EU AI Act III(4)(a): High Risk

Pre-Hire Due Diligence Agent

One auditable due-diligence pipeline that verifies references, credentials and criminal records before the hire - and proves every consent and adverse-action notice was sent correctly across the UK, EU and US.

Can you prove the consent was valid, the criminal check was lawful, and the adverse-action notice went out on time - in every jurisdiction the candidate touched?

The agent runs pre-employment due diligence as a single auditable pipeline across the UK, EU and US. In the US it enforces FCRA Section 604(b) consent and the adverse-action sequence, the state Ban-the-Box timing, and Form I-9 verification; in the UK it runs DBS checks under the Rehabilitation of Offenders Act 1974; in the EU it applies the GDPR Article 9 and 10 limits on special-category and criminal data. Because the EU AI Act classes recruitment AI as high-risk, the model only orchestrates and flags - reference checks, credential validation, criminal screening and a Four-Fifths bias check - while consent capture, adverse-action notices and the final hiring call stay deterministic or human.

Outcome: A 1,000-employee company hiring 150 to 300 people a year is exposed under five to ten statutory regimes at once, and the exposure runs in several directions. A missing FCRA Section 604(b) disclosure becomes a class action at USD 100 to 1,000 per violation across the whole candidate pool. A Form I-9 gap invites an ICE audit at USD 281 to 2,789 per paperwork violation and far more per knowing hire. Algorithmic bias triggers the EU AI Act high-risk regime and the Mobley v. Workday (2023) precedent. A missing GDPR Article 35 DPIA reaches up to 4 percent of global turnover. And the underlying risk is real: cross-industry surveys find roughly one-third of applications contain false information, a January 2025 Resume Builder survey reports 44 percent admitted lying during hiring, and generative AI now produces fake reference letters in minutes.

62% Rules Engine
23% AI Agent
15% Human

The agent breaks pre-employment due diligence into 9 deterministic procedural decisions, 3 AI-augmented indicators and 2 mandatory human escalations - the DPIA and the EEO Officer's final hiring approval - each with a statute citation, audit trail and appeal path.

Invented degree, fabricated reference, undisclosed conviction - found six months too late, when the verification trail is exactly what a regulator and a class-action lawyer will examine.

Cross-jurisdictional pre-employment due diligence answers to five parallel statutory regimes. US anti-discrimination law sets the disparate-impact rules through the EEOC’s 2012 guidance. The FCRA governs consent and adverse-action notices. Form I-9 verification exposes the employer to ICE audit. The UK runs criminal checks through DBS under the Rehabilitation of Offenders Act 1974. And the EU adds the GDPR Article 9 and 10 limits alongside the EU AI Act high-risk regime, with fines up to EUR 35M or 7 percent of global turnover. A single pre-hire decision at a large or upper-mid-market employer can trigger all five at once.

Background check between compliance obligation and Title VII trap

This agent follows the Decision Layer principle: each decision is either rule-based, AI-assisted, or explicitly assigned to a human - and the human spots are reserved for the DPIA and the EEO Officer’s final hiring approval.

The hire is signed, the candidate starts - and six months later it turns out that the stated university degree never existed. The reference letter was manipulated. The criminal conviction was never disclosed. The Form I-9 was completed but the documents were never properly reviewed.

Cross-industry surveys show approximately one-third of all applications contain false information. A Resume Builder survey from January 2025 reports 44 percent of respondents admitted to lying during the hiring process - 24 percent directly in the CV. Since generative AI produces letters of reference and certificates in minutes, the rate keeps rising.

The legal side is asymmetric. Under Title VII, criminal-record screening that correlates with protected categories creates disparate-impact exposure unless an individualised assessment is done, as the EEOC’s 2012 guidance requires. FCRA statutory damages of USD 100 to 1,000 per violation, aggregated across the candidate pool, drive eight-figure class-action settlements. The UK Rehabilitation of Offenders Act 1974 protects against discrimination over a spent conviction. And unauthorised processing of special-category or criminal data under GDPR reaches up to 4 percent of global turnover.

EU AI Act high-risk classification, DPIA and FRIA

EU AI Act 2024/1689 Annex III(4)(a) classes AI systems for recruitment or selection as high-risk, and pre-employment due-diligence AI falls within scope because its verification decisions materially influence which candidates reach a final hire. Mobley v. Workday (2023) confirmed the same under US law: algorithmic discrimination in HR software is actionable on disparate-impact grounds across the whole pipeline.

The high-risk classification brings the full Chapter III conformity obligations - risk management, data governance, technical documentation, AI system logging, human oversight, accuracy and cybersecurity - together with a CE marking and a Fundamental Rights Impact Assessment by the deployer before first use. Fines reach EUR 35M or 7 percent of global turnover.

On top of this, GDPR Article 35 makes a DPIA mandatory for high-risk processing involving special-category or criminal data. The CJEU SCHUFA judgment (C-634/21, 2023) confirmed that scoring and profiling outputs which substantially shape a later decision count as automated decision-making, even when a nominal human review takes place.

US FCRA, Ban-the-Box and adverse-action notice

The FCRA Section 604(b)(2) requires a clear, standalone written disclosure before a consumer report is obtained - the document may contain nothing but the disclosure, with no liability waivers attached. Section 604(b)(3) requires the candidate’s written authorisation, and before any adverse action the employer must serve a Pre-Adverse Action Notice with a copy of the report, a Summary of Consumer Rights, and a 5-business-day window to dispute.

The Adverse Action Notice then follows under Section 615(a). Wilful non-compliance carries statutory damages of USD 100 to 1,000 per violation, which aggregate across the candidate pool into class-action exposure; Spokeo v. Robins (2016) confirmed that the procedural harm alone establishes standing.

More than 38 states delay any criminal-record inquiry until after a conditional offer is made. The EEOC’s 2012 arrest-and-conviction guidance sets the Title VII framework: blanket exclusions risk disparate-treatment liability, and disparate-impact liability requires an individualised assessment weighing the nature and gravity of the offence, the time elapsed and its relevance to the job. In California, the ICRAA adds a 7-year lookback and punitive damages of USD 10,000 for wilful non-compliance.

US Form I-9 employment eligibility verification

Form I-9, under Immigration and Nationality Act Section 274A, obliges the employer to verify each new hire’s identity and work authorisation. The candidate self-attests in Section 1 by the first day of employment, and the employer reviews the original documents in Section 2 within three business days, drawing on the List A, B and C categories of acceptable documents.

E-Verify, run jointly by USCIS and the Social Security Administration, confirms authorisation against federal databases. An ICE Form I-9 audit creates significant exposure: civil penalties of USD 281 to 2,789 per paperwork violation, USD 698 to 27,894 per knowing-hire violation, and criminal penalties for a pattern of violations. A Notice of Inspection typically gives only a three-day response window, and Section 274B bars discrimination on citizenship or national origin during the process.

UK DBS checks and ROA spent convictions

The UK runs criminal checks through a three-tier DBS framework: a basic check (with consent, unspent convictions only), a standard check for the regulated workforce (spent and unspent convictions, with cautions), and an enhanced check for roles with children or vulnerable adults (adding barred-list checks under the Safeguarding Vulnerable Groups Act 2006). The Rehabilitation of Offenders Act 1974 protects against discrimination over a spent conviction and limits when one must be disclosed. Under the DBS Filtering Rules, a single conviction is filtered after 11 years where no custodial sentence was imposed. Separately, the Modern Slavery Act 2015 requires supply-chain due diligence above GBP 36M turnover, and a Right to Work Check carries civil penalties up to GBP 20,000 per illegal worker.

Cross-reference to Candidate-Screening, Interview-Scheduling and Contract-Offer-Generation

The agent picks up from the Candidate-Screening Agent’s shortlist, runs after interview scheduling, feeds verified candidates into the Contract-Offer-Generation Agent, and triggers the Audit-Compliance Agent for the bias audit, DPIA and FRIA.

It integrates over API with the major ATS and HCM platforms (Workday, ADP, SAP SuccessFactors, Oracle Cloud HCM, Greenhouse, Lever, iCIMS, BambooHR) and the leading background-screening vendors (Sterling, HireRight, Checkr and others). Consent is sealed with a qualified electronic signature under eIDAS in the EU and ESIGN/UETA in the US.

At a glance

  • High-risk under EU AI Act 2024/1689 Annex III(4)(a) with full conformity duties, a deployer FRIA, fines up to EUR 35M or 7 percent of global turnover, and the Mobley v. Workday (2023) precedent
  • FCRA Section 604(b) standalone disclosure and authorisation with the Pre-Adverse Action Notice, the 5-business-day window, and statutory damages of USD 100 to 1,000 per violation
  • State Ban-the-Box laws applying the EEOC’s 2012 individualised-assessment framework, with a 7-year lookback and USD 10,000 punitive damages in California
  • Form I-9 verification with E-Verify, where an ICE audit carries USD 281 to 2,789 per paperwork violation and far more per knowing hire
  • UK DBS basic, standard and enhanced checks with ROA 1974 spent-conviction filtering, Modern Slavery Act due diligence, and the Right to Work Check
  • GDPR limits on special-category and criminal data under Articles 9 and 10, with a mandatory Article 35 DPIA and the SCHUFA judgment
  • ADA Title I medical-inquiry restrictions, barring disability inquiries before a conditional offer
  • Decision Layer audit trail retained per the longest applicable rule, from the AI system log lifetime under the EU AI Act to 5 years under the FCRA

Decision-Maker Distribution Pre-Hire-Due-Diligence

| Decision Type | Count | Decider | Examples |
|---|---|---|---|
| Rule-based deterministic | 9 | R | Jurisdiction routing, verification matrix, FCRA Section 604(b) consent, Form I-9 review, result validation, Pre-Adverse Action Notice, dispute handling, audit trail |
| ML-augmented intent indicator | 3 | A | Parallel verification orchestration, EU AI Act bias monitoring, SLA progress tracking |
| Mandatory human escalation | 2 | H | DPIA and FRIA, with EEOC individualised assessment at final hiring approval |

The 9 rule-based decisions handle deterministic procedural routing, where a statute citation determines the outcome. The 3 AI-augmented decisions provide indicators - the model output is an indicator, not a final decision. The 2 human escalations are the DPIA and FRIA, required by GDPR Article 35 and EU AI Act Article 27, and the EEOC individualised assessment at final hiring approval.

An escalation is triggered by a missing FCRA disclosure or Pre-Adverse Action Notice, a criminal-record discrepancy needing an individualised assessment, a Form I-9 gap, a spent-conviction discrepancy under the ROA 1974, a visa risk, or a bias indicator. Each one produces signed reasoning from the Talent Acquisition Director, DPO, EEO Officer, Hiring Manager and Compliance Officer, logged to the Decision Records as the basis for a later regulatory audit or class-action defence.

Micro-Decision Table

Who decides in this agent?

13 decision steps, split by decider

  • Rules Engine: 62% (8/13), deterministic
  • AI Agent: 23% (3/13), model-based with confidence
  • Human: 15% (2/13), explicitly assigned

Each row is a decision, followed by its decision record and whether it can be challenged.

Receive the due-diligence request and route it by role and jurisdiction

Identify the role type (regulated financial services, healthcare, childcare, government contractor or standard commercial), the jurisdiction (UK, EU Member State or US state) and the candidate context (visa requirement, protected veteran or disclosed disability), then map it to the applicable verification matrix under Title VII, the UK Equality Act 2010 and the GDPR criminal-records rules.

Decider: Rules Engine

A deterministic rule routes each request by role type and jurisdiction, mapping it to the applicable verification matrix - US state Ban-the-Box rules, the UK Rehabilitation of Offenders Act 1974, and the GDPR criminal-records derogations that vary by Member State.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Determine which verification activities are permitted in the jurisdiction

Apply the jurisdiction-specific matrix to decide which checks are required, permitted or prohibited - the FCRA consent and Ban-the-Box timing in the US, the ADA bar on pre-offer disability inquiries, the DBS check eligibility and ROA 1974 rehabilitation periods in the UK, and the GDPR Article 9 and 10 restrictions on special-category and criminal data in the EU.

Decider: Rules Engine

A jurisdiction-specific rule decides which checks are required, permitted or prohibited - for example, FCRA consent and Ban-the-Box timing in the US, DBS eligibility and ROA 1974 rehabilitation periods in the UK, and the GDPR Article 9 and 10 restrictions on special-category and criminal data in the EU.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Capture candidate consent per jurisdiction, sealed with a qualified e-signature

Capture explicit candidate consent for each verification type - the FCRA Section 604(b) standalone written disclosure and authorisation in the US, the ICRAA state-specific notices, the UK DBS application with its ROA 1974 acknowledgement, and the GDPR Article 13/14 notice with Article 9 explicit consent in the EU - each sealed with a qualified electronic signature under eIDAS.

Decider: Rules Engine (challengeable by Auditor)

A deterministic rule captures the consent each jurisdiction requires: the FCRA Section 604(b) standalone written disclosure in the US, the DBS application in the UK, and explicit GDPR consent in the EU, each sealed with a qualified electronic signature under eIDAS. Missing FCRA disclosure carries statutory damages of USD 100 to 1,000 per violation.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Validate identity and right to work per jurisdiction

Verify the candidate's identity and work authorisation - the US Form I-9 with employer review within three business days and E-Verify where applicable, the UK Online Right to Work Check with sponsor-licence verification, and the EU Member State work permit or Blue Card - flagging any visa-dependent case for a sponsor-licence cross-check.

Decider: Rules Engine

A deterministic rule verifies identity and work authorisation per jurisdiction: Form I-9 and E-Verify in the US, the Online Right to Work Check and sponsor-licence rules in the UK, and Member State work permits in the EU. At the pre-offer stage, ADA Title I bars disability inquiries.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Fire the verification requests in parallel - references, credentials and criminal record

Generate the verification requests in parallel rather than in sequence - the reference checks to the listed referees, the credential validations to the issuer registries, the employment verifications to previous employers, the criminal-record screening after the conditional offer per Ban-the-Box, and the sanctions-list screening against the OFAC, EU and UK lists.

Decider: AI Agent (challengeable by Vendor)

The model fires the verification requests in parallel through the background-screening vendors rather than one after another. Its output is an indicator, not a final decision; criminal-record checks stay deferred until after the conditional offer, as Ban-the-Box laws require.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Vendor

Monitor the pipeline for algorithmic bias under EU AI Act Annex III(4)(a)

Verify the due-diligence pipeline shows no disparate impact across the protected categories (sex, race or ethnicity, age, disability and national origin) by monitoring the selection rate, impact ratio and Four-Fifths Rule, under the EU AI Act risk-management and human-oversight duties and the Mobley v. Workday (2023) precedent.

Decider: AI Agent (challengeable by Auditor)

The model monitors selection rates against the EEOC Four-Fifths Rule to detect disparate impact across protected categories. Its output is an indicator, not a final decision. The EU AI Act classes this recruitment use as high-risk, and the Mobley v. Workday (2023) precedent confirms algorithmic discrimination is actionable across the hiring pipeline.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Auditor

Track verification progress and escalate SLA breaches

Monitor the response status across all verification streams, flag any delay that exceeds the SLA for that check type (from real-time sanctions screening to a 21-day DBS enhanced check), and escalate to the recruiter with the reason and a remediation proposal.

Decider: AI Agent (challengeable by Vendor)

The model polls each vendor for status, calculates deadlines per verification type and flags SLA breaches with a remediation proposal. Its output is an indicator, not a final decision.

Decision Record

Model version and confidence score
Input data and classification result
Decision rationale (explainability)
Audit trail with full traceability

Challengeable: Yes - fully documented, reviewable by humans, objection via formal process.

Challengeable by: Vendor

Validate the returned results and flag discrepancies

Apply rule-based validation to the returned results - reference-check completeness, the credential registry match, whether the employment dates and role match the candidate's account, the DBS Filtering Rules and ROA 1974 spent-conviction exclusion on criminal records, and sanctions-list disambiguation - then flag any discrepancy for human review.

Decider: Rules Engine

A deterministic rule checks each returned result for completeness and content match, then flags discrepancies for human review. Spent convictions are excluded under the ROA 1974 and DBS Filtering Rules, and criminal records follow the EEOC individualised-assessment factors - the nature and gravity of the offence, the time elapsed, and its relevance to the job.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Run the FCRA Section 604(b)(3) pre-adverse-action sequence

When the consumer report contains information that may lead to an adverse hiring action, deliver the Pre-Adverse Action Notice with a copy of the report and the Summary of Rights, open the 5-business-day dispute window, document it under FCRA Section 615(a), and wait for the dispute to resolve before any final adverse action.

Decider: Rules Engine (challengeable by Auditor)

A deterministic rule runs the FCRA Section 604(b)(3) adverse-action sequence: it delivers the Pre-Adverse Action Notice with a copy of the report, opens the 5-business-day dispute window, and waits before any final action. Skipping this carries statutory damages of USD 100 to 1,000 per violation and class-action exposure.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Auditor

Carry out the GDPR Article 35 DPIA and the EU AI Act Article 27 FRIA

Carry out the Data Protection Impact Assessment under GDPR Article 35 and the Fundamental Rights Impact Assessment under EU AI Act Article 27, assessing the systematic monitoring, the special-category and criminal-record data, the automated decision-making, any cross-border transfer and the bias and discrimination risk, then document the mitigation measures and residual risk.

Decider: Human (challengeable by Auditor)

A person carries out the impact assessment, because GDPR Article 35 makes a DPIA mandatory for this high-risk processing and the EU AI Act Article 27 requires a Fundamental Rights Impact Assessment from the deployer. Both demand human judgement of the risks, which cannot be delegated to a model.

Decision Record

Decider ID and role
Decision rationale
Timestamp and context

Challengeable: Yes - via manager, works council, or formal objection process.

Challengeable by: Auditor

Handle a candidate dispute and document the resolution

Process a candidate's dispute of the verification results - under the FCRA Section 611 procedures, the ICRAA right to inspect the file, the UK DBS Disputes Procedure and the GDPR rectification and erasure rights - by freezing the adverse action, coordinating the reinvestigation, updating the record and sending the candidate a written response.

Decider: Rules Engine (challengeable by Employee)

A deterministic rule processes candidate disputes: it freezes adverse action, coordinates the consumer reporting agency's reinvestigation under FCRA Section 611 and applies the GDPR rectification and erasure rights in the EU. The candidate receives a written response.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.

Challengeable by: Employee

Apply human oversight and the EEOC individualised assessment to the final decision

Does the designated approver - the Talent Acquisition Director, HR Director, DPO or EEO Officer - review the verification results, bias-audit summary and DPIA and FRIA findings, apply the EEOC individualised-assessment factors (the nature and gravity of any offence, the time elapsed and its relevance to the job), and make the final hiring decision on a documented basis?

Decider: Human (challengeable by Employee)

A designated approver makes the final hiring decision, applying the EEOC individualised-assessment factors and reviewing the bias audit and DPIA findings. The EU AI Act Article 14 makes this human oversight mandatory for high-risk recruitment AI.

Decision Record

Decider ID and role
Decision rationale
Timestamp and context

Challengeable: Yes - via manager, works council, or formal objection process.

Challengeable by: Employee

Log the audit trail and apply the retention rule under EU AI Act Article 12

Log every lifecycle event - decision records, reasoning, timestamps, signatures, access events, the bias-audit, verification, DPIA and FRIA findings and any dispute - and apply the retention each regime requires, including the AI system log lifetime under EU AI Act Article 12, five years post-disposition under the FCRA and seven years under the California ICRAA.

Decider: Rules Engine

A deterministic rule logs every lifecycle event - decision, reasoning, timestamp, signature, bias-audit and DPIA findings - and applies the retention each regime requires, including the AI system log lifetime under EU AI Act Article 12 and 5 years under the FCRA.

Decision Record

Rule ID and version number
Input data that triggered the rule
Calculation result and applied formula

Challengeable: Yes - rule application verifiable. Objection possible for incorrect data or wrong rule version.
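
The Four-Fifths Rule check named in the bias-monitoring decision above, as an added example (not the vendor's code): it computes each group's selection rate and impact ratio against the highest-rate group and returns an indicator for human review, never a hiring decision. The group labels, counts, the `MIN_GROUP_SIZE` cut-off and the reading of "selected" as "cleared the due-diligence stage" are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Iterable, List, Optional, Tuple

FOUR_FIFTHS = Fraction(4, 5)
MIN_GROUP_SIZE = 30  # assumption (not from the page): smaller groups are reported, not judged


@dataclass(frozen=True)
class GroupIndicator:
    group: str
    applicants: int
    cleared: int
    selection_rate: float
    impact_ratio: Optional[float]  # None when nobody in the reference set was cleared
    status: str                    # "ok" | "review" | "insufficient_data"


def four_fifths_indicator(outcomes: Iterable[Tuple[str, bool]],
                          min_group_size: int = MIN_GROUP_SIZE) -> List[GroupIndicator]:
    """Return one indicator per group from (group, cleared) stage outcomes."""
    counts: Dict[str, List[int]] = {}
    for group, cleared in outcomes:
        tally = counts.setdefault(group, [0, 0])
        tally[0] += 1
        tally[1] += int(bool(cleared))

    # Exact rational arithmetic so a ratio of exactly 4/5 is not misjudged by float rounding.
    rates = {g: Fraction(c, n) for g, (n, c) in counts.items()}
    # Reference rate: the highest selection rate among groups large enough to judge.
    reference = max((rates[g] for g, (n, _) in counts.items() if n >= min_group_size),
                    default=Fraction(0))

    results = []
    for g in sorted(counts):
        n, c = counts[g]
        ratio = rates[g] / reference if reference > 0 else None
        if n < min_group_size or ratio is None:
            status = "insufficient_data"
        elif ratio < FOUR_FIFTHS:      # the rule flags rates below four-fifths, not equal to it
            status = "review"
        else:
            status = "ok"
        results.append(GroupIndicator(
            g, n, c, round(float(rates[g]), 4),
            None if ratio is None else round(float(ratio), 4), status))
    return results


def escalation_record(results: List[GroupIndicator], stage: str) -> dict:
    """Package the indicator for the human reviewer; the inputs travel with the flag."""
    flagged = [r.group for r in results if r.status == "review"]
    return {
        "stage": stage,
        "indicator": "four_fifths",
        "escalate_to_human": bool(flagged),
        "flagged_groups": flagged,
        "unassessed_groups": [r.group for r in results if r.status == "insufficient_data"],
        "inputs": {r.group: {"applicants": r.applicants, "cleared": r.cleared}
                   for r in results},
    }


def expand_counts(counts: Dict[str, Tuple[int, int]]) -> List[Tuple[str, bool]]:
    """Turn {group: (applicants, cleared)} into per-candidate outcomes."""
    return [(g, i < c) for g, (n, c) in counts.items() for i in range(n)]


# Constructed sample data: not real candidates, not from the page.
SAMPLE = expand_counts({
    "group_a": (100, 60),  # rate 0.60, the reference group
    "group_b": (80, 36),   # rate 0.45, ratio 0.75 -> review
    "group_c": (50, 24),   # rate 0.48, ratio exactly 0.80 -> ok
    "group_d": (10, 2),    # too few applicants to judge
})

if __name__ == "__main__":
    indicators = four_fifths_indicator(SAMPLE)
    for row in indicators:
        print(row)
    print(escalation_record(indicators, stage="criminal_record_screening"))
```
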

Decision Record and Right to Challenge

Every decision this agent makes or prepares is documented in a complete decision record. Affected employees can review, understand, and challenge every individual decision.

Which rule in which version was applied?
What data was the decision based on?
Who (human, rules engine, or AI) decided - and why?
How can the affected person file an objection?

Governance Notes

EU AI Act III(4)(a): High Risk
The Pre-Hire Due Diligence Agent is high-risk under EU AI Act 2024/1689 Annex III(4)(a), because a pre-employment background check is part of selecting a candidate. That classification brings the full Chapter III obligations: a risk-management system, data governance, technical documentation, AI system logging, transparency to deployers, human oversight, conformity assessment and CE marking. The deployer must also run a Fundamental Rights Impact Assessment under Article 27 before first use, and fines reach EUR 35M or 7 percent of global turnover. The Mobley v. Workday (2023) precedent confirms algorithmic discrimination in HR software is actionable across the recruitment pipeline.

On the data-protection side, GDPR Article 9 governs special-category data and Article 10 restricts criminal-records processing to where official authority or specific authorisation exists; the CJEU SCHUFA judgment (C-634/21, 2023) confirms that recruitment shortlisting falls under the automated-decision rules, and Article 35 makes a DPIA mandatory. The UK applies the equivalent framework through the DPA 2018 and runs criminal checks through the three-tier DBS regime with Rehabilitation of Offenders Act 1974 protections.

US law adds three distinct layers. Title VII disparate-impact analysis under the EEOC's 2012 arrest-and-conviction guidance requires an individualised assessment; the FCRA requires a standalone Section 604(b) disclosure as well as the Pre-Adverse and Adverse Action Notices with a 5-business-day window; and Form I-9 verification under the Immigration and Nationality Act exposes the employer to ICE audit penalties.

Because these penalties stack across regimes, the agent records every verification, bias audit, DPIA and dispute with full reasoning and signatures.

Assessment

Agent Readiness 58-65%
Governance Complexity 78-85%
Economic Impact 51-58%
Lighthouse Effect 38-45%
Implementation Complexity 54-61%
Transaction Volume Weekly

Prerequisites

  • Verification Type Matrix per role and jurisdiction (US 38-state Ban-the-Box + California Fair Chance Act + NYC Fair Chance Act + Illinois Job Opportunities + Massachusetts CORI + UK DBS basic + standard + enhanced + Rehabilitation of Offenders Act 1974 + EU GDPR Article 9 + Article 10 + Member State criminal records derogations + role-specific regulated occupations financial services + healthcare + childcare + government contractor)
  • Background Screening Provider Integration (Sterling Background Checks + HireRight + Checkr + GoodHire + Accurate Background + First Advantage + LexisNexis Risk Solutions + Cisive + Truework + Pre-Employment Verification Inc PEVI) FCRA-compliant + Section 604(b) consent capture + Pre-Adverse Action Notice + Adverse Action Notice + 5-business-day waiting period + ICRAA California compliance + UK DBS + AICPA SOC 2 Type II + ISO 27001
  • Reference Collection Workflow + Templates with Title VII compliant questions + ADA accommodation considerations + structured questionnaire + interviewer training + reference contact methodology + EEOC Forbidden Questions exclusion + UK Equality Act 2010 reasonable adjustment + GDPR Article 13 + Article 14 information notice + Article 9 special category data restrictions + cross-reference Compliance-Training-Agent
  • Credential Validation Service Integration with university registries + professional bodies + chambers + licensing authorities + global education verification networks (NACES + UK NARIC) + employment verification services + International Background Screening Association IBSA standards + ICRAA California compliance + EU GDPR Article 6 + Article 9 + Article 10
  • Candidate Consent Management System per FCRA Section 604(b)(2) standalone written disclosure + Section 604(b)(3) written authorisation + ICRAA California Civil Code 1786.16 + UK DBS application form + GDPR Article 7 conditions for consent + Article 9(2)(a) explicit consent + Article 13 + Article 14 information notice + eIDAS Regulation 910/2014 Article 25-34 QSig + ESIGN Act + UETA + DocuSign + Adobe Sign + HelloSign + Yousign EU Trust Service Provider
  • EU AI Act 2024/1689 Article 9-15 Conformity Documentation for Annex III(4)(a) High-Risk AI System (risk management system + data governance + technical documentation + record-keeping AI system logs + transparency to deployers + human oversight + accuracy + cybersecurity) + Article 26 deployer obligations + Article 27 fundamental rights impact assessment FRIA + Article 47 EU declaration of conformity + Article 48 CE marking + DPIA per GDPR Article 35 + UK ICO DPIA guidance + AESIA Spanish AI Supervisory Agency + Mobley v. Workday 2023 settlement compliance
  • Data Protection Impact Assessment for candidate background processing per GDPR Article 35 + UK GDPR + DPA 2018 + ICO DPIA guidance + AEPD DPIA guidance + Italian Garante DPIA guidance + assessment of Article 9 special category data + Article 10 criminal records + Article 22 automated decision-making + cross-border transfer + bias risk + discrimination risk + necessity proportionality + mitigation measures
  • Legal Review of Permissible Checks per Jurisdiction (US 38-state Ban-the-Box + California Fair Chance Act + NYC Fair Chance Act + Illinois Job Opportunities + Massachusetts CORI + UK DBS Code of Practice + Police Act 1997 Part V + Rehabilitation of Offenders Act 1974 + DBS Filtering Rules + EU GDPR Article 9 + Article 10 + DPA 2018 Schedule 1 + Member State employment derogations + EEOC Enforcement Guidance Arrest and Conviction Records 2012 individualised assessment) reviewed by employment counsel + DPO + EEO Officer + cross-reference Audit-Compliance-Agent

What this assessment contains: 9 slides for your leadership team

Personalised with your numbers. Generated in 2 minutes directly in your browser. No upload, no login.

  1. Title slide - Process name, decision points, automation potential
  2. Executive summary - FTE freed, cost per transaction before/after, break-even date, cost of waiting
  3. Current state - Transaction volume, error costs, growth scenario with FTE comparison
  4. Solution architecture - Human - rules engine - AI agent with specific decision points
  5. Governance - EU AI Act, works council, audit trail - with traffic light status
  6. Risk analysis - 5 risks with likelihood, impact and mitigation
  7. Roadmap - 3-phase plan with concrete calendar dates and Go/No-Go
  8. Business case - 3-scenario comparison (do nothing/hire/automate) plus 3×3 sensitivity matrix
  9. Discussion proposal - Concrete next steps with timeline and responsibilities

Includes: 3-scenario comparison

Do nothing vs. new hire vs. automation - with your salary level, your error rate and your growth plan. The one slide your CFO wants to see first.

Calculation methodology

Hourly rate: Annual salary (your input) × 1.3 employer burden ÷ 1,720 annual work hours

Savings: Transactions × 12 × automation rate × minutes/transaction × hourly rate × economic factor

Quality ROI: Error reduction × transactions × 12 × EUR 260/error (APQC Open Standards Benchmarking)

FTE: Saved hours ÷ 1,720 annual work hours

Break-Even: Benchmark investment ÷ monthly combined savings (efficiency + quality)

New hire: Annual salary × 1.3 + EUR 12,000 recruiting per FTE

All data stays in your browser. Nothing is transmitted to any server.

Pre-Hire Due Diligence Agent

Initial assessment for your leadership team

A thorough initial assessment in 2 minutes - with your numbers, your risk profile and industry benchmarks. No vendor logo, no sales pitch.


Agent Blueprint Available

A full blueprint for Pre-Hire Due Diligence Agent is available with micro-decision decomposition, industry variants, and implementation details.


Related Agents

Candidate Screening Agent

One auditable candidate-screening pipeline - CV parsing, resume screening, shortlist generation and continuous bias monitoring - built to satisfy the EU AI Act's high-risk obligations, the EEOC four-fifths rule, NYC Local Law 144 and the UK Equality Act by construction, not retrofit.

EU AI Act III(4)(a): High Risk
Readiness: 64-71%
Economic: 78-85%
Governance: 74-81%
Micro-Decisions: 13
Daily

Executive Recruiting Agent

Runs a confidential C-suite search across US, UK and EU governance - coordinating the Audit, Compensation and Nomination Committees, modelling executive pay, and meeting its EU AI Act high-risk obligations with a pay-equity check and a human decision at every gate.

EU AI Act III(4)(a): High Risk
Readiness: 51-58%
Economic: 66-73%
Governance: 81-88%
Micro-Decisions: 14
Monthly

Interview Scheduling Agent

One auditable interview-scheduling pipeline that stays Title VII compliant - pay ranges disclosed where the law requires, a bias audit on every slot proposal under EU AI Act Annex III(4)(a), and ADA accommodation built in - across the UK, EU and US.

EU AI Act III(4)(a): High Risk
Readiness: 78-85%
Economic: 66-73%
Governance: 58-65%
Micro-Decisions: 14
Daily

Frequently Asked Questions

How does the EU AI Act high-risk recruitment classification apply, and what does it require?

Pre-employment due diligence is a high-risk AI system under EU AI Act Annex III(4)(a), because that provision covers AI used to recruit or select people - and due diligence is the gateway between the conditional offer and the final hiring decision. The Mobley v. Workday (2023) precedent confirms that algorithmic discrimination is actionable across the whole hiring pipeline, due diligence included. High-risk classification brings the full conformity stack: a risk-management system, data governance, technical documentation, record-keeping over the system's lifetime, human oversight, accuracy and cybersecurity, a conformity assessment, the EU declaration of conformity and CE marking (Articles 9 to 16, 47 and 48). The Article 26 deployer duties add using the system per instructions, assigning competent human oversight, monitoring operation, keeping the logs, and informing workers and their representatives before deployment. Article 27 requires a Fundamental Rights Impact Assessment before first use, and the Article 99 penalties reach EUR 15M or 3 percent of global turnover for a high-risk breach. The agent runs within this framework - human oversight by the Talent Acquisition Director, EEO Officer and DPO, candidate transparency, log-keeping, the bias audit and the FRIA - working with the Audit-Compliance and Candidate-Screening agents.

How do FCRA consent, Ban-the-Box and the EEOC arrest-and-conviction guidance operate across US states?

US background checks layer several statutes. The FCRA Section 604(b) requires a clear, standalone written disclosure before pulling a consumer report - on a document that holds nothing but the disclosure, with no liability waiver or employer branding - plus the candidate's written authorisation. Before any adverse action, Section 604(b)(3) requires a Pre-Adverse Action Notice with a copy of the report and the Summary of Rights, then a 5-business-day dispute window, followed by the Section 615(a) Adverse Action Notice; a wilful breach under Section 616 carries USD 100 to 1,000 per violation, which aggregates dangerously at class scale (Spokeo v. Robins confirmed standing for the procedural harm). Over 38 states add Ban-the-Box laws that delay any criminal-record inquiry until after the conditional offer. The EEOC 2012 guidance then governs Title VII: a blanket criminal exclusion risks disparate-impact liability, so an individualised assessment is required, weighing the nature and gravity of the offence, the time elapsed and its relevance to the job. California's ICRAA adds a 7-year lookback and a right to inspect the file. The agent automates the whole matrix - the FCRA disclosure and adverse-action notices, the Ban-the-Box timing, the ICRAA lookback and the EEOC factors - working with the Candidate-Screening and Audit-Compliance agents.

How do the UK DBS checks, the Rehabilitation of Offenders Act and the Modern Slavery Act work?

UK criminal-record disclosure runs on a three-tier DBS framework, gated by the Rehabilitation of Offenders Act 1974. A basic check (open to any role with consent) shows only unspent convictions, where the rehabilitation period runs from a few years for short custodial sentences to never-spent for sentences over four years. A standard check, for the regulated workforce, adds spent convictions and cautions, and an enhanced check, for work with children or vulnerable adults, adds barred-list cross-checks under the Safeguarding Vulnerable Groups Act 2006. The ROA 1974 protects spent convictions from discrimination (Section 4) and removes the duty to disclose them outside excepted occupations such as healthcare, financial and legal services (Section 5), as Mansfield v. CPS (2019) confirmed. The DBS Filtering Rules then strip older single convictions and cautions from standard and enhanced checks. Separately, the Modern Slavery Act 2015 Section 54 requires firms over GBP 36M turnover to publish a supply-chain statement covering labour recruitment, and the Right to Work check carries civil penalties up to GBP 20,000 per illegal worker. The agent automates the DBS application by role eligibility, the ROA spent-conviction filtering, the Modern Slavery supply-chain check and the Right to Work check, working with the Audit-Compliance and Onboarding-Workflow agents.

How do Form I-9, E-Verify and the ICE audit process work?

Form I-9, required under Immigration and Nationality Act Section 274A, makes every US employer verify the identity and work authorisation of each new hire. It uses three document categories: List A establishes both identity and authorisation (such as a US passport or permanent resident card), while List B establishes identity and List C establishes authorisation. The employee self-attests in Section 1 by the first day of employment, and the employer reviews the original documents in person and completes Section 2 within three business days, retaining the form for three years post-hire or one year post-termination, whichever is later. E-Verify, a USCIS and SSA partnership, is mandatory for federal contractors and in some states, and a Tentative Nonconfirmation gives the candidate a chance to dispute. An ICE Form I-9 audit, typically opened with a three-day Notice of Inspection, carries civil penalties from about USD 281 per paperwork violation up to nearly USD 27,894 for a knowing hire, with criminal exposure for a pattern of violations. The employer also cannot specify which documents to present or reject genuine ones, since Section 274B bars citizenship and national-origin discrimination. The agent automates the I-9 workflow, the E-Verify integration, the retention schedule and the ICE audit response, working with the Onboarding-Workflow and HR-Document-Management agents.

How does the ADA Title I bar on pre-offer disability inquiries and medical exams work?

ADA Title I controls disability inquiries in three stages. Before a conditional offer (Section 12112(d)(2)), the employer cannot ask about the existence, nature or severity of a disability, order a medical exam, ask about workers' compensation history or request genetic information under GINA - it can only ask whether the candidate can perform the job's functions. At the conditional-offer stage, a medical exam is permitted only if required of everyone entering that job category, and its results can be used only where job-related and consistent with business necessity, with medical records kept in a separate, restricted file. Post-employment, exams are limited to the same business-necessity standard. The UK Equality Act 2010 Section 60 mirrors this, barring pre-employment health enquiries outside narrow exceptions, and the GDPR Article 9 restricts processing health data without a lawful exception. Reasonable accommodation under Section 12112(b)(5) runs through an interactive process and can include accessible facilities, modified equipment, interpreters, or interview adjustments such as a sign-language interpreter, assistive technology, extended time or a remote option. The agent automates this timing and the accommodation process across the ADA, the UK Equality Act and the GDPR, working with the Equipment-Provisioning and Compliance-Training agents.

How do the GDPR automated-decision and DPIA rules and the EU AI Act FRIA apply here?

Two regimes - data protection and AI governance - stack their impact-assessment duties on pre-employment due diligence. GDPR Article 22 bars decisions based solely on automated processing that have a legal or similarly significant effect, unless they rest on contract necessity, Member State law or explicit consent, and even then the candidate keeps the right to human intervention, to express a view and to contest the decision. The CJEU SCHUFA judgment (December 2023) extended this to scoring and recommendation outputs that substantially influence a later decision even with nominal human review - directly relevant where verification results shape who reaches the final offer. Article 9 restricts special-category data and Article 10 limits criminal-record processing to official authority or specific authorisation. A DPIA under Article 35 is mandatory before high-risk processing - systematic evaluation, large-scale special-category data, AI applications or criminal records - and must describe the processing, assess necessity, proportionality and risk, and set out mitigations; skipping it risks a fine up to EUR 10M or 2 percent of turnover. The EU AI Act Article 27 then adds a Fundamental Rights Impact Assessment covering dimensions beyond data protection, such as discrimination, accessibility and worker protection. The agent runs an integrated DPIA and FRIA covering the monitoring, special-category and criminal-record data, the automated decision-making and the bias and discrimination risk, working with the Audit-Compliance and Compliance-Monitoring agents.

How does the Pre-Hire Due Diligence Agent differ from the Candidate Screening Agent and Interview Scheduling Agent and Contract Offer Generation Agent?

The four agents share the recruitment funnel but own different stages. The Pre-Hire Due Diligence Agent (this one) runs the post-offer background-check pipeline: the FCRA consent and adverse-action sequence, Ban-the-Box and ICRAA timing, reference, credential, criminal-record and sanctions screening, Form I-9 and E-Verify, the UK DBS checks with ROA 1974 filtering, the EU AI Act high-risk bias audit and the ADA medical-inquiry restrictions, integrating with vendors such as Sterling, HireRight and Checkr. The Candidate Screening Agent sits earlier in the funnel, on CV parsing, resume screening and the Four-Fifths Rule bias audit before any background check. The Interview Scheduling Agent handles multi-calendar conflict resolution, the EEOC forbidden-questions filter, the EU Pay Transparency Directive and interview accommodations. The Contract Offer Generation Agent produces the offer letter, employment terms and restrictive covenants and triggers onboarding. They chain together: due diligence triggers from the screening shortlist after the final interview and feeds cleared candidates to offer generation, drawing on the HR Document Management Agent for retention and triggering the Audit Compliance Agent for the bias audit, DPIA and FRIA. All four share the same statutory base - the EU AI Act high-risk recruitment rules, GDPR Articles 22 and 35, Title VII, the ADA, the UK Equality Act and ISO 27001.

What Happens Next?

  1. Initial call (30 minutes) - We analyse your process and identify the optimal starting point.
  2. Discover (1 week) - Mapping your decision logic. Rule sets documented, Decision Layer designed.
  3. Build (3-4 weeks) - Production agent in your infrastructure. Governance, audit trail, cert-ready from day 1.
  4. Self-sufficient (12-18 months) - Full access to source code, prompts and rule versions. No vendor lock-in.

Implement This Agent?

We assess your process landscape and show how this agent fits into your infrastructure.