List every tool that ranks, screens, scores, filters, or generates output about candidates. The obvious ones go first — your ATS, your assessment platform, your sourcing AI — but those are not where most teams get caught. The shadow stack is:

• →The ChatGPT/Gemini account someone in TA pays for personally and uses to rewrite job descriptions.
• →The resume parser embedded in your ATS that you do not consciously think of as AI.
• →LinkedIn Recruiter AI features (Recruiter, AI-assisted search, AI messages).
• →Microsoft Copilot if recruiters use it for candidate research.
• →Any chatbot that pre-screens applicants before a human sees them.

If a system is used for recruitment, candidate screening, candidate ranking, promotion decisions, performance evaluation, or worker monitoring, it is high-risk under Annex III §4 of the Act. There is no judgment call because the use case decides.

The CultureGene Hiring AI Self-Assessment is a structured way to walk through the classification questions. It maps each question to the specific Article or Annex provision, including the Article 5 prohibitions you need to rule out first.

For each high-risk system, request the vendor's Article 11 / Annex IV technical documentation. Ask for it by name. If the vendor doesn't recognise the term, that's your answer.

The documentation should cover:

• →Training data composition and representativeness (Art. 10)
• →Bias testing methodology and results
• →Mitigation steps taken
• →Ongoing monitoring approach
• →The human oversight mechanism the system is designed to support (Art. 14)
• →Transparency information for deployers (Art. 13)

If the vendor cannot produce this, you have a procurement decision to make, not a compliance one.

Vendor documentation is necessary but not sufficient. As the deployer, you are responsible for how the system is used in your specific context, and Article 26 puts that obligation squarely on you. Write down:

• →What decisions the system informs in your hiring process
• →Where humans review and can override its output
• →What training your recruiters received on the system's limitations
• →What monitoring you do for adverse impact in your own data

A 2023 University of Washington study found recruiters mirrored biased AI rankings at high rates — meaning a "human in the loop" is not the same as meaningful oversight. You need a human in the loop, not a human in the seat. Document what makes the difference.

Pull selection rates by protected class at every stage where an AI system is involved. Apply the four-fifths rule: if any group's selection rate is less than 80% of the highest group's rate, you have an adverse-impact problem the Act expects you to identify and remediate.

This is the single most important number in your compliance file. It shows you actually checked.