The ICO has put AI hiring under the risk and compliance spotlight. Enterprise leaders should pay attention.


On 31 March 2026, the UK’s Information Commissioner’s Office (ICO) called on businesses to review their use of automated decisions in recruitment and published fresh expectations for organizations using automated decision-making in hiring. The regulator said it had engaged with more than 30 employees, written to 16 organizations likely to be using automated decision-making in candidate decisions, and secured commitments to improve practices. This was not a minor HR update. It was a visible warning that AI-led decision-making is moving into high-impact processes faster than many organizations are building the controls to govern it properly.

This warning did not come out of nowhere.

Gartner found in early 2024 that 38% of HR leaders were already piloting, planning, or implementing generative AI in HR, up from 19% in June 2023, with recruiting among the top use cases.

Why this matters now: AI adoption is moving faster than governance maturity

The timing matters.

The ICO has noted that 70% of employers expect to increase their use of AI and automation in recruitment over the next five years, citing survey data from the Institute of Student Employers. That figure sits alongside wider enterprise adoption numbers, which matter far beyond hiring.

McKinsey found that 78% of respondents said their organizations were using AI in at least one business function, up from 72% in early 2024 and 55% a year earlier, with organizations now using AI in an average of 3 business functions. Once AI is influencing decisions across multiple workflows, governance gaps stop looking like isolated process quirks and start looking like enterprise control failures.

This is a governance, risk and compliance issue, not just an HR issue.

There is a real GRC story here. The risk is not only that a model produces a poor output. It is that enterprises allow important decisions to become partially or fully automated without building clear ownership, rights to challenge, auditability, and evidence around them.

McKinsey makes the point clearly in how broadly it defines AI use:

“Use of AI, therefore, spans from early experimentation by a few employees to AI being embedded across multiple business units that have entirely redesigned their business processes.”

McKinsey, The state of AI: How organizations are rewiring to capture value

That means many leaders may be underestimating how far AI has already spread inside their organizations, and how inconsistent governance may now be across functions.

Why recruitment is the clearest warning sign for AI governance

It is no wonder that so much of the ICO’s focus has been on recruitment and automated decision-making.

Recruitment is one of the clearest places to see the problem because it directly affects people’s opportunities and rights. The ICO’s message was explicit: if employers want to use automated decisions in hiring, “proper safeguards must be in place,” and those decisions must be transparent, fair, and understandable. That is not just a communications issue. It is a control issue.

Gartner found in 2025 that only 26% of job candidates trust AI to evaluate them fairly, even though 52% believe AI screens their application information. In other words, trust is already weak before a regulator even arrives.

The legal trigger raises the stakes further.

Under the UK legal framework, where a decision is made solely by automated processing and has legal or similarly significant effects, individuals must be given meaningful information, along with rights to obtain human intervention, express their point of view, and contest the decision.

In its AI recruitment audit program, the ICO made 296 recommendations after finding that some hiring tools could directly enable discriminatory outcomes, including filtering by protected characteristics and relying on inaccurate inferred demographic data that undermines bias monitoring.

The ICO is also clear that even where a process includes meaningful human involvement, the principles of fairness, transparency, and accountability still apply.

For enterprise leaders, that is the practical question worth asking now: are we using AI in ways that trigger rights, safeguards, and board-level accountability without fully recognizing it?

In automated decision-making human oversight must be real, not cosmetic.

This is why the Article 22 (UK GDPR) conversation should not be reduced to a technical debate about whether a person clicked “approve” at the end. The harder compliance question is whether the organization can show where human judgment actually sits, what information that reviewer saw, whether they had authority to change the outcome, and how that process would stand up if challenged.

A weak or cosmetic review step does little to reduce legal exposure if the real decisioning logic remains opaque.

Independent research has shown how serious the underlying bias risk can be: in a 2024 University of Washington study of AI resume screening, white-associated names were preferred 85% of the time, while Black-associated names were preferred just 9% of the time.

The ICO itself said it found a need for greater consistency in human involvement and better rights to recourse, alongside stronger bias monitoring.

Why DPIAs matter more than many teams realize.

The overlooked issue is the Data Protection Impact Assessment. In this context, a DPIA is not simply a compliance tick-box.

The ICO says a DPIA is always required for systematic and extensive profiling or other automated evaluation used for decisions that produce legal or similarly significant effects. It adds that DPIAs should be living documents, reviewed when the nature, scope, context, or purpose of the processing changes, and that organizations must consult the ICO if high residual risks cannot be reduced. That matters because many AI assessments still sit too close to procurement or privacy paperwork and too far from the real operational evidence of how systems are used, changed, monitored, and challenged over time.

A 2025 Data Privacy Benchmark Study shows why that gap matters: 64% of respondents worry about sensitive information being shared publicly or with competitors through generative AI use, yet nearly half admit inputting personal employee or non-public data into GenAI tools anyway.

For enterprises, recruitment is just one symptom of a broader failure

Seen properly, recruitment is not uniquely broken. It is just a high-visibility environment where wider governance failures are easier to spot.

The ICO has said recruitment is one of its priority scrutiny areas under its AI and biometrics strategy, with risks focused on transparency, discrimination and redress, and the regulator said it made almost 300 recommendations in 2024 to providers and developers of AI recruitment tools to improve compliance. The wider governance picture looks similar elsewhere.

A 2025 global study led by the University of Melbourne with KPMG found that 58% of employees intentionally use AI tools at work on a regular basis, but only 47% say they have received AI training, and only 40% say their workplace has a policy or guidance on generative AI use.

That is exactly what a governance gap looks like in practice: adoption outpacing controls.

Learning from the use case of hiring: the same questions should now be asked across the business.

The same recurring questions now apply well beyond hiring.

  • Who approved the model?
  • What data was used?
  • How are bias and drift monitored?
  • Where does human judgment sit?
  • What happens when a decision is challenged?
  • What evidence will still exist six months later?

Those are not HR questions. They are enterprise risk questions.

They arise just as easily in customer triage, complaints handling, fraud review, workforce management, third-party screening, and internal prioritization decisions. The more AI gets folded into ordinary business processes, the less sustainable it becomes to govern each use case in isolation.

Trust and oversight angle: speed is not the same as legitimacy.

There is also a broader trust problem forming around this. Stanford HAI’s 2025 AI Index reports that global confidence that AI companies protect personal data fell from 50% in 2023 to 47% in 2024, and fewer people now believe AI systems are unbiased and free from discrimination than a year earlier.

At the same time, the KPMG and University of Melbourne study found that 66% of people rely on AI output without evaluating its accuracy and 56% say they have made mistakes in their work because of AI.

So, the compliance risk is not simply that AI is moving fast. It is that AI is moving fast into environments where trust is fragile, checking is inconsistent, and the consequences of error are often carried by the individual affected, not the system designer.

The direction of travel is also becoming more formal.

Outside the UK, the EU AI Act treats AI tools for employment, management of workers and access to self-employment, including CV-sorting software for recruitment, as high-risk use cases. The European Commission says these systems are subject to strict obligations, including risk assessment, high-quality datasets to minimize discriminatory outcomes, logging for traceability, documentation, human oversight, and robustness.

The Commission also says the rules for high-risk AI will come into effect in August 2026 and August 2027. Even for UK-focused organizations, the signal is obvious: high-impact AI decisions are moving toward more explicit governance, more formal obligations, and more scrutiny around evidence and control.

Conclusion – what to take away as a risk and compliance leader

For risk and compliance leaders, the takeaway is simple. The ICO’s recruitment intervention should not be read as a niche story about hiring tools. It should be read as an early stress test for enterprise AI governance.

If your organization cannot show where automated decisions are already happening, which of them affect people or rights, what safeguards apply, who owns oversight, and what evidence you could produce tomorrow if challenged, then the governance problem is larger than the current use case.

Public expectations are only hardening: the KPMG and University of Melbourne study found that 70% of people believe AI regulation is needed, while only 43% believe existing laws and regulation are adequate.

The organizations that respond well will not be the ones that adopted AI fastest. They will be the ones that can prove they govern it properly.

AI governance includes looking beyond internal use cases too. As we explored in our recent piece on AI and vendor risk, organizations also need to understand how AI is entering the business through third parties, embedded tools, and supplier ecosystems, not just through systems they built or approved directly.

FAQ on the ICO and AI in recruitment

What did the ICO say about AI in recruitment?

On 31 March 2026, the ICO called on businesses to review their use of automated decisions in recruitment. It said firms can use automation, but proper safeguards must be in place so decisions are transparent, fair, and easy to understand. The ICO also said it had spoken to more than 30 workers, contacted 16 organizations, and secured commitments to improve practices.

Why is AI hiring a GRC issue and not just an HR issue?

Because the core risk is not just bad output. It is poor governance over decisions that can affect people’s opportunities, rights, and access. When AI is used across multiple business functions, weak ownership, weak controls, and poor auditability become enterprise risk issues, not isolated hiring issues. McKinsey’s data shows AI is already embedded across several business functions in many organizations.

When does automated decision making become a legal risk?

Under ICO guidance, the risk becomes much sharper when a decision is based solely on automated processing and has legal or similarly significant effects. In those cases, individuals must be able to obtain human intervention, express their point of view, and challenge the decision. The ICO is also clear that human oversight must be real, not tokenistic.

Why should UK businesses care about the EU AI Act in the context of hiring?

Because the direction of travel is obvious. The European Commission classifies AI tools used for employment, management of workers, and access to self-employment, including CV-sorting software for recruitment, as high-risk. It says these systems face strict obligations around risk assessment, dataset quality, logging, documentation, human oversight, robustness, and cybersecurity, with the high-risk rules taking effect in August 2026 and August 2027.

Can candidate trust in AI hiring really become a business risk?

Yes. Gartner found only 26% of candidates trust AI to evaluate them fairly. Stanford HAI also found global confidence that AI companies protect personal data fell from 50% in 2023 to 47% in 2024, and fewer people now believe AI systems are unbiased and free from discrimination. Weak trust raises reputational, legal, and operational risk all at once.
