Worker monitoring is a topic many employers would rather not discuss. Since the pandemic brought hybrid work and tooling like Microsoft Viva, productivity dashboards and attrition prediction models went mainstream, every modern organization faces a question: how much visibility do you have on your workforce, and with which instruments?
For the EU AI Act this area is sharply delineated. AI that monitors workers, scores productivity, predicts attrition or analyzes sentiment โ all of that is in scope of Annex III point 4(b). But the practical line between "legitimate oversight" and "surveillance that is legally indefensible" is not always clear. This post explains that line.
What AI monitoring does today
The modern workforce monitoring stack increasingly covers:
- Time tracking and activity dashboards โ Microsoft Viva, Hubstaff, Time Doctor analyze work patterns, application usage, active hours
- Productivity scoring โ AI scores workers on output metrics, collaboration frequency, deal velocity
- Sentiment analysis โ engagement surveys, Slack/Teams sentiment, exit interview NLP
- Attrition prediction โ AI predicts which workers are likely to leave based on behavioral patterns
- Workforce analytics platforms โ Visier, Workday Prism, ChartHop with predictive features
- Communications monitoring โ DLP tools with AI for content classification and risk scoring
- Wellness and burnout detection โ AI on work patterns for burnout signals
Not everything in this list is by definition surveillance. Many tools have legitimate oversight functions. The question is: where is the line of what is defensible under the AI Act, and what is not.
What Annex III point 4(b) precisely covers
The text of Annex III point 4(b) covers AI systems used for "making decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, allocating tasks based on individual behavior or personal traits, or monitoring and evaluating performance and behavior of persons in such relationships."
That is a broad reading. The Commission guidelines refine it further: monitoring with AI analysis used for performance, task allocation, contract decisions or terms of work falls within it. Pure logging without AI interpretation stays outside 4(b).
In practice this means:
- Time tracking without AI analysis โ administration. Outside 4(b).
- Time tracking with AI productivity scoring โ directly within 4(b) if the scoring feeds decisions.
- Attrition prediction with person-specific outcomes โ within 4(b). The prediction affects management actions toward the individual worker.
- Aggregate sentiment analysis without person attribution โ usually outside 4(b). Aggregate = team/organization, not individual worker decisions.
- Communications monitoring with AI risk scores on individuals โ within 4(b). This can also hit GDPR boundaries.
The gray zone: legitimate oversight versus surveillance
Employers have legitimate reasons to monitor workers: working conditions, safety, security, service quality. But the AI Act stacks on top of GDPR and labor law. The line runs along four dimensions:
- Proportionality โ is the monitoring proportionate to the purpose to be achieved?
- Necessity โ can the same purpose be achieved with less intrusive means?
- Transparency โ do workers know what is being monitored, by which AI, with what consequences?
- Cumulative effect โ what is the sum of all monitoring the worker is subjected to?
For regulators (DPAs, labor inspectorates, and soon AI supervisors) "we deployed AI for monitoring" is not the problem; "we deployed AI without FRIA, without worker representation approval, without worker notice and without cumulative impact analysis" is.
Step-by-step for your monitoring AI dossier
Do a cumulative monitoring inventory
Employers underestimate how much monitoring adds up across different tools. One individual worker can be measured in ten tools simultaneously. FRIA must address that sum.
Split legitimate oversight from surveillance gray zone
Not all monitoring is surveillance. But document per use case the proportionality test. Regulators ask for it explicitly.
Build worker perspective into your FRIA
The HR AI Evidence Pack has a section for 4(b) monitoring context: worker impact, alternative routes, and information duty.
Test your AI against the Article 6(3) filter
Interactive self-assessment, updated for the Commission guidelines of 19 May 2026. 9 steps, personal report with reasoning, vendor questions and next steps.
Frequently asked questions about monitoring AI and the AI Act
Practical questions for HR, security and compliance on Annex III point 4(b) monitoring.
What to do now
For employers with monitoring AI (or considering it): this is not a topic to park until 2027. The combination of AI Act 4(b), GDPR and works council law makes monitoring AI directly compliance-relevant. Start with the cumulative monitoring inventory this month, schedule worker representation conversation in parallel, and document via the HR AI hub and the HR AI Evidence Pack.