system that passed its initial bias audit can develop disparate impact over time. The checklist includes an ongoing monitoring obligation alongside the initial pre-deployment test.
DPIA for EU entities
If you process EU citizens’ data for automated hiring decisions, a Data Protection Impact Assessment (DPIA) under GDPR Article 35 is required before the system goes live. The checklist flags this as a critical safeguard; if your DPIA is incomplete or absent the deployment should not proceed.
Tips and notes
- Human oversight has to be real. A rubber-stamp reviewer who always accepts the AI’s output does not satisfy Article 22 or the AI Act — the human must genuinely be able to and sometimes does override it.
- Test for proxies, not just explicit attributes. Postcode, name, and gaps in employment can stand in for protected characteristics and produce disparate impact even when you never feed the model race or gender directly.
- Keep the decision logs. When a regulator or a rejected candidate asks why, you need to reconstruct the main factors — that record-keeping is itself an AI Act obligation.