EU AI Act, NYC Law 144 drive new hiring algorithm compliance rules

Serge Bulaev

Regulators now treat hiring algorithms as high-risk systems, and the new rules are already being enforced in the EU and New York City. Employers may be required to commission independent bias audits, publish a summary of the results, and notify candidates before an automated tool is used. This article proposes a checklist covering bias audits, transparency, human review, and data security. Continuous monitoring and clear contract terms can help address bias and compliance risk. Talent and legal teams can prepare for upcoming legal deadlines by reviewing their vendor contracts against this checklist.

New hiring algorithm compliance rules under the EU AI Act and NYC Law 144 now classify recruitment tools as high-risk systems. With enforcement active, talent teams must use a definitive checklist for AI hiring compliance and bias mitigation to vet and manage vendors.

These regulations impose significant obligations on employers. In the European Union, the EU AI Act classifies hiring software as high-risk, with non-compliance fines reaching up to €35 million or 7% of global turnover for prohibited practices. In New York City, Local Law 144 requires employers to provide candidates with a summary of the annual bias audit and 10 days' notice before using an Automated Employment Decision Tool. The audit summary must be posted on the employer's website if applicable. Enterprises now need a single, defensible checklist to manage these overlapping requirements and streamline vendor RFP scoring.

Core compliance questions

Compliance requires a multi-faceted approach. Organizations must conduct regular bias audits, maintain transparency with candidates through notices and documentation, provide pathways for human review and overrides, and ensure robust data security and documentation. These elements form the foundation of a defensible compliance strategy.

To ensure vendor alignment with these principles, your evaluation must answer these critical questions:

  1. Has the vendor supplied an external bias audit from the past 12 months that applies appropriate statistical measures for adverse impact analysis?
  2. Does the platform provide comprehensive documentation of training data, subgroup performance and known limitations?
  3. What information and rights are provided to candidates regarding automated decision tools?
  4. What human-oversight workflow allows recruiters to override or reverse an algorithmic recommendation?
  5. Which jurisdictions host data, and are encryption and data isolation controls certified under appropriate security standards like SOC 2 and ISO 27001?

Mapping laws to checklist controls

| Region | Key legal trigger | Mandatory employer action |
| --- | --- | --- |
| EU | EU AI Act (full enforcement Aug 2026) | Conduct risk assessment, register high-risk system, maintain logs |
| United States | NYC Local Law 144 | Conduct annual bias audit and provide pre-decision notice |
| Colorado | SB 24-105 (effective February 2025) | Complete impact assessment and ongoing monitoring |
| APAC | Singapore PDPA guidance | Provide transparency and human oversight |

This table shows that most jurisdictions converge on four themes: bias auditing, transparency, human oversight and documentation.

Inserting checklist clauses into contracts

To operationalize compliance, procurement teams must embed specific, measurable service-level objectives into master service agreements (MSAs). Following established AI procurement frameworks, contracts should compel suppliers to provide remediation plans if disparate impact ratios fall below acceptable thresholds. Tying payment milestones to the delivery of compliance artifacts both incentivizes vendors and protects employers from downstream liability.

Bias mitigation KPIs

Effective bias mitigation relies on continuous monitoring, not just one-time certification. Best practice for high-risk AI systems includes monthly bias audits, with quarterly audits as a minimum requirement. Key performance indicators (KPIs) to track include the Disparate Impact Ratio and Demographic Parity measures. Integrating these metrics into a vendor scorecard allows for critical year-over-year trend analysis.

Human-in-the-loop safeguards

Legal frameworks place accountability on deployers of AI systems and require human oversight throughout the process. In practice, oversight means calculating selection rates for each demographic group at every stage of the hiring funnel, so that emerging bias is spotted at the stage where it arises rather than only in the final outcome. Best practice embeds formal checkpoints where recruiters must review AI-generated shortlists and document any overrides, creating an audit trail.
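The following is an added example, not code from the article or from any vendor: it computes the KPIs named above (selection rates per stage, the Disparate Impact Ratio built the way NYC Local Law 144 frames it, as each group's selection rate divided by the highest group's rate, and a Demographic Parity gap) over a constructed hiring funnel. The applicant sample, the group labels A and B, and the 0.8 flag threshold are assumptions for illustration, not values from the article.

```python
# Added example, not from the article: per-stage selection rates, NYC LL144-style
# impact ratios (group rate / highest group rate) and demographic-parity gaps
# over a constructed hiring funnel. The 0.8 flag threshold is an assumption.
from collections import Counter

STAGES = ["applied", "screened", "interviewed", "offered"]
THRESHOLD = 0.8  # assumed four-fifths convention, not a value from the article
# Constructed sample: (demographic group, furthest stage the applicant reached)
APPLICANTS = (
    [("A", "offered")] * 12 + [("A", "interviewed")] * 18
    + [("A", "screened")] * 30 + [("A", "applied")] * 40
    + [("B", "offered")] * 5 + [("B", "interviewed")] * 10
    + [("B", "screened")] * 35 + [("B", "applied")] * 50
)

def stage_counts(applicants):
    """Per group, number of applicants who reached each stage (or beyond)."""
    counts = {}
    for group, furthest in applicants:
        row = counts.setdefault(group, Counter())
        for stage in STAGES[: STAGES.index(furthest) + 1]:
            row[stage] += 1
    return counts

def selection_rates(counts, stage):
    """Rate of advancing into `stage` from the previous stage, per group."""
    prev = STAGES[STAGES.index(stage) - 1]
    return {g: c[stage] / c[prev] for g, c in counts.items() if c[prev]}

def impact_ratios(rates):
    """Each group's rate relative to the most-selected group (LL144 construction)."""
    best = max(rates.values(), default=0.0)
    return {g: (r / best if best else 0.0) for g, r in rates.items()}

def parity_gap(rates):
    """Demographic parity: spread between highest and lowest selection rate."""
    return max(rates.values()) - min(rates.values()) if rates else 0.0

def funnel_report(applicants, threshold=THRESHOLD):
    """Per-stage KPIs plus the groups whose impact ratio falls below threshold."""
    counts = stage_counts(applicants)
    report = {}
    for stage in STAGES[1:]:
        rates = selection_rates(counts, stage)
        ratios = impact_ratios(rates)
        report[stage] = {"rates": rates, "impact_ratios": ratios,
                         "parity_gap": parity_gap(rates),
                         "flagged": sorted(g for g, r in ratios.items() if r < threshold)}
    return report
```

On this sample, `funnel_report(APPLICANTS)` flags group B at the interview stage (impact ratio 0.6) while the screening and offer stages pass, which a single end-to-end offer/applied ratio would not localize.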

Quick-reference bullet list for RFP writers

Incorporate these non-negotiable requirements directly into your Request for Proposal (RFP) documents to build a defensible audit trail:

  • Require recent external bias audit with appropriate documentation
  • Ask for comprehensive model documentation and training-data lineage
  • Mandate candidate notice templates and information about automated tools
  • Specify SOC 2 and ISO 27001 certificates for data security
  • Tie payment to regular bias monitoring and remediation timelines

Vendor responses to these five mandates create a defensible audit trail that satisfies core EU and US regulatory principles.

Next steps for talent and legal teams

To prepare for upcoming legal deadlines, talent and legal teams should immediately gather all current vendor contracts and map them against this compliance framework. Scheduling missing audits and embedding these controls into future procurement will shorten approval cycles and prevent costly compliance failures.