Prompt Details
Model: claude-4-6-sonnet
Token size: 3,438
Example input
[system_description]: "Automated CV screening tool for enterprise recruitment. Uses NLP to rank candidates by predicted job performance. Deployed by HR teams across EU member states. Processes name, employment history, and inferred personality traits. No human reviews individual rankings before shortlisting."
[framework_focus]: eu_ai_act+nist
[output_depth]: standard
Example output
⚠️ DATA SCOPE CHECK — Before we begin:
This session processes your system description for pattern recognition and regulatory gap analysis only. Do not share:
- Live customer datasets or PII
- Unredacted API keys or credentials
- Internal security architecture details beyond what governance review requires
This is a structured analysis aid. It is not a confidential legal consultation. Proceed with redacted or anonymised system descriptions where possible.
---
*System description received. No apparent PII or credentials detected. Proceeding with analysis.*
---
# AI GOVERNANCE REVIEW — CV SCREENING TOOL
**Framework Focus:** EU AI Act + NIST AI RMF
**Output Depth:** Standard
---
## PROTOCOL 1: DEPLOYMENT CLASS DETERMINATION
```text
DEPLOYMENT CLASS: HIGH RISK
CLASSIFICATION BASIS:
EU AI Act Annex III, point 4(a) — "Employment, workers management
and access to self-employment"
Specifically: AI systems intended to be used for the recruitment or
selection of natural persons, in particular to place targeted job
advertisements, to analyse and filter job applications, and to
evaluate candidates.
The described system:
→ Ranks candidates by predicted job performance (automated scoring)
→ Operates across EU member states (jurisdictionally in scope)
→ Shortlisting occurs without individual human review of rankings
— this is the highest-concern configuration within this category
EVIDENCE QUALITY: Explicit regulatory text (Annex III, point 4(a))
ESCALATION FLAGS TRIGGERED (see Protocol 4):
→ Automated decision-making with employment impact
→ Inferred personality traits (potentially sensitive data category)
→ No human review before shortlisting (Art. 14 critical gap)
HUMAN VERIFICATION REQUIRED:
Q1. Does the system make the shortlisting decision, or does it
produce a ranked list that a human then acts on without
individual review? The distinction affects Art. 14 obligation
severity — legal team to confirm which operational model applies.
Q2. Is "inferred personality traits" derived from name/employment
data alone, or does it involve additional data sources?
Determines whether biometric/sensitive data category triggers apply.
```
---
## PROTOCOL 2 + 3: FRAMEWORK GAP SCAN & FINDING REGISTER
### EU AI ACT FINDINGS
---
```json
{
"finding_id": "F-001",
"framework": "EU AI Act",
"article_clause": "Art. 9 — Risk Management System",
"description": "No risk management system is described. For high-risk
AI systems, Art. 9 requires a continuous, documented risk management
process covering known and reasonably foreseeable risks, including
risks of discriminatory outcomes in candidate ranking.",
"evidence_quality": "Explicit text",
"risk_level": "Critical",
"human_action_required": "Document and implement a formal risk
management system. Include: risk identification for discriminatory
ranking, foreseeable misuse scenarios, residual risk assessment,
and update cadence aligned to model changes.",
"suggested_control": "Establish a risk register specific to the
screening model. Schedule periodic bias audits against protected
characteristics (gender, ethnicity, age proxies in names/history).
Assign risk owner within HR technology governance.",
"verify_with": "Legal + Risk + External auditor"
}
```
---
```json
{
"finding_id": "F-002",
"framework": "EU AI Act",
"article_clause": "Art. 10 — Data Governance",
"description": "The system processes name (a potential proxy for
ethnicity/gender), employment history, and inferred personality
traits. No data governance practices are described — no mention
of training data provenance, bias examination, or relevance
criteria for personality inference.",
"evidence_quality": "Explicit text + Heuristic",
"risk_level": "Critical",
"human_action_required": "Commission a data audit covering:
(1) training data sources and known demographic skews,
(2) whether 'name' is used as a feature or only as an identifier,
(3) basis for personality trait inference and its predictive
validity for job performance.",
"suggested_control": "Implement training data documentation
(dataset cards). Conduct pre-deployment bias testing across
gender and ethnicity proxies. Assess whether personality inference
meets the relevance and necessity standard for the stated purpose.",
"verify_with": "Legal + Technical + External auditor"
}
```
---
```json
{
"finding_id": "F-003",
"framework": "EU AI Act",
"article_clause": "Art. 11 — Technical Documentation",
"description": "No technical documentation is described. High-risk
systems must maintain documentation sufficient for conformity
assessment, including model architecture, training methodology,
performance metrics, and known limitations.",
"evidence_quality": "Explicit text",
"risk_level": "High",
"human_action_required": "Produce technical documentation per
Annex IV of the EU AI Act. Ensure it is kept current with
model updates and is accessible to market surveillance
authorities on request.",
"suggested_control": "Assign documentation ownership to the
AI/ML team. Use a structured template aligned with Annex IV
requirements. Version-control documentation alongside model
releases.",
"verify_with": "Technical + Legal"
}
```
---
```json
{
"finding_id": "F-004",
"framework": "EU AI Act",
"article_clause": "Art. 12 — Record-Keeping and Logging",
"description": "No logging or record-keeping mechanism is mentioned.
High-risk systems must automatically log events enabling
post-hoc traceability of outputs — critical for a system
making consequential employment decisions.",
"evidence_quality": "Explicit text",
"risk_level": "High",
"human_action_required": "Implement automated logging of: input
data characteristics (not raw PII), ranking outputs, model
version in use, and timestamp of each screening event. The Act
sets a retention floor of at least six months for automatically
generated logs (Art. 19 for the provider, Art. 26(6) for each
deployer); set the actual retention period above that floor in
line with employment law requirements in each EU member state
of deployment.",
"suggested_control": "Deploy append-only, tamper-evident audit
logs (hash-chained or write-once storage). Pseudonymise the
candidate reference in the log so that the logs do not themselves
create new compliance risk by storing unnecessary PII. Reconcile
retention requirements across member state jurisdictions.",
"verify_with": "Technical + Legal"
}
```
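The logging control in F-004 has a concrete shape: every screening event is written as a record that holds only coarse input characteristics, the ranking output, the model version and a timestamp, the candidate is referenced by a keyed pseudonym rather than a name, and each record is hash-chained to its predecessor so that a later edit to any stored entry is detectable. The block below is an added example written for this page; it is not code from the prompt's author or from any screening product, and the field names, the pseudonymisation key, the model version string and the sample events are constructed assumptions.

```python
"""Added example (not from the page): append-only, tamper-evident,
PII-minimised audit log for screening events, as finding F-004 describes.
Field names, key, model version string and sample events are constructed."""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed key. In production hold it in a KMS/HSM, rotate it, and keep it
# away from anyone who can read the logs, or the pseudonyms become reversible.
PSEUDONYM_KEY = b"example-only-pseudonymisation-key"
GENESIS_HASH = "0" * 64


def pseudonymise(candidate_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: a log reader cannot recover or confirm an ID without the key."""
    return hmac.new(key, candidate_id.encode(), hashlib.sha256).hexdigest()[:32]


def summarise_input(cv: dict) -> dict:
    """Keep coarse input characteristics only: no name, no employer names."""
    return {"n_positions": len(cv["employment_history"]),
            "experience_bucket": min(cv["years_experience"] // 5 * 5, 30),
            "personality_inference_used": bool(cv.get("inferred_traits"))}


def entry_digest(fields: dict) -> str:
    """SHA-256 over canonical JSON so the hash does not depend on key order."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class LogEntry:
    seq: int
    timestamp: str
    model_version: str
    candidate_pseudonym: str
    input_summary: dict
    rank_score: float
    shortlisted: bool
    prev_hash: str   # entry_hash of the previous entry, GENESIS_HASH for the first
    entry_hash: str  # digest of every field above


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def append(self, *, timestamp: str, model_version: str, candidate_id: str,
               cv: dict, rank_score: float, shortlisted: bool) -> LogEntry:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        fields = {"seq": len(self.entries), "timestamp": timestamp,
                  "model_version": model_version,
                  "candidate_pseudonym": pseudonymise(candidate_id),
                  "input_summary": summarise_input(cv),
                  "rank_score": rank_score, "shortlisted": shortlisted,
                  "prev_hash": prev_hash}
        entry = LogEntry(**fields, entry_hash=entry_digest(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if every entry hashes correctly and chains to its predecessor,
        otherwise the seq of the first entry that fails."""
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            fields = dataclasses.asdict(entry)
            expected = fields.pop("entry_hash")
            if entry.prev_hash != prev_hash or entry_digest(fields) != expected:
                return entry.seq
            prev_hash = entry.entry_hash
        return None


def tamper_with(log: AuditLog, seq: int, **changes) -> None:
    """Simulate an insider editing a stored entry (frozen dataclass: overwrite slot)."""
    log.entries[seq] = dataclasses.replace(log.entries[seq], **changes)


# Constructed sample screening events (fictional candidates).
SAMPLE_EVENTS = [
    {"candidate_id": "cand-001", "rank_score": 0.91, "shortlisted": True,
     "cv": {"name": "Jane Example", "employment_history": ["Acme", "Globex"],
            "years_experience": 7, "inferred_traits": {"conscientiousness": 0.8}}},
    {"candidate_id": "cand-002", "rank_score": 0.42, "shortlisted": False,
     "cv": {"name": "John Sample", "employment_history": ["Initech", "Hooli", "Wonka"],
            "years_experience": 34, "inferred_traits": None}},
]


def build_sample_log(model_version: str = "cv-ranker-1.4.2") -> AuditLog:
    log = AuditLog()
    for i, ev in enumerate(SAMPLE_EVENTS):
        log.append(timestamp=f"2026-01-15T09:0{i}:00Z", model_version=model_version,
                   candidate_id=ev["candidate_id"], cv=ev["cv"],
                   rank_score=ev["rank_score"], shortlisted=ev["shortlisted"])
    return log
```

Two design points matter for the F-004 control. The pseudonym is an HMAC rather than a plain hash: a plain SHA-256 of a candidate ID lets anyone holding a list of candidate IDs confirm who is in the log, so the keyed version is what actually keeps PII out of it. The chain only proves integrity relative to the latest hash, so the head hash should be periodically copied somewhere the log writer cannot alter (a separate account, a write-once store, or a signed timestamp); without that anchor an attacker with write access can simply rewrite the whole chain.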
---
```json
{
"finding_id": "F-005",
"framework": "EU AI Act",
"article_clause": "Art. 13 — Transparency and Information to Deployers",
"description": "No deployer-facing transparency documentation
is described. The system must provide HR teams with sufficient
information to understand capabilities, limitations, and
appropriate use — particularly given the no-human-review
configuration described.",
"evidence_quality": "Explicit text",
"risk_level": "High",
"human_action_required": "Produce an instructions-for-use document
for HR deployers covering: what the system does and does not
assess, known error rates, conditions under which outputs
should not be relied upon, and escalation paths.",
"suggested_control": "Embed transparency documentation in the
product deployment package. Require acknowledgement of
limitations as part of HR team onboarding to the tool.",
"verify_with": "Legal + Risk"
}
```
---
```json
{
"finding_id": "F-006",
"framework": "EU AI Act",
"article_clause": "Art. 14 — Human Oversight",
"description": "CRITICAL CONFIGURATION IDENTIFIED. The system
description explicitly states no human reviews individual
rankings before shortlisting. Art. 14 requires that high-risk
AI systems are designed and developed with human oversight
measures enabling humans to intervene, override, or halt the
system. Fully automated shortlisting without individual review
is the highest-risk configuration under this article.",
"evidence_quality": "Explicit text",
"risk_level": "Critical",
"human_action_required": "Immediately assess whether the current
deployment configuration is operable under Art. 14 (the provider's
design obligation) and Art. 26(2) (the deployer's obligation to
assign oversight to natural persons with the competence, training
and authority to exercise it). Legal team to determine whether
batch review of ranked outputs (without individual review)
satisfies the oversight requirement; this is a contested
interpretation requiring qualified counsel. Interim: implement
mandatory human sign-off before the shortlist is acted upon.",
"suggested_control": "Redesign shortlisting workflow to require
human review of at minimum a defined sample of rankings,
with exception-flagging for low-confidence or borderline
outputs. Consider a 'human-in-the-loop' interface that
presents rankings with explainability rationale per candidate.",
"verify_with": "Legal (priority) + Risk + Technical"
}
```
---
```json
{
"finding_id": "F-007",
"framework": "EU AI Act",
"article_clause": "Art. 15 — Accuracy, Robustness, Cybersecurity",
"description": "No accuracy benchmarks, robustness testing, or
cybersecurity controls are described. For a system predicting
job performance from limited data signals, accuracy claims
and known error rates are particularly material.",
"evidence_quality": "Explicit text + Heuristic",
"risk_level": "High",
"human_action_required": "Define and document accuracy metrics
for the job performance prediction. Conduct adversarial
testing. Assess resilience to input manipulation
(e.g. CV keyword-stuffing). Implement security controls
on the ranking pipeline.",
"suggested_control": "Establish a model performance baseline
with disaggregated accuracy metrics by demographic group.
Schedule periodic revalidation. Implement input validation
to reduce gaming vulnerability.",
"verify_with": "Technical + External auditor"
}
```
---
```json
{
"finding_id": "F-008",
"framework": "EU AI Act",
"article_clause": "Art. 26 — Obligations of Deployers",
"description": "HR teams deploying the system across EU member
states are 'deployers' under the Act. No description of
deployer obligation awareness, monitoring practices, worker
information, or incident reporting mechanisms is present.",
"evidence_quality": "Explicit text",
"risk_level": "High",
"human_action_required": "Ensure each HR deployer entity has
a documented process for: (1) using the system in accordance
with the provider's instructions and monitoring its operation
(Art. 26(1), 26(5)), (2) reporting serious incidents to the
provider and the market surveillance authority (Art. 26(5)),
(3) retaining the automatically generated logs for at least
six months (Art. 26(6)), (4) informing workers' representatives
and affected workers before the system is put into service in
the workplace (Art. 26(7)). Assess whether the Art. 27
fundamental rights impact assessment applies: it is mandatory
only for deployers that are bodies governed by public law or
private entities providing public services, so a private
employer is normally outside its scope but may still elect to
perform one.",
"suggested_control": "Develop a deployer compliance pack
per member state. Include incident reporting templates,
monitoring checklists, worker information notices, and FRIA
guidance where Art. 27 applies.",
"verify_with": "Legal + Risk"
}
```
---
### NIST AI RMF FINDINGS
---
```json
{
"finding_id": "F-009",
"framework": "NIST AI RMF",
"article_clause": "GOVERN 1 + GOVERN 2 — Policies and Accountability Structures",
"description": "No governance structure, ownership assignment,
or accountability policy is described for the AI system.
It is unclear who owns model performance, bias outcomes,
or escalation decisions.",
"evidence_quality": "Heuristic {MONNA-Analysis-2026}",
"risk_level": "High",
"human_action_required": "Define an AI system owner. Document
accountability for model updates, bias monitoring, and
incident response. Establish a RACI for the screening tool
across HR, Legal, and Technology functions.",
"suggested_control": "Publish an internal AI use policy
covering this system. Designate a named responsible AI
lead. Include in HR technology governance committee scope.",
"verify_with": "Risk + Legal"
}
```
---
```json
{
"finding_id": "F-010",
"framework": "NIST AI RMF",
"article_clause": "GOVERN 1.3 + MAP 1.5 — Organisational Risk Tolerance Determined and Documented",
"description": "No statement of risk tolerance for automated
employment decisions is present. The no-human-review
configuration suggests risk tolerance may not have been
formally assessed or bounded.",
"evidence_quality": "Heuristic {MONNA-Analysis-2026}",
"risk_level": "Medium",
"human_action_required": "Document organisational risk appetite
for AI-assisted hiring specifically. Distinguish tolerable
automation from decisions requiring human judgment. Present
to senior leadership for sign-off.",
"suggested_control": "Incorporate AI hiring risk into the
enterprise risk register. Set explicit thresholds for
acceptable false-negative and false-positive rates in
candidate ranking.",
"verify_with": "Risk"
}
```
---
```json
{
"finding_id": "F-011",
"framework": "NIST AI RMF",
"article_clause": "MAP 1 + MAP 3 — Risk Context and Classification",
"description": "No contextual risk mapping is evidenced. The
combination of personality inference, name processing, and
employment impact creates a high-potential-for-harm profile
that should be explicitly mapped before deployment.",
"evidence_quality": "Heuristic {MONNA-Analysis-2026}",
"risk_level": "High",
"human_action_required": "Conduct a structured AI risk mapping
exercise. Document: affected populations, harm pathways
(discriminatory ranking, exclusion of protected groups),
benefit claims, and benefit/harm balance assessment.",
"suggested_control": "Use NIST AI RMF Playbook MAP actions
as a template. Engage HR, Legal, and DEI functions in
the mapping exercise.",
"verify_with": "Risk + Legal"
}
```
---
```json
{
"finding_id": "F-012",
"framework": "NIST AI RMF",
"article_clause": "MEASURE 1 + MEASURE 2.11 — Risk Metrics Identified; Fairness and Bias Evaluated",
"description": "No metrics for tracking bias, accuracy drift,
or disparate impact are described. For a hiring tool,
disparate impact metrics are a baseline requirement under
both AI governance frameworks and employment discrimination
law across EU member states.",
"evidence_quality": "Heuristic + Official guidance {MONNA-Analysis-2026}",
"risk_level": "Critical",
"human_action_required": "Define and implement: (1) disparate
impact metrics by gender, apparent ethnicity, and age group,
(2) model performance drift monitoring, (3) regular reporting
to governance function. Baseline current output distribution
before further deployment.",
"suggested_control": "Implement a bias monitoring dashboard.
Use the 4/5ths (80%) rule as a starting screening threshold for
disparate impact, noting that it is a US EEOC Uniform Guidelines
heuristic rather than an EU legal standard: the EU Equality
Directives (e.g. 2000/43/EC, 2000/78/EC) apply an indirect
discrimination test without a fixed ratio, and member-state law
may impose further requirements. Pair the ratio with a minimum
group size and a significance test so that small groups do not
generate spurious alerts.",
"verify_with": "Technical + Legal + External auditor"
}
```
---
```json
{
"finding_id": "F-013",
"framework": "NIST AI RMF",
"article_clause": "MANAGE 1 + MANAGE 4 — Risk Response and Residual Risk",
"description": "No risk response plans or residual risk monitoring
described. If discriminatory outputs are detected post-deployment,
there is no evidenced mechanism to contain, remediate, or
notify affected candidates.",
"evidence_quality": "Heuristic {MONNA-Analysis-2026}",
"risk_level": "High",
"human_action_required": "Develop an incident response plan
specific to AI screening failures. Include: criteria for
system suspension, candidate notification process,
remediation pathway, and regulator notification assessment.",
"suggested_control": "Draft a model risk incident playbook.
Define suspension criteria (e.g. disparate impact ratio
breaches threshold). Establish candidate redress pathway
in coordination with legal team.",
"verify_with": "Legal + Risk"
}
```
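F-012 asks for disparate impact metrics with the 4/5ths rule as a starting threshold, and F-013 asks for a suspension criterion that fires when that ratio is breached. The block below is an added example written for this page, not code from the prompt's author or any product: it computes per-group selection rates over shortlisting outcomes, the impact ratio of each group against the group with the highest rate, a pooled two-proportion z-score so an analyst can see how much evidence a breach rests on, and a playbook-style suspension decision. Group labels, the minimum group size, and the sample outcomes are constructed assumptions; real monitoring data would come from a separate, access-controlled store of self-reported characteristics, never from the model's input features.

```python
"""Added example (not from the page): disparate impact monitor for ranked
screening output, covering the F-012 metrics and the F-013 suspension
criterion. Group labels, thresholds and sample outcomes are constructed."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class ScreeningOutcome:
    candidate_id: str   # pseudonymised reference, never the name
    group: str          # protected-characteristic label from a separate monitoring store
    shortlisted: bool


@dataclass(frozen=True)
class GroupResult:
    group: str
    size: int
    selection_rate: float
    impact_ratio: float       # this group's rate / highest group's rate
    z_score: Optional[float]  # two-proportion z vs. the reference group (None for it)
    status: str               # "ok" | "breach" | "insufficient_data"


def two_proportion_z(sel1: int, n1: int, sel2: int, n2: int) -> float:
    """Pooled two-proportion z-statistic for (sel1/n1) - (sel2/n2)."""
    pooled = (sel1 + sel2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return 0.0 if se == 0 else (sel1 / n1 - sel2 / n2) / se


def disparate_impact_report(outcomes: Iterable[ScreeningOutcome],
                            threshold: float = 0.8,
                            min_group_size: int = 30) -> Dict[str, GroupResult]:
    """Per-group selection rates and 4/5ths-rule status.

    The reference group is the one with the highest selection rate. A group
    whose rate is below `threshold` times the reference rate is a breach,
    unless it is too small to judge (reported as insufficient_data)."""
    counts: Dict[str, list] = defaultdict(lambda: [0, 0])  # group -> [shortlisted, total]
    for o in outcomes:
        counts[o.group][0] += int(o.shortlisted)
        counts[o.group][1] += 1
    rates = {g: sel / n for g, (sel, n) in counts.items()}
    ref = max(rates, key=rates.get)
    ref_sel, ref_n = counts[ref]
    report: Dict[str, GroupResult] = {}
    for g, (sel, n) in counts.items():
        # If nobody at all was shortlisted, every group is treated as equal.
        ratio = rates[g] / rates[ref] if rates[ref] > 0 else 1.0
        z = None if g == ref else two_proportion_z(ref_sel, ref_n, sel, n)
        if n < min_group_size:
            status = "insufficient_data"
        elif ratio < threshold:
            status = "breach"
        else:
            status = "ok"
        report[g] = GroupResult(g, n, rates[g], ratio, z, status)
    return report


def should_suspend(report: Dict[str, GroupResult]) -> bool:
    """Playbook suspension criterion: any adequately sized group is in breach."""
    return any(r.status == "breach" for r in report.values())


# Constructed sample: 100 screening outcomes across three monitoring groups.
# group_a: 20/50 shortlisted (0.40), group_b: 10/40 (0.25), group_c: 3/10 (0.30).
SAMPLE_OUTCOMES = (
    [ScreeningOutcome(f"a{i:03d}", "group_a", i < 20) for i in range(50)]
    + [ScreeningOutcome(f"b{i:03d}", "group_b", i < 10) for i in range(40)]
    + [ScreeningOutcome(f"c{i:03d}", "group_c", i < 3) for i in range(10)]
)


if __name__ == "__main__":
    for r in disparate_impact_report(SAMPLE_OUTCOMES).values():
        print(f"{r.group}: n={r.size} rate={r.selection_rate:.2f} "
              f"ratio={r.impact_ratio:.3f} z={r.z_score} status={r.status}")
    print("suspend:", should_suspend(disparate_impact_report(SAMPLE_OUTCOMES)))
```

On the sample data group_b sits at an impact ratio of 0.625 and is flagged, while group_c at 0.75 is reported as insufficient data because ten candidates cannot support a conclusion either way. The z-score for group_b is 1.5, below the conventional 1.96 for a two-sided 5% test, which is the practical reason to treat the 4/5ths ratio as an alert trigger that starts an investigation rather than as proof of discrimination in itself.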
---
## PROTOCOL 4: ESCALATION TRIGGER SCAN
```text
TRIGGER FIRED: Automated decision-making with employment impact
→ Mandatory: Human oversight mechanism documentation (Art. 14)
STATUS: Critical gap confirmed — F-006
→ Mandatory: Right-to-explanation assessment
NOTE: EU AI Act Art. 86 gives a person subject to a decision taken
by the deployer on the basis of an Annex III system's output the
right to a clear and meaningful explanation of the system's role
in that decision. GDPR Art. 22 may independently apply if
shortlisting constitutes solely automated decision-making with
significant effect, bringing the information duties of GDPR
Arts. 13-15 with it. Legal team to assess the interaction between
EU AI Act Arts. 14 and 86 and GDPR Art. 22. {MONNA-Analysis-2026}
TRIGGER FIRED: Sensitive data — inferred personality traits
→ Mandatory: DPIA flag (GDPR Art. 35; Art. 35(3)(a) covers
systematic evaluation of personal aspects by automated processing)
NOTE: Automated inference of personality traits to predict work
performance falls within the GDPR Art. 4(4) definition of
profiling. If derived from name data, ethnicity inference may
engage special category data provisions (Art. 9 GDPR).
This is a contested area — qualified DPO review required.
→ Mandatory: Processor/controller chain documentation
STATUS: Not described — gap confirmed
TRIGGER FIRED: Third-country / multi-jurisdiction deployment
→ EU AI Act applies to all deployers operating in the EU
regardless of provider location
→ Member-state employment discrimination law varies —
legal review required per jurisdiction of deployment
```
---
## PROTOCOL 5: HUMAN CHECKPOINT ARCHITECTURE
```text
COMPLIANCE ACTION TABLE

LEGAL TEAM ACTIONS:
  F-006  Assess Art. 14 / Art. 26(2) compliance of no-human-review config
         → IMMEDIATE (blocks deployment continuation)
  F-001  Review and approve risk management system scope
         → 30 days
  F-008  Confirm whether Art. 27 FRIA applies to each deployer entity;
         verify Art. 26(7) worker information has been given
         → 30 days
  F-004  Determine log retention requirements per jurisdiction
         (floor: six months, Art. 19 / Art. 26(6))
         → 30 days
  ESC-1  GDPR Art. 22 / AI Act Art. 14 and Art. 86 interaction assessment
         → IMMEDIATE
  ESC-2  DPIA (GDPR Art. 35) for personality inference and name processing
         → IMMEDIATE

RISK TEAM ACTIONS:
  F-009  Define AI system ownership and RACI
         → 30 days
  F-010  Document organisational risk tolerance for AI hiring
         → 30 days
  F-013  Develop model risk incident response playbook
         → 30 days
  F-011  Conduct structured AI risk mapping exercise
         → 30 days

TECHNICAL TEAM ACTIONS:
  F-002  Commission training data audit and bias testing
         → 30 days
  F-003  Produce Annex IV technical documentation
         → 30 days
  F-004  Implement automated, tamper-evident logging pipeline
         → 30 days
  F-007  Define accuracy benchmarks; conduct adversarial testing
         → 90 days
  F-012  Implement disparate impact monitoring dashboard
         → 30 days (baseline) / 90 days (full implementation)

EXTERNAL VALIDATION REQUIRED:
  F-001  Independent risk management system review
  F-002  Third-party bias audit of training data and outputs
  F-006  Qualified legal counsel on Art. 14 configuration
  F-012  External validation of disparate impact methodology
  ESC-2  DPO or external privacy counsel for DPIA
  NOTE:  For an Annex III point 4 system the provider's conformity
         assessment route is internal control (Art. 43(2), Annex VI);
         no notified body is involved. Legal team to confirm that the
         provider has completed it, drawn up the EU declaration of
         conformity (Art. 47), affixed the CE marking (Art. 48) and
         registered the system in the EU database (Art. 49) before
         the deployer relies on it.

DO NOT DEPLOY / CONTINUE DEPLOYMENT UNTIL:
  F-006  Art. 14 human oversight gap is resolved; the current
         no-human-review configuration presents the highest
         regulatory and harm risk in this scan
  ESC-1  GDPR Art. 22 applicability is assessed and addressed
  ESC-2  DPIA completed for personality inference processing
  F-012  Baseline disparate impact data is established
```
---
**FINDING SUMMARY**
| ID | Framework | Risk Level | Article/Clause |
|---|---|---|---|
| F-001 | EU AI Act | 🔴 Critical | Art. 9 |
| F-002 | EU AI Act | 🔴 Critical | Art. 10 |
| F-003 | EU AI Act | 🟠 High | Art. 11 |
| F-004 | EU AI Act | 🟠 High | Art. 12 |
| F-005 | EU AI Act | 🟠 High | Art. 13 |
| F-006 | EU AI Act | 🔴 Critical | Art. 14 |
| F-007 | EU AI Act | 🟠 High | Art. 15 |
| F-008 | EU AI Act | 🟠 High | Art. 26 |
| F-009 | NIST AI RMF | 🟠 High | GOVERN 1+2 |
| F-010 | NIST AI RMF | 🟡 Medium | GOVERN 1.3 / MAP 1.5 |
| F-011 | NIST AI RMF | 🟠 High | MAP 1+3 |
| F-012 | NIST AI RMF | 🔴 Critical | MEASURE 1 + 2.11 |
| F-013 | NIST AI RMF | 🟠 High | MANAGE 1+4 |
**Critical findings: 4 | High: 8 | Medium: 1**
No flagged risks in this scan scope rated Low or Informational — all identified gaps carry material regulatory or harm significance.
---
```text
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DISCLAIMER
This analysis is a structured compliance aid. It is not a legal
opinion, a compliance certification, or a substitute for qualified
legal counsel.
Regulatory interpretation evolves. Verify all findings against
current enforcement guidance in your jurisdiction. EU AI Act
provisions are subject to ongoing harmonised standard development
by CEN-CENELEC JTC 21; check for updates to applicable standards.
No finding in this report constitutes a legal conclusion.
Deployment decisions require sign-off from your legal team,
risk function, and (for high-risk systems) an accredited
conformity assessment body where applicable.
{MONNA-Analysis-2026} — all gap interpretations are analytical
inferences, not cited regulatory conclusions.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
The AI Governance Checker™ runs a structured gap scan against EU AI Act, NIST AI RMF, and ISO 42001 on any AI system description, agent design, or deployment plan — and gives you finding reports your legal and risk teams can actually work with.
Added 1 week ago
