
AI Governance in HR & Recruitment: What Every US Employer Must Know

More than 83% of US employers now use some form of automated decision-making in their hiring process, according to a 2024 SHRM workforce technology survey. Yet fewer than one in four of those employers have a documented governance policy for how those tools are built, tested, or audited for bias.

That gap is closing, fast. New York City’s Local Law 144, active since July 2023, made the US the first jurisdiction to mandate third-party bias audits for AI-based employment tools. The EEOC has updated its guidance on algorithmic discrimination under Title VII. And a growing stack of state-level bills signals that federal-style regulation is no longer a matter of if, but when.

This article explains exactly where the law stands today, what hiring bias in AI looks like in practice, and how US employers can build compliance programs that hold up to scrutiny before a regulator comes asking.

The Regulatory Landscape: NYC Local Law 144, the EEOC, and What Comes Next

No two regulatory frameworks governing AI in employment are identical, which is partly what makes compliance so difficult. US employers operating nationally face a patchwork of city, state, and federal requirements that overlap in some areas and contradict in others.

NYC Local Law 144: The First Binding Standard

Local Law 144, signed by Mayor Eric Adams in November 2021 and enforced from July 5, 2023, applies to employers and employment agencies using Automated Employment Decision Tools (AEDTs) to screen candidates or employees for jobs based in New York City. An AEDT is defined as any computational process that substantially assists or replaces discretionary decision-making and that uses machine learning, statistical modeling, data analytics, or AI.

The law has three core requirements. First, employers must commission an independent bias audit of the AEDT from a qualified third party before deployment and at least annually thereafter. Second, they must publish a summary of that audit on their public-facing website, including the date it was conducted and the distribution of results by race, sex, and intersectional categories. Third, they must notify candidates and employees that an AEDT is being used in their evaluation process at least ten business days before the tool is applied, and must offer an alternative selection process upon request.

Violations carry fines of $375 per day for a first offense, rising to $1,500 per day for each subsequent offense. The Department of Consumer and Worker Protection (DCWP) administers enforcement. As of early 2026, the DCWP has issued formal guidance clarifying that the law applies to tools that rank or score candidates, not merely those that produce a binary accept/reject decision.

Key takeaway: If your company uses a resume screening algorithm, a structured interview scoring platform, or a video interview analysis tool that outputs candidate rankings for roles in New York City, Local Law 144 applies to you.

EEOC Guidance: Title VII and Algorithmic Discrimination

The Equal Employment Opportunity Commission issued technical guidance in May 2023 confirming that the use of AI hiring tools does not insulate employers from Title VII liability. Employers remain responsible for the discriminatory impact of their tools, regardless of whether the tool was built internally or purchased from a vendor.

The guidance addresses two types of unlawful discrimination in this context. Disparate treatment occurs when an employer intentionally uses an algorithm with protected characteristics as an input, even indirectly through proxy variables such as zip code, graduation year, or credit history, each of which may correlate closely with race or national origin. Disparate impact occurs when a facially neutral algorithmic process produces significantly different selection rates across protected groups and the employer cannot demonstrate the tool is job-related and consistent with business necessity.

The EEOC also clarified the four-fifths rule in an algorithmic context: if an AI screening tool selects candidates from one demographic group at less than 80% of the rate of the highest-selected group, that statistical disparity triggers a presumption of adverse impact that the employer must rebut. Critically, the employer, not the vendor, carries this burden.

| Requirement | NYC Local Law 144 | EEOC Title VII Guidance | Proposed Federal AI Act |
| --- | --- | --- | --- |
| Bias audit | Mandatory (annual, third-party) | Not mandated but strongly implied | Proposed mandatory |
| Candidate notice | Required (10 business days) | Recommended | Under review |
| Audit publication | Required on employer website | Not required | Proposed |
| Employer liability for vendor tools | Yes, employer remains liable | Yes, employer remains liable | Yes |
| Scope | NYC-based roles | All US employers under Title VII | All US employers (proposed) |

State and Federal Movement

Illinois enacted the Artificial Intelligence Video Interview Act in 2020, requiring employers using AI to analyze recorded video interviews to notify applicants and obtain consent. Maryland followed with a law banning facial recognition in employment screening without consent. California’s AB 2930, introduced in 2024, proposed broad mandatory impact assessments for automated decision systems, though it did not pass in its original form.

At the federal level, the Algorithmic Accountability Act has been introduced in successive Congresses without passing. However, the White House Executive Order on Safe, Secure, and Trustworthy AI, signed in October 2023, directed federal agencies to develop guidance on AI in the workplace, and the Department of Labor issued a blueprint in February 2024 for AI governance in hiring contexts. A unified federal standard is increasingly likely within the next legislative cycle.

How Hiring Bias Enters AI Systems

The phrase ‘algorithmic bias’ risks becoming so familiar that it loses its explanatory power. Understanding where bias actually enters AI hiring tools matters, because different entry points require different governance responses.

Training Data Bias

Most resume screening models are trained on historical hiring data: resumes of people who were hired, and the outcomes of their tenure. When the historical workforce skews toward particular demographics, the model learns to replicate that pattern. Amazon’s internal recruiting tool, decommissioned in 2018, is the most widely cited example. Trained on a decade of applications to a male-dominated technical workforce, it systematically downgraded resumes that contained the word ‘women’s’ or mentioned all-female colleges. The bias was not in the algorithm design. It was in the data.

The same principle applies to performance data. If performance scores were assigned by managers whose own evaluations reflected bias, those scores become a biased training signal. The model learns that certain profiles correlate with ‘success’ without recognizing that the success metric itself was contaminated.

Proxy Variable Bias

Algorithms trained to avoid protected characteristics often inadvertently introduce them through correlated variables. Zip code is correlated with race and socioeconomic status. Graduation year can be used to infer age. Extracurricular activities and volunteering patterns differ by socioeconomic background. Name formatting patterns differ by national origin. An algorithm that uses any of these variables as features without careful auditing may produce disparate impact even when protected characteristics are excluded from the model.

A 2022 study by the National Bureau of Economic Research found that call-back rates for job applications varied by 50% based on name alone, even when resumes were otherwise identical. AI tools trained on human-generated hiring decisions inherit this human bias if they are not explicitly tested and corrected for it.

Feedback Loop Amplification

AI tools that learn continuously from employer decisions can amplify bias over time. If early decisions reflect a biased pattern, and the model updates itself based on those decisions, the bias compounds with each iteration. Employers who deploy continuously learning models without monitoring this feedback loop may find that a tool that passed its initial audit fails a subsequent one by a significantly wider margin.

The governance implication: Bias audits conducted once at deployment are necessary but not sufficient. The tools that pose the greatest risk are those that update themselves over time without equivalent governance oversight.

Assessment Design Bias

Video interview AI tools that analyze facial micro-expressions, vocal tone, or word choice to predict job fit introduce a different kind of bias. The validity of these assessments as predictors of job performance has not been established by peer-reviewed research. Neurodivergent candidates, candidates with speech differences, and candidates whose first language is not English may be systematically disadvantaged by tools whose underlying science is contested. A 2023 meta-analysis published in the Journal of Applied Psychology found that facial expression analysis tools showed no statistically significant predictive validity for job performance across diverse populations.

Conducting an AI Bias Audit: What the Process Actually Involves

An AI bias audit under NYC Local Law 144 is a specific technical and statistical process, not a general compliance review. Employers and vendors who conflate the two will find themselves non-compliant.

What a Qualifying Audit Must Cover

The DCWP’s rules require that the audit calculate the selection rate for each category of race, sex, and intersectional combinations of race and sex, and compare those rates to identify disparities. The audit must be conducted by a qualified third party, defined as an independent entity that is not the employer, employment agency, or the AEDT developer. The audit must cover a statistically significant sample of recent applicants or employees, or use a historical dataset with a documented methodology.

A qualifying audit must produce: the date of the audit, the name and version of the AEDT, the distribution of results by demographic category, the impact ratio for each category, and a summary of the methodology. This summary must be posted publicly and remain accessible for at least three years.

The Technical Process: Impact Ratio Calculation

The impact ratio is the central metric. For each demographic group, the auditor calculates the selection rate, which is the proportion of candidates in that group who were advanced by the tool relative to the total number of candidates in that group who were evaluated. The impact ratio for a given group is then that group’s selection rate divided by the selection rate of the most-selected group.

An impact ratio below 0.80 triggers the four-fifths rule adverse impact threshold. But sophisticated auditors look beyond this single metric. They examine whether the disparity is statistically significant given sample size, whether it is consistent across intersectional subgroups, and whether it exists at the tool level or only when combined with subsequent human decisions.
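The calculation described above, as an added example that is not part of the original article and not the DCWP's or any auditor's methodology: it computes selection rates and impact ratios by sex, by race, and by intersectional category, flags ratios below 0.80, and attaches a two-proportion z-test p-value against the most-selected group. The applicant counts are constructed, and the z-test is an assumed choice of significance test.

```python
from collections import defaultdict
from math import erfc, sqrt

FOUR_FIFTHS = 0.80

# Constructed sample, not real data: (sex, race) -> (advanced by tool, evaluated).
SAMPLE = {
    ("Male", "White"): (120, 400),
    ("Female", "White"): (90, 360),
    ("Male", "Black"): (45, 200),
    ("Female", "Black"): (30, 180),
    ("Male", "Asian"): (60, 210),
    ("Female", "Asian"): (44, 190),
}


def aggregate(counts, key):
    """Sum (advanced, evaluated) over the category that `key` maps each cell to."""
    totals = defaultdict(lambda: [0, 0])
    for cell, (advanced, evaluated) in counts.items():
        totals[key(cell)][0] += advanced
        totals[key(cell)][1] += evaluated
    return {label: tuple(pair) for label, pair in totals.items()}


def two_sided_p(sel_a, n_a, sel_b, n_b):
    """Two-proportion z-test (pooled variance, normal approximation)."""
    pooled = (sel_a + sel_b) / (n_a + n_b)
    se = sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:  # both groups have identical all-or-nothing outcomes
        return 1.0
    z = (sel_a / n_a - sel_b / n_b) / se
    return erfc(abs(z) / sqrt(2))


def audit(counts, key):
    """Selection rate, impact ratio, four-fifths flag and p-value per category."""
    groups = aggregate(counts, key)
    # A category nobody was evaluated in has no selection rate; leave it out.
    rates = {g: a / n for g, (a, n) in groups.items() if n > 0}
    if not rates or max(rates.values()) == 0:
        raise ValueError("no category was advanced; impact ratio is undefined")
    ref = max(rates, key=rates.get)  # most-selected group is the denominator
    ref_sel, ref_n = groups[ref]
    result = {}
    for g, rate in rates.items():
        sel, n = groups[g]
        ratio = rate / rates[ref]
        result[g] = {
            "selection_rate": rate,
            "impact_ratio": ratio,
            "below_four_fifths": ratio < FOUR_FIFTHS,
            "p_value": 1.0 if g == ref else two_sided_p(sel, n, ref_sel, ref_n),
        }
    return result


def report(title, rows):
    print(title)
    for g, r in sorted(rows.items(), key=lambda kv: kv[1]["impact_ratio"]):
        flag = "BELOW 0.80" if r["below_four_fifths"] else "ok"
        print(f"  {str(g):22} rate={r['selection_rate']:.3f} "
              f"ratio={r['impact_ratio']:.3f} p={r['p_value']:.4f} {flag}")


if __name__ == "__main__":
    report("By sex", audit(SAMPLE, lambda cell: cell[0]))
    report("By race", audit(SAMPLE, lambda cell: cell[1]))
    report("Intersectional (sex, race)", audit(SAMPLE, lambda cell: cell))
```

On this constructed data the sex-only view stays above 0.80 while two intersectional categories fall below it, and only one of those two disparities is statistically significant at the 0.05 level.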

| Audit Component | Description | Regulatory Requirement |
| --- | --- | --- |
| Selection rate by demographic | % of applicants from each group advanced by the tool | NYC LL144, EEOC |
| Impact ratio calculation | Each group’s rate vs. highest-selected group | NYC LL144, EEOC (4/5 rule) |
| Intersectional analysis | Combined race + sex subgroup analysis | NYC LL144 |
| Statistical significance testing | Determines whether disparities exceed chance variation | Best practice |
| Methodology documentation | Detailed record of data, sample, and methods used | NYC LL144 (3-year retention) |
| Corrective action record | Documentation of any remediation taken post-audit | Best practice, proposed federal |

Choosing a Qualified Third-Party Auditor

The market for AEDT auditors is still maturing, and credential standards are not yet unified. Look for firms with demonstrated expertise in algorithmic fairness, specifically a background in statistics, psychometrics, or machine learning, not general compliance consulting. NIST’s AI Risk Management Framework provides a useful reference for evaluating auditor methodology. The firm should be genuinely independent: no financial relationship with the tool vendor, no involvement in the tool’s development, and no material interest in the audit outcome.

Cost varies significantly by tool complexity and data availability. Expect audits for large-scale enterprise tools to run between $15,000 and $60,000 depending on data volume and the number of demographic categories analyzed. Vendors who offer bias audits of their own tools are not compliant with the independence requirement under Local Law 144.

Building an AI Governance Program for HR: A Practical Framework

Compliance with the current regulatory baseline is necessary. It is not sufficient for employers who want to manage risk seriously. A genuine AI governance program for HR addresses the full lifecycle of an employment AI tool, from procurement to decommissioning.

Inventory and Classify Your AI Tools

The first step most employers have not taken is a simple one: catalog every tool in the HR tech stack that uses automated decision-making. This includes resume screening software, applicant tracking systems with AI scoring features, video interview platforms, pre-employment assessment tools, internal talent mobility platforms, and any custom-built tools developed by your data team.

For each tool, document: the vendor (or internal team), the intended use case, which decisions it influences, what data it uses as inputs, whether it has ever been audited for bias, and the version currently deployed. This inventory is the foundation of your governance program. Without it, you cannot know what you are governing.

Establish a Pre-Procurement Due Diligence Process

Before deploying a new AI hiring tool, require vendors to provide independent bias audit results, documentation of training data sources and demographic representation, a technical data sheet describing the model’s inputs and outputs, and their data retention and deletion policies. A vendor that cannot produce a recent independent audit report should be treated as higher risk. Require contractual representations about bias testing and notification of material changes to the model.

The Society for Human Resource Management recommends including AI tool governance requirements in vendor contracts, including audit rights, notification obligations on model updates, and indemnification provisions for regulatory fines resulting from tool failures.

Implement Ongoing Monitoring

Annual audits meet the current legal minimum. Ongoing monitoring is better practice. At minimum, track the demographic composition of each stage of your hiring funnel every quarter. If the demographic profile of candidates who pass AI screening differs meaningfully from the profile of those who applied, that is a monitoring signal warranting investigation.

Establish a process for receiving and investigating candidate complaints about AI screening results. The EEOC has signaled in its guidance that employer responsiveness to individual complaints factors into its assessment of good-faith compliance efforts.

Train HR and Hiring Manager Staff

Legal liability under Local Law 144 and Title VII does not attach only to the AI tool. It attaches to the employer’s decision-making process. Hiring managers who override AI recommendations in a pattern that correlates with protected characteristics, or who do not use the candidate notification process correctly, create independent compliance exposure. Annual training on AI governance obligations, including what the tools do and do not decide, should be part of your HR compliance curriculum.

Governance principle: AI tools reduce some forms of human bias while introducing new ones. The goal is not to eliminate human judgment from hiring, but to ensure both human and algorithmic judgment are governed by the same fairness standards.

ISO/IEC 42001 and AI Governance in Employment: The International Standard

ISO/IEC 42001:2023 is the international standard for AI management systems. Where NYC Local Law 144 addresses a specific use case with specific technical requirements, ISO/IEC 42001 provides an organization-wide framework for responsible AI governance. For HR teams, the two are complementary rather than competing.

The standard requires organizations to establish an AI policy, conduct AI risk assessments, implement controls for AI systems throughout their lifecycle, and demonstrate continual improvement. Its risk assessment framework, codified in Clause 8, provides a structured methodology for exactly the kind of pre-deployment analysis that best practice in HR AI governance demands. ISO/IEC 42001 also includes specific guidance on AI systems that affect individuals, which maps directly to employment contexts.

Organizations certified to ISO/IEC 42001 can demonstrate to regulators, customers, and candidates that their AI governance program meets an internationally recognized standard, not merely the minimum required by local law. This matters increasingly in enterprise procurement contexts, where buyers are beginning to require AI governance certification from vendors as a contract condition.

GAICC’s ISO/IEC 42001 certification programs are designed for HR governance practitioners, compliance officers, and AI implementation leads who need to build and operate these governance frameworks in practice. The Lead Implementer program specifically covers the AI risk assessment and control implementation processes that are directly applicable to employment AI governance.

Candidate Rights, Notice Requirements, and Accommodation Obligations

The legal rights of candidates under NYC Local Law 144 are more specific than most employers realize, and the accommodation obligation in particular creates operational complexity that deserves careful attention.

The Notice Requirement in Practice

Employers must notify candidates at least ten business days before the AEDT is used in their evaluation. The notice must include a statement that an AEDT will be used, the characteristics or categories the AEDT will use in its analysis, and information about how to request an accommodation or alternative process. The notice can be provided by email, physical posting, or inclusion in the job listing itself.

The notice requirement applies even when the AEDT is embedded in a third-party platform. If your applicant tracking system uses AI scoring and the vendor did not configure the required notice, the compliance obligation falls on you, not the vendor.

The Alternative Process Obligation

Candidates may request an alternative selection process within the ten business day notice window. The employer is required to provide one, though the law does not specify what the alternative must be. Most compliance practitioners recommend documenting a standardized alternative process in advance, typically a structured human review of application materials. The alternative process should be equivalent in rigor and validity to the AI-assisted process, not a perfunctory review designed to satisfy the letter of the requirement.

ADA and State Disability Law Intersections

Candidates with disabilities that affect performance on algorithmic assessments, including neurodivergent candidates, candidates with anxiety disorders, and candidates with physical conditions that affect facial expression or vocal pattern, may have accommodation rights under the Americans with Disabilities Act. The EEOC guidance notes explicitly that employers must consider whether their AI tools systematically disadvantage candidates with disabilities and must provide reasonable accommodations where such disadvantage exists.

The intersection of AI bias law and disability accommodation is one of the most technically complex areas in this regulatory space. Employers using video interview AI tools or psychometric assessments with algorithmic scoring should obtain legal advice on their specific tools and accommodation processes.

Common Compliance Mistakes and How to Avoid Them

Enforcement actions and informal DCWP inquiries since July 2023 have revealed consistent patterns in where employers fall short. These are not obscure edge cases.

  • Treating vendor bias testing as equivalent to an independent third-party audit. A vendor’s internal testing does not meet the independence requirement under Local Law 144. Employers must commission their own audit from a party with no relationship to the vendor.
  • Publishing an audit summary that omits intersectional categories. The law requires race and sex to be analyzed independently and in combination. An audit that reports only binary sex data or aggregated racial categories is non-compliant.
  • Applying the AEDT to NYC-based roles without any notice mechanism. Many employers have configured their ATS to use AI scoring globally without a jurisdiction-based notice trigger. This is one of the most common enforcement failures.
  • Failing to update the audit after a material model change. If the vendor updates the algorithm, releases a new version, or retrains the model on new data, the existing audit is no longer valid. Contracts should require vendor notification of material model changes.
  • Confusing the bias audit with a general AI ethics review. The audit is a specific statistical analysis of selection rate disparities. It is not a policy document, a fairness statement, or a vendor self-assessment.
  • Overlooking internal tools. Custom-built scoring models developed by your data or engineering team are subject to the same requirements as purchased tools. In-house tools are frequently omitted from compliance inventories.

Frequently Asked Questions

Does NYC Local Law 144 apply to companies headquartered outside New York?

Yes. The law applies to any employer or employment agency that uses an AEDT to screen candidates for roles based in New York City, regardless of where the employer is headquartered. If you are a California-based company hiring for a New York City office and you use AI in that hiring process, Local Law 144 applies.

What is the difference between disparate treatment and disparate impact in AI hiring?

Disparate treatment is intentional discrimination: using protected characteristics as an input, directly or through a known proxy. Disparate impact is unintentional: a neutral process that produces significantly different outcomes across protected groups. AI tools can produce disparate impact without any discriminatory intent on the employer’s part. Both are actionable under Title VII, and AI does not change that.

How often must an AI hiring tool be audited under NYC Local Law 144?

At least once per year, and before the tool is first deployed. The audit must be conducted by a qualified independent third party. If the tool is materially updated, a new audit is required. The audit summary must be posted publicly and retained for three years.

Can a candidate sue under Local Law 144 directly?

No. Local Law 144 does not create a private right of action. Enforcement is through the DCWP, which can impose fines. However, evidence gathered through a Local Law 144 audit process can be used in a separate Title VII or state law discrimination claim. The lack of a private right of action does not mean employers face no litigation risk.

Do structured interviews count as AEDTs under Local Law 144?

Structured interviews conducted by humans, scored by humans, without algorithmic processing, do not qualify. However, if an AI system analyzes video recordings of structured interviews to produce scores or rankings, that system is an AEDT. The key question is whether computational processing substantially assists or replaces discretionary judgment.

What role does ISO/IEC 42001 play alongside Local Law 144 compliance?

ISO/IEC 42001 provides the organizational governance framework within which specific regulatory compliance sits. A company certified to ISO/IEC 42001 has a systematic AI risk assessment process, documented controls, and continual improvement mechanisms. This does not replace the Local Law 144 audit requirement, but it provides the organizational infrastructure that makes complying with that requirement, and future requirements, more consistent and defensible.

What should employers do immediately if they have not started compliance?

Inventory every AI tool in your HR tech stack. Identify which ones apply to NYC-based roles. Commission an independent bias audit from a qualified third party. Establish a candidate notice process. Review vendor contracts for audit-sharing and notification obligations. These five steps address the most critical compliance gaps for most employers.

Conclusion

The regulatory direction is clear. AI hiring tools are subject to legal requirements that are real, enforceable, and expanding. NYC Local Law 144 established the first mandatory audit standard. The EEOC confirmed that AI does not insulate employers from Title VII. State legislation is proliferating. Federal action is coming.

The employers who will manage this well are not those who scramble to meet minimum requirements as each new law takes effect. They are those who build genuine AI governance infrastructure now, when the cost of doing so is lower than the cost of enforcement actions, litigation, and reputational damage that follows non-compliance.

That means auditing the tools you have, governing the tools you buy, training the people who use them, and building the organizational systems that make responsible AI in hiring a standard practice rather than a compliance checkbox. GAICC’s ISO/IEC 42001 certification programs provide the governance expertise to do exactly that.

About the Author

Dr Faiz Rasool

Director at the Global AI Certification Council (GAICC) and PM Training School

A globally certified instructor in ISO/IEC, PMI®, TOGAF®, SAFe®, and Scrum.org disciplines. With over three years’ hands-on experience in ISO/IEC 42001 AI governance, he delivers training and consulting across New Zealand, Australia, Malaysia, the Philippines, and the UAE, combining high-end credentials with practical, real-world expertise and global reach.
