AI for Recruitment: A Practical Guide for UK Agencies and Teams

Recruitment was one of the first business functions to feel the pull of AI, and it is now one of the most heavily regulated places to use it. The CIPD's Resourcing and Talent Planning Report 2024 found that 31% of UK organisations now use AI or machine learning in recruitment, up from 16% in 2022, so this is no longer an experiment at the edges. At the same time, the ICO, the EHRC and the Department for Science, Innovation and Technology have all set out clear expectations about how candidate data and automated assessment must be handled. The opportunity is real, but so is the liability.

This guide is written for UK recruitment leaders, agency owners and in-house talent teams who want a calm, practical view of where AI helps, where it does not, and what the law actually requires. It covers the use cases that earn their keep, the limits you should respect, and the specific obligations that apply to hiring in the UK. If you want the wider context for how governed, business-grade AI agents work, our pillar on Claude AI agents for business sets out the foundations.

Where AI earns its keep in recruitment

The strongest case for AI in recruitment is not replacing recruiters, it is removing the administrative drag that stops a small team from giving every candidate proper attention. The following use cases all keep a human in the decision seat while AI does the heavy lifting around them.

• Candidate sourcing and talent mapping. AI can scan CV databases, job boards and professional networks against a role brief to surface and rank likely-fit candidates, including passive ones. The business value is a faster time to shortlist and far better coverage of a sparse market than a small in-house team could reach manually.
• Screening and shortlisting support. AI parses applications, extracts skills and experience, and flags candidates against role criteria. In UK practice this should be decision-support that surfaces candidates for a human to review, not an auto-reject gate, which keeps you clear of the rules on solely automated decisions. The value is handling high-volume applicant flows without a recruiter reading every CV cold.
• Drafting job specs, adverts and search strings. Generative AI produces first-draft job descriptions, advert copy and Boolean strings from a brief. Just as usefully, it can check existing adverts for non-inclusive or gendered language that the EHRC flags as a discrimination risk. The value is faster, more consistent and more inclusive adverts.
• Outreach and candidate communication. AI drafts personalised first-touch messages, follow-ups, interview invitations and rejection notes for a recruiter to edit and send. The value is keeping every candidate informed, including the people you are turning down, without adding admin headcount.
• Interview scheduling and coordination. An AI agent can handle the back-and-forth of finding slots across candidate and hiring-manager calendars, send confirmations and reminders, and rebook cancellations. The value is removing a high-friction task and reducing drop-off between application and interview.
• Pipeline and ATS hygiene. AI keeps candidate records current, de-duplicates entries, logs activity, chases missing information and summarises a candidate's history. The value is cleaner data and recruiters spending more of their day on judgement, not admin.
• Interview and call summarisation. AI transcribes and summarises screening calls into structured notes and scorecards against agreed criteria. The value is more comparable assessments and a documented, auditable basis for decisions if one is ever challenged.
• Candidate self-service assistants. An AI assistant can answer routine questions about a role, the process or application status outside working hours. The value is deflecting repetitive queries and improving responsiveness for teams handling high volumes.

Where AI stops, and why that matters in recruitment

Recruitment carries risks that do not apply to most other functions, because the output of a hiring process is a decision about a person. These limits are not reasons to avoid AI, they are reasons to govern it.

• Bias amplification is the headline risk. The REC puts it plainly: AI learns from data, so where bias has existed in the past, the AI will learn and can amplify it. A tool can systematically disadvantage a protected group while looking entirely objective. This is the single biggest sector-specific risk and the reason repeated bias auditing and human review are non-negotiable.
• Hiring judgement must stay human. AI can rank, summarise and surface, but assessing motivation, potential and fit, and making the actual hire or reject call, is a human responsibility. That is true for quality reasons and for legal ones. Treat AI output as a recommendation, never a verdict.
• Hallucination and false precision. Generative AI can misread a CV, invent a plausible-sounding qualification or write a confident but wrong candidate summary. Anything candidate-facing or decision-relevant needs human verification before it is used.
• Candidate trust is fragile. Research by Omni RMS found that 42% of UK candidates trust human-led recruitment more than AI-assisted processes, and that 36% of Gen Z candidates said they would withdraw from an application if AI was overused. Opaque or heavy-handed automation can quietly damage your employer brand.
• Validity and accessibility limits. AI screening tools are not always scientifically validated for the role they are applied to, and can disadvantage candidates who do not fit the training pattern, including disabled applicants who need reasonable adjustments. The ICO specifically found a lack of accuracy testing among the tools it audited.

The rules: recruitment-specific obligations

This is where recruitment differs most from other AI use cases. Candidate data is personal data, hiring is covered by equality law, and the regulators have been active. The key point throughout is that if you use a third-party AI tool, you are almost always the data controller and you remain accountable. You cannot assume the vendor has compliance covered.

UK GDPR and the Data Protection Act 2018

Candidate CVs and applications are personal data, so you need a lawful basis, data minimisation, accuracy, retention limits and respect for data subject rights including the right of access. The ICO's audit of AI sourcing and screening tools, reported in November 2024, made 296 recommendations and 42 advisory notes, criticising a lack of accuracy testing and the unnecessary collection of personal data. Treat that as the regulator telling the market what good looks like.

Automated decision-making (the new Article 22A safeguards)

The Data (Use and Access) Act 2025 rewrote the rules on automated decisions, and the Article 22A safeguards regime applies from 5 February 2026. For a significant, solely automated decision such as an AI auto-rejecting a candidate, you must tell the candidate the decision has been made, let them make representations, provide meaningful human intervention and let them contest it. The pragmatic takeaway is to keep a genuine human in the loop rather than relying on these safeguards as a workaround.

Transparency to candidates

The ICO, the DSIT "Responsible AI in Recruitment" guidance and the REC all require you to tell candidates clearly when and how AI is used to process or assess them. DSIT states that AI use should be "clearly signposted to applicants", and your privacy information must be specific rather than generic boilerplate.

The Equality Act 2010 and discrimination risk

It is unlawful to discriminate against applicants on protected characteristics, and that includes indirect discrimination caused by a tool that disadvantages a protected group. You remain liable for discriminatory outcomes even when a third party supplied the tool. The EHRC has warned that generative AI can produce discriminatory job adverts, for example gendered titles or "masculine"-coded language, by reproducing bias in its training data.

Reasonable adjustments and special category data

Automated screening or AI interview tools that cannot accommodate disabled candidates risk discrimination, so your process needs triggers for human checks and reasonable adjustments. The DSIT guidance was developed with disability input from Autistica and stresses accessibility in procurement. Separately, special category data such as health, disability, ethnicity and religion attracts extra protection under Article 9, so tools must not infer or process it without a valid condition, and you should avoid free or consumer AI tools that ingest candidate data for training.

DPIAs, vendor contracts and the DSIT guidance

The ICO and DSIT both expect a Data Protection Impact Assessment, completed early rather than retrospectively, alongside an equality or algorithmic impact assessment, because AI in recruitment is high-risk processing. DSIT's "Responsible AI in Recruitment" guidance, published on 25 March 2024 with the ICO, EHRC, REC, CIPD and others, sets out five principles: safety and robustness, transparency and explainability, fairness, accountability and governance, and contestability and redress. It recommends requesting evidence such as model cards and bias-audit documentation during procurement, and repeated bias audits across sex, ethnicity, age and disability. Your vendor contracts should define controller and processor roles and stop the vendor reusing candidate data to train its models. One further note for agencies placing into Europe: the EU AI Act classes recruitment and candidate evaluation as high-risk, with general provisions applying from 2 August 2026 and high-risk recruitment obligations phasing in from 2 August 2027.

Off-the-shelf AI or a custom agent?

Most recruitment businesses end up doing both, and the sensible split follows the risk. Off-the-shelf AI features built into mainstream applicant-tracking systems, such as CV ranking, parsing, advert generation and chatbots, are quick to switch on and need no build. The trade-off is that you inherit the vendor's model and its bias profile, you have limited control over how candidate data is processed or whether it trains the vendor's models, and you may get little of the transparency you need for a DPIA or bias audit. As the controller, you are still accountable for all of it.

A custom, governed agent is more work, but it lets you define exactly what the AI does, keep candidate data inside your own systems, log decisions for auditability, enforce a human-in-the-loop on any significant decision, and integrate cleanly with your existing CRM or ATS. The pragmatic rule for UK recruiters is to use off-the-shelf features for low-risk admin such as scheduling, comms drafting and data hygiene, and to consider a custom agent where candidate data sensitivity, bias-audit evidence, transparency and integration matter most. For a closer look at the people side of this, see our piece on Claude for HR and recruitment.

How to start

You do not need an AI strategy to begin. You need one task, governed properly, and a way to measure whether it helped.

• Pick one low-risk task. Start where the data sensitivity is lowest and the admin pain is highest, usually scheduling, comms drafting or pipeline hygiene, rather than screening.
• Govern it before you scale it. Complete a DPIA and an equality impact assessment early, document your lawful basis, and decide where the human checkpoints sit.
• Be transparent with candidates. Update your privacy information to say specifically when and how AI is used, and signpost it clearly.
• Pilot with a real cohort. Run the tool alongside your current process on a defined set of roles, with a recruiter reviewing every output.
• Measure and audit. Track time saved and candidate experience, and run a bias audit across sex, ethnicity, age and disability before you widen the rollout.
• Keep the human in the loop. No significant decision about a candidate should be made by the AI alone. That is both good practice and the safe side of the law.

What it costs

SpotDev works in fixed packages so you know the number before you commit. Engagements usually begin with an AI and Data Readiness Assessment at £5,000, which is where the governance work above gets done properly, including how candidate data flows and where the compliance risks sit. Delivery of a custom agent then ranges from £8,000 to £45,000 depending on scope, with a first rollout typically live in two to three weeks. We are a UK consultancy specialising in Anthropic's Claude, with in-house engineers and over 300 technology projects delivered, and nothing subcontracted. If you want to scope a recruitment use case, talk to a Claude-specialist engineer.

Frequently asked questions

Can AI legally reject job candidates in the UK?

You should not let AI make the final reject decision on its own. Under the Article 22A safeguards that apply from 5 February 2026, a significant solely automated decision such as an auto-reject triggers obligations to inform the candidate, allow representations, provide meaningful human intervention and let them contest it. The practical and safe approach is to use AI as decision-support that surfaces candidates for a human to review, and keep a genuine person making the call.

Do we have to tell candidates we are using AI?

Yes. The ICO, the DSIT "Responsible AI in Recruitment" guidance and the REC all require recruiters to tell candidates clearly when and how AI is used to process or assess them. DSIT says AI use should be clearly signposted to applicants, and your privacy information must be specific to what the tool actually does rather than generic.

Who is liable if an AI hiring tool discriminates, us or the vendor?

You are. Under the Equality Act 2010 you remain liable for discriminatory outcomes even when a third party supplied the tool, and under UK GDPR you are usually the data controller and remain accountable. The ICO found recruiters were not always clear on this. You should run bias audits, complete a DPIA, and require evidence such as bias-audit documentation from the vendor rather than assuming they have it covered.

Is it safe to put candidate CVs into a free AI tool?

No. The REC advises against putting sensitive candidate data into free tools, and special category data such as health, disability and ethnicity attracts extra protection under UK GDPR Article 9. Free or consumer tools may ingest candidate data to train their models, which you cannot allow as the controller. Use a tool where you can keep candidate data inside your own systems and stop it being reused for training.

Work with a Claude specialist

SpotDev designs, builds and deploys custom Claude agents and enterprise Claude rollouts for UK businesses, with fixed packages from £8,000 to £45,000 and a first rollout live in two to three weeks. Explore our Claude implementation packages or talk to one of our engineers.