AI Agents for Recruitment: Resume Screening Without the EU AI Act Fine
TL;DR
How to deploy AI recruitment agents that survive EU AI Act high-risk requirements: narrow extraction agents instead of ranking, human oversight, and quarterly bias audits. Includes the compliant agent design and the platform features that make Article 12 logging and Article 14 oversight tractable.
Recruitment AI used to be a productivity win. Now it is the most regulated AI use case in your stack. The EU AI Act Annex III lists "AI systems intended to be used for the recruitment or selection of natural persons" as high-risk, alongside critical infrastructure and law enforcement. That means conformity assessments, registration in the EU database, human oversight obligations, and fines up to EUR 15 million or 3 percent of global turnover for non-compliance.
You can still run AI screening agents. You cannot run them the way most teams did in 2023.
What the EU AI Act actually requires for recruitment AI
For high-risk recruitment systems the obligations break into seven groups:
- Risk management system: documented, reviewed annually, covering the AI lifecycle.
- Data governance: bias audits on training data, gap analysis on protected characteristics, documented data lineage.
- Technical documentation: a file that describes the system, the data, the metrics, the limitations.
- Record-keeping: automatic logs of every inference, retained for the lifecycle of the system. Covered in detail in our Article 12 guide.
- Transparency: candidates informed they are being screened by AI and what role it plays in the decision.
- Human oversight: a qualified person reviews, can override, and can stop the system. Not a rubber stamp.
- Accuracy and robustness: measured against documented metrics, monitored in production, reported when degraded.
Plus conformity assessment, EU declaration of conformity, CE marking on the underlying system, and registration in the EU database before deployment.
That is the bar. Most off-the-shelf "AI recruiter" tools were not built to it.
The agent design that survives the audit
The compliant pattern is not one agent that ranks candidates and hands HR a top-10 list. It is several narrow agents that produce structured evidence and stop short of the actual hiring decision.
Application sanity agent. Reads each application, extracts structured fields (years of experience, role, education, language proficiencies, location, work authorisation), flags incomplete or inconsistent applications, and writes the structured record to your ATS. No ranking, no scoring against the candidate. This step is low-risk: it is data extraction, not a hiring decision.
Requirements-match agent. Compares the structured candidate record to documented, role-specific requirements (degree required, years of relevant experience, mandatory certifications). Produces a boolean match per requirement with the exact source quote. Crucially: the agent does not produce an overall score. It produces evidence on each documented requirement. The recruiter still decides.
Interview prep agent. Generates a tailored interview question set per candidate based on their documented experience, mapped to the role competency framework. Useful, low-risk, makes interviews better.
Reference verification agent. With candidate consent, drafts the reference-check email, collects responses, structures them against a standard rubric. Humans run the actual conversations on senior roles.
No-go agents. Do not build: a "fit score," a "culture match score," anything that ranks candidates on a single number. These are exactly the patterns regulators are looking for, and they are also the patterns most likely to encode bias from your historical hiring data.
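The requirements-match contract and the no-go rule above can be enforced in code before any agent output reaches a recruiter. The validator below is an added example, not code from this article or from any platform; the output schema (`requirements`, `id`, `match`, `quote`), the forbidden key names and the sample data are assumptions made for illustration.

```python
import re

# Keys that would turn per-requirement evidence into a ranking.
FORBIDDEN_KEYS = {"score", "fit_score", "culture_match_score", "rank", "overall_score"}


def _normalise(text):
    """Collapse whitespace and case so line wraps in a CV do not break quote checks."""
    return re.sub(r"\s+", " ", text).strip().lower()


def validate_match_output(output, requirement_ids, source_text):
    """Return a list of violations; an empty list means the output may reach the recruiter."""
    results = output.get("requirements", [])
    problems = [f"aggregate field not allowed: {k}"
                for item in [output, *results] for k in item if k.lower() in FORBIDDEN_KEYS]
    seen = {r.get("id") for r in results}
    for missing in sorted(set(requirement_ids) - seen):
        problems.append(f"no evidence entry for requirement: {missing}")
    haystack = _normalise(source_text)
    for r in results:
        rid = r.get("id")
        if rid not in requirement_ids:
            problems.append(f"undocumented requirement: {rid}")
        if not isinstance(r.get("match"), bool):
            problems.append(f"{rid}: match must be a boolean")
        quote = _normalise(r.get("quote") or "")
        # A positive match is only evidence if its quote is verbatim in the application.
        if r.get("match") is True and (not quote or quote not in haystack):
            problems.append(f"{rid}: quote not found in application text")
    return problems


# Constructed sample data, not taken from any real application.
CV_TEXT = "BSc Computer Science, Utrecht University.\nSix years as backend\nengineer."
REQUIREMENTS = ["degree", "years_experience", "certification"]
GOOD = {"requirements": [
    {"id": "degree", "match": True, "quote": "BSc Computer Science"},
    {"id": "years_experience", "match": True, "quote": "Six years as backend engineer"},
    {"id": "certification", "match": False, "quote": ""},
]}
BAD = {"fit_score": 0.82, "requirements": [
    {"id": "degree", "match": True, "quote": "MSc Computer Science"},
    {"id": "years_experience", "match": "yes", "quote": "Six years"},
]}
```

Rejecting the output when the list is non-empty, and logging the violations, keeps a model that drifts into scoring or paraphrased "quotes" from silently influencing a decision.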
What human oversight actually looks like
The EU AI Act Article 14 requires "effective oversight by natural persons." For recruitment that means:
- A named, trained recruiter reviews every agent output before it influences a decision.
- The recruiter can override any agent output and has a documented escalation path.
- Override reasons are captured and reviewed quarterly for bias patterns.
- Candidates can request human review of any agent-influenced decision and receive a substantive response.
This is operationally heavier than "the recruiter looks at the top-10 list." That is the point.
Bias audits and what they look for
You will need to run bias audits annually at minimum. The audit looks for disparate impact across protected characteristics: gender, ethnicity, age, disability status, and any other characteristic protected in your jurisdiction. The standard test is the four-fifths rule: the selection rate for any protected group should be at least 80 percent of the rate for the most-selected group.
The audit framework you can defend:
- Capture the candidate demographics (where lawful) or use proxies (post-decision consent surveys, name-based inference with calibrated uncertainty).
- Run the four-fifths analysis on agent outputs and on final hire outcomes separately.
- If disparate impact appears, identify whether the agent caused it (compare to pre-AI baseline) and document remediation.
- Publish the methodology and results internally; share on regulator request.
This is uncomfortable work. It is also what separates a defensible recruitment AI deployment from one that ends in a public fine.
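The four-fifths analysis described above, run on agent outputs and on final hire outcomes separately, as an added example that is not part of the original article. The record layout (`group`, `agent_pass`, `hired`), the `MIN_N` small-sample cut-off and the cohort numbers are assumptions constructed for illustration.

```python
from collections import Counter

THRESHOLD = 0.8  # four-fifths rule
MIN_N = 30       # assumed cut-off below which a group's rate is too noisy to trust


def four_fifths(records, outcome_key):
    """Compare each group's selection rate with the most-selected group's rate."""
    totals, selected = Counter(), Counter()
    for rec in records:
        totals[rec["group"]] += 1
        selected[rec["group"]] += bool(rec[outcome_key])
    rates = {g: selected[g] / totals[g] for g in totals}
    best = max(rates.values(), default=0.0)
    report = {}
    for g, rate in rates.items():
        ratio = rate / best if best > 0 else None  # nobody selected: ratio undefined
        report[g] = {
            "n": totals[g],
            "rate": rate,
            "ratio": ratio,
            "flag": ratio is not None and ratio < THRESHOLD,
            "low_sample": totals[g] < MIN_N,
        }
    return report


def audit(records):
    """Run the analysis on agent outputs and on final hire outcomes separately."""
    return {"agent": four_fifths(records, "agent_pass"),
            "hire": four_fifths(records, "hired")}


def _cohort(group, n, passed, hired):
    """Constructed sample data: n applicants, `passed` cleared by the agent, `hired` hired."""
    return [{"group": group, "agent_pass": i < passed, "hired": i < hired} for i in range(n)]


RECORDS = _cohort("A", 100, 40, 10) + _cohort("B", 100, 28, 9) + _cohort("C", 12, 4, 1)

if __name__ == "__main__":
    for stage, report in audit(RECORDS).items():
        for group, row in sorted(report.items()):
            print(stage, group, row)
```

In this constructed cohort group B is flagged at the agent stage (ratio 0.7) but not at the hire stage (ratio 0.9), which is why the two stages are analysed separately.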
How the platform makes this tractable
The compliance overhead — the logs, the documentation, the override capture, the bias audit — is the part that kills DIY recruitment AI. The platform pattern that holds up:
- Automatic Article 12 logs on every agent inference, retained for the system lifecycle, exportable to the regulator.
- PII-aware processing: candidate names and contact details masked before any third-party LLM call; structured fields processed without exposing the underlying identity to the model.
- Override capture in the workflow: recruiter override of an agent output writes the reason to the audit log automatically. No separate spreadsheet.
- Quarterly bias dashboard: the four-fifths analysis runs on a schedule against your protected-characteristic data and surfaces drift before the annual audit.
This is what AgentWorks compliance builds in by default. Not because we like compliance theatre, but because rebuilding it once per team does not scale.
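One way to implement the PII-aware processing step, as an added example that is not AgentWorks code: identity fields are dropped by allow-list, free text is masked, and the model only sees a keyed pseudonym. The field names, the HMAC-based reference, the regular expressions and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Fields the model may see; identity fields are excluded by omission (allow-list).
MODEL_FIELDS = ("years_experience", "role", "education", "languages",
                "location", "work_authorisation")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Deliberately broad: it can also mask date ranges, which is the safe failure direction.
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def pseudonym(candidate_id, key):
    """Stable token for joining logs to the ATS without exposing the candidate id."""
    return hmac.new(key, candidate_id.encode(), hashlib.sha256).hexdigest()[:16]


def mask_text(text, name):
    """Mask e-mail addresses, phone numbers and each part of the candidate's name."""
    text = EMAIL.sub("[EMAIL]", text)
    text = PHONE.sub("[PHONE]", text)
    for part in sorted(name.split(), key=len, reverse=True):
        if len(part) > 1:
            text = re.sub(rf"\b{re.escape(part)}\b", "[NAME]", text, flags=re.IGNORECASE)
    return text


def build_model_payload(candidate, key):
    """Return the only view of a candidate that leaves the trust boundary."""
    payload = {f: candidate[f] for f in MODEL_FIELDS if f in candidate}
    payload["candidate_ref"] = pseudonym(candidate["id"], key)
    payload["cover_letter"] = mask_text(candidate.get("cover_letter", ""), candidate["name"])
    return payload


# Constructed sample record and key; a real key belongs in a secret store.
KEY = b"constructed-demo-key"
CANDIDATE = {
    "id": "ats-0001", "name": "Jane van Dijk", "email": "jane.vandijk@example.com",
    "phone": "+31 6 1234 5678", "role": "Backend engineer", "years_experience": 6,
    "cover_letter": "I am Jane van Dijk. Reach me at jane.vandijk@example.com or +31 6 1234 5678.",
}
```

Writing the same `candidate_ref` into the inference log lets an auditor tie a log entry back to the ATS record without the log or the model provider ever holding the name.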
About the author
Erwin Berkouwer · Founder, AgentWorks
Erwin Berkouwer is the founder of AgentWorks — an AI agent platform purpose-built for European teams that need EU AI Act-ready governance, multi-LLM choice across OpenAI, Anthropic, Google and Mistral, and transparent per-token € pricing.