
What should an EU AI Act vendor checklist for hiring AI cover?

Michael

Founder, KimonRecruit

Published

The evidence to demand from a hiring-AI vendor under the EU AI Act: documentation, bias testing, logging and oversight, set out as a practical procurement checklist.

When you buy a hiring-AI tool, you inherit the vendor's gaps. As a deployer of a high-risk system you carry duties you cannot outsource, and the evidence you need for them mostly lives with the provider. This article is a practical checklist of what to demand before you sign. It is a practical orientation, not legal advice; for decisions about your specific situation, speak to your own advisers.

Why does the vendor's paperwork become your risk?

The EU AI Act splits duties between providers, who build and supply the system, and deployers, who use it. An employer running a hiring-AI tool is a deployer. Providers carry the heavier conformity burden: risk management, data governance, technical documentation, accuracy and robustness testing, post-market monitoring. But your deployer duties (human oversight, monitoring, informing candidates) depend on the provider having done that work and being able to show it.


So when you evaluate a vendor, you are really evaluating whether they can evidence that work. A provider who cannot produce it is asking you to carry their risk. The checklist below turns that principle into specific questions.

The vendor evidence checklist

Ask for each item in writing, and treat "we are working on it" as a gap, not an answer. The right-hand column is what good looks like.

| Evidence to demand | Why it matters | What good looks like |
| --- | --- | --- |
| Technical documentation | The Act requires providers to maintain it for high-risk systems; you need it to understand and oversee the tool | A current document set, dated, covering intended purpose, design and known limitations |
| Risk management record | High-risk systems require a documented, ongoing risk process | Evidence of a live process, not a one-off sign-off, with hiring-specific risks named |
| Bias and adverse-impact testing | You must monitor outcomes; the provider's testing is your baseline | Results disaggregated by group, the method stated, dated, repeated over time |
| Instructions for use | Your oversight must follow them; vague instructions undermine your defence | Concrete operating limits, not marketing copy |
| Logging capability | You must retain logs under your control to evidence decisions | Automatic, exportable, retained for a defined period |
| Human-oversight design | Your duty is meaningful oversight, which the tool must enable | Output a reviewer can interrogate and overrule, not a verdict |
| Data governance and provenance | Input-data quality is a shared responsibility | A documented account of training-data sources and representativeness checks |
| Data protection posture | Candidate data triggers UK and EU data protection duties | A data processing agreement, residency answers, and a clear erasure path |


A vendor who answers most of these cleanly is one whose gaps will not become your operational risk. One who deflects on bias testing or logging is telling you something important.

Does the deadline change what you should demand?

The timeline is in flux, but your procurement standard should not move with it. The EU AI Act's high-risk obligations covering hiring were set to apply from 2 August 2026. The provisional Digital Omnibus agreement of 7 May 2026 would defer standalone Annex III obligations, including recruitment and selection AI, to 2 December 2027, and as of writing it is not yet formally adopted, so 2 August 2026 still stands today.


Either way, a tool you buy now will outlive the uncertainty. Demanding the evidence above today means you are not renegotiating your contract the moment the date settles, and it means your UK Equality Act 2010 monitoring duties, which apply regardless, are already supported by the vendor's data.

How to run the evaluation

Make the checklist part of procurement, not a box ticked after you have chosen. Score each vendor against it, keep their written answers, and weight bias testing, logging and oversight design heavily, because those are the items your own duties depend on most directly. Re-ask annually, because a provider's conformity is a moving target as the system and the law evolve.

If you are comparing tools, look closely at how each one handles the final decision. A tool that can move a candidate out of a pipeline without a person reviewing that step puts your oversight duty at risk before you have written a line of policy.

How KimonRecruit approaches this

We built KimonRecruit to pass the checklist above rather than to argue with it. The platform produces decision support, never automated outcomes: there is no code path that moves a candidate out of a pipeline without a human recruiter making that call. Every assessment score is replayable from the prompt, model and version that produced it, so the logging and explainability items are satisfied by design. An outcome dashboard monitors selection across Equality Act 2010 characteristics, with demographic data held separately from candidate identity.

None of that removes your deployer duties, and we would not tell you it does. It does mean the evidence your checklist demands is generated as you hire rather than reconstructed under pressure. To weigh it against other tools, see how we compare KimonRecruit and what the platform features actually do, then read our pillar guide to the EU AI Act and recruitment for the wider context.

The checklist is not a hoop to jump through. It is the cheapest insurance you can buy, because every gap you accept at procurement is a gap you own at enforcement.
