AI in onboarding and internal mobility: where is the line?
Talent marketplaces, skills matching and career paths with AI seem neutral, but they reach the high-risk line as soon as they steer promotion or progression decisions (Annex III, point 4). Then the AI Act, GDPR, transparency and equal opportunity apply internally too.
Short answer: AI in onboarding and internal mobility (talent marketplaces, skills matching, career paths) feels more innocent than AI in external recruitment, but legally it is not. As soon as such a system steers promotion, progression or task-allocation decisions, it falls under Annex III, point 4 of the AI Act and counts as high-risk. On top of that, the GDPR, transparency duties and the principle of equal opportunity apply, inside your own organisation too.
Why internal is not "safer"
Many employers assume the heavy rules only apply when hiring new people. That is wrong. Annex III, point 4 of the AI Act expressly captures decisions after entry into service too: promotion, termination, task allocation and evaluation. An internal talent marketplace that determines who becomes visible for an attractive role touches exactly that core. The employee is already inside, but their career is steered by an algorithm all the same. See AI in the workplace for the broader frame of what falls on the employer.
When the high-risk line is reached
The pivot is influence over a decision. A tool that merely makes learning suggestions or shows vacancies without filtering does not yet steer a decision. But as soon as the system ranks candidates for an internal role, gives progression advice that weighs heavily, or determines who is and is not put forward, it influences a promotion or progression decision. That is when it tips into high-risk. The practical test: would a human as a rule adopt the system's outcome? If so, it steers the decision. AI in evaluation, promotion and dismissal works this out further.
Skills matching and the GDPR
Talent marketplaces run on profiles: skills, performance, ambitions, sometimes derived scores. That is processing of personal data in full. The GDPR requires a legal basis, data minimisation and transparency about what you process and why. If you use decisions based solely on automated processing with significant effects (for example automatically excluding someone from a programme), Article 22 comes into play, with a right to human intervention. Be careful too with derived sensitive data; a skills profile can inadvertently reveal health or origin.
Equal opportunity, internally too
A matching algorithm trained on who has historically progressed reproduces historical skew. If promotion was once mostly granted to a particular group, the model learns that pattern and reinforces it. Internally that feels invisible: no one gets a rejection, people simply are not "matched". That is precisely why bias monitoring is essential here: measure progression per group and investigate unexplained differences. The ban on discrimination does not stop at the front door.
Algorithmic management and the grey zone
Between innocent recommendation and high-risk decision lies a growing grey zone: AI that distributes work, allocates opportunities and steers behaviour. That is a form of algorithmic management, and the regulator looks ever more closely at the actual influence, not the label the supplier attaches to it. So document explicitly how heavily the system weighs in and who makes the final decision.
Internal mobility with AI can make careers fairer and more transparent, but only if you recognise the line where a suggestion becomes a decision.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Regulation (EU) 2024/1689 (AI Act): Annex III, point 4 (AI for decisions on promotion and termination, task allocation and evaluation in work relationships).
- https://eur-lex.europa.eu/eli/reg/2016/679/oj
General Data Protection Regulation (GDPR), Art. 22 on decisions based solely on automated processing with significant effects.