29 Jun
Open Source HR Software and AI Act Compliance: Why Transparency Is a Structural Advantage
Key Takeaways
- The AI Act (Regulation EU 2024/1689) requires organisations using recruitment AI to prove how the algorithm works – closed source vendors cannot provide this proof on your behalf.
- Compliance responsibility rests with the deploying organisation, not the software vendor. If the regulator asks, you must answer.
- Open source HR software gives deployers direct access to source code, enabling independent audits that closed source systems structurally cannot offer.
- Self-hosting, available with open source systems such as MintHCM, keeps candidate data under the organisation’s direct control – a requirement reinforced by both AI Act and GDPR.
- Vendor independence (the ability to switch or modify the AI model) reduces lock-in risk and makes it easier to adapt when regulations change.
Choosing open source HR software has always been a technical decision. Under the AI Act (Regulation EU 2024/1689), it is also a legal one. Any software that evaluates candidates, filters CVs, or contributes to employment decisions is classified as high-risk AI – and the organisation using it bears full compliance responsibility from 2 August 2026. Whether that system’s source code is open or closed is no longer just a technical preference. It determines whether you can actually meet the law’s requirements.
What does the AI Act require that depends on how your system is built?
The AI Act imposes six specific obligations on deployers of high-risk HR systems (Annex III, Regulation EU 2024/1689). Three of them – algorithmic transparency, data governance, and human oversight – are directly affected by whether the underlying system is open or closed source.
Algorithmic transparency requires you to understand and be able to explain how the AI reaches its conclusions. Human oversight requires that a person can meaningfully intervene in any AI-assisted decision. Data governance requires you to know where candidate data goes, who processes it, and under what conditions.
A system built on closed, proprietary code puts a structural barrier in front of all three. The vendor controls what you can see. You cannot inspect the logic, cannot verify the training data for bias, and cannot independently confirm that the system behaves as described. When the regulator asks – and the AI Act assumes they will – you are dependent on what the vendor chooses to disclose.
Why does closed source HR software create a compliance problem?
The compliance gap is not hypothetical. Consider the scenario the AI Act was written to address: a candidate asks why their application was rejected by the AI. The deploying organisation is legally obligated to provide a meaningful explanation (Article 86, Regulation EU 2024/1689). If the answer requires understanding the algorithm, and the algorithm belongs to a vendor who treats it as proprietary, the explanation cannot be given.
Vendors of closed source systems – including major platforms widely used in HR – have published no source code and provided no mechanism for deployers to conduct independent audits. External wrappers built by third parties around their APIs (such as those available for Workday or BambooHR) expose data access, not decision logic. They do not satisfy the auditability requirement.
This is not a criticism of any specific vendor. It is a structural consequence of the closed source model: the code that determines how decisions are made is not available to the person legally responsible for those decisions. The AI Act closes that gap by making the deployer responsible regardless.
What does open source HR software change for AI Act compliance?
Open source HR software provides three structural compliance advantages that closed source systems cannot replicate without fundamentally changing their business model.
First, auditability. When source code is publicly available – as with MintHCM on GitHub – any auditor, regulator, or internal compliance team can inspect exactly how the system works. There is no need to trust a vendor’s assurance. The logic is readable, verifiable, and modifiable.
Second, data control. Open source systems can be self-hosted, meaning candidate data never leaves the organisation’s infrastructure. This satisfies both GDPR’s data residency requirements and the AI Act’s data governance obligations in a single architectural decision. Cloud-hosted closed source systems process data on vendor infrastructure under vendor terms – terms that can change.
Third, adaptability. Regulations change. When the AI Act is amended – or when a national regulator issues additional guidance – an organisation running open source software can modify the system itself, without waiting for a vendor to release a patch. This reduces both compliance risk and dependency risk simultaneously.
MintHCM illustrates this directly. Its MCP server – which governs how AI models interact with HR data – is part of the open codebase, maintained by the same team that builds the system. Every action taken by an AI agent through MCP is logged and traceable. The human-in-the-loop mechanism, described in the “AI Agent in MintHCM” article, ensures that no significant action occurs without user confirmation. These are not add-ons. They are built into the architecture.
Open source HR software vs. closed source HCM: AI Act compliance comparison
| AI Act requirement | Open source HCM | Closed source HCM |
|---|---|---|
| Algorithmic transparency (Art. 13) | Source code publicly available; auditors can inspect decision logic directly | Vendor controls disclosure; deployer cannot inspect or verify independently |
| Human oversight (Art. 14) | Human-in-the-loop can be built into the architecture and verified | Depends on vendor implementation; deployer cannot confirm mechanism |
| Data governance (Art. 10) | Self-hosting keeps candidate data within organisation’s infrastructure | Data processed on vendor infrastructure under vendor terms |
| Auditability of AI actions (Art. 12) | Action logs accessible and verifiable; open codebase confirms what is logged | Logs provided by vendor; no independent verification of completeness |
| Adaptability when regulations change | Organisation can modify the system directly, without vendor dependency | Organisation must wait for vendor update; timeline not within its control |
| Vendor AI lock-in risk | AI model (Claude, GPT, Gemini) can be switched or replaced freely | Often tied to vendor’s own AI product; switching requires contract change |
Source: author’s analysis based on Regulation EU 2024/1689.
Does open source mean navigating compliance alone?
A common concern about open source HR software is that choosing transparent code means giving up structured support. In practice, this distinction has narrowed significantly. Open source HR systems with active commercial development offer the same support structures as proprietary vendors, with the added benefit of code transparency.
The relevant question for AI Act compliance is not whether support exists, but whether the organisation can independently verify what the system does. A vendor’s assurance, however detailed, does not substitute for direct code access when a regulator asks for proof. Support and auditability are separate questions, and open source provides both.
For teams evaluating HR systems ahead of the August 2026 deadline, the practical starting point is to ask any vendor: can we see the code that governs how the AI makes decisions? For closed source systems, the answer will be no. That answer has compliance consequences that will not be resolved by a support contract.
Frequently asked questions
Is open source HR software secure enough for candidate personal data?
Yes. Security in open source HR software depends on implementation and hosting, not code visibility. A self-hosted open source system keeps candidate data within the organisation’s own infrastructure, which gives the organisation more direct control than cloud-hosted closed source alternatives. AI Act and GDPR both require data governance – self-hosting satisfies this structurally.
Can we modify MintHCM ourselves if AI Act requirements change?
Yes. MintHCM is published under an open source licence. Any organisation can inspect, modify, and deploy the code without requiring vendor permission. This is directly relevant to AI Act compliance: if a regulatory update requires a change to how the system logs decisions or handles candidate data, the organisation can implement it independently.
What is the difference between MintHCM’s built-in MCP server and third-party API wrappers?
Third-party wrappers built around closed source HR APIs expose data access – they let an AI model read and write records. MintHCM’s MCP server is part of the core codebase, maintained by the same team, and governs both data access and the boundaries of AI action. It is auditable, modifiable, and operates under the same open licence as the rest of the system. The “What is MCP and why it’s important” article explains the technical distinction in more detail.
Does the AI Act apply to small companies?
Yes. The AI Act applies to any organisation that deploys high-risk AI affecting people in the EU, regardless of company size. Annex III’s definition of high-risk HR systems does not include a size threshold. Small and medium enterprises deploying recruitment AI face the same transparency, oversight, and documentation requirements as large organisations.
What does ‘algorithm auditability’ mean in practice?
In AI Act terms, auditability means the ability to reconstruct how an AI system reached a specific output – for example, why a candidate was ranked lower than another. In practice this requires access to: the decision logic (code), the logs of what inputs the system received, and the outputs it produced. Closed source systems typically provide only the last of these.
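To make the three components named here (decision logic, logged inputs, logged outputs) concrete, together with the logged, human-confirmed agent actions described earlier for MintHCM’s MCP server, the following is an added Python sketch of an audit-logged tool dispatcher. It is example code written for this article, not MintHCM’s MCP server or any project’s API; the tool names, the ranking rule, the `confirm` hook and the candidate records are constructed assumptions.

```python
import datetime
import hashlib
import json

# Constructed example (not MintHCM code): an MCP-style dispatcher that records
# every AI-agent tool call with the code version, inputs and outputs, and
# refuses "significant" actions unless a human confirms them.
AUDIT_LOG = []

def rank_candidates(candidates, min_years):
    # Hypothetical, deliberately readable decision rule: drop candidates below
    # the experience threshold, then order by years of experience, descending.
    eligible = [c for c in candidates if c["years"] >= min_years]
    return sorted(eligible, key=lambda c: -c["years"])

def reject_candidate(candidate_id, reason):
    # Hypothetical significant action: changes a candidate's status.
    return {"candidate_id": candidate_id, "status": "rejected", "reason": reason}

# Tool registry: name -> (handler, requires human confirmation before running)
TOOLS = {
    "rank_candidates": (rank_candidates, False),
    "reject_candidate": (reject_candidate, True),
}

def code_fingerprint(func):
    # Hash of the handler's compiled bytecode, so each log entry is tied to the
    # exact decision logic that produced the output (the "code" part of the trail).
    return hashlib.sha256(func.__code__.co_code).hexdigest()[:16]

def dispatch(tool, args, confirm):
    """Run a tool for the agent; confirm(tool, args) is the human-in-the-loop hook."""
    handler, needs_human = TOOLS[tool]
    entry = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "tool": tool, "args": args, "code": code_fingerprint(handler),
    }
    if needs_human and not confirm(tool, args):
        entry["outcome"] = "blocked_by_human"   # recorded, but never executed
        AUDIT_LOG.append(entry)
        return None
    entry["result"] = handler(**args)
    entry["outcome"] = "executed"
    AUDIT_LOG.append(entry)
    return entry["result"]

def explain(candidate_id):
    """Reconstruct every logged action involving a candidate: code, inputs, output."""
    seen = lambda e: json.dumps({"args": e["args"], "result": e.get("result")}, default=str)
    return [e for e in AUDIT_LOG if candidate_id in seen(e)]
```

Calling `explain("cand-2")` after a ranking call and a rejection attempt returns the entries that show which code version saw which inputs and what it returned, including a rejection that a human blocked.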
What AI models can be used with MintHCM?
MintHCM is not tied to a single AI provider. The system works with Claude (Anthropic), GPT (OpenAI), Gemini (Google), and other models that support the MCP standard. Organisations choose the model that fits their requirements – including data residency and contractual terms. This vendor independence is itself a risk management decision under the AI Act.