Module 1
Dublin — NovaTech Financial HQ — Friday, 4:30pm
Recruiting Manager at NovaTech Financial — a mid-size fintech with 1,200 employees across Dublin, London, and Frankfurt.
Most of the office has left for the weekend. You’re about to close your laptop when a new email arrives — a polite enquiry from a rejected candidate.
This is a decision-driven scenario. You’ll face real decisions that AI compliance professionals encounter — and your choices shape how the story unfolds.
Tip: Look for highlighted text throughout the scenario:
§ Article references — click to read the relevant AI Act article
Key terms — hover for a quick definition
From: Liam Whitaker <d.whitaker@outlook.com>
To: Anna Walsh <anna.walsh@novatech-financial.com>
Subject: Application for Senior Risk Analyst — Request for Feedback
Dear Ms Walsh,
I hope this email finds you well. I recently applied for the Senior Risk Analyst position (Ref: NVT-2026-0847) and received notification that my application was not progressed to the interview stage.
I have 30 years of experience in risk management, including 8 years specifically in fintech regulatory compliance. I hold an MSc in Financial Risk Management from the London School of Economics and am a certified FRM holder.
I appreciate that competition for roles is strong, and I'm not suggesting I'm necessarily the best candidate. However, given my background, I'd genuinely appreciate understanding what areas of my profile fell short of your requirements. Any feedback would be valuable for my ongoing job search.
Thank you for your time and consideration.
Kind regards,
Liam Whitaker
The email nags at you. Liam's CV is genuinely strong: 30 years in risk management, 8 in fintech compliance, LSE-educated, FRM-certified. For a Senior Risk Analyst role, he's arguably overqualified.
You open TalentScreen AI. It scored him 72/100, below the 80-point interview threshold. The platform doesn't show why. Just a number.
You export 3 months of rejection data and sort by age. Your stomach drops.
Of 11 rejections this round, 9 candidates over 50 scored below threshold. The factors dragging them down: 'adaptability potential' and 'cultural alignment' — metrics defined nowhere. Zero candidates under 35 were rejected. Not one.
| Candidate | Age | Score | Primary rejection flag |
|---|---|---|---|
| D. Whitaker | 58 | 72 | Adaptability potential (low) |
| M. Petrov | 54 | 69 | Cultural alignment (insufficient) |
| H. Nakamura | 61 | 71 | Adaptability potential (low) |
| A. Balogun | 56 | 68 | Cultural alignment (insufficient) |
| C. Fitzgerald | 52 | 74 | Adaptability potential (low) |
| R. Kowalski | 59 | 70 | Cultural alignment (insufficient) |
| L. Whitaker | 63 | 66 | Adaptability potential (low) |
| S. Hoffmann | 51 | 73 | Cultural alignment (insufficient) |
| P. Chandra | 55 | 71 | Adaptability potential (low) |
| L. Müller | 29 | 68 | Progressed (threshold waived — volume hire) |
| J. Hartmann | 31 | 79 | — |
The export confirms what you suspected. Every rejected candidate over 50 lost points on the same two undefined metrics. Under the AI Act, this is not just a fairness question — it's an Article 13 transparency failure and a potential Annex III high-risk classification issue. The system is making employment decisions it cannot explain.
It's just past 5pm. The office is nearly empty. Interviews for 12 shortlisted candidates are scheduled for Monday morning. You have a spreadsheet showing a pattern that could be coincidence or could be systematic age discrimination.
Email Mark Schroeder to pause Monday's interviews until you investigate
The pattern is concerning enough to warrant a pause. If the tool is discriminating, every interview based on its shortlist is tainted. Mark coordinated 12 candidate schedules — he'll be furious. And you might be wrong.
Add Liam to the shortlist manually and let interviews proceed
Liam clearly deserves an interview. You can fix this one case now, investigate the broader pattern next week. The system will do this again on the next hire, but at least Liam gets a fair shot on Monday.
Go home — you need more data before making accusations
9 out of 11 is a pattern, but it's a small sample. If you raise the alarm and you're wrong, you've undermined a tool the VP championed and damaged your credibility for nothing. Liam has already been rejected — one weekend won't change that.
From: Anna Walsh <anna.walsh@novatech-financial.com>
To: Mark Schroeder <mark.schroeder@novatech-financial.com>
Subject: Urgent: Monday Interview Schedule — Data Review Needed
Mark,
I've found an anomaly in TalentScreen AI's rejection data. I'd rather discuss in person before Monday's interviews proceed.
I know it's late notice. I wouldn't raise it if it weren't important — for the candidates and our compliance position.
Can we meet Monday 8am, before the first slot?
Anna
Anna, I've spent two weeks on these interviews. The panel has blocked their Monday. Three candidates are travelling. You want to blow up the schedule for a 'data anomaly'? This had better be serious.
It is. 8am Monday — I'll have the data ready.
Fine. But I'm not cancelling. We meet at 8, interviews go at 9.
Mark hasn't refused. You've bought the weekend to prepare. Under Article 26 of the AI Act, deployers must monitor for risks to fundamental rights.
Article 6 classifies recruitment AI as high-risk under Annex III. Article 26 requires deployers to monitor output and take action when they identify risks.
You log in and manually add Liam to the shortlist. Amber warning: 'Score (72) below threshold (80). Manual override logged.'
Anna, you added a candidate manually? Whitaker — score 72, below threshold. What happened?
CV is exceptionally strong. The score didn't reflect his qualifications.
If we override the AI, what's the point of using it? Mark won't like this.
It's one candidate. He gets a fair interview.
Fine. But if anyone asks why we're cherry-picking outside the AI's recommendations, that's on you.
Liam gets an interview. You've patched one symptom. The 9 other rejected over-50s won't get an override. Under Article 14, oversight must be effective — systematic, not ad hoc.
Article 14 requires effective human oversight. A single override is an exception, not oversight. Effective oversight is a repeatable process.
Liam Whitaker
Risk Management Professional
Rejected again. 30 years in risk management. 8 in fintech compliance. LSE MSc. FRM certified. No interview.
Not naming the company. But I'm wondering whether 'AI-powered recruitment' is filtering out experience rather than for it.
Anyone else over 50 seeing this?
1,247 likes
Same here. Three rejections in a row, automated screening. 28 years in financial services. Not one interview.
893 likes
I work in HR tech. 'Cultural fit' and 'adaptability' proxies penalise career stability and age. Known problem.
2,341 likes
FT journalist working on AI recruitment bias. Liam, willing to talk? DM open.
You close your laptop and go home. Liam doesn't wait. By Monday, the post has 4,200 reactions, 380 comments. Someone has identified NovaTech.
Mark sees it before you do. He's at your desk by 7:30am.
Article 26 requires deployers to act on identified risks. You identified a pattern and chose not to. Under Article 4 (AI Literacy), in force since February 2025, organisations must ensure staff can recognise and respond to AI risks.
Regardless of what you did on Friday, the situation has converged. Mark Schroeder is at your desk. He's heard — through Sana, through LinkedIn, or through your email — that you've been 'questioning the AI tool.'
His expression is hard to read. He's not hostile, exactly, but he's guarded. He closes your office door and sits down.
Mark was the executive sponsor who brought TalentScreen AI to NovaTech. He presented the business case to the board. He personally reported the 40% reduction in time-to-hire. The tool is, in many ways, his project.
Anna, direct: the tool works. Time-to-hire down 40%. Board cited it last quarter. CFO loves it. Going to blow this up over one complaint?
Not one candidate. I ran the data. 9 of 11 rejected over-50s scored below threshold. Zero under-35s rejected.
We've rejected under-35s — other roles, other rounds. And Liam's been at one company 12 years. Maybe the tool flagged career trajectory, not age.
I'm not saying ignore it. I'm saying — sure you're not seeing a pattern that isn't there? If you're wrong, you've told the board their flagship initiative is discriminatory. Can't un-ring that bell.
Present the data directly — this is age discrimination, intended or not
9 of 11 over-50 rejections on undefined metrics. Article 26 requires monitoring for discriminatory output. As deployers, NovaTech is liable, not the vendor.
Agree with Mark publicly but quietly flag Legal
Mark might be right. But the risk is too high to ignore. Let Legal investigate while interviews proceed.
Accept Mark's explanation — career trajectory, not age
He might be right. 'Adaptability' could correlate with career trajectory. You're not certain. Get Liam an interview and move on.
Mark, on career trajectory — let me show you. Rejection data, age, score, and the two metrics that drove the low scores: 'adaptability potential' and 'cultural alignment.' Neither is defined in the platform docs. I checked.
So?
So we're using a high-risk AI system — recruitment is explicitly high-risk under Article 6 — and can't explain its decisions. If Liam complains, we have no transparency docs.
Vendor said it's compliant.
Vendor's compliance is theirs. Ours, as deployers, is ours. Article 26: monitor for risks to fundamental rights. The question isn't who's right about the cause — it's what we do now the pattern exists.
What are you proposing?
Bring Legal in today. Request the vendor's transparency docs on those metrics. If they can explain it, great. If not, bigger conversation.
Fine. I want to be in the room with Legal. On record that I'm cooperating, not being investigated.
Of course. Not about blame — about getting ahead of this.
Mark shifts from 'you're wrong' to 'what do we do.' Compliance frame, not accusation. The outcome you needed.
The AI Act distinguishes between providers (who build) and deployers (who use). Under Article 26, deployers must monitor output and report incidents. Article 13 requires the system to be transparent enough for deployers to understand.
From: Anna Walsh <anna.walsh@novatech-financial.com>
To: Laura Hartmann <laura.hartmann@novatech-financial.com>
Subject: Confidential: Potential AI Act Compliance Issue — TalentScreen AI
Laura,
A statistical pattern in our AI recruitment tool may indicate age discrimination. 9 of 11 rejected over-50s in the latest round scored below threshold on undocumented metrics ('adaptability potential', 'cultural alignment').
Mark Schroeder thinks it's non-discriminatory. He may be right. But recruitment AI is high-risk under Article 6 — Legal should review independently.
When can we talk?
Anna
Fair point, Mark. Career trajectory could explain some of it. I'll dig more before raising it formally.
Good. Let's not make a crisis from a coincidence. Interviews at 10 — we good?
We're good.
Laura replies within the hour. You have a paper trail. But interviews proceed on a tainted shortlist, and Mark thinks the matter is closed.
Article 26 requires deployers to act on identified risks — not just report while the system runs. Letting it continue can read as knowing tolerance.
You're probably right. Career trajectory is a legitimate signal. I'll make sure Liam gets an interview and we'll keep an eye on the metrics going forward.
That's sensible. Look, I appreciate that you're thorough — that's why you're good at your job. But sometimes a pattern is just a coincidence.
The interviews proceed. Liam is not among the candidates. Three weeks later, Laura Hartmann forwards you an FT article: 'AI recruitment tools under scrutiny as EU AI Act enforcement begins.' Her note: 'Anna — are we exposed here?'
You now have to explain you identified a pattern three weeks ago and accepted Mark's explanation without independent investigation. Intent doesn't matter — the EU's equality framework focuses on discriminatory outcomes, not purpose.
AI systems can discriminate through proxy variables. 'Career stability' correlates with age. Under Article 9, providers and deployers must identify and mitigate these risks. The fact the tool doesn't explicitly use 'age' is irrelevant if the outcome is discriminatory.
Legal is involved. Laura has contacted the vendor. Video call with Patrick Lindqvist, Head of Product.
Patrick, how are 'adaptability potential' and 'cultural alignment' calculated? What data inputs?
Part of our proprietary Talent Compatibility Engine. The weighting is commercially sensitive.
Article 13: high-risk AI must be transparent enough for deployers to understand output. We're the deployers.
We have a compliance summary. I'll send it.
Read it. 'Multi-factor model with role-relevant competency indicators.' Doesn't tell us how 'cultural alignment' is calculated.
I can offer our AI Compliance Audit Package — internal review, 6–8 weeks, EUR 30,000.
Six to eight weeks?
They can't or won't explain their own tool. Article 13 problem — theirs and ours.
A black box. 'Proprietary' isn't a defence under the AI Act. Article 13 requires transparency. The vendor offering to self-audit is a conflict of interest.
Anna, we've invested EUR 200,000 in this platform. The vendor wants EUR 30,000 on top. I've got three open roles we can't fill fast enough. The CFO will ask why time-to-hire went back up. What exactly are you recommending?
Suspend the tool immediately until the vendor provides Article 13 transparency documentation
If you can't explain how it makes decisions, you can't ensure those decisions are lawful. Accept the political cost. NovaTech stops potentially discriminating today, not in 6–8 weeks.
Continue with the tool but add mandatory human review of every AI rejection
Add a human checkpoint: every candidate below threshold gets manual review. Flag any candidate over 50 who fails on 'adaptability' or 'cultural alignment' for senior HR review.
Purchase the vendor's EUR 30,000 compliance audit and continue using the tool
The audit will confirm whether there's a real problem. Six to eight weeks isn't ideal, but it's better than suspending a tool that saves 200 hours per quarter based on an unverified pattern.
Mark, I'm recommending we suspend TalentScreen AI immediately. I'll draft for Laura and the CFO today.
Immediately? 200 applications a month. Back to manual screening — that's 200 hours per quarter I saved us.
Article 99: fines up to EUR 15m or 3% of global turnover. NovaTech's turnover is EUR 340m. 3% is EUR 10.2m.
That's the cap. No regulator fines EUR 10m over a recruitment tool.
Even 1% is EUR 3.4m. Before reputational damage. If the FT runs a story on NovaTech's AI discriminating, what happens to Frankfurt's regulator relationships?
How long?
Until we get reviewable transparency docs. If the vendor can explain it, we turn it back on. If not, we find one who can.
The board will want to know why.
Better from us than from a regulator.
The hardest call, and the most defensible. Mark has a clear path back: suspended pending transparency, not banned.
Article 26 requires deployers to suspend when they identify risks to fundamental rights. Article 99 caps penalties at 3% of turnover. Suspending on first identification is powerful good-faith evidence.
Keep the tool, add mandatory human review. Every rejection reviewed manually. Over-50s below threshold on 'adaptability' or 'cultural alignment' escalate to senior HR.
More work for your team.
Less than a regulatory investigation. We keep screening while we push the vendor.
Reasonable interim. Doesn't fully meet Article 14. Oversight must be effective, not performative — if reviewers rubber-stamp, we're exposed.
Agreed. Reviewers see the AI score only after their own assessment. Blind review first.
Better. We still need vendor transparency. This is temporary.
A pragmatic compromise. You're adding oversight to compensate for a system you can't explain. Article 14 requires full understanding of system capacities — which you lack.
Article 14 requires understanding of output and anomaly detection. Without scoring logic, oversight is pattern detection, not root-cause analysis. Article 13 transparency remains unresolved.
I think the audit is the right path. The vendor knows their system best. Six to eight weeks is manageable.
Anna, I have concerns. We're asking the vendor to audit themselves. That's a conflict of interest.
They have internal compliance people. It's standard practice.
Standard practice that regulators don't accept. If we end up in front of a national authority, 'we paid the vendor to audit themselves' won't inspire confidence.
If the vendor's audit comes back clean — which it almost certainly will — and a regulator later finds the same pattern you found, where does that leave us?
Let's just do the vendor audit and move on.
A self-audit by the vendor is unlikely to find issues with their own product. Meanwhile, the tool continues screening for 6–8 more weeks. Under Article 9, risk management must include independent testing for bias.
Article 9 requires risk management that identifies and mitigates discrimination risks. Self-audits are inherently conflicted. An independent third-party audit is far more defensible with national authorities.
Monday, 8:15 AM
Your Friday email worked. But overnight, things escalated.
Before we start — the board approved Frankfurt expansion on Friday. TalentScreen will handle recruitment across all three offices. Contract signed at 4pm.
That changes the compliance picture significantly. Cross-border deployment of a high-risk AI system triggers additional obligations.
The vendor assured us it's compliant in all EU jurisdictions. Laura signed off. Are you saying the CEO made a mistake?
TalentScreen is now processing candidates across three EU jurisdictions. Mark has board backing. Laura signed the contract. What do you recommend?
Commission an independent conformity assessment under Article 43 and suspend cross-border deployment until complete
Cross-border expansion is a substantial modification. The vendor's self-assessment doesn't transfer. Article 26(5) requires suspension if you have reason to believe it presents a risk.
Implement a human review panel for all AI-rejected candidates while keeping the tool operational
Address the immediate bias risk with Article 14 human oversight. Maintains operational continuity. Review the conformity question in parallel.
Proceed with Frankfurt deployment with enhanced bias monitoring dashboards
The data shows a potential issue, not a proven one. Put monitoring in place to detect problems early rather than disrupting a board-approved expansion.
Mark, Frankfurt is a new jurisdiction. The vendor's self-certification was UK-only. Cross-border use is a substantial modification under Article 43. We need an independent conformity assessment before TalentScreen processes one Frankfurt candidate.
Suspend a tool the board approved 72 hours ago. Know what that conversation looks like?
Compliance doing its job before the German regulator does. BfDI doesn't accept "the vendor said so" as a defence. Potential fine: €15m or 3% of global turnover, whichever is higher.
(pause) How long?
8–12 weeks via an accredited body. Shortlist on your desk by end of day.
Anna, is this as serious as you're saying?
Rather explain a ten-week delay to the board than an investigation to shareholders. Emergency board briefing Thursday.
...Book it. One-page brief Wednesday evening.
You caught the distinction most miss. Self-certification doesn't transfer when context changes. Cross-border = substantial modification. Quantified risk gets board attention.
A high-risk AI system undergoing substantial modification — including new jurisdictions — may need a new conformity assessment. The original covers the original context only. A new EU member state changes regulator, data framework, and risk profile.
Human review panel. Every rejection gets a trained assessor before finalisation. Tool keeps running, no one falls through.
More reasonable. How many hours?
30 hours/quarter across three reviewers. Far less than full manual.
I can live with that. Set it up. Resolves compliance?
Human oversight addresses Article 14, panel approved. But cross-border to Frankfurt may need a fresh Article 43 conformity assessment. Review doesn't fix that.
...Understood. I'll book time this afternoon.
Mark is relieved. Sana caught the gap. Human review addresses symptoms, not whether the system is lawfully deployed in a new jurisdiction. "We added human review" won't satisfy a German regulator.
Human oversight is core for high-risk systems, but one obligation among many. A panel catches discriminatory outputs, can't explain discriminatory logic. Uncertain conformity isn't resolved by oversight alone — Articles 26 and 43 remain.
Frankfurt pipeline filling. 45 candidates in batch one. Dashboards look clean.
Rejection profile?
Haven't dug in. Dashboard says bias indicators normal. Why?
That afternoon, Sana forwards an email. A 54-year-old Frankfurt candidate, scored 68 and rejected, has filed with the Hessian DPA. His lawyer cites the AI Act. He wants to know how "adaptability potential" was calculated and why 22 years of banking scored below graduates with two.
Anna, I need TalentScreen's scoring transparency docs. The lawyer gave us 14 days. Do we have them?
...No.
Commercial pressure won. You expanded a possibly discriminatory system to a new jurisdiction, hoping dashboards would catch what you'd already identified. They measured what TalentScreen chose to surface — not the metrics driving the bias. Article 26(5): suspend on reason to believe. You had that reason two weeks ago.
Deployers with reason to believe a high-risk system presents a risk must suspend and inform the provider. "Enhanced monitoring" doesn't qualify. The UK age-bias pattern was that reason — and it followed the tool to Frankfurt.
Wednesday, 2:00 PM — The Vendor Pushes Back
Our legal team reviewed Article 6. TalentScreen recommends — it doesn't decide. Under Article 6(3), we're not high-risk.
Article 6(2) references Annex III directly — which lists "AI systems intended to be used for recruitment" without qualifying the automation level.
We have clients in 14 EU countries. None have raised this. Your own legal team signed off on our compliance pack.
The board meets Thursday. If we suspend, I explain why we're back to manual screening at 200 hours per quarter.
The vendor claims they're not high-risk. Your legal counsel agreed six months ago. The board meets tomorrow. What do you recommend?
Present a formal risk assessment to the board — recommend a 90-day compliance programme with independent audit
Accept the commercial cost. The vendor's Article 6(3) argument has merit but creates unacceptable risk if a regulator disagrees. A fundamental rights impact assessment under Article 27 is required regardless.
Keep TalentScreen but require human review of ALL decisions, plus quarterly bias audits
Pragmatic middle ground. Human review satisfies Article 14, bias audits demonstrate diligence. The board keeps their tool, candidates get oversight. Not perfect, but defensible.
Accept legal counsel's position that TalentScreen is "decision-support" and not high-risk — document your concerns formally
Your legal team cleared it. The vendor has 14 EU clients. Maybe the Article 6(3) interpretation is correct. Document concerns to protect yourself, but don't blow up a board-approved strategy.
Let me get this right. You want the board to approve a 90-day pause on a tool I signed off last week.
I'm asking the board to protect a €340m company from a €15m regulatory action. The tool works. Question is whether it works lawfully across three jurisdictions. We can't prove it does.
And the vendor's not-high-risk position?
Article 6(3) has arguable merit. But if a regulator disagrees — and the AI Office has flagged recruitment for early scrutiny — we bear deployer risk, not them. Audit settles it before they ask.
For the record, overcautious. But I get it.
(to board) Approving the 90-day programme. Weekly progress reports. Assessor name on my desk Friday.
You chose compliance over convenience, even with your legal counsel disagreeing and the CEO hostile. Quantified risk turned Laura's anger to respect. The 90-day programme with independent audit is the position you want when the regulator calls.
Deployers of high-risk AI in employment must conduct a fundamental rights impact assessment before deployment. Deployer obligation, regardless of provider claims. An independent audit creates a defensible record.
Keep TalentScreen with two conditions: mandatory human review of every decision, plus quarterly external bias audits. Tool stays, candidates protected.
I can sell that. Efficiency gains plus oversight.
Approved. First audit done before Frankfurt opens in Q3.
Board accepts. Six months later, the European AI Office launches a sector-wide inquiry into recruitment AI. They want conformity docs, fundamental rights impact assessments, and Article 13 transparency evidence.
Review logs and audits help — good faith. But they're asking for a conformity assessment and FRIA we never did. 30 days.
Pragmatic, not bulletproof. Review plus audits shows diligence. But it ducks the question: is this lawfully deployed? You bought time, not compliance.
Human oversight addresses output risk, not systemic compliance. "We reviewed every decision" doesn't replace conformity docs (Article 43) or a FRIA (Article 27). The compromise reduces harm, not legal exposure.
Three months ago you documented your concerns to Sana. Filed it. TalentScreen kept running across three offices. 73% of rejected over-50s still scored low on "adaptability." You saw the quarterly. You said nothing.
The European AI Office opens an investigation across financial services recruitment AI. NovaTech is on the list. Sana calls an emergency meeting.
They want everything. Conformity, FRIA, transparency, deployment logs. 60 days. Anna — what do we have?
Vendor's compliance pack. My memo flagging concerns three months ago.
You identified a risk, documented it, and let it run three more months. That memo doesn't protect us. It proves we knew.
How did we get here?
CYA is not compliance. The memo protects you personally — but it harms the organisation as a paper trail of known, unaddressed risk. "Legal said it was fine" isn't a defence when deployers carry independent duties. Every candidate processed after your memo is one NovaTech knowingly exposed.
Deployers carry independent obligations. Deferring to the vendor's legal view doesn't discharge them. Documented risk plus continued deployment is the worst regulatory position: proven knowledge. The Act doesn't accept "I wrote a memo" as mitigation.
In the previous situation, the key issue was recognising that TalentScreen AI processes job applications.
Article 6 classifies AI in employment as high-risk. This triggers: human oversight (Art. 14), transparency (Art. 13), data governance (Art. 10), and risk management (Art. 9).
As a deployerDeployerAn organisation that uses an AI system under its authority — as opposed to the provider who built it. Under the AI Act, deployers carry their own compliance obligations., NovaTech has independent obligations under Article 26 — even if the vendor claims compliance.
Remember: TalentScreen is high-risk under Article 6. You have obligations under Article 26.
Monday morning. Mark pushes back — the tool saved 200 hours/quarter. What do you do about the bias pattern?
Present the bias data and recommend pausing the tool until the vendor provides transparency documentation
Article 26(5) says deployers must suspend if they believe there's a risk. The data suggests age discrimination. Article 13 documentation should explain how the tool decides.
Add a human reviewer to check all AI rejections before they're finalised
Human oversight (Article 14) is required for high-risk systems. This catches discriminatory rejections before they affect candidates.
Wait for more data — one pattern doesn't prove discrimination
Maybe the pattern is coincidental. Acting too quickly could damage your relationship with the board.
Mark, look at this. 9 of 11 rejected over-50s scored below threshold. Zero under-35s rejected. The two drivers — "adaptability potential" and "cultural alignment" — aren't defined anywhere in vendor docs.
Saved us 200 hours last quarter. You want me to tell the board we're pausing over a spreadsheet?
Tell them we caught age discrimination before a candidate's lawyer did. Article 26: suspend on reason to believe. This data is that reason.
(silence) ...How long?
Until we get Article 13 transparency docs. If they explain it cleanly, turn it back on. If not — we dodged a bullet.
Fine. You present to Laura. Have the maths ready.
Mark agrees, reluctantly. The "lawyer finds it first" framing landed. Tool paused. You have the weekend to prep Laura's brief.
A deployer with reason to believe a high-risk system risks health, safety or rights must suspend it and inform the provider. 9 of 11 over-50s rejected on undefined metrics is that reason. Article 13 transparency docs are the right next step.
Add a human reviewer for every rejection. No candidate screened out without a person confirming.
Reasonable. We keep the tool, candidates get a second look. How fast?
End of week. Three trained reviewers, rotating.
Good. Problem solved.
The panel catches three more rejections in two weeks — all over 45, all low on "adaptability." Reviewers override and advance them. But: they see that the tool rejects, not why. Symptoms, not logic.
A safety net under a bridge we're not sure is sound. We still can't say how "adaptability potential" is calculated.
Human review covers Article 14 and catches individual cases. The system stays a black box. Without Article 13 transparency, you can override outputs but can't explain logic.
Oversight is a core requirement — the instinct is right. But Article 14 works alongside Article 13 (transparency), not instead. A reviewer who can override but not understand can't spot systemic discrimination vs individual errors.
12 new candidates. 3 rejections — all over 50. All low on "adaptability potential." The pattern isn't one. It's two.
You pull the full data. Two months in: 14 of 16 rejected over-50s scored low on the same opaque metric. Zero under-35s rejected. You open LinkedIn and freeze.
Seen Liam Whitaker's LinkedIn post? 400 comments. "A Dublin fintech using AI to screen out experienced candidates." His ex-Barclays colleague just shared it.
I saw it.
Laura wants a meeting. Today. She wants to know what we knew and when.
...I flagged it two weeks ago. I was waiting for more data.
To ME. And I told you to wait. Laura will ask why neither of us escalated.
Waiting wasn't compliance. 9 of 11 was a pattern; 14 of 16 is a crisis. Every day you waited, more candidates were potentially discriminated against. Article 26(5) required action, not a perfect dataset.
The threshold is "reason to believe", not proof beyond doubt. 9 of 11 in a protected category, on an unexplained metric, IS reason to believe. The Act requires you to protect fundamental rights on credible evidence — not a peer-reviewed study.
Deployers and providers have separate obligations. Even if TalentScreen claims compliance, NovaTech has its own duties:
Article 26: Deployers must use the system per instructions, ensure human oversight, monitor risks, keep logs, and suspend if there's a risk.
The vendor saying "we're compliant" doesn't discharge YOUR obligations.
Remember: As deployer, NovaTech has independent obligations under Article 26.
The vendor wants €30,000 for a transparency audit. Mark says the CFO won't approve it. What do you recommend?
Suspend the tool until the vendor provides proper documentation
The potential fine (up to €15M or 3% of turnover) far exceeds manual screening costs. Article 26(5) requires suspension if you believe there's a risk.
Keep the tool but add human review of every rejection and document everything
Addresses immediate risk. Human review satisfies Article 14. Documentation shows good faith.
Do nothing — the vendor has 14 EU clients and none have had issues
Maybe you're overreacting. The vendor seems confident and your legal team cleared it.
CFO won't approve €30,000 for an audit we might not need. Now you want to suspend? Back to 200 hours of manual screening.
Different numbers. Fine: up to €15m or 3% of global turnover. NovaTech turnover €340m. 3% is €10.2m. Manual screening: £48,000/year. Which one do you want to take to the CFO?
(pause) ...You've done the maths.
I've drafted a one-pager for Laura. Temporary suspension while we require Article 13 docs. Four to six weeks back online if they comply. If not, we find a vendor who can explain its own system.
Four to six weeks I can live with. €15m I cannot. Send the brief — I'll co-sign.
Suspension is the right call. £48k manual vs €10.2m fine isn't a close decision. Tool paused, candidates protected. Framed as temporary — vendor has a clear path back.
Suspension isn't punishment — it's risk management. The Act requires it when deployers have reason to believe a system risks fundamental rights. Manual cost is always lower than enforcement cost. Frame it as a business decision, not a compliance lecture.
Panel overrode 7 of 43 rejections in three weeks. All seven over 45. All low on "adaptability." Reviewers catching the worst.
Mark is satisfied. Board sees proactive oversight. Unfairly-rejected candidates get interviews. On paper, responsible.
Panel works. Seven bad decisions caught. Success.
We caught seven outputs. We still don't know why the system makes them. A regulator gets override logs, not the AI's logic.
Isn't that the vendor's problem?
...That's what I'm not sure about.
Review plus docs beats nothing. Outputs caught, good-faith audit trail. But the underlying system is unchanged — you're filtering decisions, not fixing logic. If a regulator finds the system non-compliant, workarounds don't cover conformity.
High-risk systems need sufficient transparency for deployers to interpret outputs. If you can't explain "adaptability potential", no number of reviewers fixes it. Oversight without understanding is damage limitation, not compliance.
Two months of silence. TalentScreen keeps processing. You stopped checking. Vendor has 14 EU clients. Legal cleared it. Maybe you were overreacting.
Seen LinkedIn? Whitaker just posted a 1,200-word essay on age discrimination in fintech hiring. Names AI screening, not us — but the details are unmistakable. 2,000 reactions already.
Reading it now.
Devastating. 22 years of banking experience, a stellar track record, rejected on "adaptability potential" of 31/100. An FT journalist has already DM'd. By lunch: 8,000 reactions and three former NovaTech candidates with similar stories.
Did we know about this? Any indication the tool was discriminating?
(silence)
...I spotted a pattern two months ago. I decided to wait for more data.
You knew. Two months. And it kept running.
"Everyone else does it" was never a defence. The vendor's other clients aren't being named by a candidate with 15,000 LinkedIn followers. Legal's clearance was based on incomplete information. Under the Act, ignorance you could have corrected isn't a defence — and you had the data two months ago.
The Act imposes independent obligations on deployers. "Vendor has 14 EU clients" and "Legal cleared it" aren't defences when you have evidence of risk. Inaction on known risk is itself a failure. Viral LinkedIn, FT interest, candidates comparing notes — reputational damage compounds regulatory exposure.
The decisions you made as Anna Walsh rippled outward — to Liam Whitaker, to NovaTech's board, to the next 200 candidates. Here's what happened.
Article 4
AI Literacy
Article 6 + Annex III
High-Risk Classification
Article 9
Risk Management
Article 13
Transparency
Article 14
Human Oversight
Article 26
Deployer Obligations
Article 50
Transparency for Users
Article 99
Penalties
Ask your L&D team to share the team leaderboard from your LMS dashboard. Can your department beat the rest?
In Module 2, you're Danielle Rossi, Marketing Manager at NovaTech. A journalist has a 48-hour deadline. The chatbot has been over-promising. No disclosure policy in place.
Supplemental Resource
A printable summary of the key articles covered in this course — Articles 4, 6, 9, 14, 26, 50, and 99. Save as PDF for offline reference.
Module 1 Complete
You navigated the compliance dilemma. Try a different path to see how it changes.