By Engelsman Magabane Incorporated | May 2026
AI has quietly moved into recruitment. In many organisations it is no longer a “future feature” or an experimental add-on. It is built into the workflow in ways candidates may never see: CVs are ranked, interview answers are summarised, video responses are scored, and shortlists are generated.
To an employer, this can look like efficiency. To the law, it can look like profiling and decision-making about people—sometimes with serious consequences.
South African law does not prohibit AI in recruitment. But it does place guardrails around fairness, accountability and privacy—especially where decisions substantially affect a person and the decision is made solely by an automated process.
This article explains the core legal lens employers should apply, the practical risks that tend to emerge, and a compliance model that allows AI to assist without allowing it to become the decision-maker.
This article is general information and not legal advice.
The reality: “invisible” AI decisions can still be real decisions
Recruitment systems can now shape outcomes long before any human interview. A candidate may be filtered out because the system scores their CV as “low fit”, because their response style is tagged as “low confidence”, or because the algorithm predicts a higher “flight risk”.
Even where a human later “approves” the shortlist, employers must be careful about what that human review actually means. If the review is a rubber stamp, the true decision may still be automated in substance.
That is why the legal risk is not the existence of AI. The risk is how it is used—particularly when it becomes the gatekeeper to opportunity.
1) The constitutional baseline: equality and dignity apply in the real world
South Africa’s constitutional values of equality and dignity matter in employment-related decision-making because hiring is one of the most direct gateways to opportunity.
The practical risk with AI is not always obvious, and it is not always intentional. More often it is “pattern discrimination”—biased historic data, biased proxies (such as location, school history, language patterns, or employment gaps), or scoring rules that disadvantage certain groups without any deliberate discriminatory intent.
This is why the law cares about process, not only motive. An employer may have a defensible intention (“we just want efficiency”) but still end up with an indefensible outcome (“our pipeline systematically excludes certain groups”).
The safer question is not: “Did we intend harm?”
It is: “Can we explain and justify how this system makes decisions, and can we show the process is fair?”
2) POPIA’s automated decision-making rule is the centre of gravity
POPIA contains a direct restriction on automated decision-making.
In simple terms, POPIA limits situations where a person is subjected to a decision that has legal consequences or affects them substantially if it is based solely on automated processing of personal information intended to profile them.
Recruitment is a classic “substantial effect” context. Being rejected from a job opportunity affects livelihood, dignity and access to opportunity. Even where the final hiring decision involves a human, automated rejection or automated shortlisting can still raise compliance risk if it effectively determines who is seen and who is not.
Where automated decision-making is permitted under POPIA’s exceptions, the law still expects protective measures—especially an opportunity for the affected person to make representations, and sufficient information about the underlying logic of the automated processing to enable those representations.
For HR teams, the compliance message is clear:
If your hiring tool rejects candidates automatically, you are in a high-risk zone.
If the tool profiles candidates and your human process cannot meaningfully review and override outcomes, you are still in a high-risk zone.
3) PEPUDA and employment: understand the boundary
PEPUDA prohibits unfair discrimination generally and provides equality court mechanisms and remedies. However, PEPUDA also contains an important boundary: it does not apply to a person to whom, and to the extent to which, the Employment Equity Act applies.
The practical takeaway is not “ignore PEPUDA”. The practical takeaway is:
Employment discrimination has a specialised framework, and employers must treat AI-driven recruitment outcomes as decisions that must be fair, explainable and defensible under employment law principles.
AI does not remove the employer’s responsibility. It simply changes how that responsibility must be managed.
4) What “profiling” looks like in real recruitment
Many employers assume profiling means formal psychological profiling. In modern recruitment software, profiling can happen quietly and continuously.
Examples include:
- scoring candidates by “culture fit” based on historic internal data,
- using language patterns to infer “professionalism” or “confidence,”
- ranking candidates based on proxies that correlate with race or socio-economic status,
- auto-rejecting candidates with employment gaps without recognising lawful explanations (caregiving, illness, retrenchment cycles),
- filtering candidates based on assumptions that are not true job requirements (for example, excluding people because of non-essential credentials).
The compliance risk is not merely theoretical. When AI is trained on biased historic patterns—or when proxies are used as if they are neutral—bias can become automated and scaled.
5) The model that works: “AI assists, humans decide”
Most legal exposure can be reduced by shifting from “AI decides” to “AI assists”.
A defensible model usually includes the following components:
Human ownership of decisions
If the tool scores candidates, a human must own the final decision—especially rejection decisions. “Human review” must be real: the reviewer must have authority, time, and information to override the tool’s outcome.
Documented criteria
If the criteria cannot be explained, it cannot be defended. Employers should be able to distinguish clearly between:
- job requirements (non-negotiable and objectively linked to the role), and
- preferences (which should not quietly become exclusionary filters).
When a decision is challenged, “the system said so” is not a defence. Clear criteria is.
Right-sized transparency
Not every recruitment process needs a public technical manual. But if decisions are substantially affected by automated profiling, employers should be prepared to explain the logic at an appropriate level—especially where POPIA requires measures that allow a person to make representations.
A simple internal principle is useful: if you cannot describe why a candidate was rejected in plain language, you should not allow the system to reject candidates automatically.
Bias monitoring that is practical
Bias monitoring does not require a PhD. It requires attention.
If shortlists consistently exclude certain groups, investigate why. Check whether proxies are being used. Test whether criteria reflect genuine job requirements. Monitor outcomes over time.
Ignorance is not a strategy. If a pattern exists, the organisation should be able to show it checked, tested and corrected.
Data minimisation and security discipline
Recruitment data is personal information. Organisations should limit what is collected, control who accesses it, keep it secure, and avoid unnecessary sharing—especially where third-party tools are involved.
6) When employers get it wrong: where the consequences usually land
The fallout from AI recruitment mistakes tends to arrive through three channels:
Candidate disputes
These often begin informally: “Why was I rejected?” “Was this even reviewed?” “Your advert says one thing but your process did another.”
If the employer cannot provide coherent reasons, suspicion grows quickly.
Regulatory and compliance risk
If personal information is processed unlawfully or if the organisation relies on automated profiling in a way that conflicts with POPIA’s restrictions, regulatory exposure increases. Even where enforcement is not immediate, the compliance risk becomes long-term.
Reputational damage
Few stories spread faster than “the algorithm rejected me” narratives—especially when the organisation cannot explain how the tool works or why the outcome was fair.
There is also an internal business risk: if hiring managers rely on a tool and later cannot justify the outcome, the liability lands on the employer—not the software.
7) A practical governance checklist for HR teams
If your organisation uses AI in recruitment, these steps keep the process defensible:
- Map where AI is used (CV ranking, screening questions, video scoring, shortlisting, rejection).
- Decide what is prohibited (no fully automated rejections for high-impact roles; no profiling that cannot be explained).
- Set documented criteria for what counts as a requirement vs preference.
- Require meaningful human review with authority to override.
- Create an “explainability” standard (a candidate rejection must be explainable in plain language).
- Monitor outcomes for bias patterns and document corrective actions.
- Control the data (minimise, secure, restrict access, and manage vendor processing carefully).
Conclusion
AI can shorten recruitment timelines and reduce administrative burden. It can also quietly increase legal exposure if it becomes the decision-maker.
POPIA’s restriction on substantial decisions based solely on automated profiling is the compliance centre of gravity. Constitutional values of equality and dignity shape what fairness looks like in practice. The safest approach is simple:
Use AI to assist—not to replace accountability.
This article is general information and not legal advice. For advice on your specific facts, consult a qualified attorney.