AI liability for recruitment and HR: the SME guide.
Using an AI tool to screen CVs or shortlist candidates places your business in the EU AI Act's highest-risk category. This guide explains what that means for your compliance programme, where your existing insurance is likely to fall short, and what a buyer should ask before going live.
Key takeaways
- AI used in hiring, promotion, task allocation, or termination is classified as high-risk under EU AI Act Annex III, point 4 (Regulation (EU) 2024/1689). The full Chapter III compliance programme applies to any SME deploying such a tool for EU residents.
- Discrimination liability under EU equal treatment law sits with the employer making the decision, not the AI vendor. Operators cannot pass this exposure upstream by contract alone.
- US litigation (Mobley v. Workday, N.D. Cal.) has established a viable class action theory around AI hiring bias, treating the operator as responsible for algorithmic outputs. The same logic operates through EU equal treatment directives.
- Standard employment practices liability (EPL) and professional indemnity (PI) policies were not written for AI-sourced discrimination claims. Coverage gaps are common and material.
- Standalone AI liability products from carriers including HSB, Armilla, Counterpart, and Lloyd's syndicates are beginning to address this gap, but each product has its own sublimits and exclusions that must be read carefully.
- The minimum pre-deployment check is five steps: confirm high-risk classification, obtain the provider's bias audit, verify human oversight exists, complete a Fundamental Rights Impact Assessment where required, and notify your insurers in writing before going live.
Why recruitment AI is in its own liability category
Most AI tools an SME might deploy fall outside the EU AI Act's high-risk classification. A chatbot answering customer queries, an AI drafting marketing copy, an AI agent scheduling meetings: none of these are in the high-risk categories that trigger the full Chapter III compliance programme.
Employment AI is different. Annex III, point 4 of Regulation (EU) 2024/1689 explicitly lists AI systems used for "recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests" as high-risk AI systems. The same point covers AI used for "making decisions on promotion and termination of work-related contractual relationships, for task allocation and for monitoring and evaluating performance and behaviour of persons in such relationships."
The scope is deliberately broad. An AI tool that ranks CVs before a human sees them is in scope. An AI tool that generates a suitability score on a candidate profile is in scope. A tool that analyses candidate video interviews for personality traits or engagement signals is in scope. The classification applies regardless of the size of the organisation deploying the tool and regardless of whether the tool is built in-house or purchased from a vendor.
The practical consequence is that recruitment agencies, HR departments, and any SME using AI to assist employment decisions for EU residents must comply with the full Chapter III obligations: a documented risk management system under Article 9, technical documentation under Article 11, a human oversight mechanism under Article 14, and a Fundamental Rights Impact Assessment (FRIA) under Article 26(9) where that provision applies to the deployment. The compliance deadline under the current regulation is 2 August 2026. The Digital Omnibus proposal would defer this to 2 December 2027 for new systems, but it has not yet been adopted and the 2 August date remains binding until it is.
The discrimination exposure: where the real risk sits
The EU AI Act is a compliance instrument. It creates regulatory obligations and the risk of fines from national market surveillance authorities. But the litigation exposure for an SME using AI in hiring does not primarily come from the AI Act. It comes from equal treatment law, which has been in force for two decades and which applies fully to AI-assisted decisions.
Directive 2000/43/EC (the Racial Equality Directive) prohibits direct and indirect discrimination on grounds of racial or ethnic origin in employment and occupation, including access to employment, promotion, and dismissal. Directive 2000/78/EC (the Employment Equality Directive) prohibits discrimination on grounds of religion, disability, age, and sexual orientation. Both directives define indirect discrimination as "an apparently neutral provision, criterion or practice" that puts persons of a protected characteristic at a particular disadvantage.
An AI screening algorithm that disproportionately filters out candidates of a particular ethnic origin, age group, or disability status is, in principle, a "neutral criterion or practice" that produces disparate impact. The fact that the criterion was generated by an algorithm rather than a human does not change the legal analysis. The employer deploying the tool is the entity making the employment decision, and that entity carries the burden under EU equal treatment law of demonstrating that the practice is justified by a legitimate aim and that the means of achieving that aim are appropriate and necessary.
This is not a theoretical risk. The European Parliament's 2021 report on AI and employment noted documented cases of bias in commercially available CV screening tools. Studies including Amazon's internal review of its own recruitment AI (disclosed publicly in 2018) found that models trained on historical hiring data replicated historical gender biases. Audits commissioned on behalf of public sector bodies have found that commercially available recruitment AI tools produced measurably different shortlisting outcomes by inferred ethnicity on otherwise equivalent profiles.
Mobley v. Workday and what it signals for European operators
In the United States, Derek Mobley filed a class action against Workday, Inc. in the Northern District of California in 2023, alleging that Workday's AI-powered applicant screening software systematically disadvantaged Black, older, and disabled applicants in violation of Title VII of the Civil Rights Act 1964, the Age Discrimination in Employment Act 1967, and the Americans with Disabilities Act 1990. Mobley alleged that he had applied for over 100 positions using platforms powered by Workday's software and was rejected in each case despite meeting the stated qualifications.
The district court's ruling on the motion to dismiss allowed claims to proceed in part. The court accepted the theory that an operator using Workday's AI tool could be treated as acting through Workday as an agent for purposes of employment discrimination liability. The significance for European operators is the underlying legal logic: the employer who deploys an AI hiring tool does not escape liability for discriminatory outputs by pointing to the vendor. The vendor designed the algorithm, but the employer made the hiring decision.
Under EU equal treatment law, the equivalent structure is more direct because liability attaches to the practice (the use of the discriminatory criterion), not to the actor's intent. An employer in Germany, the Netherlands, or France who uses an AI tool that produces disparate impact on a protected group is applying an indirectly discriminatory criterion within the meaning of the relevant national transposition of Directive 2000/78/EC. The burden to justify that criterion then falls on the employer. Contract terms indemnifying the employer against vendor liability do not change the employer's position under the directive, because the directive's obligations run between the employer and the affected individual, not between the employer and the vendor.
Where EPL and PI insurance fall short
Employment practices liability insurance covers claims by employees or job applicants arising from alleged wrongful employment acts: unfair dismissal, harassment, breach of employment contract, and discrimination. In a world where hiring decisions were made by human managers, a discrimination claim in the application process was clearly an EPL matter.
AI screening tools have created three coverage questions that standard EPL policies do not clearly resolve.
First, the intentional act question. Most EPL policies exclude coverage for deliberate or intentional discrimination. An insurer defending a claim arising from AI screening may argue that the operator knowingly deployed a tool with documented bias risk, and that this constitutes an intentional act. Whether this argument succeeds depends on the specific policy wording and the facts of the deployment. An operator who has a third-party bias audit showing the tool passed disparity testing is in a different position from one who deployed the tool with no audit.
Second, the AI exclusion question. EPL policies written since 2023 increasingly include explicit AI-related exclusions or carve-backs. The exclusion wording varies: some exclude claims "arising from or related to the use of artificial intelligence systems," which is broad enough to exclude an AI-sourced discrimination claim entirely. Others exclude only claims arising from AI systems the operator "designed or developed," which would not exclude off-the-shelf tools. Read the exclusion wording of any EPL policy carefully before treating it as covering AI-sourced discrimination.
Third, the professional indemnity question for recruitment agencies. A recruitment agency operating as an intermediary between candidates and client employers is providing professional services. If the agency's AI screening tool produces a biased shortlist and the client employer faces a discrimination claim from a rejected candidate, the client may bring a professional negligence claim against the agency. Whether the agency's PI policy responds depends on whether AI-assisted screening is within the policy's definition of professional services and whether there is an AI carve-out in the exclusions.
Standalone AI liability products are being developed to fill these gaps. HSB's AI Liability product, Armilla's AI insurance offering, and Lloyd's of London syndicate capacity are among the sources of dedicated AI coverage in the European market; availability and scope vary and should be confirmed with a specialist broker. Counterpart offers coverage specifically designed for technology firms with employment-related AI liability exposure; European availability should be confirmed with a specialist broker. None of these products are a substitute for reading the policy wording: each has its own sublimits, coverage triggers, and exclusions. The key question to ask of any dedicated AI policy covering recruitment use cases is whether it explicitly responds to discrimination claims arising from algorithmic shortlisting outputs, or whether it is limited to data breach, system errors, and third-party financial loss.
For a full comparison of the available products and what each covers, see the AI insurance product comparison guide.
The deployer obligations under Article 26
Article 26 of Regulation (EU) 2024/1689 sets out the obligations that apply specifically to deployers of high-risk AI systems. For recruitment and HR tools, the obligations that matter most in practice are as follows.
Article 26(1) requires deployers to use high-risk AI systems in accordance with the instructions for use provided by the provider. This is the compliance foundation. If the provider's instructions state that the tool is not validated for certain language variants, certain job categories, or certain demographic profiles, and you deploy it in those conditions, you have departed from the instructions for use. Insurers and regulators will treat this departure as material.
Article 26(2) requires deployers to ensure that natural persons assigned to oversee high-risk AI systems have the necessary competence, training, and authority. For a recruitment AI, this means at least one identified person in your organisation has the knowledge to understand what the AI is doing, the authority to override its outputs, and the training to recognise when an output should be reviewed. A sign-off workflow where a hiring manager clicks "confirm" on an AI-generated shortlist without reviewing the underlying ranking criteria does not satisfy this obligation.
Article 26(5) requires deployers to monitor the operation of the high-risk AI system and inform the provider without delay if they identify a risk to health, safety, or fundamental rights. For a recruitment tool, monitoring means tracking whether the shortlisting outputs show patterns of disparity by protected characteristic over time. This requires some form of demographic data collection and analysis, which in turn raises its own questions about what data can be lawfully collected under the GDPR in the hiring context.
Article 26(9) requires certain deployers to carry out a Fundamental Rights Impact Assessment (FRIA) before putting the high-risk AI system into use. The FRIA requirement applies to bodies governed by public law and to private operators using high-risk AI systems that interact with the public. The precise scope of the private operator requirement is being defined through national implementation guidance; check current guidance from the relevant national competent authority. Recruitment agencies and large employers using AI screening for public-facing job roles should treat the FRIA as a required step and prepare one in advance of deployment.
Five pre-deployment checks for recruitment AI
The following five steps represent the minimum documentation an SME should have in place before going live with any AI tool used in hiring or employment decisions for EU residents.
First, confirm the Annex III classification and document it. Identify which specific functions of the tool fall within Annex III, point 4. Write a one-page classification memo. This document is the starting point for a regulator or insurer asking whether you understood the risk profile of the deployment.
Second, obtain the provider's bias audit or algorithmic impact assessment. Request the provider's testing data showing disparity analysis across the protected characteristics listed in Directive 2000/78/EC: race and ethnic origin, religion, disability, age, and sexual orientation. Ask specifically for data on your target geographic market and job category, since bias profiles differ by context. If the provider does not have this documentation, treat that as a material risk factor and document your decision on whether to proceed.
Third, build and document a human oversight mechanism. Designate a named person responsible for reviewing AI shortlisting outputs. Define when the designated person must intervene (for example, when the AI produces a shortlist with statistically significant demographic skew, or when a candidate disputes a rejection). Record the oversight decisions and retain those records for the limitation period applicable to employment discrimination claims in each relevant EU member state; this varies by jurisdiction and legal advice should be sought for each operating market.
Fourth, complete the FRIA if required. If your deployment falls within the Article 26(9) scope, the FRIA is not optional. It must be carried out before deployment and must be made available to the relevant market surveillance authority on request. A standardised FRIA template is not yet available at EU level; check current guidance from the relevant national competent authority. The assessment must cover at minimum: the rights at stake, the likelihood and severity of adverse impact, and the mitigation measures in place.
Fifth, notify your insurers in writing before going live. Send a written notification to the insurers holding your EPL policy, your PI policy, and any general liability policy that might respond to a discrimination claim. State that you are deploying an AI-assisted recruitment tool, describe its functions, and ask explicitly whether the deployment is covered. If any insurer's response indicates a gap, address that gap before the deployment goes live, not after. An insurer who was not notified of a material change in how employment decisions are made has grounds to decline a claim on the basis of non-disclosure. For the complete insurer notification template, see the guide on what to tell your insurance broker.
The vendor contract: what to negotiate
The AI vendor's standard contract terms will not be adequate protection for an SME deploying a high-risk recruitment AI tool. The standard terms are written to limit the vendor's liability, not to protect the operator's position. The following provisions are worth negotiating before signature.
Ask for an express warranty that the tool has been audited for disparity across the protected characteristics in Directive 2000/78/EC, and that the vendor will provide updated audit results at least annually and whenever a material model update is deployed. Without this warranty, the operator is left to commission its own bias testing, which requires technical capacity most SMEs do not have in-house.
Ask for an indemnity from the vendor for claims arising from defects in the training data or model design that the operator could not reasonably have detected. This will be resisted but is worth requesting because it establishes the negotiating record that the operator raised the issue.
Ask for a contractual obligation on the vendor to notify you promptly if the vendor becomes aware of bias testing failures, regulatory investigations, or litigation relating to the same model you are using. A vendor who discovers a bias problem in its model has no obligation under standard terms to tell its customers. Contractual notification rights change this.
Ask for the right to terminate the contract without penalty if the tool fails a bias audit commissioned by the operator, or if a regulatory authority issues a finding that the tool does not comply with EU AI Act requirements. Standard terms typically make termination expensive. A clean exit right for regulatory non-compliance is a reasonable request.
What underwriters will ask
AI liability underwriters reviewing a recruitment or HR technology risk will ask a set of questions that go beyond the standard EPL or PI renewal questions. Understanding these questions in advance helps an SME prepare a more complete submission and is likely to improve both the coverage terms and the premium.
Underwriters will ask which AI systems are used in the hiring process and for what functions. They will want to know whether each system has been independently audited for bias. They will ask about the human oversight structure: who reviews AI outputs, at what stage, and with what authority to override. They will ask whether the operator has a documented incident response procedure for the case where an AI-sourced discrimination claim is received. They will ask about the volume of hiring decisions made with AI assistance each year, since this is the primary loss exposure metric for a discrimination claim. They will ask whether the operator has received any previous complaints or claims relating to hiring decisions in the last five years, with or without AI.
For the complete list of underwriter questions and how to prepare your submission, see the dedicated guide on what an underwriter will ask about your AI agent.
Frequently asked questions
Is AI used in hiring classified as high-risk under the EU AI Act?
Yes. Annex III, point 4 of Regulation (EU) 2024/1689 includes AI systems used for recruitment, candidate screening, shortlisting, promotion decisions, task allocation, monitoring, and termination of employment. The full Chapter III compliance obligations apply. The compliance deadline is 2 August 2026 under the current regulation, with a proposed deferral to 2 December 2027 under the Digital Omnibus (not yet adopted).
What is the Mobley v. Workday case and what does it mean for European SMEs?
Mobley v. Workday (N.D. Cal., filed 2023) is a US class action alleging that Workday's AI hiring tools systematically screened out Black, older, and disabled applicants. The court allowed the case to proceed in part on the theory that the operator is responsible for the AI tool's discriminatory outputs. Under EU equal treatment directives, the same logic applies directly: the employer deploying an AI tool that produces disparate impact bears the burden of justifying that impact under Directive 2000/43/EC and Directive 2000/78/EC.
Does employment practices liability (EPL) insurance cover AI screening errors?
Not reliably. Standard EPL policies predate AI screening tools and contain wording around intentional acts and, increasingly, AI exclusions that may prevent the policy from responding to a discrimination claim tracing to algorithmic shortlisting. Request a written confirmation from your EPL insurer specifically covering AI-sourced discrimination before deploying any hiring AI.
Does professional indemnity (PI) insurance cover AI errors in recruitment?
For recruitment agencies, PI coverage for AI-sourced errors depends on whether AI-assisted screening falls within the policy's definition of professional services and whether there is an AI carve-out in the exclusions. Standalone AI liability products from HSB, Armilla, Counterpart, and Lloyd's syndicates are designed to address gaps, but each has its own sublimits and scope. Read the policy wording before treating any product as covering algorithmic hiring liability.
What pre-deployment checks should an HR SME run before going live with an AI hiring tool?
Five minimum checks: (1) confirm and document the Annex III high-risk classification; (2) obtain the provider's bias audit covering EU equal treatment protected characteristics; (3) build a documented human oversight mechanism with a named responsible person; (4) complete a Fundamental Rights Impact Assessment if required under Article 26(9); (5) notify your EPL, PI, and general liability insurers in writing before going live and obtain written confirmation of coverage.
Who is liable when an AI recruiting tool produces a biased shortlist: the operator or the software vendor?
The employer deploying the tool carries the discrimination liability under EU equal treatment law. The EU AI Act places primary deployer compliance obligations on the operator, not the vendor. Contractual indemnities from the vendor may provide some financial recourse but do not change the operator's legal position in relation to the affected candidate. An operator who followed the provider's instructions for use, maintained documented human oversight, and completed a bias audit before deployment has a materially stronger position than one who did not.
References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act), OJ L, 2024/1689, 12 July 2024. Annex III, point 4; Articles 9, 11, 14, 26.
- Council Directive 2000/43/EC implementing the principle of equal treatment between persons irrespective of racial or ethnic origin, OJ L 180, 19 July 2000.
- Council Directive 2000/78/EC establishing a general framework for equal treatment in employment and occupation, OJ L 303, 27 November 2000.
- Directive (EU) 2024/2853 of the European Parliament and of the Council on liability for defective products (revised Product Liability Directive), OJ L, 18 November 2024.
- Mobley v. Workday, Inc., N.D. Cal., Case No. 3:23-cv-00770-RFL (filed 2023). Case remained in active litigation as of mid-2026.
- European Parliament, Committee on Employment and Social Affairs, Report on Artificial Intelligence in Education, Culture and the Audiovisual Sector (2020/2017(INI)), adopted 20 October 2021.
- Dastin, J., "Amazon scraps secret AI recruiting tool that showed bias against women," Reuters, 10 October 2018.
- Digital Omnibus on AI: European Parliament and Council political agreement, 7 May 2026. [Text not yet formally adopted as at 14 June 2026; original deadlines remain binding.]
- HSB AI Liability insurance product. Product scope and EU availability vary; confirm current terms with HSB or a specialist broker.
- Armilla AI insurance. Product scope and EU availability vary; confirm current terms with Armilla or a specialist broker.
- Counterpart AI liability coverage. European availability should be confirmed with a specialist broker.
- Lloyd's of London, AI Liability Market Briefing, 2025. Specific syndicate capacity and product scope vary; confirm with a specialist Lloyd's broker.
- Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises, OJ L 124, 20 May 2003.