Generative AI in federal HR recruiting onboarding and performance

Key points

• OMB’s government-wide AI memo requires agencies to establish AI governance, inventory AI use cases, conduct impact assessments and real‑world testing for uses affecting rights or safety, and provide human alternatives and transparency for rights‑impacting AI¹.
• EEOC guidance applies to software, algorithms, and AI used in hiring, requiring accessible assessments under the ADA and vigilance for adverse impact under Title VII, including validation and monitoring of selection procedures²³⁴.
• Generative AI can assist in drafting job analyses and position descriptions, candidate communications, onboarding materials, and performance feedback, but HR decisions must align with merit system principles, privacy requirements, and performance management regulations, with documented human oversight⁵⁶⁷¹⁸.
• Agencies should map HR AI programs to the NIST AI Risk Management Framework’s Govern, Map, Measure, and Manage functions to systematize risk controls, testing, monitoring, and incident response⁸.
• Records created by AI systems in HR processes are federal records and must follow NARA General Records Schedules, including employee management records retention⁹.
• For federal cloud deployment, Azure Government holds FedRAMP High authorizations and DoD SRG IL2/IL4/IL5 support, with Azure Policy for regulatory compliance and Microsoft’s Responsible AI Standard to aid alignment to OMB and NIST expectations¹⁰¹¹¹².

Policy baseline and governance requirements

• Executive Order 14110 directs agencies to advance safe, secure, and trustworthy AI, including mitigating algorithmic discrimination and strengthening AI governance, risk management, and transparency across the federal government¹³.
• OMB Memorandum M‑24‑10 requires each agency to designate a Chief AI Officer, build an AI governance framework, inventory AI use cases, and publish annual reports, establishing a baseline for oversight of AI projects, including HR-related systems¹.
• M‑24‑10 requires AI Impact Assessments and real‑world testing before deploying rights‑impacting AI, ongoing monitoring for performance and harms, and mechanisms for affected individuals to understand and, where feasible, opt out or access human alternatives¹.
• The NIST AI Risk Management Framework (AI RMF 1.0) provides the Govern, Map, Measure, and Manage functions to structure AI risk controls, emphasizing context‑specific mapping, risk measurement, and lifecycle monitoring and incident response⁸.
• Agencies must manage personally identifiable information (PII) per OMB Circular A‑130, including privacy risk assessments, SORN alignment, and information security controls under FISMA when AI processes employee or applicant data⁵⁷.

Recruiting: generative AI opportunities and guardrails

• Drafting job analyses, position descriptions, and announcement text with generative AI is permissible if final content adheres to merit system principles and competitive staffing rules, including valid job analysis and qualification determinations under OPM policies and applicable statutes⁵.
• Automated or AI‑assisted candidate screening engages civil rights obligations; EEOC guidance requires that AI‑mediated assessments accommodate individuals with disabilities under the ADA and avoid disparate impact under Title VII, with proper validation when selection procedures show adverse impact²³⁴.
• Under OMB M‑24‑10, agencies should treat automated hiring decisions and eligibility determinations as potential rights‑impacting uses, requiring AI Impact Assessments, real‑world testing, active monitoring, and human alternatives before and during production use¹.
• Communications to applicants generated by AI must protect PII and follow Privacy Act and A‑130 requirements, including appropriate collection, maintenance, and disclosure controls and alignment to any applicable SORN for hiring systems⁷⁵.
• When AI systems generate or store records in recruiting (e.g., candidate ratings, correspondence), those records must be managed under NARA General Records Schedules governing hiring and employee management records⁹.

Onboarding: automation and compliance requirements

• Generative AI can assemble onboarding checklists, tailored orientation content, and FAQs from authoritative policy sources, but any processing of PII must align with Privacy Act requirements and agency SORNs for personnel systems⁷.
• A‑130 mandates privacy risk assessments for systems that handle PII, including new AI features, and requires agencies to implement appropriate safeguards and governance for information resources, which applies to onboarding workflows⁵.
• Onboarding records produced or managed by AI (e.g., forms, acknowledgments, training completions) must be retained and disposed per NARA GRS schedules for employee management records⁹.
• HR program owners should apply NIST AI RMF Map and Measure functions to onboarding assistants, documenting intended uses, context, data flows, metrics for accuracy and error modes, and procedures for incident logging and correction⁸.

Performance management: analytics with oversight

• Federal performance management systems are governed by 5 CFR Part 430, which sets requirements for planning, monitoring, developing, rating, and rewarding performance, and for transparency and fairness of ratings⁶.
• Generative AI can assist supervisors in drafting performance elements and narrative feedback, but final ratings and consequential personnel decisions must follow Part 430 requirements and merit system principles, with documented human review and accountability⁶⁵.
• If AI contributes to performance evaluations or recommendations that affect employment outcomes, agencies should treat such systems as rights‑impacting, conduct AI Impact Assessments, real‑world testing for bias and reliability, and ensure human alternatives, consistent with OMB M‑24‑10¹.
• Any analytical use of employee data must comply with the Privacy Act and A‑130 controls and be covered by appropriate SORNs; employees should receive appropriate notices of systems that process their data and avenues for redress consistent with agency privacy policies⁷⁵.

Data protection, privacy, and records

• The Privacy Act of 1974 governs collection, maintenance, use, and dissemination of PII in federal systems, including applicant and employee data processed by AI; agencies must adhere to SORN requirements, provide access and amendment rights, and limit disclosures⁷.
• OMB Circular A‑130 requires agencies to manage information as a strategic resource, conduct privacy impact assessments, and implement security and privacy controls commensurate with risk for systems, including AI features embedded in HR platforms⁵.
• Records created or transformed by AI within HR processes are federal records; agencies must apply NARA’s General Records Schedules, such as GRS 2.2 (Employee Management Records), to retention and disposition decisions⁹.

Acquisition and vendor management

• The AI Guide for Government outlines best practices for acquiring AI, including defining problems and success metrics, securing appropriate data and test environments, planning for evaluation and monitoring, and structuring contracts to enable access to model information needed for oversight¹⁴.
• OMB M‑24‑10 requires agencies to inventory and report AI use cases and to ensure that contractual arrangements support impact assessments, testing, and monitoring for rights‑impacting AI¹.
• Agencies should incorporate civil rights, privacy, and records requirements into statements of work and acceptance criteria for HR AI tools, including obligations to support accessibility under the ADA and provide documentation for adverse impact analysis where selection procedures are involved²³⁴.

Microsoft platform posture for federal HR AI

• Azure Government has FedRAMP High authorizations and supports DoD CC SRG IL2, IL4, and IL5 for appropriate workloads, providing a compliance‑aligned foundation for AI and data processing in HR systems¹⁰.
• Azure Policy offers built‑in regulatory compliance initiatives (e.g., FedRAMP and NIST SP 800‑53) that agencies can use to enforce governance controls across cloud resources supporting HR AI workloads¹¹.
• Microsoft’s Responsible AI Standard (v2) describes internal practices for responsible AI development and use, including impact assessments, measurement, and ongoing oversight, which agencies can adapt as reference practices to align with NIST AI RMF and OMB expectations¹².

Implementation steps for CIOs and CHCOs

• Establish joint governance: designate accountable product owners for HR AI pilots, integrate with the CAIO office, and register use cases in the agency AI inventory per M‑24‑10¹.
• Apply NIST AI RMF: for each recruiting, onboarding, and performance use case, document context and risks (Map), define metrics and tests including accessibility and adverse impact checks (Measure), and implement monitoring and incident response (Manage), under an overarching governance charter (Govern)⁸.
• Civil rights and accessibility: require ADA accessibility reviews for AI‑mediated assessments and set up processes to evaluate and mitigate adverse impact in selection procedures consistent with EEOC guidance and UGESP²³⁴.
• Privacy and records: complete Privacy Impact Assessments under A‑130, ensure SORN coverage for HR data processing, and align retention and disposition to NARA GRS; implement access controls and audit logging⁵⁷⁹.
• Human oversight: for any rights‑impacting uses (e.g., automated screening that may exclude candidates or AI‑assisted performance rating), conduct AI Impact Assessments, real‑world testing, and ensure human alternatives and appeals processes per M‑24‑10¹.
• Contracting: include provisions for vendor disclosure of model behavior, testing support, accessibility conformance, and data rights needed to evaluate and monitor AI in HR; follow the AI Guide for Government acquisition practices¹⁴.
• Cloud controls: enforce FedRAMP and NIST control baselines with Azure Policy for workloads in Azure Government; maintain continuous compliance reporting to support governance reviews¹⁰¹¹.

Risks and mitigations

• Algorithmic discrimination risk in hiring and performance: mitigate through validation, adverse impact monitoring, accessibility accommodations, and documented human review per EEOC guidance and UGESP²³⁴.
• Privacy and data leakage: mitigate via A‑130 privacy impact assessments, least‑privilege access, audit logging, and SORN alignment for HR datasets used by AI⁵⁷.
• Over‑automation risk: prevent by requiring human alternatives and opt‑out paths for rights‑impacting uses and by enforcing real‑world testing and monitoring per OMB M‑24‑10¹.
• Records non‑compliance: mitigate by classifying AI‑generated HR artifacts as federal records and applying NARA GRS retention schedules⁹.

Metrics and evaluation

• Hiring: track selection procedure validity, adverse impact ratios, accommodation rates and resolution times, and model error rates in screening decisions; review quarterly under AI governance³⁴¹.
• Onboarding: measure content accuracy, time‑to‑onboard, privacy incident counts, and user satisfaction; verify records retention compliance⁵⁹.
• Performance: monitor rating distribution shifts, consistency with 5 CFR Part 430 requirements, appeal rates, and AI contribution accuracy; ensure documented human oversight⁶¹.

¹³: Executive Order 14110 — Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence — https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/ ¹: OMB Memorandum M‑24‑10 — Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence — https://www.whitehouse.gov/omb/memoranda/2024/m-24-10-advancing-governance-innovation-and-risk-management-for-agency-use-of-artificial-intelligence/ ⁸: NIST AI Risk Management Framework 1.0 (NIST AI 100‑1) — https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.AI.100-1.pdf ²: EEOC — The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence in Hiring — https://www.eeoc.gov/laws/guidance/americans-disabilities-act-and-use-software-algorithms-and-artificial-intelligence ³: EEOC — Select Issues: Assessing Adverse Impact in Software, Algorithms, and AI Used in Employment Selection Procedures — https://www.eeoc.gov/laws/guidance/select-issues-assessing-adverse-impact-software-algorithms-and-ai-used-employment ⁶: 5 CFR Part 430 — Performance Management — https://www.ecfr.gov/current/title-5/chapter-I/subchapter-B/part-430 ⁷: Privacy Act of 1974 (5 U.S.C. § 552a) — https://www.justice.gov/opcl/privacy-act-1974 ⁵: OMB Circular A‑130 — Managing Information as a Strategic Resource — https://www.whitehouse.gov/omb/information-regulatory-affairs/circular-a-130-management-of-information-as-a-strategic-resource/ ⁹: NARA General Records Schedules — GRS 2.2 Employee Management Records — https://www.archives.gov/records-mgmt/grs ⁴: Uniform Guidelines on Employee Selection Procedures (UGESP), 29 CFR Part 1607 — https://www.ecfr.gov/current/title-29/subtitle-B/chapter-XIV/part-1607 ¹⁴: AI Guide for Government — Acquire AI — https://ai.gov/acquire/ ¹⁰: Microsoft Azure Government — Compliance in Azure Government — https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-cloud-compliance ¹¹: Azure Policy — Regulatory compliance overview — https://learn.microsoft.com/en-us/azure/governance/policy/concepts/regulatory-compliance ¹²: Microsoft’s Responsible AI Standard v2 — https://www.microsoft.com/en-us/research/publication/microsofts-responsible-ai-standard-v2/