Draft Commission Guidelines on High-Risk AI — Implications for the Workplace

Key considerations for US businesses with EU operations or exposure

Authors:

At a Glance

Workforce management is a key area of AI deployment, and businesses operating internationally are struggling to assess whether such use of AI falls within scope of the EU AI Act's rules on "high-risk" AI (with the additional compliance obligations that brings).
The recently published draft European Commission Guidelines on the classification of AI provide some helpful pointers for international businesses and set out clear examples of AI use cases that fall within and outside the "high-risk" category.
Businesses operating in multiple jurisdictions should pay particular attention to systems that may appear routine in US or non-European contexts — such as background-check scoring tools, targeted job advertising, or shift-scheduling algorithms — but which the Commission treats as presumptively high-risk.
Organisations demonstrating disciplined scoping of risk classification, narrow and well-evidenced reliance on the Article 6(3) filter, and robust governance for their in-scope systems will be best-placed for supervisory scrutiny and strengthening employee trust.
Workforce AI tools may also create risks under employment law, particularly where AI outputs influence recruitment, progression, work allocation, performance management, or dismissal.

Background

As summarized in our previous alert, "EU AI Act High-Risk Systems — European Commission Issues Draft Guidelines" on 19 May 2026, the European Commission published three interconnected draft guidelines for consultation to help providers and deployers assess whether an AI system should be classified as high-risk within the meaning of Article 6 of the AI Act. The guidelines address the two statutory paths to high-risk classification: Annex I product-safety legislation and Annex III listed-use cases. They also explain how the Article 6(3) "filter" mechanism can, in limited circumstances, exempt certain Annex III systems that do not pose a significant risk. This alert takes a closer look at some important issues in employment and recruitment use cases, which are increasingly being adopted by businesses operating internationally.

Territorial Scope Refresher

The AI Act applies not only to providers and deployers established inside the EU, but also to providers and deployers established outside the EU where the output of their AI system is used in the EU. This means that a US or UK company deploying an AI recruitment tool that is used to assess candidates based in the EU, or a US-headquartered platform using AI-driven task allocation for EU-based workers, may be directly subject to these rules. The guidelines have a broad interpretation of "employment, workers' management and access to self-employment", meaning workers, freelancers, and independent contractors fall within scope, regardless of contractual status. This is particularly significant for US technology and gig-economy companies that operate in the EU.

Key Takeaways for Workplace and Employment AI

Recruitment and selection are squarely in scope.

Systems used to place targeted job advertisements, analyse and filter applications, or evaluate candidates are likely to be high-risk AI systems under the AI Act. The Commission emphasises a functional test: if the AI meaningfully shapes access to roles (e.g., generates suitability scores, shortlists, or rankings), it will fall within scope, even if a human makes the final decision.

Worker management is an autonomous high-risk category.

AI that is intended to: make decisions affecting terms of work, promotion, or termination; allocate tasks based on individual behaviour or personal traits; or monitor/evaluate performance in the workplace is considered high-risk. Routine, low-impact operational tools can fall outside scope, but if outputs materially affect rights or prospects, the high-risk rules apply.

Profiling shuts the Article 6(3) "filter" door.

If an Annex III system performs profiling (defined under the GDPR as any automated processing of personal data to evaluate personal aspects of a natural person, such as work performance, reliability, or behaviour) the Article 6(3) filter (which exempts certain lower-risk AI systems) cannot be relied upon. This is particularly relevant for targeted advertising of vacancies, "risk" score-based background checks, and monitoring tools that rely on behavioural scoring.

Expansive interpretations to watch.

The guidelines extend targeted job-ad tools beyond stereotypical "micro-targeting". Even without profiling, an AI-driven advertising system can be high-risk if it "meaningfully conditions access" to vacancies or can lead to a risk of discrimination against candidates.

Similarly, using AI for task allocation between workers involves allocation based on a range of behavioural indicators (e.g., acceptance rates, punctuality, ratings), and is considered high-risk, in view of its impact on career progression and income. For example, the guidelines cite the possibility of one employee receiving more visible, lucrative assignments, which gives them better opportunities for career advancement, contrasted with an employee who receives repetitive or lower-value tasks, which can bring the risk of being precluded from promotion.

Performance/behaviour monitoring is likely to be high-risk.

AI used for performance/behaviour monitoring should be considered high-risk if its output systematically evaluates workers, even if it does not directly affect their contractual engagement, such as working hours or pay. For example, an AI system that assesses workers for low acceptance rates of shifts or declining tasks, or automatically rates workers on the number of deliveries completed per hour, could fall within the prohibition. This does not, however, extend to monitoring required in accordance with external legal or regulatory obligations (e.g., transaction logging under financial market abuse rules), supporting workers in their performance rather than pushing for additional productivity, or for health and safety reasons.

The Commission's Concrete Examples — What's In and What's Out

The guidelines set out examples for businesses to use as practical signposts when mapping their AI tools. The following illustrative table contrasts systems classified as high-risk under Annex III, Point 4, with those the Commission considers not high-risk (either outside scope or exempt under the Article 6(3) filter). Businesses operating internationally should pay particular attention to systems that may appear routine in US or non-European contexts — such as background-check scoring tools, targeted job advertising, or shift-scheduling algorithms — but which the Commission treats as presumptively high-risk.

Even where a system falls outside the AI Act’s high-risk category, employers should separately consider whether its use could affect workplace fairness, employee relations, or discrimination risk.

High-Risk Examples (Annex III, Point 4)	Not High-Risk / Exempt Examples
Automated job-matching and ranking tool that scores/shortlists candidates	Inclusive-language checker that flags potentially discriminatory words in job ads
Cross-platform candidate-sourcing tool that builds recruiter shortlists	Employer-branding ads not tied to a specific vacancy
Platform ranking of self-employed service providers for customer display	Employer reputation-monitoring tool using anonymised online sentiment
AI scoring of written/oral applicants' answers to rank interview invitations	Candidate-side CV-tailoring assistant (candidate controlled)
Background-check system that produces composite "risk" scores	Candidate job-recommendation tool run by the applicant
Targeted job-ad engine deciding who sees vacancies	Credential-verification tool returning only "confirmed / not confirmed" (filter task)
Vision-assessment AI for pilot recruitment eligibility	CV-parsing utility that only organises data for later search (filter task)
Apprenticeship-recruitment AI screening and short-listing applicants	Interview-scheduling assistant (logistics only) (filter task)
Shift-scheduler allocating work by behavioural signals (punctuality, ratings)	Delivery-operations tracker that flags label/route errors to the worker only, but is not used in individual evaluation
Platform tutor-performance score triggering auto-suspension/deactivation	Training-analytics tool giving feedback only to the employee
Work-allocation engine (e.g., associates) assigning premium matters via metrics	Desk/room-booking optimiser (workspace logistics)
Dynamic pay-setting system adjusting remuneration by ratings/acceptance/time	Corporate-travel planner suggesting itineraries (no mandates)
Civil-servant post-assignment AI using test scores and vacancies to finalise placements	Optional area recommendations for couriers (no penalties for ignoring)
	Attendance-data compiler that merely aggregates time-keeping records (filter task)
	Writing assistant that tidies promotion reports after decisions are final (improving results of previously human-completed activity)

How This Intersects with Local Law Practices

Businesses operating internationally should also consider other local laws, regulations, and guidance that impact the appropriate use of AI in the workplace. As noted above, the AI Act applies to providers and deployers established outside the EU, where the output of the AI is used in the EU (regardless of where the employee is located). For example, a multinational company headquartered in Germany with operations throughout the EU and UK, and with centralised HR functions managed from its Paris office, would need to take into account both the AI Act and local laws if, for example, the AI was used to make decisions relating to a performance management process in respect of a UK-based employee. Alternatively, the use of an AI-driven benefits system provided by a pan-European IT provider could come within scope of the AI Act where the output is used in the EU even if it relates to employees in the UK or Singapore.

For example, in the UK this could require analysis of the following:

Automated decisions (Data Protection Act 2018, as amended). Sections 49 and 50 restrict "significant decisions" based solely on automated processing, requiring authorisation by law and safeguards including notification and a right to human review; the 2025 Data (Use and Access) Act further refines UK rules on solely automated decisions.

Information Commissioner's Office (ICO) employment-monitoring guidance. The ICO's employment-practices guidance (including its monitoring-at-work consultation) underscores transparency, necessity, and accountability in worker monitoring, which aligns with EU high-risk governance and documentation expectations.

Local worker monitoring and fairness rules. For example in the UK, Acas guidance emphasises the need for consultation, transparency, and proportionality before introducing monitoring as well as the importance of equal treatment and avoiding disadvantage in hybrid/remote settings, with practical fairness pointers for promotion and opportunity allocation.

Practical Implications

For most businesses operating in or selling into the EU, at least some HR and worker-management tools will sit in Annex III, Point 4. The guidelines (although still in draft form) move the conversation from high-level principles to concrete judgements about how such tools influence opportunities, terms and career progression in practice. Organisations demonstrating disciplined scoping of risk classification, narrow and well-evidenced reliance on the Article 6(3) filter, and robust governance for their in-scope systems will be best-placed for supervisory scrutiny and strengthening employee trust. Businesses operating internationally and potentially within the scope of the AI Act should:

Inventory and classify. Produce an inventory of recruitment, selection, monitoring, task-allocation, progression, and pay systems. Treat any tool that scores, ranks, prioritises, or conditions access as presumptively high-risk unless a narrow procedural-task rationale is clearly met and documented.

Pressure-test any Article 6(3) "filter" arguments. Where a tool is preparatory, performs a narrow procedural task, improves a completed human activity, or detects patterns without influencing assessment, record precisely why its outputs cannot materially shape decisions and confirm it does not perform profiling. Expect regulators to scrutinise flimsy rationales.

Review targeted advertising and sourcing practices. If algorithms determine who sees vacancies or who is presented to recruiters, treat them as high-risk unless targeting is strictly contextual or based solely on inherent, nondiscriminatory job requirements (not simply "likely to apply" proxies, which may embed bias).

Calibrate monitoring and task-allocation tools. Strip out behavioural proxies that may skew opportunity or pay (e.g., acceptance rates or ratings). Where these are unavoidable, build in targeted guardrails such as review processes, bias testing, and explainability.

Align with additional local law expectations for worker monitoring. For example, in the UK, incorporate Acas/ICO principles (consultation, transparency, proportionality, data protection impact assessment (DPIA)-style analysis) into working practices.

Comply with applicable employment laws in the relevant EU state where the affected workers are based.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.