Sample AI Act readiness assessment — high-risk HR screening

Skarval Analytics — FitScreen · sample deliverable · fictional client · produced with the same engine and format as a paid engagement

Document AIA-SKRV-2026-001 · Scope: one AI system, provider-side · Method: role → classification → obligation register · Status: sample — senior review pending

This is a fictional sample. Skarval Analytics and FitScreen don't exist — the company is invented so we can publish a complete deliverable without exposing a client. It was produced with the same gateway engine, the same sources, and the same format as a paid engagement, where it would ship signed by the reviewing practitioner. A sample has no client and nothing to certify, so the sign-off block in §8 shows the format and stays blank by design. Every linked citation is a real provision fetched from the gateway's EU corpus; the readiness verdicts and the company itself illustrate the format.
Section 1

Executive summary

Skarval Analytics ApS develops FitScreen, an AI ranking tool that scores and shortlists job applicants, and places it on the EU market under its own trademark. That makes Skarval the provider of a high-risk AI system: FitScreen falls under Annex III point 4(a) (recruitment and selection of natural persons), and the Art. 6(3) derogation is unavailable because the fetched text makes an Annex III system “always” high-risk “where the AI system performs profiling of natural persons” — which scoring applicants is.

The dates that bite: the AI Act's general high-risk regime applies from 2 August 2026. (analyst-known fact — no row fetched in this run carries the application dates; the framing is the site's public AI Act timeline.) One date did arrive fetched: the Art. 6 text obliges the Commission to publish classification guidelines “no later than 2 February 2026” — those guidelines are a scoping input for the engagement.

Because FitScreen is already on the market, the transitional rule for pre-existing high-risk systems (Art. 111(2): systems placed on the market before the application date fall in scope upon a significant change in design) interacts directly with the quarterly-retraining question in §5 — whether retraining crosses that threshold decides when the register in §4 starts to bind. Art. 111(2)'s second sentence adds an unconditional backstop: high-risk systems intended for use by public authorities must comply by 2 August 2030 regardless of design changes — so the analysis also turns on whether any FitScreen customer is a public body. (analyst note — Art. 111 was not fetched in this run; the transitional analysis is scoped for the engagement, not concluded here.)

The register in §4 holds 12 obligations (11 on Skarval, 1 deployer-side that Skarval must enable). The heavy items: a documented lifecycle risk-management system (Art. 9), the Art. 16 duty stack — quality management, documentation, logs, conformity assessment, declaration of conformity, CE marking, registration — and the internal-control conformity route of Art. 43(2). Three items are not started; none of that is papered over. Readiness verdicts are analyst-assigned for the fictional client and would be evidence-checked in a real engagement.

Section 2

System description & role determination

Skarval Analytics ApS (fictional, Copenhagen) sells FitScreen, a B2B SaaS service that ingests applicant CVs and structured assessment results, computes a per-candidate fit score, and returns a ranked shortlist to enterprise recruiting teams. Models are retrained quarterly on pooled outcome data. FitScreen does no emotion inference and no biometric processing — facts that matter at the Art. 5 and Annex III boundaries walked in §3.

Role determination. Skarval develops FitScreen and places it on the EU market under its own name — the provider role. Its customers use the system on their own applicants — the deployer role. The functional split is visible in the fetched provisions themselves: Art. 16 binds providers to duties running “prior to its being placed on the market or put into service”, and the fetched Art. 26 is titled “Obligations of deployers of high-risk AI systems”. (analyst — the definitional test itself lives in Art. 3, which this run did not fetch; the provider/deployer conclusions rest on that unfetched text and are flagged accordingly.)

Decision map in three clusters. Role (Article 3): Skarval Analytics ApS, which develops FitScreen and places it on the EU market, is the provider (highlighted); its enterprise customers, who run FitScreen on their own applicants, are deployers. Classification (Article 6 plus Annex III): the Article 6(1) product gate is not engaged (analyst-marked, Annex I not fetched); Article 6(2) points to Annex III point 4(a), recruitment or selection of natural persons; the Article 6(3) derogation test dead-ends at the profiling override — always high-risk where the AI system performs profiling of natural persons — so because FitScreen profiles applicants the derogation is unavailable and the verdict is high-risk. Obligations: the verdict fans out to Article 9 risk management, Article 16 provider duties (a) to (l), and Article 43(2) internal control without a notified body on the provider side, and to Article 26 duties — instructions for use, human oversight, logs — on the deployer side.
Role → classification → obligations, with the Art. 6(3) dead-end. Text version:
[Skarval Analytics ApS — develops FitScreen, places it on the EU market]  = PROVIDER  (Art. 3 — analyst)
      |
[Art. 6(1): safety component of an Annex I product?]  -- no (analyst; Annex I not fetched)
      |
[Art. 6(2): intended use listed in Annex III?]  -- yes (fetched Annex III row)
      |
[Annex III point 4(a): recruitment or selection of natural persons]
      |
[Art. 6(3) derogation: no significant risk of harm?]
      |   conditions (a)-(d) never reached, because:
[Profiling override: "always be considered to be high-risk where the AI system
 performs profiling of natural persons"  ->  FitScreen profiles applicants
 ->  derogation UNAVAILABLE]
      |
[VERDICT: HIGH-RISK — Annex III point 4(a)]
      |-- provider side -->  [Art. 9 risk management]  [Art. 16 duties (a)-(l)]  [Art. 43(2) internal control, no notified body]
      |-- deployer side -->  [Art. 26 duties]  <--  [Enterprise customers = DEPLOYERS]
Section 3

Classification walk (Art. 6 + Annex III)

Every quoted span below is verbatim from text fetched during the run; bracketed ellipses […] mark our elisions. Steps that rest on unfetched text say so.

  • Step 0 — prohibited-practices screen (Art. 5). FitScreen does no emotion inference or social scoring, so no Art. 5 prohibition appears engaged. The run fetched the AI Office's prohibited-practices guidelines as a guidance row (AI Office — prohibited-practices guidelines) but not the Art. 5 text itself, so this screen is analyst draft — held for senior review. The guidance row is still load-bearing for step 2: its Art. 5(1)(f) discussion points at “the list of high-risk AI systems in Annex III, referring to self-employment at 4”.
  • Step 1 — Art. 6(1): the product gate. The fetched Art. 6(1) makes a system high-risk where it “is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex I” and that product needs third-party conformity assessment. FitScreen is stand-alone recruiting software, not a safety component. (analyst — Annex I was not fetched; the negative (“HR software is not an Annex I case”) rests on analyst knowledge of that list.) Citation: Art. 6 — Reg (EU) 2024/1689.
  • Step 2 — Art. 6(2): the Annex III route. Fetched: “In addition to the high-risk AI systems referred to in paragraph 1, AI systems referred to in Annex III shall be considered to be high-risk.” The run's Annex III row arrived as a search fragment ending the employment heading (“…to self-employment:”) and opening point (a): “AI systems intended to be used for the recruitment or selection of natural persons, in particular…”. Scoring and shortlisting job applicants is squarely that use. The point-4 numbering is corroborated by the fetched AI Office guidance row quoted in step 0 — the direct Annex III provision lookup returned nothing (§7). Citations: Annex III — Reg (EU) 2024/1689 · AI Office — prohibited-practices guidelines.
  • Step 3 — Art. 6(3): the derogation test. Fetched: “By derogation from paragraph 2, an AI system referred to in Annex III shall not be considered to be high-risk where it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making.” It applies where any of four fetched conditions holds: (a) “a narrow procedural task” — no, FitScreen ranks candidates end-to-end; (b) “improve the result of a previously completed human activity” — no, it runs before human review, not after; (c) detecting “decision-making patterns or deviations from prior decision-making patterns” without replacing human assessment — no; (d) “a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III” — arguable for a shortlisting tool, but the question is never reached, because of step 4. Citation: Art. 6 — Reg (EU) 2024/1689.
  • Step 4 — the profiling override closes the derogation. Fetched, same paragraph: “Notwithstanding the first subparagraph, an AI system referred to in Annex III shall always be considered to be high-risk where the AI system performs profiling of natural persons.” FitScreen evaluates personal aspects of applicants — predicted job performance — to score and rank them: profiling. The derogation is therefore unavailable to Skarval regardless of how condition (d) would have come out. (analyst — “profiling” takes its meaning from Art. 3(52) / GDPR Art. 4(4), which this run did not fetch; reading applicant scoring as profiling is the conservative reading and is flagged as analyst reasoning.) Citation: Art. 6 — Reg (EU) 2024/1689.
  • Step 5 — Art. 6(4): if Skarval disagreed. Fetched: “A provider who considers that an AI system referred to in Annex III is not high-risk shall document its assessment before that system is placed on the market or put into service”, with registration under Article 49(2). Not exercised here — Skarval accepts the high-risk classification — but recorded so the road not taken is visible. Citation: Art. 6 — Reg (EU) 2024/1689.

Verdict: FitScreen is a high-risk AI system under Annex III point 4(a); Skarval is its provider. Everything in §4–§6 follows from those two findings.

Section 4

Obligation register

One row per obligation, grounded in a quoted span of the fetched article text. Readiness verdicts are analyst-assigned for the fictional client — in a paid engagement each verdict is evidence-checked before it ships.

| ID | Basis | Obligation (fetched span) | Owner | Readiness | Action | Citation |
|---|---|---|---|---|---|---|
| OB-01 | Art. 16(a) | Meet the Section 2 requirements for high-risk AI systems — “ensure that their high-risk AI systems are compliant with the requirements set out in Section 2” | Skarval (provider) | Gap | Stand up a tracked gap program against the full Section 2 requirement set. Only Art. 9 (risk management) was fetched and walked in this sample; a paid engagement walks the remaining Section 2 articles the same way. | Art. 16 — Reg (EU) 2024/1689 |
| OB-02 | Art. 9(1)–(2) | Establish a documented, lifecycle risk-management system — “a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating” | Skarval (provider) | Partial | Ad-hoc model-risk reviews exist but nothing is documented as a lifecycle process. Formalise the four Art. 9(2) steps — risk identification, estimation under reasonably foreseeable misuse, post-market data evaluation, targeted measures — as a recurring, documented cycle. | Art. 9 — Reg (EU) 2024/1689 |
| OB-03 | Art. 9(6), (8) | Test against pre-defined metrics and thresholds before release — “Testing shall be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system.” | Skarval (provider) | Gap | Release testing today is accuracy-only with no pre-committed thresholds. Define pass/fail metrics — including disparate-performance metrics across applicant groups — before the next model release, and keep the test records. | Art. 9 — Reg (EU) 2024/1689 |
| OB-04 | Art. 16(c) | Operate a quality management system complying with Article 17 — “have a quality management system in place which complies with Article 17” | Skarval (provider) | Partial | An engineering QMS exists; map it against Article 17 (content not fetched in this run — scoped in the engagement) rather than assuming coverage. | Art. 16 — Reg (EU) 2024/1689 |
| OB-05 | Art. 16(d) | Keep the Article 18 documentation — “keep the documentation referred to in Article 18” | Skarval (provider) | Partial | Technical documentation is spread across wikis and release notes. Consolidate it into one controlled set with retention rules (Article 18 content not fetched — scoped in the engagement). | Art. 16 — Reg (EU) 2024/1689 |
| OB-06 | Art. 16(e) | Keep the automatically generated logs under Skarval's control — “when under their control, keep the logs automatically generated by their high-risk AI systems as referred to in Article 19” | Skarval (provider) | In place | FitScreen already emits per-decision event logs retained on Skarval's side. Confirm coverage and retention against Article 19 (content not fetched). | Art. 16 — Reg (EU) 2024/1689 |
| OB-07 | Art. 16(f) + Art. 43(2) | Run the conformity assessment before placing on the market — “ensure that the high-risk AI system undergoes the relevant conformity assessment procedure as referred to in Article 43, prior to its being placed on the market or put into service” | Skarval (provider) | Not started | Run the internal-control route (§5). FitScreen is already on the market, so sequencing the assessment against the application date is the first planning question. | Art. 16 — Reg (EU) 2024/1689 |
| OB-08 | Art. 16(g), (h) | Draw up the EU declaration of conformity and affix CE marking — “draw up an EU declaration of conformity in accordance with Article 47” | Skarval (provider) | Not started | Produce the declaration and CE marking as outputs of OB-07 — they attest the assessment, they don't replace it (Arts. 47–48 content not fetched). | Art. 16 — Reg (EU) 2024/1689 |
| OB-09 | Art. 16(i) | Register FitScreen per Article 49(1) — “comply with the registration obligations referred to in Article 49(1)” | Skarval (provider) | Not started | Plan registration in the EU database — the one the fetched Art. 26(8) text calls “the EU database referred to in Article 71”. Note the fetched scope: Art. 26(8)'s register-check and non-use duty binds deployers “that are public authorities, or Union institutions, bodies, offices or agencies” — not private customers. Private enterprise deployers will still check the database in procurement, so an unregistered listing costs deals either way. | Art. 16 — Reg (EU) 2024/1689 |
| OB-10 | Art. 16(j) | Corrective actions and information duties — “take the necessary corrective actions and provide information as required in Article 20” | Skarval (provider) | Partial | An internal incident process exists; extend it so it can produce the corrective actions and information Article 20 requires (content not fetched — scoped in the engagement). | Art. 16 — Reg (EU) 2024/1689 |
| OB-11 | Art. 16(l) | Accessibility compliance of the system — “ensure that the high-risk AI system complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882” | Skarval (provider) | Gap | Add accessibility conformance of the recruiter and candidate-facing UIs to the backlog. This duty sits in Art. 16 itself, not in an annex — it is easy to miss. | Art. 16 — Reg (EU) 2024/1689 |
| OB-12 | Art. 26(6) | Deployer log retention of at least six months — Skarval must enable it — “keep the logs automatically generated by that high-risk AI system […] of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data” | Customer (deployer) | Gap | FitScreen's tenant default purges decision logs after 90 days, so deployers cannot comply without a manual export. Change the default to ≥ 6-month retention and expose a retention control (§6). | Art. 26 — Reg (EU) 2024/1689 |

Quoted spans are verbatim from the fetched Art. 9 / Art. 16 / Art. 26 / Art. 43 texts; […] marks our elisions. Cross-referenced articles (13, 17, 18, 19, 20, 47, 48, 49) appear in the fetched Art. 16 text by number only — their content was not fetched in this run, so actions stop at what the fetched span requires and say so.

Section 5

Conformity-assessment route (Art. 43)

The fetched Art. 43(2) settles the route for FitScreen: “For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body.” FitScreen sits in point 4 — inside points 2 to 8 — so Skarval self-assesses under Annex VI; no notified body is involved. The notified-body alternatives in the fetched Art. 43(1) apply only to “high-risk AI systems listed in point 1 of Annex III”, which FitScreen is not. (Annex VI itself was not fetched; the route is named here, its contents are scoped in the engagement.)

Two more fetched Art. 43 findings matter to a quarterly-retrained system. First: “High-risk AI systems that have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure in the event of a substantial modification”. Second, the learning carve-out: “changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation […] shall not constitute a substantial modification.” Practical consequence for Skarval: describe the quarterly retraining envelope — data sources, metrics, thresholds — inside the initial assessment's technical documentation, or every retrain risks re-opening conformity. Citation: Art. 43 — Reg (EU) 2024/1689.

Section 6

Deployer duties Skarval must enable (Art. 26)

Skarval's customers carry their own obligations as deployers. A provider that makes those duties hard to discharge is selling its customers a compliance problem — so the readiness assessment treats deployer-enablement as provider work. Each row quotes the fetched Art. 26 span and names what FitScreen must ship.

| Provision | Deployer duty (fetched span) | What Skarval must ship |
|---|---|---|
| Art. 26(1) | “take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems” | Versioned, per-release instructions for use that are complete enough to be operated against. (The provider-side instructions duty lives in Article 13 — referenced in the fetched Art. 26(9) text, not itself fetched in this run.) |
| Art. 26(2) | “assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support” | A review surface where an overseer can see why a candidate ranked where they did and override the shortlist, plus training material that defines what “competence” means for FitScreen. |
| Art. 26(5) | “monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72” | A monitoring guide plus a named incident-intake channel. The same fetched paragraph obliges deployers to suspend use and escalate to the provider and the market surveillance authority when use presents a risk — Skarval's support process must be able to receive exactly that call. |
| Art. 26(6) | “keep the logs automatically generated by that high-risk AI system […] of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data” | A tenant retention default of at least six months and a retention control — see register row OB-12; today's 90-day purge makes compliance impossible without manual exports. |
| Art. 26(9) | “use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680” | A DPIA-consumable documentation pack: processing description, model inputs and outputs, oversight design — structured so a deployer's privacy team can lift it into their GDPR Art. 35 assessment. |
| Art. 26(11) | “shall inform the natural persons that they are subject to the use of the high-risk AI system” | A candidate-notice template and a product hook to deliver it — the fetched text scopes this to Annex III systems “that make decisions or assist in making decisions related to natural persons”, which is what FitScreen does. |

All spans are from the fetched Art. 26 (citation: Art. 26 — Reg (EU) 2024/1689). Art. 26(7) (informing workers' representatives before workplace use) binds deployers-as-employers and is noted for the deployer playbook rather than rowed here.

Section 7

Method note & refusal discipline

  • Sources fetched through the Ansvar gateway. The EU AI Act provisions cited here — Arts. 6, 9, 16, 26 and 43 — were fetched as full-text provision rows; Annex III arrived via search; the AI Office guidance row via the guidance fan-out. Every linked citation preserves the fetched source URL, publisher, and license. Nothing is cited from model recall.
  • The Annex III lookup limitation, on the record. A direct provision lookup for the annex returned “No provision matches EU AI_ACT annex_III.” The grounding row for point 4(a) came from the search fan-out instead, and its fragment is short — which is why the point-4 numbering leans on the fetched AI Office guidance row for corroboration (§3, step 2). A paid engagement closes this by citing the full annex text.
  • Off-topic search rows, named and excluded. The high-risk employment search also returned rows from Regulation (EU) 2023/1542 (batteries, Art. 79), Directive 2014/47/EU (roadside-inspection risk rating, Arts. 5–6), and Regulation (EU) No 3/2014 (vehicle definitions, Art. 2) — lexical matches on “high-risk” phrasing. They were excluded as off-topic; they are listed so the exclusion is checkable.
  • Refusal discipline. Unfetched text is never quoted. Marked analyst in this document: the Art. 3 role definitions (§2), the Annex I negative (§3 step 1), the Art. 5 screen (§3 step 0), the profiling definition (§3 step 4), the application dates (§1), and the contents of the cross-referenced Arts. 13, 17, 18, 19, 20, 47, 48 and 49 (§4). Gaps are marked, never filled with plausible text.
  • What a paid engagement adds. Your real system and a scoping call; the full Section 2 requirements walk; evidence-checked readiness verdicts instead of analyst-assigned ones; the deployer playbook; and a named senior reviewer who confirms or corrects every row before it ships.
Section 8

Sign-off

Senior review:   [shown for format — fictional sample, nothing to certify]
Reviewer:        [named reviewer — AI-governance / EU-regulatory]
Date:            [—]

A paid engagement ships only after the named reviewer has validated every row and signed here. This sample is published unsigned, on purpose, so you can read the document exactly as it leaves the engine.
