| Client | Acme HR-Tech GmbH |
|---|---|
| HQ | Berlin, Germany |
| Employees | 35 |
| Founded | 2023 (Series A, €4M raised) |
| Product | SaaS recruitment platform — CV ranking, candidate chatbot, interview transcription |
| Customers | ~80 mid-market German employers (B2B SaaS) |
| EU candidates in pipeline | ~12,000 active at any time |
| Audit window | 26 March – 14 April 2026 |
| Audit basis | Regulation (EU) 2024/1689 ("AI Act"), full text + Annex III |
High-risk AI obligations under the AI Act enter into application on 2 August 2026 (Art. 113). Acme operates AI systems that fall under Annex III #4 (employment, workers' management, access to self-employment), placing the CV ranking engine and the interview summarisation system squarely in the high-risk regime. The chatbot triggers transparency obligations under Art. 50. This audit identifies the obligations Acme must meet, the current gap, and a phased path to readiness.
Verdict. Acme HR-Tech GmbH operates two systems classified as high-risk under Annex III #4 (CV ranking engine; interview transcription & summary) and one system subject to Art. 50 transparency obligations (candidate chatbot). The current state shows material gaps against the Art. 9–15 high-risk obligations — most critically, no documented human-in-the-loop on automated rejections. None of the gaps appear structural; all are remediable on a realistic timeline before the 2 August 2026 application date.
Headline risk. The CV ranking engine produces a fit score that is, in practice, used by Acme’s customers to filter candidates without a documented human review step before rejection. Combined with insufficient bias testing on the training corpus and an incomplete Annex IV technical file, this is the single largest exposure in scope. Under Art. 99(4), violations of Art. 9, 10, 13, 14 or 15 obligations carry administrative fines of up to €15M or 3% of total worldwide annual turnover, whichever is higher.
Recommended path. Implement a four-phase roadmap (Sec. 5) that closes the Critical and High findings before July 2026, leaving June–July as a verification buffer ahead of the 2 August enforcement date. Estimated internal effort: ~1.5 FTE-months across engineering, product, and a designated AI compliance owner.
As of the audit date, the European Commission’s Digital Omnibus package may modify implementation timelines and certain obligations under the AI Act and adjacent EU digital law. This report assumes the published text of Regulation (EU) 2024/1689 and the 2 August 2026 application date for high-risk obligations under Art. 113. Acme should track Omnibus developments and adjust the roadmap if formally adopted changes alter scope or timing.
The following three production AI systems are in scope. Inventory was reconstructed from architecture diagrams, customer-facing documentation, vendor contracts, and engineering interviews.
| System | Purpose | Model / Vendor | Data inputs | User-facing? | Decision type |
|---|---|---|---|---|---|
| S-01 — CV Ranking Engine | Produces a 0–100 “fit score” per candidate, per open role, ranking the pipeline for customer recruiters. | Fine-tuned Llama 3.1 70B (in-house). Trained on ~1.4M parsed resumes + customer hire/no-hire labels (2024–2025). | Parsed CV text; job description embedding; customer-supplied job criteria. | Indirect (via Acme customer admins). | Decision-support; in practice used as automated filter below score thresholds set per customer. |
| S-02 — Candidate Chatbot | Answers candidate FAQs about open roles, working conditions, and benefits; books interview slots into Google Calendar. | OpenAI GPT-4 via API. RAG over Acme customer’s public job posting corpus + a per-customer FAQ. | Candidate free-text questions; URL of role; previously surfaced FAQs. | Yes — direct chat with the EU candidate. | Conversational + scheduling. No hire/reject decision. |
| S-03 — Interview Transcription & Summary | Transcribes recorded video interviews and generates a structured summary (strengths, weaknesses, fit indicators) consumed by hiring managers. | OpenAI Whisper (transcription) + GPT-4 (summarisation, prompt-templated). | Audio of consented interview; job description; scoring rubric. | Indirect (output read by hiring manager). | Decision-support feeding hire/no-hire judgement. |
Acme is the provider of all three systems (S-01 to S-03), as it places them on the EU market under its own brand. Acme’s 80 mid-market customers act as deployers. Provider obligations under Chapter III are therefore the dominant regime in this report; deployer obligations (Art. 26) are referenced where relevant for downstream contractual posture.
Each in-scope system was mapped against Annex III of Regulation (EU) 2024/1689 and against the transparency duties of Art. 50. Classifications reference the Annex III area, the relevant Article(s) under Chapter III, and the proposed risk tier.
| System | Annex III area | Risk tier | Reasoning |
|---|---|---|---|
| S-01 CV Ranking | Annex III, point 4(a) — AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates. | HIGH-RISK | The system is used “in particular to analyse and filter job applications” in the precise wording of Annex III #4(a). As an Annex III system, Art. 6(2) places it in the high-risk regime. Provider obligations under Art. 9 (risk management), Art. 10 (data governance), Art. 11 (technical documentation), Art. 13 (transparency to deployers), Art. 14 (human oversight), and Art. 15 (accuracy, robustness, cybersecurity) all apply. The Art. 6(3) derogation is not credibly available because the system materially influences the outcome (filtering/ranking), failing the “does not materially influence” condition. |
| S-02 Candidate Chatbot | Not an Annex III system. Triggers Art. 50(1) — transparency obligations for providers of AI systems intended to interact directly with natural persons. | LIMITED-RISK | The chatbot does not itself decide, filter, or score candidates. It is a conversational interface and a scheduling tool. It therefore falls outside Annex III #4(a)’s “analyse and filter” scope. However, because it interacts directly with a natural person (the candidate), Art. 50(1) requires the provider to ensure the candidate is informed they are interacting with an AI system, in a clear and distinguishable manner, no later than the first interaction. |
| S-03 Interview Summary | Annex III, point 4(a) — evaluation of candidates in the recruitment process, by way of a structured summary that drives hire/no-hire judgement. | HIGH-RISK | Although the system frames itself as a “summary tool,” in practice its output influences a candidate-evaluation decision under Annex III #4(a). The full Art. 9–15 high-risk stack applies. Whisper’s known accent/dialect performance variance creates a foreseeable Art. 10(2)(g) data-quality concern (representativeness across the EU candidate population) and an Art. 15 accuracy obligation. Art. 50(2) (synthetic content marking) does not apply here because the output is consumed internally by the hiring manager rather than published. |
S-02 and S-03 rely on GPT-4 and Whisper (third-party general-purpose AI). Under Chapter V, GPAI provider obligations sit with the upstream provider (OpenAI). However, when Acme integrates these models into a high-risk AI system (S-03), Acme remains the provider of the high-risk system and bears Art. 9–15 obligations end-to-end. Vendor compliance documentation should be retained as part of the Annex IV file (see Sec. 6).
Eight findings were identified across the three in-scope systems. Severity reflects regulatory exposure, not engineering complexity. Penalty figures are drawn from Art. 99 and represent statutory maxima; actual fines depend on national supervisory authority discretion, the criteria in Art. 99(7), and Acme’s remediation posture at the time of any enforcement.
F-01 — No documented human oversight on automated rejections (Art. 14). Customer admins routinely configure score thresholds below which candidates are auto-archived without a human reviewer touching the record. The current product UI does not require, log, or enforce a human-in-the-loop step for these rejections, and Acme’s deployer guidance does not specify minimum oversight measures. Art. 14(1) requires high-risk AI systems to be designed and developed in such a way that they can be effectively overseen by natural persons during the period in which the system is in use. Art. 14(4) requires the human overseer to be able to interpret outputs, decide not to use them, and intervene or override. Today, neither the product nor the customer workflow guarantees this for negative outcomes.
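As a concrete illustration of the gate this finding calls for, the sketch below refuses to auto-archive any below-threshold candidate until a human review decision is on record, forcing the UI into a review queue instead. All names and the data model are hypothetical, not Acme’s actual API:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ReviewLog:
    """Append-only record of human review events, keyed by candidate ID."""
    events: dict = field(default_factory=dict)

    def record_review(self, candidate_id: str, reviewer: str, decision: str) -> None:
        # decision: "confirm_reject" (human upheld the rejection) or "override"
        self.events[candidate_id] = {
            "reviewer": reviewer,
            "decision": decision,
            "at": datetime.now(timezone.utc).isoformat(),
        }

def archive_candidate(candidate_id: str, score: float, threshold: float,
                      reviews: ReviewLog) -> bool:
    """Allow archiving only above threshold or after a documented human rejection.

    Returning False routes the candidate to a review queue — the Art. 14(4)
    'decide not to use / override' affordance made enforceable server-side.
    """
    if score >= threshold:
        return True  # not a rejection; no oversight gate needed
    review = reviews.events.get(candidate_id)
    if review is None or review["decision"] != "confirm_reject":
        return False  # block auto-archive: no documented human decision
    return True
```

Logging every override (and every confirmed rejection) in the same structure also produces the oversight evidence the Art. 13 deployer instructions need to reference.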
Penalty exposure (Art. 99(4)): up to €15M or 3% of worldwide annual turnover — high-risk obligations breach.

F-02 — No AI disclosure on the candidate chatbot (Art. 50(1)). The chatbot opens with a generic greeting (“Hi, I can help you find roles at <Customer>”) and does not state, in clear and distinguishable language, that the candidate is interacting with an AI system. Art. 50(1) requires providers of AI systems intended to interact directly with natural persons to ensure that those persons are informed of the AI nature of the interaction unless this is obvious from the context to a reasonably well-informed user. In a careers-page context this disclosure is not implied; it must be explicit and made by the time of the first interaction.
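A minimal sketch of the fix: inject the disclosure into the first assistant turn server-side, so it cannot be dropped by a prompt change or a UI redesign. The wording and function names here are illustrative, not Acme’s production code:

```python
AI_DISCLOSURE = "You are chatting with an AI assistant, not a human recruiter."

def first_reply(prior_assistant_turns: list[str], model_reply: str) -> str:
    """Prefix the Art. 50(1) disclosure on the first assistant turn.

    The disclosure must reach the candidate no later than the first
    interaction; a persistent UI label should complement this server-side
    guarantee rather than replace it.
    """
    if not prior_assistant_turns:  # no earlier turns: this is the first interaction
        return f"{AI_DISCLOSURE}\n\n{model_reply}"
    return model_reply
```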
Penalty exposure (Art. 99(4)): up to €15M or 3% of worldwide annual turnover — transparency obligation breach.

F-03 — Incomplete Annex IV technical documentation (Art. 11). Acme maintains an internal model card for S-01 and a one-page architecture note for S-03, but neither document covers the elements required by Annex IV: the general description and intended purpose, the development methodology, system architecture and data sheets (Annex IV(2)), monitoring and control measures (Annex IV(3)), risk management documentation (Annex IV(5)), and the post-market monitoring plan (Annex IV(8)). The technical documentation must be drawn up before the system is placed on the market or put into service and kept up to date (Art. 11(1)).
Penalty exposure (Art. 99(4)): up to €15M or 3% of worldwide annual turnover — high-risk obligations breach.

F-04 — Data governance and bias examination not formalised (Art. 10). Acme has run internal demographic-parity checks on a 5,000-row sample but has not formalised the data governance and examination procedures required by Art. 10(2). Specifically, Art. 10(2)(f) and 10(2)(g) require examination in view of possible biases that are likely to affect health and safety of persons, have a negative impact on fundamental rights, or lead to discrimination prohibited under Union law, and an evaluation of the relevance, representativeness and, where applicable, statistical properties of the data sets. Today these checks exist as ad-hoc notebooks rather than a repeatable process tied to the technical file.
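One way to turn the ad-hoc notebooks into a repeatable examination is a small, versioned check that computes per-group selection rates and a disparate-impact ratio over labelled outcomes, with its output filed into the technical documentation each time it is re-run. A sketch under assumed inputs (the grouping scheme and any alert threshold are illustrative choices, not Acme’s current practice or a regulatory test):

```python
from collections import defaultdict

def selection_rates(records: list[tuple[str, bool]]) -> dict[str, float]:
    """Selection rate (share of candidates advanced) per demographic group.

    Each record is (group_label, was_selected).
    """
    totals, selected = defaultdict(int), defaultdict(int)
    for group, was_selected in records:
        totals[group] += 1
        selected[group] += int(was_selected)
    return {g: selected[g] / totals[g] for g in totals}

def disparate_impact_ratio(rates: dict[str, float]) -> float:
    """Lowest-to-highest selection-rate ratio; values near 1.0 indicate parity."""
    return min(rates.values()) / max(rates.values())
```

Running this over the full training corpus (not the 5k sample) and archiving the result per model version gives the Art. 10(2)(f)/(g) examination an audit trail.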
Penalty exposure (Art. 99(4)): up to €15M or 3% of worldwide annual turnover — high-risk obligations breach.

F-05 — No post-market monitoring plan (Art. 72). Acme has product analytics (DAU, error rates) but no plan that meets Art. 72(1)’s requirements: a post-market monitoring system that systematically and actively collects, documents and analyses relevant data provided by deployers or collected through other sources on the performance of the high-risk system throughout its lifetime, and allows the provider to evaluate continuous compliance with the requirements of Section 2 of Chapter III. The plan must be part of the Annex IV file (Annex IV(8)).
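Score-drift detection is one concrete component such a plan can specify. A common, simple metric is the Population Stability Index over binned score distributions; the 0.2 alert level mentioned below is a conventional operating rule of thumb, not a regulatory requirement:

```python
import math

def psi(expected: list[float], observed: list[float]) -> float:
    """Population Stability Index between two binned score distributions.

    Inputs are bin proportions that each sum to 1 (e.g. the fit-score
    histogram at model release vs. last quarter). A common operating rule
    treats PSI > 0.2 as material drift worth investigation.
    """
    eps = 1e-6  # guard against empty bins
    return sum(
        (o - e) * math.log((o + eps) / (e + eps))
        for e, o in zip(expected, observed)
    )
```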
Penalty exposure (Art. 99(4)): up to €15M or 3% of worldwide annual turnover — high-risk obligations breach.

F-06 — Logs do not support decision traceability (Art. 12). Application logs record latency and errors but do not record the inputs that produced a particular score, the scoring outputs, the model version, or the configuration thresholds in effect at the time of decision. Art. 12(1) requires that high-risk systems technically allow for the automatic recording of events (logs) over the lifetime of the system, to a degree appropriate to the intended purpose. Without traceable logs the deployer instructions required under Art. 13 cannot be fully delivered, because deployers cannot reconstruct decisions on demand.
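A sketch of the per-decision record this finding describes. Hashing the input rather than storing raw CV text keeps each decision reconstructable against an archived input store while limiting the personal data held in the logging pipeline; field names are illustrative:

```python
import hashlib
from datetime import datetime, timezone

def decision_record(cv_text: str, model_version: str, score: float,
                    threshold: float, deployer_id: str) -> dict:
    """Build one traceability log entry: input hash, model version, score,
    the threshold in effect, the deployer, and a UTC decision timestamp."""
    return {
        "input_sha256": hashlib.sha256(cv_text.encode("utf-8")).hexdigest(),
        "model_version": model_version,
        "score": score,
        "threshold_in_effect": threshold,
        "deployer_id": deployer_id,
        "decided_at": datetime.now(timezone.utc).isoformat(),
        "outcome": "advance" if score >= threshold else "below_threshold",
    }
```

Emitting one such record per scored candidate, retained for the minimum period set in the roadmap, is what lets a deployer (or an authority) reconstruct a specific decision on demand.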
Penalty exposure (Art. 99(4)): up to €15M or 3% of worldwide annual turnover — high-risk obligations breach.

F-07 — Transcription accuracy not benchmarked across EU languages (Art. 15). Acme’s 80 customers operate primarily in DACH but also recruit cross-border across the EU. Whisper’s published per-language word-error rates are uneven across EU languages and accents. Acme has not benchmarked S-03 against the actual language distribution of its candidate base. Art. 15(1) requires high-risk systems to be designed and developed to achieve an appropriate level of accuracy, robustness and cybersecurity, and to perform consistently in those respects throughout their lifecycle. Closing this gap is comparatively cheap and demonstrates good faith.
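The benchmark can start with plain word error rate, computed per language over a consented sample of interviews with human-verified reference transcripts. A standard word-level edit-distance implementation:

```python
def word_error_rate(reference: str, hypothesis: str) -> float:
    """WER = (substitutions + deletions + insertions) / reference word count,
    computed via word-level Levenshtein distance."""
    ref, hyp = reference.split(), hypothesis.split()
    # d[i][j] = edit distance between ref[:i] and hyp[:j]
    d = [[0] * (len(hyp) + 1) for _ in range(len(ref) + 1)]
    for i in range(len(ref) + 1):
        d[i][0] = i
    for j in range(len(hyp) + 1):
        d[0][j] = j
    for i in range(1, len(ref) + 1):
        for j in range(1, len(hyp) + 1):
            cost = 0 if ref[i - 1] == hyp[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
    return d[-1][-1] / max(len(ref), 1)
```

Aggregating WER per language and comparing it against the distribution of languages actually seen in the candidate pipeline produces the representativeness evidence the Annex IV file needs.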
Penalty exposure: indirect — contributes to Art. 15 breach risk if unaddressed.

F-08 — Upstream vendor compliance evidence not retained. Acme integrates GPT-4 and Whisper via API but does not retain a structured file of OpenAI’s published model documentation, DPA, and security attestations as part of its own technical file. While GPAI obligations under Chapter V sit with OpenAI, Acme remains the provider of the integrated high-risk system (S-03) and is expected to evidence the upstream posture in its Annex IV documentation. This is a documentation hygiene gap, not a substantive compliance failure.
Penalty exposure (Art. 99(5)): up to €7.5M or 1% of worldwide annual turnover — supply of incorrect, incomplete or misleading information to authorities.

Note on penalty tiers. All figures cite the statutory ceilings in Art. 99 of Regulation (EU) 2024/1689. Art. 99(3) sets a higher tier (€35M or 7%) for breaches of the Art. 5 prohibitions; none of Acme’s systems implicate Art. 5. Art. 99(4) is the relevant tier for the high-risk and transparency obligations identified above (€15M or 3%). Art. 99(5) (€7.5M or 1%) applies to the supply of incorrect information to notified bodies or competent authorities, and is the relevant ceiling for documentation-only findings. National supervisory authorities apply the Art. 99(7) factors when calibrating actual fines.
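For planning purposes, the “whichever is higher” ceilings can be computed mechanically; at Acme’s scale the fixed amount dominates the percentage component. Illustrative only — actual fines are calibrated by the authorities under Art. 99(7), not by formula:

```python
def art99_ceiling(tier_fixed_eur: float, tier_pct: float,
                  worldwide_turnover_eur: float) -> float:
    """Statutory maximum under an Art. 99 tier: the fixed amount or the
    percentage of total worldwide annual turnover, whichever is higher."""
    return max(tier_fixed_eur, tier_pct * worldwide_turnover_eur)
```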
The roadmap is sequenced to close the Critical and High findings before July 2026, leaving June–July as a verification buffer ahead of the 2 August 2026 application date for high-risk obligations under Art. 113. Effort estimates assume a 35-person company with one designated AI compliance owner working with the existing engineering team. The timeline is realistic but tight; if the Digital Omnibus pushes the deadline, Acme should reinvest the slack into stronger evidence rather than slowing down.
| Action | Addresses | Owner | Dependencies |
|---|---|---|---|
| Ship UI gate: customer admins must explicitly review or delegate review on any candidate auto-rejected by score threshold. Log every override. | F-01 | Product + Engineering | None |
| Update deployer instructions (Art. 13) with mandatory human-oversight workflow; push to all 80 customers with sign-off. | F-01 | Customer Success + Compliance Owner | UI gate live |
| Add “You are chatting with an AI assistant” first-message banner + persistent label on chatbot. | F-02 | Engineering | None |
| Action | Addresses | Owner | Dependencies |
|---|---|---|---|
| Open Annex IV technical file for S-01 and S-03; populate sections 1–8 (description, development, monitoring, performance metrics, risk management, change-control, harmonised standards, post-market plan). | F-03 | Compliance Owner + Engineering Lead | None |
| Formalise data governance procedure (Art. 10): data sourcing, labelling, bias examination, representativeness statement. Re-run examination on full training corpus, not 5k sample. | F-04 | ML team | Tech file structure (above) |
| Design and ship traceability logging: input hash, model version, score, threshold, deployer ID, decision timestamp. 6-month retention minimum. | F-06 | Engineering | None |
| Action | Addresses | Owner | Dependencies |
|---|---|---|---|
| Stand up post-market monitoring plan (Art. 72): KPIs, drift detection, customer feedback channel, incident triage, quarterly review cadence. | F-05 | Compliance Owner + ML team | Logging from Phase 2 |
| Benchmark S-03 transcription accuracy against actual EU candidate language distribution; document representativeness gaps + mitigations. | F-07 | ML team | None |
| Centralise vendor compliance evidence (OpenAI model docs, DPA, security attestations) as part of Annex IV. | F-08 | Compliance Owner | None |
| Action | Addresses | Owner | Dependencies |
|---|---|---|---|
| Internal walkthrough of Annex IV file against Art. 11 checklist; gap-close any open items. | All | Compliance Owner | Phases 1–3 complete |
| External legal review by qualified EU AI Act counsel (strongly recommended before Acme issues a Declaration of Conformity). | All | External counsel | Tech file finalised |
| Tabletop exercise: simulate a supervisory authority data request; measure time-to-respond. | F-05, F-06 | Compliance Owner + Engineering | Logging + monitoring live |
Art. 11 requires that the technical documentation of a high-risk AI system be drawn up before the system is placed on the market or put into service, kept up to date, and contain at least the elements set out in Annex IV. The following minimum file structure is recommended for S-01 and S-03.
| Annex IV point | Required content | Acme deliverable |
|---|---|---|
| 1 | General description, intended purpose, deployer instructions. | System fact sheet, intended-purpose statement, link to Art. 13 deployer instructions, version history. |
| 2 | Detailed description of elements and process of development: methodology, design choices, system architecture, data sheets, training methodology, validation procedures. | Architecture diagram, data sheet (sources, licences, demographic distribution), training and validation methodology document, model card. |
| 3 | Monitoring, functioning, and control measures. | Logging spec, control plane runbook, threshold configuration policy, override workflow. |
| 4 | Performance metrics & appropriateness. | Accuracy / fairness / robustness benchmarks vs. intended purpose; per-segment performance. |
| 5 | Risk management system per Art. 9. | Risk register, hazard analysis, mitigation status, residual risk acceptance, sign-off. |
| 6 | Changes to the system through its lifecycle. | Change log: model retrains, threshold updates, dataset additions, with rationale and reviewer. |
| 7 | Harmonised standards / common specifications applied. | List of standards consulted (e.g. relevant CEN/CENELEC drafts) and conformity rationale. |
| 8 | Post-market monitoring plan per Art. 72. | KPI catalogue, drift thresholds, incident escalation, quarterly review cadence. |
This report is informational and DOES NOT constitute legal advice. AI system classification under the EU AI Act and the recommendations above are based on publicly available regulatory texts and information provided by the client. Final compliance determination requires review by qualified EU AI Act counsel. Provider is NOT a lawyer and does NOT provide legal services. Provider does NOT guarantee compliance or the absence of penalties. Client is solely responsible for legal compliance.
This audit was prepared as a structured gap analysis between the client’s production AI systems and the obligations set out in Regulation (EU) 2024/1689 (the “AI Act”). The scoping and classification methodology proceeds in four steps: (i) inventory of in-scope AI systems and their data flows; (ii) mapping each system against Annex III categories and the provider/deployer roles in Chapter III; (iii) Article-by-Article gap analysis against Art. 9, 10, 11, 12, 13, 14, 15, 50, and 72; (iv) severity assignment based on regulatory exposure under Art. 99 and a remediation plan benchmarked to the 2 August 2026 application date in Art. 113.
| Version | Date | Author | Notes |
|---|---|---|---|
| v1.0 | 15 April 2026 | Piotr Reder · aiactaudit.pl | Initial report — sample / illustrative only. |
aiactaudit.pl · Piotr Reder · Málaga, Spain
Email: piotr@pricora.eu
Web: https://aiactaudit.pl
Plain-English definitions of recurring terms in this report. Definitions are summarised; for binding definitions consult Art. 3 of Regulation (EU) 2024/1689.