Why HR is the highest-risk function for AI governance
HR sits at the intersection of every major AI governance risk. Employment decisions (who gets hired, how performance is assessed, who gets promoted, who gets managed out) affect people's livelihoods in the most direct way. The AI systems that influence these decisions are subject to the most demanding legal framework: employment discrimination law (which has the longest enforcement history and the most developed case law), data protection law (which treats employment data as sensitive personal data), and the EU AI Act (which classifies all employment AI as high-risk requiring conformity assessment).
The enforcement history is instructive. Amazon's hiring algorithm case established the pattern of how AI hiring discrimination develops and what governance would have caught it. Multiple EEOC actions have established that algorithmic hiring tools must be tested for adverse impact. The Dutch DPA's enforcement against Uber established that performance management AI is subject to GDPR automated decision-making rules. New York City's Local Law 144 created the first mandatory bias audit requirement for hiring AI. HR leaders who have not mapped their AI tools against this enforcement landscape are managing an unknown exposure.
The EU AI Act and HR: what conformity assessment requires
The EU AI Act's classification of all employment and workforce management AI as high-risk means that HR leaders in organisations with EU operations, or that process the personal data of EU residents, must ensure their HR AI tools have been through conformity assessment. For most systems, conformity assessment is self-assessed rather than third-party certified, but self-assessment is not lightweight: it requires technical documentation, a risk management system, evidence of bias testing, human oversight mechanisms, and logging of AI decisions. Most HR technology vendors do not provide this documentation as standard: it must be requested, and if the vendor cannot provide it, the deployer (your organisation) must create it.
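The adverse impact testing referred to above (the EEOC actions) and the "evidence of bias testing" a conformity file needs both come down to a selection-rate comparison across groups. The following is an added example, not code from the article or from any vendor tool: it applies the four-fifths rule from the US Uniform Guidelines on Employee Selection Procedures (a group whose selection rate is below 80% of the best-performing group's rate is flagged for review) to constructed screening outcomes, and treats groups with too few applicants as inconclusive rather than as passes. The `min_applicants` cut-off of 30 is an assumption for illustration, not a figure from the guidelines or the article.

```python
"""Adverse impact (four-fifths rule) check over hiring-tool outcomes.

Added example, not from the original article. Assumes the four-fifths rule:
a group's selection rate below 80% of the highest group's rate is flagged.
The min_applicants floor is an illustrative assumption; all input data is
constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

FOUR_FIFTHS = 0.8


def selection_rates(outcomes: Iterable[Tuple[str, bool]]) -> Dict[str, Tuple[int, int, float]]:
    """Return {group: (selected, applicants, selection_rate)} from (group, was_selected) records."""
    totals: Counter = Counter()
    selected: Counter = Counter()
    for group, was_selected in outcomes:
        totals[group] += 1
        if was_selected:
            selected[group] += 1
    return {g: (selected[g], totals[g], selected[g] / totals[g]) for g in totals}


def adverse_impact_report(outcomes: Iterable[Tuple[str, bool]],
                          threshold: float = FOUR_FIFTHS,
                          min_applicants: int = 30) -> Dict[str, dict]:
    """Compare every group's selection rate against the highest rate among
    groups with enough applicants to draw a conclusion.

    status is "flag" (impact ratio below threshold), "ok", or
    "insufficient_data" (group smaller than min_applicants, so a low ratio
    is reported but not treated as a finding either way)."""
    rates = selection_rates(list(outcomes))
    # Reference rate: the best selection rate among adequately sized groups only,
    # so a tiny group with an unusual rate cannot distort every other ratio.
    eligible = {g: r for g, (_, n, r) in rates.items() if n >= min_applicants}
    if not eligible:
        raise ValueError("no group reaches min_applicants; cannot compute impact ratios")
    reference = max(eligible.values())

    report: Dict[str, dict] = {}
    for group, (sel, n, rate) in rates.items():
        ratio = rate / reference if reference > 0 else None
        if n < min_applicants:
            status = "insufficient_data"
        elif ratio is None:
            status = "undetermined"  # every eligible group selected nobody
        elif ratio < threshold:
            status = "flag"
        else:
            status = "ok"
        report[group] = {
            "selected": sel,
            "applicants": n,
            "rate": round(rate, 4),
            "impact_ratio": None if ratio is None else round(ratio, 4),
            "status": status,
        }
    return report


def flagged_groups(report: Dict[str, dict]) -> List[str]:
    """Groups whose impact ratio fell below the threshold, sorted for stable output."""
    return sorted(g for g, row in report.items() if row["status"] == "flag")


def _constructed(group: str, selected: int, rejected: int) -> List[Tuple[str, bool]]:
    """Build constructed applicant records for one group."""
    return [(group, True)] * selected + [(group, False)] * rejected


# Constructed sample outcomes from a hypothetical screening tool.
SAMPLE_OUTCOMES = (
    _constructed("A", 50, 50)    # rate 0.50, becomes the reference group
    + _constructed("B", 28, 52)  # rate 0.35, ratio 0.70 -> below four-fifths
    + _constructed("C", 22, 28)  # rate 0.44, ratio 0.88 -> within tolerance
    + _constructed("D", 2, 8)    # rate 0.20 but only 10 applicants -> inconclusive
)

if __name__ == "__main__":
    result = adverse_impact_report(SAMPLE_OUTCOMES)
    for group, row in sorted(result.items()):
        print(group, row)
    print("flagged:", flagged_groups(result))
```

In practice the per-group counts would be pulled from the tool's decision log (the logging obligation above is what makes this check possible after the fact), and a flagged ratio is the trigger for a human review of the tool's scoring, not a verdict on its own.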
Performance management AI and the monitoring obligation
AI systems that monitor employee productivity (screen activity, email and communication analysis, keystroke monitoring, location tracking, task completion metrics) are subject to both the EU AI Act and GDPR. The GDPR data minimisation principle requires that monitoring collect only the data necessary for the legitimate purpose. The GDPR purpose limitation principle requires that monitoring data not be used for purposes beyond those disclosed to employees. And the EU AI Act's high-risk AI obligations require that monitoring systems used in performance evaluation be subject to conformity assessment and human oversight.
The proportionality principle is particularly important for HR monitoring AI: the intensity of monitoring must be proportionate to the legitimate purpose. Monitoring that is technically possible is not automatically lawful. The CNIL in France, the ICO in the UK, and the EDPB at the European level have all published guidance establishing that comprehensive employee monitoring, including continuous screen capture, email content analysis, and productivity scoring, is generally disproportionate and unlikely to be lawful under GDPR.