AI Governance Checklist for HR: 4 Levels and 7 Risk Domains for DACH (2026)

By Jürgen Ulbrich

A well-designed AI governance checklist for HR creates shared guardrails, not new bureaucracy. It makes clear who decides which AI questions, what documentation is mandatory per deployment, and what transparency towards employees looks like in practice. From 2 August 2026, the EU AI Act's obligations for high-risk AI systems apply, and the HR use cases listed in Annex III (recruiting and selection, performance evaluation, promotion and termination decisions) fall into that class. This guide provides a structured approach with 4 maturity levels and 7 risk domains specifically for DACH companies.

Why HR needs its own AI governance checklist in 2026

AI tools are already part of everyday HR work: application screening, performance analytics, learning platforms with personalised recommendations. What many HR teams underestimate: several of these systems fall under the EU AI Act as high-risk AI (Annex III, point 4: employment, workers' management and access to self-employment). From 2 August 2026, the documentation, logging, human-oversight and transparency obligations for high-risk systems apply to HR AI that is intended to recruit or select candidates, or to take or support decisions on promotion, termination, task allocation or performance evaluation (Source: enkaconsulting.de). Classification follows the intended purpose, not the technology: a learning platform that only recommends courses is not automatically high-risk, a tool that ranks applicants is.

DACH adds a further layer: under § 87 Abs. 1 Nr. 6 BetrVG, the Betriebsrat (works council) has co-determination rights for the introduction of technical systems capable of monitoring employee behaviour or performance. The EU AI Act strengthens this position because the technical documentation it requires for high-risk systems is exactly what a works council needs for informed negotiation. Early documentation prevents late-stage conflicts.

Add to that the GDPR: every HR AI deployment that processes personal employee data and poses a high risk to individuals triggers a Data Protection Impact Assessment under GDPR Article 35. A functioning AI governance checklist for HR therefore integrates three layers: EU AI Act, GDPR and BetrVG.

The 4 maturity levels: where does your organisation stand?

Before working through a checklist, an honest baseline assessment pays dividends. Based on work with HR teams across DACH, four typical maturity levels emerge. According to research by witness.ai, around 14% of organisations are still at Level 1, while only about 11% have reached fully embedded Level 4 — most organisations are stuck at Level 2.

Level 1 – Ad hoc
  Characteristics: AI tools are tested spontaneously. No inventory, no policy, no clear owner.
  Typical HR AI situation: Recruiters use ChatGPT for job ads; IT is unaware. No DPA with the vendor.
  Next step: Inventory all AI tools in use. Draft a one-page policy: approved / requires approval / prohibited.

Level 2 – Emerging
  Characteristics: First policies in place but enforcement inconsistent. Some DPAs and DPIAs exist, coverage is patchy.
  Typical HR AI situation: Recruiting tool has DPA and DPIA. Performance software runs without equivalent review. Works council not systematically involved.
  Next step: Introduce a standard intake process: every new HR AI system goes through the same review path (risk class → DPIA → DPA → works council).

Level 3 – Managed
  Characteristics: Cross-functional AI committee (HR, IT, Legal, works council). Each system has a documented use-case owner. Governance KPIs are reported.
  Typical HR AI situation: Bias tests for recruiting and performance run quarterly. Works council sits on the steering group. Outcomes feed into performance goals.
  Next step: Report governance metrics to leadership alongside recruiting and performance KPIs. Standardise works agreements instead of renegotiating per tool.

Level 4 – Optimised
  Characteristics: Governance is part of how HR operates. Automated audits, continuous monitoring, external reviews. Lessons from incidents feed back into standards.
  Typical HR AI situation: Fairness dashboards run in real time. Every vendor contract includes AI-specific audit clauses. HR co-sets company-wide AI standards.
  Next step: Systematically incorporate incident learnings into training and templates. Annual external review.

The 7 risk domains: AI governance checklist for HR at a glance

The following overview shows the seven areas a complete AI governance checklist for HR must cover — and what action is required in each.

1. Strategy & use-case prioritisation
  What to check: Are all HR AI deployments documented? Is there a prioritised roadmap with owners and success metrics?
  DACH specifics: Without a clear use-case owner, the deployer's human oversight obligation (EU AI Act Art. 26(2): oversight assigned to named people with the competence and authority to intervene) cannot be met in practice.

2. Data protection & privacy
  What to check: Is a DPA in place for every HR AI vendor? Has a DPIA under GDPR Art. 35 been completed? Are data fields limited to what is necessary?
  DACH specifics: GDPR and EU AI Act overlap: every high-risk HR system needs a DPIA under GDPR Art. 35. The fundamental rights impact assessment under EU AI Act Art. 27 is mandatory only for deployers that are public bodies or provide public services, and for credit-scoring and life/health insurance uses, so most private employers are not obliged to run one; covering its questions inside the DPIA is nevertheless good practice.

3. Fairness, bias & non-discrimination
  What to check: Are screening and matching tools tested for disparate impact by gender, age and other protected characteristics? Is a remediation process defined?
  DACH specifics: AGG compliance is mandatory. Automated recruiting without documented bias testing creates significant liability risk under German equal-treatment law.

4. Employee experience & change management
  What to check: Do employees know which AI systems affect them, what decisions they can influence and what their rights are? Are structured training and feedback channels in place?
  DACH specifics: Transparency obligations under EU AI Act Art. 26(7) and 26(11): employers must inform affected workers and their representatives before putting a high-risk system into service at the workplace, and individuals subject to its decisions must be told that the system is used.

5. Works council & co-determination
  What to check: Was the works council involved early? Do works agreements exist for all relevant systems? Is the works council represented on the steering group?
  DACH specifics: § 87 Abs. 1 Nr. 6 BetrVG: works council consent required before introducing systems capable of monitoring employees. Consistent BAG case law confirms a broad interpretation for digital tools.

6. Tooling, vendors & contracts
  What to check: Do contracts cover AI-specific risks (model changes, explainability, bias tests, audit rights)? Is a vendor due-diligence process established?
  DACH specifics: The EU AI Act separates the provider (responsible for conformity assessment) from the deployer (Betreiber, often rendered as operator), who bears independent obligations under Art. 26. Deploying organisations cannot rely on vendor compliance alone.

7. Monitoring, incidents & continuous improvement
  What to check: Are KPIs defined for each AI deployment? Is there an incident process? Do lessons from incidents feed back into policies and training?
  DACH specifics: High-risk systems must log events automatically (EU AI Act Art. 12); the deployer must keep those logs for at least six months (Art. 26(6)) and monitor operation according to the instructions for use, reporting serious incidents to the provider (Art. 26(5)). Not voluntary quality management but a legal obligation.

Risk domain 1: Strategy & use-case prioritisation

Good AI governance in HR starts not with a compliance document but with a clear answer to the question: which AI systems do we use, for what purpose, with what goal, and under whose accountability? Without a maintained AI inventory, none of the other six risk domains can be addressed properly.

  • Create an HR AI inventory: tool, use case, data fields, EU AI Act risk class, owner.
  • Prioritise use cases by impact, risk and effort — not by vendor pitch schedule.
  • Define which AI ideas require committee sign-off before pilots start.
  • Connect your AI roadmap to your skill management strategy and DEI goals.
  • Name a use-case owner per system who is accountable for KPIs and compliance.

Risk domain 2: Data protection & privacy (GDPR)

Every HR AI deployment that processes personal employee data and is likely to pose a high risk to individuals triggers a Data Protection Impact Assessment under GDPR Art. 35. The EU AI Act's fundamental rights impact assessment (Art. 27) is a broader concept covering impacts on non-discrimination, equal opportunity and access to effective remedy, not only data privacy. It is mandatory only for deployers that are public bodies or provide public services, and for credit-scoring and life/health insurance uses (Annex III, points 5(b) and (c)). A private DACH employer is therefore usually not obliged to perform one, but extending the DPIA to these questions costs little and produces exactly the material the works council will ask for anyway.

According to the teamazing practical guide, organisations should maintain a complete eight-document compliance package per AI deployment: legal basis (GDPR Art. 6), DPIA (GDPR Art. 35), DPA, EU AI Act risk classification, technical documentation (Annex IV), AIBOM, works agreement (§ 87 BetrVG) and NIS2 supply-chain note.

  • Run DPIAs for all high-risk HR systems — before go-live, not after.
  • Review DPAs: do they cover AI processing, sub-processors and model training on employee data?
  • Limit personal data fields in prompts and training data to what is necessary; avoid free-text where structured fields suffice.
  • Document retention and deletion rules for AI logs, prompts and outputs.
  • Inform employees about AI use and their rights: transparency obligations under GDPR Art. 13/14 and, for high-risk systems, EU AI Act Art. 26(7) (inform workers and their representatives before use) and Art. 26(11) (inform individuals subject to the system's decisions).
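The data-minimisation bullets above (allowlisted fields, no unnecessary free text, no identifiers in prompts) can be enforced in code before any applicant data reaches a vendor. The following is an added example, not code from the article or from any vendor: it assumes the applicant record arrives as a dict from the ATS, that the field allowlist mirrors what the DPIA approved, and that the redaction patterns are illustrative starting points rather than a complete PII detector.

```python
"""Data-minimised prompt building for an external HR AI screening service.

Added example, not code from the article or any vendor. Assumptions: the
applicant record is a dict from the ATS, ALLOWED_FIELDS reflects what the
DPIA approved, and the redaction patterns are illustrative; review both
against your own DPIA before use.
"""
from __future__ import annotations

import re

# Fields the DPIA approved for the screening prompt (assumed allowlist).
ALLOWED_FIELDS = ("application_id", "role_applied", "years_experience",
                  "skills", "cover_letter")

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_DATE = re.compile(r"\b\d{1,2}\.\d{1,2}\.\d{2,4}\b")        # e.g. 12.03.1989
_DIGIT_RUN = re.compile(r"\+?\d[\d\s()/-]{6,}\d")            # candidate phone numbers


def _phone_sub(match: re.Match) -> str:
    # A digit run is treated as a phone number only if it has 9+ digits, so a
    # date range such as "2019-2023" survives while "+49 170 1234567" is masked.
    digits = sum(ch.isdigit() for ch in match.group())
    return "[PHONE]" if digits >= 9 else match.group()


def redact_free_text(text: str, name_tokens=()) -> str:
    """Mask e-mail addresses, the applicant's own name, dates and phone numbers."""
    text = _EMAIL.sub("[EMAIL]", text)
    # Scrub the structured name field's tokens from free text (case-insensitive).
    # Short tokens are skipped so common words are not mangled.
    for token in name_tokens:
        if len(token) >= 3:
            text = re.sub(re.escape(token), "[NAME]", text, flags=re.IGNORECASE)
    text = _DATE.sub("[DATE]", text)
    text = _DIGIT_RUN.sub(_phone_sub, text)
    return text


def minimise_record(record: dict, allowed=ALLOWED_FIELDS):
    """Return (minimised copy, sorted list of dropped field names).

    Fields outside the allowlist are dropped, never forwarded; string fields
    that remain are redacted using the dropped name field as extra knowledge.
    """
    name_tokens = str(record.get("name", "")).split()
    kept, dropped = {}, []
    for key, value in record.items():
        if key not in allowed:
            dropped.append(key)
            continue
        kept[key] = redact_free_text(value, name_tokens) if isinstance(value, str) else value
    return kept, sorted(dropped)


def build_prompt(record: dict) -> str:
    """Assemble the vendor prompt from the minimised record only."""
    data, _ = minimise_record(record)
    body = "\n".join(
        f"{key}: {', '.join(value) if isinstance(value, list) else value}"
        for key, value in data.items()
    )
    return "Assess fit for the role using only the fields below.\n" + body


# Constructed sample applicant, not real data.
SAMPLE_APPLICANT = {
    "application_id": "A-1042",
    "name": "Max Mustermann",
    "email": "max.mustermann@example.org",
    "phone": "+49 170 1234567",
    "date_of_birth": "12.03.1989",
    "role_applied": "Backend Engineer",
    "years_experience": 7,
    "skills": ["Go", "Kubernetes", "PostgreSQL"],
    "cover_letter": ("Born 12.03.1989 in Berlin. Reach me at max.mustermann@example.org "
                     "or +49 170 1234567. Backend work 2019-2023 at a fintech. "
                     "Regards, Max Mustermann"),
}

if __name__ == "__main__":
    print(build_prompt(SAMPLE_APPLICANT))
```

The allowlist does the heavy lifting: anything the DPIA did not approve never leaves the function, and the dropped list can be written to the deployment's audit log. The regex pass is a safety net for identifiers that slip into free text, not a substitute for structured fields.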

Risk domain 3: Fairness, bias & non-discrimination

Automated decisions in recruiting, performance and internal mobility can reproduce or amplify existing inequalities. The AGG (Allgemeines Gleichbehandlungsgesetz — Germany's equal treatment act) prohibits discrimination on grounds of gender, age, ethnic origin and other protected characteristics. AI-supported processes are not exempt. The EU AI Act additionally requires ongoing monitoring for adverse impact in high-risk systems.

  • Test screening and matching tools for disparate impact by gender, age and other AGG-protected characteristics.
  • Require vendors to disclose bias-testing methods and results — as a contract term, not a courtesy.
  • Define thresholds: at what deviation rate does a system get paused or adjusted?
  • Document remediation steps (threshold adjustment, additional human review).
  • Provide appeal channels for candidates and employees who feel treated unfairly.
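The first three bullets (disparate-impact test, threshold, pause-or-adjust decision) can be run as a recurring job over the screening tool's outcomes. The following is an added example, not code from the article or from any vendor: it assumes an ATS export with one record per applicant carrying the protected attribute and a boolean "selected", and it uses the 0.8 impact-ratio threshold (the US four-fifths rule) and a minimum group size of 30 as illustrative defaults, not as AGG requirements.

```python
"""Disparate-impact check on the outcomes of an AI screening tool.

Added example, not code from the article or any vendor. Assumptions: one
record per applicant with the protected attribute and a boolean "selected";
the 0.8 threshold and min_group_size=30 are illustrative defaults that the
governance policy must set and document explicitly.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupStats:
    applicants: int
    selected: int

    @property
    def rate(self) -> float:
        """Selection rate; 0.0 for an empty group."""
        return self.selected / self.applicants if self.applicants else 0.0


def selection_rates(records, attribute):
    """Count applicants and selections per value of a protected attribute."""
    counts = defaultdict(lambda: [0, 0])
    for rec in records:
        counts[rec[attribute]][0] += 1
        counts[rec[attribute]][1] += int(bool(rec["selected"]))
    return {group: GroupStats(n, k) for group, (n, k) in counts.items()}


def flag_disparate_impact(records, attribute, threshold=0.8, min_group_size=30):
    """Compare each group's selection rate with the best-performing group.

    Groups below min_group_size are reported separately instead of flagged:
    a ratio computed from five applicants is noise, not evidence, and should
    trigger data collection rather than a pause of the system.
    """
    stats = selection_rates(records, attribute)
    sized = {g: s for g, s in stats.items() if s.applicants >= min_group_size}
    insufficient = sorted(g for g in stats if g not in sized)
    if not sized:
        return {"reference": None, "ratios": {}, "flagged": [],
                "insufficient_data": insufficient}
    reference = max(sized, key=lambda g: sized[g].rate)
    ref_rate = sized[reference].rate
    ratios = {g: (s.rate / ref_rate if ref_rate else None) for g, s in stats.items()}
    flagged = sorted(g for g in sized
                     if g != reference and ratios[g] is not None and ratios[g] < threshold)
    return {"reference": reference, "ratios": ratios, "flagged": flagged,
            "insufficient_data": insufficient}


def _make_records(spec):
    """Expand (gender, age_band, applicants, selected) tuples into records."""
    records = []
    for gender, age_band, n, k in spec:
        for i in range(n):
            records.append({"gender": gender, "age_band": age_band, "selected": i < k})
    return records


# Constructed screening outcomes, not real data.
SAMPLE_RECORDS = _make_records([
    ("female", "under_40", 100, 30),
    ("male", "under_40", 100, 40),
    ("female", "40_plus", 60, 12),
    ("male", "40_plus", 60, 20),
    ("diverse", "under_40", 5, 1),
])

if __name__ == "__main__":
    for attribute in ("gender", "age_band"):
        result = flag_disparate_impact(SAMPLE_RECORDS, attribute)
        print(attribute, "reference group:", result["reference"])
        for group, ratio in result["ratios"].items():
            print(f"  {group:10s} impact ratio {ratio:.2f}")
        print("  flagged:", result["flagged"],
              "insufficient data:", result["insufficient_data"])
```

Run quarterly (or per hiring campaign), a flagged group is the trigger for the remediation steps in the next bullet: additional human review of that group's rejections, a threshold adjustment, or a pause of the tool. Keep the output together with the data extract as evidence for the works council and for an AGG dispute; a check that was run but not documented is worth little.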

Risk domain 4: Employee experience & change management

Even technically sound AI systems fail when employees do not understand what the AI does, what it cannot decide, and what rights they have. Trust is not a nice-to-have; it is a prerequisite for governance standards to be followed in practice. HR teams should invest in targeted AI training to build in-house competence before new systems go live.

  • Explain every AI use case in plain language: purpose, limits, human override option.
  • Provide role-specific AI training for employees before AI-driven processes become mandatory.
  • Measure sentiment after AI rollouts — short pulse surveys, not annual questionnaires.
  • Maintain an FAQ log with recurring employee questions and official answers.
  • Establish feedback channels that are active before complaints arrive.

Risk domain 5: Works council & co-determination (Betriebsrat)

In German companies with a works council, early involvement is a legal obligation, not a recommendation. Under § 87 Abs. 1 Nr. 6 BetrVG, co-determination rights apply to the introduction of technical equipment capable of monitoring the behaviour or performance of employees. Consistent BAG case law interprets this broadly — digital monitoring features in HR platforms generally fall within its scope.

The EU AI Act strengthens the works council's position: the technical documentation required for high-risk systems (Annex IV) contains exactly the information — functionality, training data, limitations, oversight concept — that a works council needs for informed negotiation.

  • Clarify with Legal when § 87 BetrVG is triggered for a specific AI tool — in doubt, involve the works council early.
  • Share concepts and DPIAs with the works council at the idea stage, not after purchase.
  • Document consultation steps and agreements for every relevant AI system.
  • Include the works council in evaluating pilot results and employee feedback.
  • Develop a standard works agreement framework for HR AI systems rather than renegotiating case by case.

Risk domain 6: Tooling, vendors & contracts

Vendors are not neutral service providers; they are part of your AI risk surface. The EU AI Act distinguishes between the provider (responsible for conformity assessment and CE marking) and the deployer (Betreiber, often rendered as operator), who carries its own obligations under Art. 26: human oversight, control over input data, log retention, monitoring, and informing workers. An HR organisation deploying a high-risk AI system cannot shelter behind vendor compliance.

  • Create a vendor checklist covering security, data use, explainability, bias testing, EU hosting and AI Act readiness.
  • Require AI-specific contract clauses: notification of model changes, audit rights, incident duties, DPA templates.
  • Ask vendors how they support works council processes and GDPR obligations (DPIA templates, DPAs).
  • Align procurement, IT security and HR on a shared rating scheme for AI vendors.
  • Review vendor performance against governance KPIs annually.

Risk domain 7: Monitoring, incidents & continuous improvement

Governance does not end at go-live. Under the EU AI Act, high-risk systems must log events automatically (Art. 12); the deployer must keep those logs for at least six months (Art. 26(6)), monitor operation according to the provider's instructions for use and report serious incidents to the provider and the market surveillance authority (Art. 26(5)). Post-market monitoring (Art. 72) is the provider's duty, but it depends on the deployer feeding back what it sees. This is not voluntary quality management but a legal obligation. From practice: teams with functioning incident monitoring identify governance problems early and resolve them at significantly lower cost than after an external audit.

  • Define 3–5 KPIs per AI deployment (e.g. time-to-hire, diversity rate, complaint rate).
  • Define what counts as an "AI incident" — and who leads the response.
  • Schedule quarterly reviews of HR AI dashboards and incident logs.
  • Feed incident learnings into policies, templates and AI training programmes.
  • Annual revision: reassess maturity level and incorporate new AI regulation.

The 8-document package: what must be on file per HR AI deployment

For every HR AI system processing employee data, a complete compliance package should be in place. This package forms the basis for GDPR audits, works council consultations and EU AI Act evidence (teamazing practical guide).

  • Legal basis for data processing. Legal basis: GDPR Art. 6 (for employee data in Germany also § 26 BDSG). Owner: Data Protection Officer (DPO).
  • Data Protection Impact Assessment (DPIA). Legal basis: GDPR Art. 35. Owner: DPO + HR.
  • Data Processing Agreement (DPA). Legal basis: GDPR Art. 28. Owner: Legal + HR.
  • EU AI Act risk classification. Legal basis: EU AI Act Art. 6 and Annex III. Owner: HR + IT + Legal.
  • Technical documentation (high-risk systems). Legal basis: EU AI Act Annex IV, drawn up by the provider; the deployer keeps the instructions for use and its own oversight records. Owner: IT + vendor.
  • AIBOM (AI bill of materials). Legal basis: no statutory term; supports the Annex IV documentation and the NIS2 supply-chain duties. Owner: IT.
  • Works agreement (Betriebsvereinbarung). Legal basis: § 87 Abs. 1 Nr. 6 BetrVG. Owner: HR + works council.
  • NIS2 supply-chain note (if applicable). Legal basis: NIS2 Directive. Owner: IT Security.

Implementation in 7 steps

AI governance must be pragmatic enough that you can start tomorrow — but structured enough to withstand GDPR audits, co-determination requirements and EU AI Act scrutiny.

  • Step 1 — Quick self-assessment: Rate the current state per risk domain with a small group (HR, IT, Legal, works council). No wordsmithing — one or two pieces of evidence per rating are enough.
  • Step 2 — Set target levels: Decide where you want to be in 12–24 months. Example: Level 3 on data protection and works council, Level 2 on monitoring.
  • Step 3 — Prioritise gaps: Pick 2–3 gaps with high risk or visibility — for example missing DPIAs for existing tools or absent bias checks in recruiting AI.
  • Step 4 — Align partners: Co-create action plans with IT, Legal and the works council. Clarify owners, timelines and documentation needs (DPA templates, works agreements, DPIA registry).
  • Step 5 — Connect to skills: Integrate AI governance competencies into learning paths and development plans. Track maturity-level progress as a development goal.
  • Step 6 — Embed in systems: Add governance checkpoints to existing workflows: vendor RFPs, HRIS change requests, performance calibration, promotion committees.
  • Step 7 — Review annually: Evaluate incidents, audits and employee feedback. Update level descriptions, checklists and training content accordingly.

Regular check-in formats

Even the best AI governance checklist for HR becomes a static PDF without live review formats behind it.

Format 1 — Monthly HR AI huddle (45–60 minutes): Quickly rate one HR AI system across the seven domains. Gaps become follow-up actions.

Format 2 — Semi-annual cross-functional calibration: HR, IT, Legal, DPO and works council jointly review 3–5 core systems (ATS, performance platform, learning system). Each function brings evidence.

Format 3 — Incident drills: Once per year, simulate a data leak or a biased outcome. Walk through the playbook: notification to DPO and works council, communication to employees and, where personal data is affected, the 72-hour notification to the supervisory authority under GDPR Art. 33; for a serious incident involving a high-risk system, the report to the provider and the market surveillance authority under EU AI Act Art. 26(5).

  • Timebox sessions and focus on evidence, not opinions.
  • Rotate facilitation so AI governance knowledge spreads across the team.
  • Capture decisions and owners directly in the performance or talent system.
  • Share non-sensitive learnings company-wide to build transparency and trust.

Conclusion

AI in HR creates real value — but only when employees, works councils and managers trust the processes behind it. A structured AI governance checklist for HR with four maturity levels and seven risk domains gives you three things: clarity about who decides what; fairness through measurable standards and audits; and a development lens so governance becomes a career competency, not "extra paperwork".

Start with a self-assessment in a small cross-functional group. Choose two governance gaps, assign an owner, and plan a cross-functional review with IT, Legal and works council in six months. After one or two cycles, your AI governance checklist for HR becomes a living part of performance, development and talent decisions — not a filed document.

FAQ

Which HR AI systems are classified as high-risk under the EU AI Act from 2 August 2026?

Annex III, point 4 of the EU AI Act classifies as high-risk AI systems intended for recruitment or selection (targeted job ads, analysing and filtering applications, evaluating candidates) and for work-related decisions (promotion, termination, task allocation based on behaviour or personal traits, monitoring and evaluating performance and behaviour). Classification depends on intended use, not the underlying technology (source). A narrow exemption (Art. 6(3)) exists for systems that only perform a preparatory or narrow procedural task without materially influencing the outcome; whoever relies on it must document that assessment.

What is the difference between a DPIA (GDPR) and a fundamental rights impact assessment (EU AI Act)?

The DPIA under GDPR Art. 35 assesses risks to personal data protection. The fundamental rights impact assessment under EU AI Act Art. 27 goes further: it covers impacts on non-discrimination, equal opportunity and access to effective remedy, fundamental rights beyond data privacy. The DPIA is mandatory for high-risk HR AI systems; the Art. 27 assessment is mandatory only for deployers that are public bodies or provide public services (and for credit-scoring and life/health insurance uses), so a private DACH employer is usually not obliged to perform one but is well advised to cover its questions in the DPIA.

Does every HR AI tool require a works agreement (Betriebsvereinbarung)?

Not necessarily every tool — but all systems capable of monitoring employee behaviour or performance (§ 87 Abs. 1 Nr. 6 BetrVG). Consistent BAG case law interprets this broadly. When in doubt, clarify early with Legal and the works council whether co-determination rights apply, rather than resolving conflicts retrospectively.

How do I prevent governance processes from slowing down AI projects?

By calibrating processes to risk level and using standard templates: for low-risk deployments (e.g. AI writing assistance for job ads without automated filtering) a short approval form suffices. For high-risk systems, the full review path applies. Templates for DPIAs, DPAs and works agreements substantially reduce the effort per deployment. The goal is predictable, not maximal, control.

Who should own AI governance in HR organisations?

Governance responsibility works best shared across HR (use-case ownership), Legal/DPO (compliance), IT (technology and vendor management) and the works council (co-determination). A central AI committee with a clear mandate is more efficient than scattered individual responsibilities — and is the only model that satisfies all four obligation layers (EU AI Act, GDPR, BetrVG, AGG) simultaneously.

What penalties apply for EU AI Act violations involving HR systems?

For prohibited practices under Art. 5 (for example emotion recognition in the workplace), fines of up to €35 million or 7% of global annual turnover, whichever is higher. Breaches of the high-risk obligations that apply to most HR systems are capped at €15 million or 3% (Art. 99). Additionally, GDPR fines of up to €20 million or 4% of turnover, plus AGG damages claims for proven discrimination. The three regimes apply independently of each other (source).

Jürgen Ulbrich

CEO & Co-Founder of Sprad

Jürgen Ulbrich has more than a decade of experience in developing and leading high-performing teams and companies. As an expert in employee referral programs as well as feedback and performance processes, Jürgen has helped over 100 organizations optimize their talent acquisition and development strategies.
