AIGP domain - 25% of the exam

Understanding how laws, standards and frameworks apply to AI

Understanding how laws, standards and frameworks apply to AI is 25% of the AI Governance Professional (AIGP) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Sample question from this domain

Free sample | Understanding how laws, standards and frameworks apply to AI | hard

A provider is preparing a high-risk recruitment-screening system for the EU market and is allocating the human oversight obligations under the EU AI Act. The deploying employer insists that oversight is purely its own concern once the system is purchased. How does the EU AI Act actually allocate the human oversight duty for a high-risk system?

  • A. Only the deployer bears any oversight duty, because oversight happens during use and the provider's responsibility ends once the system is placed on the market.
  • B. The provider must design the system so that natural persons can effectively oversee it, and the deployer must then assign competent persons with the authority to intervene. (Correct)
  • C. Oversight may be delegated entirely to an automated monitoring component, so no identified natural person needs the authority to intervene in individual decisions.
  • D. Human oversight is only recommended guidance for high-risk systems, so a provider that documents strong testing may omit oversight measures altogether.

Recognise that human oversight of a high-risk EU AI Act system is a shared duty: the provider designs it in and the deployer staffs it.

Under the EU AI Act, human oversight is not a single party's job. The provider must design and build the high-risk system with oversight measures so that natural persons can monitor it, interpret its output, and intervene or stop it. The deployer must then assign people who are competent, trained, and given the authority to exercise that oversight in real use. Because the obligation spans design and operation, it cannot rest on the deployer alone, be handed to an automated component, or be skipped on the strength of testing.

Why A is wrong: This matches the employer's intuition and the fact that oversight occurs in operation, but it is wrong because the provider must build oversight measures into the system before placing it on the market, so the duty is shared rather than the deployer's alone.

Why B is correct: Article 14 requires the provider to build in oversight measures appropriate to the risks and the deployer to entrust oversight to people who are competent and empowered to act, so responsibility runs across both roles.

Why C is wrong: Automated monitoring is attractive because it scales, but it contradicts the Act's premise that effective oversight is exercised by natural persons who can understand and override the system, not by another automated layer.

Why D is wrong: Treating oversight as optional is tempting where validation looks rigorous, but for high-risk systems oversight is a binding requirement that testing cannot substitute for, so omitting it is non-compliant.


Examworthy is not affiliated with or endorsed by IAPP. Original, blueprint-aligned practice material only.