Quick context. The EU AI Act is the European Union's law on AI. Adopted in 2024, it phases into enforcement through 2026 and 2027. It does not ban AI in HR. It does sort AI systems into risk categories and attach specific obligations to each. For HR use cases, several common applications land in the highest non-prohibited category, which means real obligations, not optional ones.
HRIS leaders fall into two patterns early on. Some treat the Act as a legal problem that someone else will solve. Others treat it as a blocker that means "we cannot do AI in HR". Both readings are wrong. The Act is a structured way to think about which AI use cases need more care. Most HR AI work is still allowed if it is done with the right oversight, and the structure is genuinely useful as a way to triage the backlog.
The four risk categories, in plain English
Unacceptable risk. A small list of applications that are banned outright. The HR-relevant ones include social scoring of employees and certain emotion-recognition systems used in the workplace. If a vendor's product description involves real-time emotion analysis on employees, it is probably one to walk away from.
High risk. AI systems that can meaningfully affect people's fundamental rights. For HR, this category catches a lot. CV screening, candidate ranking, performance evaluation that influences employment outcomes, automated promotion or pay decisions, termination-related decisions. If your AI is involved in deciding who gets hired, promoted, paid more, or let go, you are almost certainly in this bucket.
High-risk does not mean prohibited. It means the system needs documentation, human oversight, risk management, data quality checks, logging, and transparency to the affected employee. These are real obligations, and they apply to your organisation as the deployer of the AI, not just to the vendor.
Limited risk. AI systems with specific transparency duties. Conversational agents that interact with employees fall here. The obligation is mostly that people know they are talking to AI and have a way to challenge or correct the output. Most HR knowledge agents and policy assistants sit in this category, provided they are not making decisions about people's careers.
Minimal risk. Everything else. Spam filters. Office productivity AI features. Most of what you already use without thinking about it. Essentially unregulated under the Act.
Provider, deployer, downstream provider — which one are you
The Act assigns obligations to three roles. Providers build and place AI on the market. Deployers use AI systems in their own operations. Downstream providers take a third-party general-purpose AI (a foundation model) and integrate it into their own product.
Workday is the provider when it ships its own native AI features. It is a deployer when it uses AI internally for its own work. It is a downstream provider when it plugs general-purpose models (the GPT or Claude family) into its features. Workday has been running a Responsible AI program since 2019 and is aligning its testing, documentation, and risk evaluation to the Act's categories. For Workday-native AI, most of the provider obligations sit with Workday.
You, as a Workday customer, are in the deployer role for most things. That changes what you focus on. You are not responsible for proving the underlying model is fair (that is the provider). You are responsible for deciding which AI features to enable, configuring them appropriately for your context, monitoring outcomes, and being able to explain to employees what AI is doing in your processes. These are real obligations and they are yours.
What "high-risk" actually means as a deployer
The Act asks deployers of high-risk AI to do several specific things. Use the system in accordance with the provider's instructions. Assign human oversight, by people with the competence to exercise it. Monitor the system in operation and report serious incidents. Inform affected workers (and their representatives) that high-risk AI is being used. Keep logs of the system's operation. Conduct an impact assessment for certain deployments.
Most of this is achievable with disciplined operating practice. None of it is technical wizardry. It is the kind of work HRIS teams know how to do for any HR system. The friction is in remembering to do it consistently for every new AI feature you turn on, rather than treating AI features as an exception to your normal controls.
“Compliance with the EU AI Act is mostly disciplined operating practice. The friction is in doing it consistently for every AI feature you turn on, not in any single hard requirement.”
What Workday handles and what you control
For Workday-native AI, Workday handles most provider obligations: model testing, documentation (the AI Fact Sheets they publish per feature), risk classification, ongoing technical controls. This is meaningful and worth using. Read the Fact Sheets when they are available. They are the easiest way to start your own deployer-side assessment.
What you control. Whether to enable each AI feature in your tenant. Whether your tenant data contributes to Workday's model improvement. Who in your organisation can configure AI features. How you communicate to employees about AI use, and how they can raise concerns. The discipline of running an internal review before each new feature goes live.
For partner agents from the Workday marketplace, the picture is similar, but the documentation and fairness testing come from the partner, not Workday. Your job as a deployer expands slightly: you check that the partner has done the work, and that their documentation matches your governance requirements.
For custom agents built in Extend or Flowise, the deployer obligations become broader. You are closer to the provider role for your own internal systems. The risk assessment, bias testing, monitoring, and documentation all need to live somewhere on your team. This is doable but it changes the operating model.
A short checklist before you turn anything on
Classify the use case. Does it influence hiring, promotion, pay, termination, access to benefits, or any other employment outcome? If yes, treat it as high-risk by default. If no, it is most likely limited-risk and the obligations are lighter.
Decide where humans are in the loop. For limited-risk use cases, the human decides what to do with the output. For high-risk, the human must be able to approve, override, or stop the AI. Both need to be designed in from the start, not bolted on at the end.
Cover the basics. Vendor AI Fact Sheet on file. Clear description of purpose and the data used. A named owner in HR or HRIS. Logging of significant actions. A way for employees to be informed of AI use, and a way for them to raise questions or concerns. None of this is optional for high-risk use cases.
The rest of the global landscape, briefly
If you operate only in the EU, the AI Act and GDPR are the main story. Most organisations do not operate only in the EU. What follows is a short summary of what else to watch in 2026, with the strong caveat that this is a moving picture and your legal team owns the final read.
United States. No federal AI law, but a patchwork at the state and city level. New York City's Local Law 144 requires annual bias audits and candidate notice for automated employment decision tools used in hiring or promotion. Colorado's AI Act takes effect February 2026 and treats employment AI as high-risk with mandated risk assessments and disclosures. Illinois has both a Video Interview Act (in force since 2020) and a new amendment to its Human Rights Act (effective January 2026) covering AI in employment decisions. California's FEHC Automated Decision Systems Regulations took effect October 2025 and require human oversight of AI in employment decisions, with four-year record retention.
Canada. The Artificial Intelligence and Data Act is pending and would impose EU-like obligations on high-impact AI systems.
China. The picture is layered. The Algorithmic Recommendation Regulations (in force since 2022) require disclosure and audit of recommendation algorithms, which catches some HR use cases. The Deep Synthesis Provisions (2023) add labelling and consent requirements for generative content involving real people. The Generative AI Measures (2023) and the related security assessments cover providers operating in mainland China. Together they are stricter on data and content than many HRIS leaders expect, and any AI use case touching mainland China benefits from a separate legal read.
For global HRIS teams, the practical approach is to align with the strictest regime that applies to a given use case. The EU AI Act is the most demanding for HR-related AI, so a process built to satisfy it generally covers most of what other jurisdictions require. That is not legal advice. That is a useful planning heuristic.
The one-page deployer summary your CHRO will eventually ask for
If you do one thing before the next steering meeting, make it this. Write a single page that lists what AI features are in use, what risk category each one sits in, who owns each one, where the AI Fact Sheets live, and how employees are informed. The discipline of fitting it onto a page is what forces the difficult questions: which features have been enabled without an HRIS conversation, which ones have no named owner, and which ones nobody can explain to an employee asking how they work. The first version surfaces the gaps. The second version closes them.
Getting to that page usually means a classification pass against every active AI feature, and standing up a small board (HRIS, IT, Legal or Privacy, and a representative from HR) that meets monthly to keep the page accurate as new features ship. Neither of those is heavy lifting once you have the page itself. The page is what holds the rest together.
Where Workday’s own program fits
Worth understanding for context. Workday runs a Responsible AI program that publishes an AI Fact Sheet per feature, covering the purpose, the data inputs, the customer controls available, and how the feature has been tested for fairness. The Fact Sheets are not a substitute for your own deployer assessment, but they are the single most useful starting point. Reading the Fact Sheet first usually cuts the amount of governance work your own team has to redo from scratch by half.
What you can stop worrying about
The Act does not require you to become a lawyer, build a model from scratch, or hire an in-house AI ethicist. It requires disciplined deployer practice on a class of systems that have real consequences for people. Most HRIS teams already have the operating instincts. The work is to formalise them, not to invent them.
Spend the time on the use cases you actually have, with the people you actually need (HRIS, IT, Legal, HR). Talk to your Workday account team about what they are doing on the provider side. Confirm with your DPO or general counsel for anything that feels close to the line. The compliance posture grows up from there.
