The Recruiter's Brief

The market for EU AI Act compliance and senior AI roles is moving faster than the supply of credible candidates. Two regulatory deadlines explain most of the demand. Article 50 transparency obligations bind on 2 December 2026. Annex III high-risk system obligations bind on 2 December 2027. Between now and then, every regulated EU enterprise will hire at least one senior person responsible for AI Act compliance, and many will hire a small team.

If you recruit into that market, the volume of candidates will grow faster than your ability to screen them carefully. Most CVs will look credible. A meaningful minority will be candidates whose breadth of claim exceeds their depth of practice. This article is a brief for the search consultants and recruiters who have to tell the difference quickly.

It is written by someone on the candidate side of the market — someone who has been on the receiving end of recruiter calls for these exact roles for years. The questions below are the ones I would want a recruiter to ask me, because they are the ones that produce a useful conversation.

The screening question that does the most work

Ask the candidate to name a system they have shipped in a regulated environment, with the company, the team size, the metric, and the timeframe in one sentence. The whole brief turns on this answer.

A good answer sounds like one of these. "I led the FRTB and IRRBB regulatory capital workstream at Deutsche Bank from February 2016 to September 2017 — front-to-end design and delivery of standardised and internal model approaches." Or: "I was Product Owner of the IFRS9 Calculation Engine at Rabobank, three years, managing the platform that computed expected credit losses on €400B of loans for 8,000+ users." Or: "I founded the 200-member GenAI Champions Community at Philips, trained 500+ employees over three years and the programme produced approximately €500K in annual savings."

A weaker answer sounds like this: "I have advised multiple Fortune 500 clients on AI governance frameworks." That is a position, not a system. The follow-up — "Which client, what framework, what changed for them?" — usually produces silence or evasion.

If the candidate cannot give you a one-sentence answer with named company, team size, metric and timeframe, they are not yet senior. Pass.

The four employer environments that matter

Some employers on a CV are stronger signals than others for AI Act roles specifically. The four that count are: financial services regulators (the Reserve Bank of India, the European Central Bank, De Nederlandsche Bank, BaFin); the large EU commercial banks (ING, Rabobank, ABN AMRO, Deutsche Bank, BNP Paribas, Santander); Big Four advisory in regulated sectors (EY, Deloitte, KPMG, PwC); and the large healthcare or medical device firms operating in the EU (Philips, Siemens Healthineers, Sanofi, Roche).

Why these four. Each one runs internal model validation, regulatory change management and audit infrastructure that AI compliance roles in 2026 will inherit directly. A candidate who has lived inside any of these four has muscle that other candidates have to build from scratch.

This is not a hard exclusion. There are credible candidates from non-traditional backgrounds. But for a senior compliance or governance hire, one of these four on the CV is a strong floor.

The certifications that mean something

In risk-adjacent AI roles, the FRM (Financial Risk Manager, awarded by GARP) is the most credible single certification — it signals two years of post-graduate-level study in market, credit and operational risk plus a verified two years of relevant work experience. PMP and CSM signal delivery discipline. GCP Professional Data Engineer and Azure Solutions Architect Expert signal cloud-native delivery competence.

Coursera specialisations are signals of curiosity, not capability. Treat them accordingly.

A candidate with FRM plus one cloud certification plus PMP or CSM is at the typical credentialing floor for a senior compliance-focused AI role. A candidate with all four is the unusual case.

The artifacts to ask for

Two specific artifacts strongly distinguish operators from advisors.

The first is a patent or a published paper in the relevant domain. It is independent third-party evidence that the candidate has produced original technical work that survived external scrutiny. European patents are searchable at the EPO registry by application number. SSRN papers are public. If a candidate references their own IP, ask for the registry number and check it. A patent reference of the form "EP26162901.8" can be verified in under thirty seconds at register.epo.org.

The second is a regulatory document the candidate has authored or signed. An IFRS9 model documentation pack, an FRTB validation report, an EU AI Act conformity assessment — anything the regulator has actually seen. The candidate cannot send you the document (it will be confidential) but they can describe its structure, the regulator's response and what changed in the next version. Operators will speak fluently about this. Advisors will speak generically.

The five red flags

These are claims I have seen on CVs that should prompt sharper follow-ups, not automatic disqualification.

**"20+ years of experience"** when the actual career started post-2010. Career length is one of the easiest claims to inflate. Verify start date against the LinkedIn earliest position, not the headline.

**"Fortune 500 clients"** without naming any of them. There is no NDA prohibiting a candidate from telling a recruiter the name of the bank they worked at; there are NDAs prohibiting them from describing the work. Vague client claims are usually a sign the relationship was thinner than the candidate suggests.

**Multiple overlapping leadership roles in the same period.** A candidate cannot be CEO of one company and head of AI at another simultaneously and do both well. Overlapping dates need a credible story.

**Team-size claims in the multiple hundreds.** A candidate may have *influenced* hundreds of people. A candidate has rarely *managed* hundreds. The wording matters.

**"Patented" without a number.** Patents have application numbers. If the candidate cannot produce one, the patent likely does not exist or is not yet filed.

None of these are dealbreakers on their own. All of them deserve the follow-up question.

The reference call that produces signal

When you reach the reference stage, the most useful question to ask references is rarely the obvious one. "Was Harish a strong leader?" produces vague positive answers. "What did Harish decide that you would have decided differently?" produces specific concrete answers. Three or four references answering that question give you the candidate's judgement profile in a way no résumé can.

A second useful question: "What is Harish still doing six months after they left the engagement, and what stopped working when they left?" The answer to that question tells you whether the candidate built systems or built reputations.

The ten-minute brief

If you can spend only ten minutes on a senior AI compliance candidate, spend them like this.

Two minutes on the system-they-shipped question. Two minutes on the regulator-and-framework question. Two minutes on the artifact verification (patent, paper, document). Two minutes on the red-flag follow-ups. Two minutes on a single behavioural question about a failure with named consequences.

This sequence will not get you to a hire decision. It will get you to a confident go-or-no-go on whether the candidate goes to your client.

That is the most a recruiter brief can do, and it is more than most recruiters do.

Related articles