Faced with the AI Act of August 2026, what should companies deploy to prevent modifications to their HR AI tools from reclassifying them as suppliers?
The emergence of artificial intelligence in HR processes – recruitment, performance evaluation, career management – acts as a stark revelation: data governance, for most companies, remains a major issue.
Behind the promises of efficiency, a more complex reality emerges. A CV sorting algorithm can reproduce implicit biases linked to geography or atypical career paths. A people analytics tool can guide sensitive decisions based on fragile correlations. In these situations, the question is no longer technical, it becomes legal and managerial: who is responsible?
As the entry into force of the “high risk” obligations of the AI Act approaches in August 2026, this question becomes structuring. It involves not only regulatory compliance, but also the continuity of HR decisions.
The requalification trap: from deployer to supplier
Regulation (EU) 2024/1689 explicitly classifies HR systems as high-risk uses (Annex III, point 4). Many companies think they can limit their exposure by relying on market solutions. This reading is incomplete: the real blind spot lies in Article 25 of the text.
Many organizations imagine that by purchasing a solution off the shelf, they are transferring the risk to the provider. This is a serious misreading. If your technical teams or your HR teams make a “substantial modification” – the exact term of article 25 – the company undergoes immediate legal reclassification. This is the case if it does aggressive fine-tuning, if it retrains the model on internal data not originally planned or if it diverts the initial use of the tool.
From then on, it switches from the status of deployer to that of supplier. This requalification leads to a major shift in responsibility: the company is no longer content with using a system, it bears the heavy structural obligations (CE marking, risk management system, exhaustive technical documentation).
Especially since in France, labor law is not going away. Article L.1132-1 on non-discrimination and article 22 of the GDPR – which prohibits exclusively automated decisions and imposes real human supervision – form a strict legal shield. If a manager is satisfied with a blind “validation click” on a recommendation from the machine, the decision will be reclassified before the industrial tribunal. It is the absence of effective human supervision, although imposed by article 26 of the AI Act, which will condemn the company.
The end of “technological solutionism”: Lessons from case law
Technological solutionism – this very French tendency to believe that a tool will solve a deep managerial problem – today comes up against European law. However, the weak signals were there from the start of the decade:
The Deliveroo affair in Bologna (2020): The “Frank” algorithm, by penalizing absent delivery workers without integrating the notion of the right to strike or sickness, demonstrated that a mathematical model blind to context produces systemic discrimination.
The fine from the Dutch authority (2021): 2.75 million euros penalty for a profiling system based on dual nationality.
Recruitment bias: More recently, legal analyses include adjustments linked to gender and age discrimination caused by pre-selection AIs trained on uncleaned historical corporate data, thus reproducing the glass ceilings of the past.
What these cases show us in the HR field is that algorithmic risk directly affects the employer’s security obligation (article L.4121-1 of the Labor Code). Management dictated by opaque algorithmic metrics generates a mental burden and psychosocial risks for which the company is legally and criminally responsible. In the age of social media and class actions, the reputational cost can be far greater than the financial penalties.
Execution plan: the 7 HR compliance projects
Faced with these challenges, the response must be organizational and immediate. Here is the operational roadmap to deploy to structure your contractual, technical and managerial defenses.
1. Map HR AI uses
Identify and list all systems used, directly or indirectly, in HR processes (recruitment, mobility, evaluation, training, schedule planning). The objective is to obtain an exhaustive vision, including Shadow AI (free or informal tools used by teams without official approval from the company).
2. Classify risk levels
Qualify each tool according to the AI Act criteria to prioritize efforts:
High-risk system (Annex III): Recruitment, contract management, performance evaluation.
Use with required transparency: Conversational agents (chatbots) for welcoming candidates.
Low impact use: Generation of job description frames via general generative AI.
3. Audit changes and lock down the technical architecture
Technically analyze internal practices to definitively defuse the risk of reclassification under Article 25. The IT department must put in place a strict architectural “Guardrail”:
Freezing hyperparameters and training pipelines: Separate model access (inference) from any retraining capabilities. Block access rights (Rights Management) to ensure that no internal evaluation data modifies the weights of the underlying model.
Implementing “RAG” rather than “Fine-tuning”: If you need to connect AI to company job descriptions or internal labor laws, choose the RAG (Retrieval-Augmented Generation) architecture. RAG provides context documents to the AI at question time without ever changing the structure or training of the underlying algorithm. RAG maintains your deployer status; fine-tuning switches you to supplier status.
4. Implement decision-making traceability and immutable logging
Formalize a tamper-proof and auditable chain of responsibility: Input data $\rightarrow$ Algorithmic processing $\rightarrow$ Motivated human arbitration.
On the technical side: Install a centralized and tamper-proof log system that records all queries, input data provided and model versions used. This logbook constitutes your absolute proof to the CNIL or labor inspectors that the system has not been modified.
On a managerial level: Each sensitive HR decision (refusal of application, evaluation, sanction) must be the subject of traceable monitoring explaining the final decision of the human stakeholder.
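The logbook described in project 4, together with the "weights must not change" control of project 3, sketched as an added example (not part of the original article or of any vendor product). Field names, the HMAC key handling and the sample records are assumptions; in practice the key would live outside the HR application, for example in a KMS.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "previous MAC" of the first entry

def _mac(key, prev, body):
    # Canonical JSON so the same record always serializes to the same bytes.
    data = prev.encode() + json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append(log, key, *, ts, model_version, model_sha256, input_data,
           recommendation, reviewer, decision, rationale):
    if not rationale.strip():
        raise ValueError("human decision must carry a written rationale")
    body = {
        "ts": ts, "model_version": model_version, "model_sha256": model_sha256,
        # Store a digest of the input, not the CV itself, to keep personal data out of the log.
        "input_sha256": hashlib.sha256(json.dumps(input_data, sort_keys=True).encode()).hexdigest(),
        "recommendation": recommendation, "reviewer": reviewer,
        "decision": decision, "rationale": rationale,
    }
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"body": body, "prev": prev, "mac": _mac(key, prev, body)})
    return log[-1]

def first_tampered(log, key):
    """Index of the first entry whose chain link or MAC fails, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], _mac(key, prev, e["body"])):
            return i
        prev = e["mac"]
    return -1

def model_changes(log, approved_sha256):
    """Indexes of decisions served by a model artifact other than the approved one."""
    return [i for i, e in enumerate(log) if e["body"]["model_sha256"] != approved_sha256]

def demo():
    # Constructed sample data: key, digests and decisions are illustrative only.
    key = b"demo-key-held-outside-the-hr-app"
    approved = hashlib.sha256(b"vendor-model-v1").hexdigest()
    log, common = [], dict(model_version="1.0", recommendation="shortlist", reviewer="recruiter-17")
    append(log, key, ts="2026-08-03T09:00:00Z", model_sha256=approved, input_data={"cv": "A"},
           decision="accept", rationale="Meets all listed criteria", **common)
    append(log, key, ts="2026-08-03T09:05:00Z", model_sha256=hashlib.sha256(b"retrained").hexdigest(),
           input_data={"cv": "B"}, decision="reject", rationale="Missing required certification", **common)
    return log, key, approved
```

A chain like this detects edits and reordering but not deletion of the most recent entries, so the latest MAC should be copied periodically to a system the HR application cannot write to.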
5. Structuring tripartite and social governance (“AI Clearing” Cell)
Technology alone is not enough: an internal validation protocol must be imposed by creating a mandatory “AI Clearing” committee. No HR AI tool should be deployed, updated or connected to a new database without the green light from this cross-functional unit bringing together:
The IT department (DSI): Guarantor of non-modification of the architecture.
Legal / DPO: Guarantor of compliance with Art. 25 AI Act and Art. 22 GDPR.
HR Director: Guarantor of compliance with the Labor Code.
This body also manages fundamental rights impact assessments (FRIA). Furthermore, in direct application of article 26 paragraph 7, the company must present to the Social and Economic Committee (CSE) a clear and popularized map of the systems used, demonstrating precisely how humans maintain control. Transparent social dialogue eliminates the risk of class actions for algorithmic discrimination.
6. Overhauling supplier contracts: The “Non-Modification Pact”
The first reflex consists of legally locking the boundaries of your usage to prove, in the event of an inspection, that you have remained within the guidelines set by the publisher. The “as is” business model and paltry liability caps are no longer suitable. Legal departments must negotiate:
The strict usage annex (Scope of Use): Include a technical annex co-written by the IT department and the HR department which precisely lists the use of the tool. The publisher must validate in writing that this use falls within its “intended purpose”.
The liability clause on fine-tuning: Prohibit internal teams from touching the model independently. Stipulate contractually that any additional training, interfacing (API) or weight adjustment of the model is carried out by the publisher itself, so that it integrates it into its own compliance loop (CE marking).
Audit and compensation clauses: Demand the provision of technical documentation from the supplier (linked to Art. 6 and Annex III) as well as a full compensation clause if the system proves non-compliant after integration of your standard data.
7. Train managers in the “Zero Black Box” protocol
The human supervision imposed by Article 26 of the AI Act must not be reduced to purely formal validation (the “blind click” syndrome). Recruiters and managers must be trained to understand the statistical limitations of models and detect potential bias.
Deploy an internal charter stipulating that an AI recommendation must be systematically analyzed and subject to critical arbitration. If the AI proposes a Top 3 candidates, the recruiter must be able to record and argue in writing the human reasons why he validates or invalidates this choice.
Towards responsible digital maturity
The AI Act does not slow down innovation. It requires an increase in maturity. The most successful companies will not be those that automate the most, but those that have the best control of their decision-making processes.
For HR managers, this implies an essential change of posture. It is no longer a question of adopting productivity tools, but of managing risky systems. Tomorrow’s HR performance will rely less on the intrinsic power of algorithms than on the quality, rigor and responsibility of their human supervision.