AI risk assessment

Worked example · fictional company (Vesta Mutual Insurance AS) · free PDF · CC BY 4.0

This assessment covers TalentScreen, a tool that ranks job applicants, and it turns on a distinction almost everyone gets wrong: when a fundamental rights impact assessment is required.

TalentScreen is high-risk: the AI Act treats recruitment and candidate filtering that way, and Vesta as the deployer owes the full Article 26 duty set. But the Article 27 rights assessment is not triggered here, because a private employer's recruitment use sits outside its scope. The same question for PriceWise, Vesta's insurance pricing model, lands the other way: pricing of natural persons in life and health insurance does pull in the rights assessment. Recruitment tool, no; pricing model, yes. The assessment records the reasoning either way, because a defensible no is worth as much as a yes.

The rest is honest risk work. A two-hour workshop with HR, IT, the DPO, and a works-council member walked the system's data flow and scored each risk before and after controls. The two that stay amber after mitigation are proxy discrimination and automation bias, both inherent to ranking tools and both held at medium by auditable controls: quarterly disparate-impact testing with a 0.8 selection-rate trigger, a weekly sample review below the cut line, and an override rate tracked as a health metric. The COO accepts that residual level in writing, on conditions, with a hard reassessment date. Scoring is judgment; the value is in writing it down so it can be challenged.
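The two auditable controls are easier to challenge when their arithmetic is explicit. The Python below is an added example, not from the PDF or from Vesta's own tooling: it computes per-group selection rates for one quarter, the impact ratio of each group against the best-performing group, flags any group whose ratio falls below the 0.8 trigger, and computes the override rate from a weekly sample review. The group labels, applicant counts and review outcomes are constructed for illustration.

```python
"""Quarterly disparate-impact check and weekly override-rate metric.

Selection rate = share of a group's applicants advanced past the cut line.
Impact ratio   = a group's selection rate / the highest group's selection rate.
A ratio below the trigger (0.8) flags that group for review.
"""
from collections import defaultdict

TRIGGER = 0.8  # impact ratio below which the control fires

# Constructed sample decisions: (group label, advanced past the cut line?).
# Labels and counts are invented for this example.
SAMPLE_DECISIONS = (
    [("A", True)] * 40 + [("A", False)] * 60    # 40% selection rate
    + [("B", True)] * 28 + [("B", False)] * 72  # 28% -> ratio 0.70, flagged
    + [("C", True)] * 36 + [("C", False)] * 64  # 36% -> ratio 0.90, clear
)


def selection_rates(decisions):
    """Return {group: advanced / total} for every group in the decisions."""
    advanced = defaultdict(int)
    total = defaultdict(int)
    for group, passed in decisions:
        total[group] += 1
        if passed:
            advanced[group] += 1
    return {g: advanced[g] / total[g] for g in total}


def disparate_impact(decisions, trigger=TRIGGER):
    """Return (impact ratios per group, sorted list of groups below trigger)."""
    rates = selection_rates(decisions)
    if not rates:
        return {}, []
    best = max(rates.values())
    if best == 0:
        # Nobody advanced this quarter: ratios are undefined, nothing to flag,
        # but the empty quarter itself is worth a note in the register.
        return {g: None for g in rates}, []
    ratios = {g: rate / best for g, rate in rates.items()}
    flagged = sorted(g for g, ratio in ratios.items() if ratio < trigger)
    return ratios, flagged


def override_rate(reviews):
    """Share of weekly sample reviews where the reviewer overrode the ranking.

    reviews: iterable of booleans (True = reviewer overrode the tool).
    Tracked as a health metric rather than a pass/fail: a rate near zero
    suggests reviewers are rubber-stamping (automation bias), a very high
    rate suggests the ranking is not trusted; both warrant escalation.
    """
    reviews = list(reviews)
    return sum(reviews) / len(reviews) if reviews else 0.0


# Constructed weekly sample: 50 below-cut candidates reviewed, 4 overridden.
SAMPLE_REVIEWS = [True] * 4 + [False] * 46


if __name__ == "__main__":
    ratios, flagged = disparate_impact(SAMPLE_DECISIONS)
    for group, ratio in sorted(ratios.items()):
        print(f"group {group}: impact ratio {ratio:.2f}")
    print("flagged below trigger:", flagged or "none")
    print(f"override rate this week: {override_rate(SAMPLE_REVIEWS):.1%}")
```

The ratio is taken against the highest-rate group rather than a fixed reference group, so the check does not depend on which group is nominated as the baseline; a flagged group is a trigger for investigation, not a finding of discrimination on its own, which is the distinction the register is meant to preserve.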

Legal references: EU AI Act Annex III (high-risk uses) · Article 26 (deployer obligations) · Article 27 (fundamental rights impact assessment).

What's inside

  • System and context, with the affected persons and the deployer/provider split
  • The classification call and why Article 27 does not apply to this use
  • Method: a structured workshop scoring likelihood and severity
  • The risk register: inherent risk, controls, and residual risk per line
  • The Article 26 deployer-obligation checklist, line by line
  • Residual-risk statement and the COO's conditional acceptance
  • Framework mapping to the AI Act, NIST AI RMF, ISO/IEC 42001, and GDPR

Download the PDF

Worked example for portfolio and training purposes. Vesta Mutual Insurance AS is a fictional company; all data, metrics, and names are invented. Prepared by Erik Bernath, Furioso AI Consulting OÜ. Licensed CC BY 4.0: reuse freely with attribution. Informational, not legal advice.

Need this documented for your own company before August 2?

That's what the literacy and governance workshop produces: your own governance documents and the training record behind them.