EU AI Act readiness kit

EU HR AI Risk Checklist

Inventory the AI behind your hiring and people decisions, see what the EU AI Act treats as high-risk or banned outright, and put the oversight, the worker notice, and the records in place before you rely on a tool, with the moments to bring in counsel and your data protection adviser marked.

$99 USD

One-time purchase, no subscription. Instant download.

Built by expert HR practitioners and leaders

  • The briefing on the EU AI Act for HR: what Annex III treats as high-risk, what Article 5 bans outright, the timeline in plain terms with the dates that already apply, and whether you are a deployer or a provider
  • An AI System Register: every HR AI tool on one row, with the use, your role, the decision impact, the human reviewer, worker notice, vendor docs, and a quick high-risk flag
  • A Risk Classifier for every tool: answer a few plain questions and read the likely classification, high-risk, outside the list, or prohibited, plus the five deployer readiness checks and the gaps to close
  • Seven editable records in Word: an inventory entry, a classification worksheet, a deployer checklist, a human oversight record, a notice checklist, a vendor due-diligence questionnaire, and a decision record
  • A Readiness Tracker: the governance actions to clear across your HR AI, pre-filled, with owners, due dates, and the evidence on file

The kit structures the inventory, the classification, and the record. It is not a legal determination, and it routes anything near a banned practice or a cross-border call to qualified counsel and your data protection adviser.

Practical readiness tools and general information, not legal or tax advice. The rules are set by Regulation (EU) 2024/1689, the EU AI Act, apply on a phased timeline that is still settling, and play out differently across member states, so confirm your position with qualified counsel and your data protection adviser before you act.

Last reviewed June 2026

Buying for clients or multiple entities? The White-Label tier is in the license.

  • One-time purchase: no subscription
  • Instant download: files you keep
  • Editable files: Excel, Word, PDF
  • 14-day guarantee: money back
  • Secure checkout: SSL encrypted

What you get

Four files that put your HR AI on the record before the Act asks

Read the Guide first for what is high-risk, what is banned, and what falls on you as a deployer. Run each tool through the Risk Classifier, log the inventory on the Register, fill in the records for the tools that matter, and work the Readiness Tracker to done.

PDF: Start here

Start Here

A one-page map that sets the order: read the Guide, classify each tool, build the register, fill in the records, and work the tracker to done. It also carries the standing instruction to pause where a matter carries legal weight: anything near a banned practice, a decision no person can change, or a use that crosses borders.

PDF: Read first

The HR AI Risk Guide (7 pages)

The plain-language briefing: why the EU now regulates the AI behind people decisions and the Annex III high-risk uses, the timeline with the dates that already apply, deployer versus provider and the six deployer duties, the workplace red lines under Article 5 and the fines they carry, five risks to manage on every tool, and how to govern HR AI without a big team.

DOCX: Word

Templates and Records

Seven working records written to be filled in: an AI system inventory entry, a high-risk classification worksheet with the Annex III and banned-practice tables, a deployer readiness checklist, a human oversight record, a worker and candidate notice checklist, a vendor due-diligence questionnaire, and a governance decision record.

XLSX: Excel

The HR AI Risk Workbook

The working system: an AI System Register with a quick high-risk flag on every row, a Risk Classifier that reads each tool as likely high-risk, outside the list, or prohibited, a Readiness Tracker with the governance actions pre-filled, and a plain-language Definitions tab. It works in Excel or Google Sheets, with a worked example through a CV screening tool.

How it works

The method in the order the system runs

Inventory the tools, classify each one, make the oversight real, get the vendor evidence, and tell your workers before go-live. The kit structures each step; you make the calls, and counsel and your data protection adviser cover the close ones.

STEP 01

Read the landscape, then inventory every tool

Read the Guide once for the picture: what Annex III treats as high-risk, what Article 5 bans, and the duties that fall on you as a deployer. Then list every AI tool that touches hiring, screening, performance, scheduling, monitoring, promotion, or termination on the register, including the AI features built into tools you already use. You cannot govern what you have not named.

STEP 02

Classify each tool against the Act

Run each tool through the Risk Classifier: the HR use area, how the output is used, and whether it infers emotions or sensitive traits from biometrics. The classifier reads it as likely high-risk, outside the list, or prohibited. A tool on a red line is not a compliance project; the only fix is to stop using it, so route it to counsel before anything else.

STEP 03

Name a human owner and make the oversight real

Give one named person the competence, the time, and the authority to review the output and overrule the tool. A reviewer who clicks approve on every recommendation is the tool deciding with a human signature, so expect the owner to say no sometimes, and record it on the human oversight record when they do.

STEP 04

Get the vendor documentation and keep it on file

Send the due-diligence questionnaire before you sign and before you renew: the instructions for use, the bias testing, and the AI Act readiness evidence. A claim in a brochure is not evidence, so ask for the documents and file them with the inventory entry for the tool, and record each approval on the governance decision record.

STEP 05

Tell your workers, keep the logs, and set a review date

Inform worker representatives and the affected workers before a high-risk tool goes live, following your local information and consultation rules. Confirm the system logs are kept for at least six months, complete the data protection impact assessment where it is needed, and put a review date on every tool and on the inventory itself.

The standard

Every tool inventoried, classified, and on the record

HR AI goes wrong in patterns: a tool nobody listed, a review that rubber-stamps, no notice before go-live, a vendor claim taken on faith, and a timeline read once and assumed settled. The fix is a small system, an inventory, a repeatable classification, real oversight, notice, and a review date, and this kit gives you all of it, with the moments to stop and get qualified help marked.

The banned practices did not wait. Article 5 and the AI literacy duty have applied since 2 February 2025, and a breach of a banned practice is the most serious failure under the Act, with fines up to EUR 35 million or 7 percent of worldwide annual turnover, whichever is higher. The heavier high-risk duties tell a different story: due 2 August 2026 in the enacted law, moved to 2 December 2027 by the Digital Omnibus, which as of mid-2026 still awaits formal adoption. So the durable pattern is the one the kit builds: inventory now, check the red lines now, and treat the later date as a planning baseline you confirm, not a reason to wait.

  • Inventory first: you cannot govern what you have not named. List every AI tool that touches an HR decision, including the AI features quietly added to tools you already use, a recruiting screen that ranks, a scheduler that optimizes, a monitoring tool that flags. A tool that is not on the register has not been classified, and is not approved.
  • Deployer is the role most HR teams hold, and it comes with duties. Use the tool as intended, keep a named person able to overrule it, mind the input data you control, monitor and report, keep the logs for at least six months, and tell your workers before go-live. One line is worth knowing: rebrand a high-risk system, change what it is used for, or substantially modify it and you can take on the heavier provider obligations without meaning to.
  • Treat the timeline as moving and the red lines as fixed. The high-risk date is settling between the enacted law and the Digital Omnibus, and the kit tells you to confirm it before you rely on it. The banned practices and the AI literacy duty already apply, so the inventory and the red-line check cannot wait for a later deadline.

The kit tells you when to call a lawyer

Most HR AI can be governed in-house with the register, the classifier, and the records. Some moments sit near a legal line, and the kit marks them, so you get qualified input from counsel and your data protection adviser before a tool affects a real decision. Advice before you act is far cheaper than defending an outcome after.

  • Before you rely on any tool that may touch a banned practice, such as workplace emotion recognition or sensitive-trait inference from biometrics
  • A solely automated decision with a legal or similarly significant effect on someone, which also engages GDPR Article 22
  • The data protection impact assessment, and any works-council or employee consultation a rollout triggers
  • Confirming the high-risk timeline and your position in each member state where you operate
  • Using AI on candidates or workers in the EU or EEA from outside it, or any cross-border setup where the reach of the Act is unclear
  • A candidate or worker challenges an AI-influenced decision, or asks for an explanation or a human review and you are unsure what applies

Who does what

Getting ready for the Act splits the work between you, the kit, and your advisers. Here is the split, stated plainly.

  • The kit structures the system; you run it. The register, the classifier, the records, and the tracker organize the work and keep it consistent. Naming the owner, filling the register, and keeping the cadence are yours to do.
  • The classifier reads the likely classification; you make the call. It follows the Act: employment uses are high-risk under Annex III, and the biometric red lines are banned. A high-risk reading is a prompt to apply the deployer duties, a prohibited reading is a prompt to stop, and neither is a legal determination.
  • The kit flags the legal lines; counsel and your data protection adviser rule on them. A possible banned practice, a solely automated decision under GDPR Article 22, the DPIA, and any consultation duty are signals to get qualified input. The kit tells you when a matter needs an adviser; the adviser tells you what to do about it.
  • The kit gives you the timeline as reviewed; you confirm it before relying. The Guide states the position as of its June 2026 review, including the Digital Omnibus planning baseline that still awaits formal adoption. The current position in each member state where you operate is confirmed with qualified counsel before you rely on it.
  • The kit keeps the record, and the record is the point. A named register, a classification per tool, an oversight record, the notices, the vendor answers, and a decision record for each approval are what a documented position looks like when legal and data protection review arrives.

Is this for you

Who it is built for

Who this kit fits, and where to go if that is not you.

Built for

  • An HR lead, people ops manager, or business owner with staff in the EU or EEA whose recruiting screen, scheduler, or monitoring tool counts as employment AI, and who wants the inventory, the classification, and the records in place before relying on it.
  • A company outside the EU using AI on candidates or workers based in a member state, in scope wherever the head office sits, that needs a documented position without standing up a compliance department.
  • An HR team of one preparing for legal and data protection review, who wants the register, the classifications, the notices, and the vendor answers ready to hand over rather than built from scratch in the meeting.

If you are looking for

  • A written AI policy for the whole function and a scored risk check across hiring and HR, with the US federal and state layer mapped. The AI in HR Policy and Risk Checklist is built for that path; this checklist drills into the EU duties.
  • A formal bias audit of your hiring tools, with a selection-rate log and ready candidate notices. The AI Hiring and HR Governance Kit covers that audit.

Questions

Before you buy

What format are the files and can I edit them?
The Guide and the Start Here are print-ready PDFs, the Templates and Records are an editable Word file, and the HR AI Risk Workbook is an Excel file that also works in Google Sheets. Everything is yours to keep and adapt. Replace the worked example in the workbook with your own tools, and reuse the classification worksheet and the records for every new tool.
We are not based in the EU. Does the AI Act even apply to us?
It can. The Act applies if you operate in the EU, or if the output of your AI is used on people in the EU, so a tool that screens candidates or rates workers based in a member state is in scope wherever your head office sits, and the three EEA states, Iceland, Liechtenstein, and Norway, are treated the same way. That reach is the first thing the Guide walks through. If your AI never touches people in the EU or EEA, this kit is not for you; the AI in HR Policy and Risk Checklist covers the US and general path.
The high-risk deadline moved to the end of 2027. Can this wait?
Two parts of it cannot. The AI literacy duty and the Article 5 banned practices have applied since 2 February 2025, so the inventory and the red-line check are already due, and a banned practice carries the highest fines in the Act. And the 2 December 2027 date is a planning baseline from a package that still awaits formal adoption, with 2 August 2026 still in the enacted law, so the kit has you confirm the position rather than assume it. The work is the same either way, and it is cheaper done before a deadline than after.
Is this legal advice?
No. It is general information and a set of working records for preparing a documented position. The Act applies on a phased timeline that is still settling, national authorities and practice differ across member states, and the kit routes the calls that carry legal weight, a possible banned practice, a solely automated decision, the DPIA, a consultation duty, to qualified counsel and your data protection adviser rather than determining that any tool complies.
How is this different from the AI in HR Policy and Risk Checklist?
That kit puts a written policy behind every AI tool across hiring and HR and scores each one through a five-factor risk check, with the US federal and state layer mapped. This kit drills into the EU AI Act: the Annex III classification, the deployer duties, the worker notice, the logs, and the records an EU position needs. A company in scope of both uses both, and each page points you to the other.
What is the refund policy?
Digital products are covered by a 14-day money-back guarantee. See the refund policy for the full terms.
What happens after I buy?
Checkout delivers an instant download link, and a receipt with the same link arrives by email. Open the Start Here page first, then read the Guide before you classify a tool or rely on one. If a file gives you trouble, email support@truestephr.com.
Can I expense this purchase to my business?

Most customers buy TrueStep HR tools for business use, and a tool you use for work often qualifies as a deductible business expense. Whether it does for you depends on your situation, so confirm with your accountant or tax professional. Your receipt arrives by email at checkout and works as documentation.
