Most organizations that are taking AI governance seriously are thinking about it as a legal problem or a technology problem. Legal counsel is examining liability exposure. IT is managing vendor contracts and data security. Boards are asking about reputational risk.
HR is often not in those conversations. That needs to change.
Where the risk actually sits
AI tools in the workplace are primarily workforce tools. They screen job applicants. They calibrate performance ratings. They predict turnover. They monitor productivity. They schedule shifts. The decisions they inform are employment decisions, which means the bias and accountability risk they carry is employment law risk.
Employment law risk is HR's domain. Discrimination claims, human rights complaints, and unfair labor practice allegations all sit with HR. When an AI hiring tool systematically deprioritizes candidates from protected groups, the resulting complaint does not go to IT. It goes to HR, and then to legal, and then potentially to a tribunal.
The risk is not theoretical. The EEOC has been clear that employers are responsible for the discriminatory impact of AI tools they use. Ontario amended its Employment Standards Act under Bill 149 to require employers with 25 or more employees to disclose AI use in job postings as of January 1, 2026. New York City has been auditing automated employment decision tools since 2023. The regulatory framework is being built around a reality that already exists in most organizations.
There is also a definition problem that HR teams need to understand. The OECD framework, which regulators across Canada, the US, and the EU are expected to use, defines AI as a machine-based system that infers from inputs how to generate outputs such as predictions, recommendations, or decisions. That is a broad definition. If your applicant tracking system ranks candidates or your performance platform generates ratings, it likely qualifies as AI in the regulatory sense, regardless of how the vendor describes it.
And there is the shadow AI problem. Research from the 2025 Technology at Work report found that 46% of office workers use AI tools their employers did not provide. HR professionals and hiring managers are using consumer AI tools to screen resumes, generate interview questions, and draft assessments outside any governance structure. The risk is not just in the enterprise tools. It is in every tool that any employee in the hiring process is using.
Why HR has been slow to engage
There are understandable reasons HR teams have not led on AI governance. The tools are often purchased and implemented by IT or finance, with HR as a downstream user rather than a decision-maker in the procurement. The technical language around machine learning and model training is unfamiliar. The regulatory environment is still developing, which makes the urgency feel less immediate than a complaint that is already in front of you.
None of these reasons are good enough. HR does not need to understand how the models work. HR needs to understand what they are used for, what decisions they inform, what the oversight structure looks like, and what happens when something goes wrong. That is a governance question, not a technical one. It is exactly the kind of question HR is trained to ask.
What HR ownership of AI governance looks like
It starts with knowing what AI tools are in use across the employment lifecycle. Most HR teams cannot currently answer that question. That is the first gap to close.
It involves asking vendors the same questions you would ask about any vendor whose services affect employment decisions: What does this do? How does it work? What is the error rate? Has it been independently tested for bias? What disclosure obligations does using it create?
It means developing policy before something goes wrong. An AI use policy for hiring, performance management, or workforce monitoring is an HR policy. It should be written by HR, in consultation with legal, and owned by HR.
It requires accountability. Someone needs to be responsible for monitoring these tools on an ongoing basis, reviewing outputs for anomalies, and managing the audit cycle. That accountability should sit with a named person in HR or a named role, not with a vague organizational commitment to oversight.
The window is closing
Organizations that build AI governance frameworks now are in a fundamentally better position than those that wait for a complaint or a regulatory inquiry to engage. The tools are already deployed. The risk is already present. The work is building the governance to match the reality.
HR is the right function to lead that work. The question is whether HR teams will recognize it and step into that role before the situation requires it, or after.