
10 AI Hiring Compliance Rules Recruiters Must Follow in 2026
AI hiring compliance in 2026 is not optional. From NYC Local Law 144’s mandatory bias audits to the EU AI Act’s high-risk classification, recruiters using automated tools face active legal obligations — not future risks. These 10 rules define what you must do right now to stay compliant and protect your organization.
AI is no longer a pilot project in recruiting. It is embedded in ATS ranking, resume parsing, interview scheduling, and candidate scoring across organizations of every size. That scale of deployment has triggered an equally scaled regulatory response. Jurisdictions from New York City to Brussels now impose specific legal obligations on employers who use automated tools to make or influence hiring decisions.
This is not a future risk to monitor — it is a present compliance obligation to manage. Sustainable AI adoption requires structured governance, and regulatory compliance is the floor, not the ceiling, of that governance. The workflows covered in “6 Ways the Make MCP Changes Automation Work for HR Teams” and the audit discipline described in “How to Run an OpsMap Audit Before Automating Anything” both depend on a compliance-ready foundation. Before you automate, you need to understand what the law requires.
Before diving into the 10 rules, here is a quick-reference summary of where each regulation applies:
| Regulation | Jurisdiction | Primary Obligation | Effective Status |
|---|---|---|---|
| NYC Local Law 144 | New York City | Annual independent bias audit + candidate notice | In force |
| EU AI Act | European Union | High-risk conformity framework | Phased enforcement 2024–2026 |
| Illinois AIVIA | Illinois | Bias notification + annual testing | In force |
| Maryland HB 1202 | Maryland | Facial analysis consent | In force |
| EEOC Guidance | United States (federal) | Adverse impact liability | Active enforcement |
| GDPR / UK GDPR | EU / UK | Lawful basis + automated decision rights | In force |
| CCPA / CPRA | California | Candidate data rights + opt-out | In force |
| ADA / Section 508 | United States (federal) | Accessibility in automated screening | Active enforcement |
| OFCCP AI Guidance | Federal contractors (US) | Internet Applicant Rule + adverse impact | Active enforcement |
| State-Level Expansion | Multiple US states | Emerging notice and audit requirements | Expanding 2025–2026 |
1. NYC Local Law 144 — Bias Audits Are Mandatory, Not Optional
New York City’s Local Law 144 is the most operationally specific AI hiring regulation in the United States. Any employer or staffing agency using an automated employment decision tool (AEDT) to evaluate candidates for NYC-based roles must commission an independent bias audit before deploying the tool and annually thereafter.
- Who it covers: Any employer or employment agency using an AEDT for NYC-based candidates or employees — regardless of where the company is headquartered.
- What is audited: Selection rates by sex, race, and ethnicity, compared across demographic groups to identify statistically significant disparities.
- Independence requirement: The audit must be conducted by a third party independent of the AEDT vendor — vendor-commissioned audits do not satisfy the requirement.
- Publication requirement: Audit results must be published on the employer’s website and remain accessible to candidates.
- Candidate notice: Employers must notify candidates that an AEDT is being used at least ten business days before assessment and provide an alternative process upon request.
If your organization screens candidates for any NYC-based role using algorithmic tools, you are already subject to this law. Non-compliance carries civil penalties. Audit your vendor stack now.
Expert Take
The most common Local Law 144 mistake is assuming the ATS vendor handles compliance. The law places obligations on the employer, not the vendor. Your vendor’s audit — if one exists — does not fulfill your legal obligation. You need an independent audit commissioned by your organization, covering your specific use of that tool.
2. EU AI Act — Recruiting AI Is Classified High-Risk
The EU AI Act classifies AI systems used in recruitment, selection, promotion, and termination decisions as high-risk. High-risk classification is not a warning label — it is a substantive obligation tier that triggers a specific conformity framework before deployment.
- Risk management system: Providers and deployers must maintain a documented, ongoing risk management process throughout the AI system’s lifecycle.
- Data governance: Training data must be subject to governance practices addressing relevance, representativeness, and potential biases.
- Technical documentation: Providers must produce and maintain comprehensive technical documentation demonstrating compliance.
- Transparency to workers: Where AI systems directly interact with or evaluate individuals, those individuals must be informed.
- Human oversight: High-risk AI systems must be designed to allow human oversight, including the ability to override, disregard, or correct outputs.
- Conformity assessment: Before market placement, high-risk systems must undergo conformity assessment — in some cases requiring third-party involvement.
If you operate in or sell to EU markets and use AI in any part of the hiring funnel, the EU AI Act is not a future consideration. Phased enforcement deadlines have begun. Get legal review on your current tools immediately.
3. Illinois Artificial Intelligence Video Interview Act — Consent and Bias Testing Required
Illinois enacted one of the earliest AI-specific hiring laws in the United States. The Artificial Intelligence Video Interview Act (AIVIA) applies to employers using AI to analyze video interviews of Illinois residents applying for positions in Illinois.
- Consent requirement: Employers must notify applicants before the interview that AI will be used to analyze their facial expressions, speech, and related characteristics, and must obtain explicit consent.
- Distribution restriction: Video recordings analyzed by AI may not be shared with third parties except those necessary to operate the AI tool.
- Deletion on request: Applicants may request deletion of their video within 30 days of final hiring decisions, and employers must comply within that period.
- Bias testing obligation: Employers must annually test AI video tools for race and sex bias and report those results to the Illinois Department of Commerce and Economic Opportunity.
Recruiters using AI-powered video interview platforms — including tools that score candidate responses or flag emotional signals — face direct obligations under this law when interviewing Illinois residents.
4. Maryland’s Facial Recognition Hiring Law — Prior Consent Is Non-Negotiable
Maryland HB 1202 restricts employer use of facial recognition technology in the hiring process. Employers in Maryland are prohibited from using facial recognition services during job interviews without the applicant’s prior written consent.
- Scope: Covers any technology that identifies or verifies an individual based on facial geometry or facial characteristics.
- Consent timing: Consent must be obtained before the interview takes place — not during or after.
- No coercion: Employers cannot condition interview participation on consent to facial recognition use.
AI-enhanced video platforms that include facial analysis features — even as a background capability — trigger this requirement. Recruiters must verify what their video interview tools actually analyze, not just what the vendor markets them as doing.
5. EEOC Guidance on AI and Adverse Impact — Federal Liability Is Already Active
The Equal Employment Opportunity Commission has issued technical guidance making clear that existing federal employment discrimination law applies to AI hiring tools. Employers cannot shield themselves from adverse impact liability by attributing selection decisions to an algorithm.
- Adverse impact standard: If an AI tool disproportionately screens out candidates based on a protected characteristic — even without discriminatory intent — the employer faces potential Title VII liability.
- Employer accountability: The EEOC holds employers responsible for the discriminatory effects of tools they choose to use, including tools provided by third-party vendors.
- ADA intersection: The EEOC has specifically flagged AI tools that screen out candidates with disabilities, including tools that use proxies such as speech pattern analysis or attention metrics.
- Vendor reliance is not a defense: Contracting with a vendor does not transfer legal liability. The employer remains the responsible party.
This is not new law — it is existing federal civil rights law applied to new technology. The risk is active and enforcement actions have occurred. Every AI screening tool in your stack should be evaluated for adverse impact before deployment.
6. GDPR and UK GDPR — Automated Decision Rights Apply to Candidates
Under the General Data Protection Regulation and its UK equivalent, candidates have the right not to be subject to decisions based solely on automated processing when those decisions produce significant effects on them. Hiring decisions qualify.
- Lawful basis: Employers must identify a lawful basis for processing candidate data through automated systems — typically legitimate interest or explicit consent, each with different requirements.
- Right to explanation: Candidates subject to solely automated decisions have the right to obtain an explanation of the logic involved and to contest the decision.
- Data minimization: Only data that is necessary for the stated purpose may be collected and processed.
- Retention limits: Candidate data may not be retained longer than necessary for the purpose for which it was collected.
- Data Protection Impact Assessment: High-risk processing activities — including AI screening at scale — require a documented DPIA before deployment.
Recruiters using AI tools to score, rank, or filter candidates in the EU or UK must have legal counsel review the lawful basis for that processing and confirm candidate rights mechanisms are functional.
7. CCPA and CPRA — California Candidates Have Data Rights Your Process Must Honor
The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, extend meaningful data rights to job applicants. California-based candidates interacting with AI-driven hiring tools have rights that employers must actively support.
- Right to know: Candidates can request disclosure of what personal information has been collected and how it is used.
- Right to delete: Candidates can request deletion of their personal information, subject to certain business purpose exceptions.
- Right to opt out of sale or sharing: If candidate data is shared with AI vendors in ways that constitute a sale or cross-context sharing under California law, candidates have the right to opt out.
- Sensitive personal information: The CPRA created enhanced protections for sensitive categories including racial origin and biometric data — both highly relevant in AI hiring contexts.
- No retaliation: Employers cannot penalize candidates for exercising their privacy rights.
California’s enforcement posture has intensified. If your AI hiring stack processes data about California applicants, a privacy audit of your vendor data flows is a compliance requirement, not a best practice.
8. ADA and Accessibility in Automated Screening — Disability Discrimination Has New Vectors
The Americans with Disabilities Act prohibits employment discrimination against qualified individuals with disabilities. AI hiring tools create new vectors for ADA violations that many recruiters have not fully mapped.
- Screening out qualified candidates: AI tools that use proxies correlated with disability — including non-standard speech patterns, motor function variations, or cognitive processing differences — may screen out qualified candidates in violation of the ADA.
- Reasonable accommodation in the assessment process: Candidates have the right to request reasonable accommodations in the hiring process, including accommodations for AI-based assessments. Employers must have a process to grant those requests.
- Medical inquiry restrictions: AI tools that prompt or elicit disability-related information during pre-offer stages may violate ADA provisions on pre-employment medical inquiries.
- Section 508 compliance: Federal contractors and agencies must ensure assessment platforms used in hiring are accessible to individuals with disabilities.
The EEOC’s 2023 technical guidance on AI and disability discrimination is required reading for any recruiter deploying automated screening tools. Verify with each vendor what accommodation workflows their platform supports before deployment.
9. OFCCP and the Internet Applicant Rule — Federal Contractors Face Compounding Obligations
Federal contractors are subject to compliance oversight from the Office of Federal Contract Compliance Programs. AI hiring tools used by federal contractors sit at the intersection of the Internet Applicant Rule and evolving OFCCP guidance on algorithmic bias.
- Internet Applicant Rule recordkeeping: Federal contractors must maintain records of all expressions of interest — including those processed through AI tools — and apply adverse impact analysis to the full candidate pool.
- Adverse impact analysis: Contractors must analyze whether AI-assisted screening at any stage of the funnel produces statistically significant disparate impact across protected classes.
- OFCCP audit readiness: AI tools and their outputs are subject to review during compliance evaluations. Contractors must be able to produce documentation of how AI tools work, what data they use, and what their outcomes have been across demographic groups.
- Affirmative action data integrity: AI screening outputs affect applicant flow data used in affirmative action plans. Errors or unexplained demographic patterns in AI outputs compromise AAP integrity.
Federal contractors using AI in any part of recruitment face a higher documentation burden than other employers. Implement audit-ready recordkeeping from the point of first candidate contact through final selection.
10. State-Level Expansion — The Regulatory Perimeter Is Growing
NYC, Illinois, and Maryland were early movers. The legislative pipeline in 2025 and 2026 shows this is not isolated activity — it is the leading edge of a national pattern.
- Washington state: Legislation has been introduced requiring employers to disclose AI use in hiring and to conduct bias assessments on automated tools.
- New Jersey: Proposed legislation mirrors key elements of NYC Local Law 144, including independent audit and candidate notice requirements.
- Colorado: The Colorado AI Act addresses algorithmic discrimination in consequential decisions, with provisions that extend to employment contexts.
- Texas and Florida: Both states have active legislative discussions about AI accountability frameworks, with employment use cases included in scope.
- Canada (AIDA): Canada’s Artificial Intelligence and Data Act, if enacted, would create federal obligations for high-impact AI systems — including those used in employment decisions.
Organizations operating across multiple states or jurisdictions cannot build a compliance program around any single regulation. The practical approach is to build toward the most rigorous standard — independent audit, candidate notice, human override capability, and documented adverse impact analysis — and treat that as your baseline across all jurisdictions.
Expert Take
The recruiters who will navigate this regulatory environment successfully are not the ones who monitor legislation — they are the ones who build operational systems that generate compliance evidence continuously. Audit logs, candidate notice workflows, human review checkpoints, and documented override processes are not one-time compliance tasks. They are ongoing operational requirements. Build them into the process architecture from day one, the same way you build error handling into an automation workflow.
What Compliance Looks Like in Practice
Understanding the regulations is necessary but insufficient. Compliance requires operational infrastructure. The recruiters and HR teams best positioned to meet these obligations are those who treat AI governance as a process design problem — not a legal checkbox exercise.
The same discipline that makes AI automation reliable in HR workflows applies to compliance. As documented in “How Sarah Compressed a 45-Minute Onboarding Process to Under 4 Minutes,” building structured process checkpoints produces both efficiency and accountability. The OpsMesh™ framework applies exactly this logic: map processes before automating, build in human oversight points, and maintain documentation that survives scrutiny.
For recruitment teams using Make.com to automate candidate communications, screening routing, or data management, the “7 Questions to Ask Before You Automate Anything” checklist is a practical starting point. Compliance considerations — what data is processed, where it flows, who has oversight — belong in that checklist alongside efficiency and accuracy questions.
The organizations that will absorb the next wave of AI hiring regulations without disruption are those building governance infrastructure now, not those scrambling to retrofit it when enforcement actions begin.
Additional Reading
- 6 Ways the Make MCP Changes Automation Work for HR Teams
- How to Run an OpsMap Audit Before Automating Anything
- How Sarah Compressed a 45-Minute Onboarding Process to Under 4 Minutes
- What Is OpsMesh? The Framework That Structures Every 4Spot Engagement
- 7 Questions to Ask Before You Automate Anything (The OpsMap Checklist)
- How a Non-Technical HR Team Started Building Their Own Automations With Make + AI
- How David Eliminated 3 Hours of Daily CRM Entry With a Single Make Scenario
- How One Ops Team Recovered $103K in Annual Labor Hours With Make Automation
- What Is Automation-First? Why You Should Automate Before You Add AI
- OpsMap vs. Skipping Discovery: What Happens When You Automate Without a Map
- 5 Automation Tasks AI Handles Well — and 5 It Still Gets Wrong
- How Nick Cut 6 Manual Handoffs From Proposal Generation With One Make Workflow
- DIY Automation vs. Hiring a Make Partner in 2026: When to Do Each
- AI-Assisted Make Automation: Frequently Asked Questions
- 10 Automations That Are Finally Easy to Build With Make + AI — No Developer Needed

