Casework
Published May 15, 2026 · Updated May 21, 2026

The Article 27 FRIA for hiring AI: what to include, what to leave out

Article 27 of the EU AI Act introduced the Fundamental Rights Impact Assessment — a deployer obligation that most companies have no template for. This post walks through what the FRIA must contain for an AI hiring system, and where deployers tend to over- or under-write.

  • EU AI Act
  • FRIA
  • Article 27
  • Fundamental rights

The DPIA was a culture shock when GDPR introduced it in 2018. Privacy teams had to learn a new format. Engineering had to provide inputs they did not previously document. Legal had to sign off on something that looked like a checklist but felt like a position paper.

The FRIA is the same shock, with two differences. First, the substance is broader: fundamental rights, not just privacy. Second, no one has done this before. There is no industry template. There is no list of "30 questions you must answer." Article 27 itself is short: one paragraph listing the six elements the assessment must contain, and a few more on timing, notification to the market surveillance authority and the overlap with the DPIA. Note its scope, too. The obligation falls on deployers that are bodies governed by public law or private entities providing public services (and on deployers of certain credit-scoring and insurance systems), so a private employer writing a FRIA for a hiring tool is usually doing it voluntarily, or because a customer or procurement rule asks for it. The structure below is the same either way.

This is the structure we use for the FRIA on a hiring AI deployment.

§1. The deployer’s context

Who is the deployer. What is its size and sector. What is its overall hiring posture. This is short — half a page — but it bounds the analysis. A FRIA for a 600-person SaaS company is not the same document as a FRIA for a national retailer hiring 5,000 associates per year.

§2. The system’s purpose and the candidate’s journey

What does the system do. Where does it sit in the hiring workflow. What does a candidate experience. This section is where you describe the human-in-the-loop posture: who reviews the system’s outputs, with what criteria, at what point in the funnel. If the system’s output is final, that is, no human reviews it, you note this and you cross-reference the higher level of justification required.

§3. Categories of natural persons likely to be affected

Article 27 calls this out explicitly. For hiring, the set is wider than people sometimes assume:

  • Candidates who interact with the system.
  • Candidates who do not interact with the system because of how it filters at earlier stages.
  • Current employees whose data trained the system or whose data is referenced for fit.
  • Workers’ representatives who must be informed.

We include each category. The "candidates who do not interact" line is often the one that makes the FRIA genuinely useful: the system shapes the pipeline before any candidate sees a job posting, and those people never appear in the system’s own logs.

§4. Risks to fundamental rights

This is the substance. We organize it around the Charter of Fundamental Rights of the European Union categories that are most likely to be at risk in a hiring deployment:

  • Article 21 — non-discrimination.
  • Article 8 — protection of personal data.
  • Article 31 — fair and just working conditions (for employees affected by the system).
  • Article 47 — right to an effective remedy (does the candidate have recourse).

For each, we describe the specific risk this system creates, the evidence we have for it, and the severity. We do not pad the list with abstract risks. Better to have four concrete risks per right than 20 abstract ones.

§5. Mitigation measures

For each risk, the mitigation. Some are technical (input filtering, output thresholding, monitoring). Some are organizational (oversight roles, training, escalation paths). Some are contractual (what your agreement with the vendor lets you do, and what it requires the vendor to do).

§6. Oversight measures

Article 14 obliges the provider to design for human oversight. Article 27 obliges the deployer to document the oversight that actually happens in deployment. Who oversees. What they look at. How often. What they are trained on. What they can do when they see a problem.

§7. Complaint and redress mechanisms

How does an affected person — a candidate — surface a complaint. To whom. With what response SLA. With what right of appeal. With what record-keeping.

The Colorado AI Act requires this explicitly, including a route to appeal an adverse decision. The EU AI Act does too: Article 27(1)(f) names complaint mechanisms among the measures the deployer must describe. A FRIA without them reads as incomplete.

What to leave out: speculative harms that the deployer has no realistic ability to address. The FRIA is not an academic exercise; it is a record that the deployer thought about the risks that apply to this deployment and put measures in place. Throwing in every theoretical risk dilutes the actually-load-bearing risks.

The hardest part of writing a first FRIA is reading the Charter. The hardest part of writing the second is realizing that the first one was too long.