
Post: 9 AI Hiring Compliance Requirements HR Leaders Must Meet in 2026
AI hiring tools now operate under three overlapping regulatory frameworks: the EU AI Act, NYC Local Law 144, and EEOC anti-discrimination guidance. HR leaders must meet nine specific compliance requirements — covering bias audits, candidate disclosure, human oversight, and data governance — before deploying any algorithmic screening or ranking tool.
The regulatory window for “wait and see” is closed. The EU AI Act is in force, NYC Local Law 144 enforcement began in July 2023, and the EEOC has confirmed that existing anti-discrimination statutes apply fully to algorithmic decisions. If your organization uses AI to screen, rank, score, or evaluate candidates, you are already in scope under at least one of these frameworks — and if you hire in New York City or employ EU-based workers, you are in scope under multiple frameworks simultaneously.
This post maps the nine requirements that matter most, organized by the practical actions HR teams must take. For the broader context on building an AI-powered hiring operation, see our guides on EU AI Act requirements every HR leader must know, EEOC AI compliance requirements for HR teams, and California AI procurement compliance action steps.
Before diving into requirements, here is how the three major frameworks compare across the dimensions that drive your compliance workload:
| Dimension | EU AI Act (High-Risk) | US Federal (EEOC Guidance) | NYC Local Law 144 |
|---|---|---|---|
| Trigger | AI tool used in employment decisions for EU residents | Any employment decision affecting US-protected class members | Automated decision tool used to hire or promote in NYC |
| Timing | Pre-deployment conformity assessment required | Post-harm enforcement via EEOC charge or litigation | Annual audit required; enforcement ongoing since July 2023 |
| Bias Audit | Required as part of risk management system | Not mandated; recommended as disparate impact defense | Mandatory independent annual bias audit; public summary required |
| Candidate Disclosure | Transparency obligations; explanation of logic required on request | No explicit mandate; expected under general fairness principles | Required notice to candidates before tool is used |
| Human Override | Mandatory meaningful human oversight for all high-risk systems | No statutory requirement; important for legal defensibility | Not specified; best practice aligned with audit obligations |
| Data Governance | High-quality training data, documentation, and audit logs required | Record retention under EEOC regulations (29 CFR Part 1602) | Audit data retention tied to annual audit cycle |
| Penalty Exposure | Up to €30M or 6% of global annual turnover | Back pay, compensatory damages, attorney fees via litigation | Civil penalties per violation; private right of action |
| Geographic Scope | Any employer using AI on EU residents — including non-EU companies | US employers, US-protected class members | Any employer using AEDT to hire or promote in NYC |
Requirement 1: Classify Your AI Tools Under the Correct Risk Tier
The EU AI Act uses a tiered risk classification. HR tools sit in the highest tier by default. Annex III of the Act explicitly lists AI systems used in employment, worker management, and access to self-employment as high-risk — this covers resume screeners, ATS ranking algorithms, video interview analyzers, and predictive suitability scores.
This classification is not determined by how you use the tool. A vendor’s resume screener is high-risk whether you treat it as a primary filter or a secondary check. Misclassifying a tool as lower-risk to avoid obligations is the first compliance failure most organizations make.
Action: Build an AI tool inventory. For each tool that touches candidate evaluation, confirm its risk classification under EU AI Act Annex III. If it ranks, scores, filters, or recommends candidates, it is high-risk. Document this classification with a rationale that legal counsel can defend.
See also: EU AI Act strategic compliance for HR and recruiting automation.
Requirement 2: Complete a Pre-Deployment Conformity Assessment for EU-Scope Tools
The EU AI Act requires a conformity assessment before any high-risk AI system goes live. This is the most significant structural difference between EU and US compliance: the EU mandates pre-deployment controls; the US enforces post-harm. You cannot deploy first and audit later if EU residents are in your candidate pool.
A conformity assessment for an HR AI tool covers:
- Documentation of the system’s intended purpose and technical architecture
- Risk identification across the system’s lifecycle
- Evidence that data governance requirements are met
- Confirmation that human oversight mechanisms are operational before deployment
- Testing results demonstrating the system performs as intended across demographic groups
Action: If you are using a third-party AI hiring tool, request the vendor’s conformity assessment documentation. Do not assume the vendor has completed this. Many SaaS providers selling into the US market have not built EU AI Act compliance into their standard offering.
Requirement 3: Run an Independent Annual Bias Audit (NYC) or Ongoing Risk Assessment (EU)
NYC Local Law 144 requires an independent annual bias audit for any automated employment decision tool (AEDT) used to hire or promote candidates in New York City. The audit must be conducted by an independent third party, cover selection rate data by sex, race, and ethnicity, and produce a public summary that the employer posts on its website.
The EU AI Act requires bias evaluation as part of a continuous risk management system — not a one-time check. Both regimes demand documented evidence of disparate impact analysis, but they differ in cadence and who conducts the work.
The EEOC does not mandate bias audits under federal law, but disparate impact doctrine under Title VII makes voluntary bias auditing the strongest available legal defense if a charge is filed.
Action: If you use any AEDT for NYC hiring, engage an independent auditor now. If you operate across jurisdictions, design your bias audit program to meet the NYC standard at minimum — it satisfies the public disclosure requirement and provides defensible documentation for EEOC purposes as well.
Related: global AI regulations reshaping HR compliance strategy.
Expert Take
The bias audit requirement in NYC Local Law 144 catches most employers off guard not because the requirement is hidden — it has been in enforcement since July 2023 — but because HR teams assume their ATS vendor has handled it. Vendors do not handle it. The employer is responsible for commissioning the independent audit, posting the summary publicly, and providing candidate notice. If your vendor cannot supply the raw selection rate data needed for the audit, that vendor relationship is itself a compliance problem.
Requirement 4: Provide Candidate Disclosure Before the Tool Is Used
NYC Local Law 144 requires employers to notify candidates that an AEDT will be used in the hiring or promotion process — and this notice must be provided before the tool is applied. The notice must describe the characteristics the tool uses and invite candidates to request an alternative selection process or accommodation.
The EU AI Act imposes transparency obligations that require employers to disclose when AI is being used to make or significantly influence employment decisions, and to explain the logic of the system upon request.
Action: Add AI tool disclosure language to job postings, application confirmation emails, and any candidate-facing communication that precedes screening. For EU-scope roles, build a process for responding to candidate requests for an explanation of how the AI evaluated their application. This process must be documented and operational before a request arrives — not assembled after the fact.
Requirement 5: Implement and Document Meaningful Human Oversight
The EU AI Act requires meaningful human oversight for all high-risk AI systems. This is not satisfied by having a recruiter click “approve” on an AI-generated shortlist. Meaningful oversight requires that the human reviewer has access to the information needed to understand and question the AI’s output, has the authority to override it, and exercises that authority based on independent judgment.
Human oversight is also the strongest practical defense against liability under US law. When the EEOC or a plaintiff’s attorney reviews an adverse employment decision, documented evidence that a qualified human reviewed and independently validated the AI’s recommendation changes the risk profile of the case significantly.
Action: Design your hiring workflow so that AI outputs are presented as inputs to human decision-makers, not as final recommendations. Train recruiters to document their independent assessment of each candidate. Keep records of cases where human reviewers overrode AI recommendations — these records demonstrate the oversight is real, not performative.
See also: how HR can fix broken hiring processes and step-by-step guide to AI candidate screening.
Requirement 6: Establish Training Data Documentation and Governance
The EU AI Act mandates that high-risk AI systems use high-quality training data — and that the data governance practices are documented. Employers and vendors must identify known biases in training data, document the data sources used, and demonstrate that the dataset is representative of the intended deployment population.
For most HR teams, this requirement surfaces as a vendor management obligation. You are unlikely to train your own AI model; you are deploying a vendor’s model. But regulatory responsibility does not transfer to the vendor by default. The employer remains accountable for outcomes.
Action: Issue a formal data governance questionnaire to every AI hiring tool vendor. Ask: What data was the model trained on? Has the training data been audited for demographic bias? What is the documented performance disparity across protected class groups? Get written responses. Vendors who cannot answer these questions do not belong in your hiring stack.
Requirement 7: Maintain Compliant Record Retention
Record retention requirements exist under all three frameworks, but with different specifications. EEOC regulations under 29 CFR Part 1602 require employers to retain all personnel records relevant to employment decisions, including records related to automated screening. The EU AI Act requires audit logs, technical documentation, and system performance records throughout the lifecycle of the high-risk AI system. NYC Local Law 144 requires retention of bias audit data tied to the annual audit cycle.
The practical problem: most ATS and AI hiring tool vendors do not retain granular decision-log data by default. Their standard data retention settings are designed for operational use, not regulatory compliance. You must configure retention actively.
Action: Review the data retention defaults of every AI hiring tool in your stack. Configure audit logs to capture individual-level decision outputs, timestamps, and reviewer actions. Confirm retention periods meet the most demanding applicable standard. For EU-scope operations, that means retaining technical documentation for the full lifecycle of the system plus post-decommission obligations.
Requirement 8: Manage Vendor Contracts for Regulatory Accountability
Under all three frameworks, the employer — not the vendor — bears primary accountability for compliance outcomes. Vendor contracts that disclaim regulatory liability, provide no audit rights, and give you no access to model documentation create a compliance gap that cannot be fixed retroactively when a charge is filed or an audit is demanded.
The EU AI Act’s extraterritorial reach means that a US-headquartered vendor selling an AI hiring tool to a US employer who uses it for EU-based roles creates shared obligations. Neither party can fully offload responsibility to the other. Your contract must reflect this.
Action: Have legal counsel review all AI hiring tool vendor contracts before renewal. Require: (1) audit rights that let you access model documentation and selection rate data, (2) explicit representations about bias testing and training data governance, (3) indemnification provisions that address regulatory penalties, and (4) notification obligations if the model is retrained or materially updated. Treat this as standard procurement practice, not a special request.
Expert Take
Most AI hiring tool contracts were written before these regulatory frameworks had teeth. They disclaim everything, grant no audit rights, and make no representations about bias testing. Renewing those contracts unchanged after NYC Local Law 144 enforcement began — and after the EU AI Act came into force — is a deliberate choice to accept regulatory exposure. HR leaders need to get legal counsel into vendor renewal conversations now, not after the first audit demand arrives.
Requirement 9: Build an Ongoing Compliance Calendar, Not a One-Time Project
The most common compliance failure in AI hiring governance is treating it as a project with an end date. NYC Local Law 144 requires annual bias audits. The EU AI Act mandates continuous risk management throughout the system lifecycle. EEOC regulations tie record retention to the hiring activity calendar. These are ongoing obligations, not a checkbox on an implementation plan.
As AI hiring tools evolve — and vendors retrain models, release new versions, and add new scoring dimensions — each material change restarts your assessment obligations. A tool you audited twelve months ago may be operating on a substantially different model today.
Action: Build a compliance calendar that includes: annual independent bias audit scheduling (NYC), quarterly review of vendor model update notifications, annual review of data retention configurations, semi-annual training for recruiters on human oversight obligations, and legal review of new AI tool deployments before go-live. Assign ownership of each item to a named individual. Compliance programs that are owned by everyone are owned by no one.
Related: what is HR triage risk mapping and how to build a 90-day HR triage plan your CEO will sign.
What Does This Mean for HR Teams Using Automation to Manage Hiring Workflows?
Automation and AI compliance are not in conflict — but they require intentional design. HR teams that use workflow automation to manage recruiting pipelines need to build compliance checkpoints into those workflows from the start. That means routing AI-generated outputs through documented human review steps, logging override decisions, and triggering audit data collection automatically rather than reconstructing it manually at audit time.
The teams that handle this best treat compliance as a workflow design problem, not a legal department problem. When the bias audit summary due date appears on the calendar, the data is already collected. When a candidate requests an explanation of how AI evaluated their application, the response process is already documented. That level of operational readiness does not happen by accident.
For teams building or rationalizing their HR automation stack in this context, see our resources on AI-powered recruitment and HR workflows, why small HR teams burn out, and how solo and small HR teams can fix broken HR operations.
Frequently Asked Questions
Does NYC Local Law 144 apply to employers headquartered outside New York?
Yes. The law applies to any employer using an automated employment decision tool to screen candidates for positions located in New York City, regardless of where the employer is headquartered. If your remote role is based in NYC or you have NYC-based employees being considered for promotion, the law applies.
What counts as an “automated employment decision tool” under NYC Local Law 144?
The law defines an AEDT as any computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that is used to substantially assist or replace discretionary decision-making in hiring or promotion. Resume screeners, video interview analyzers, and skills assessment scoring tools all qualify. A simple keyword filter built into a spreadsheet is a closer call — but anything using a trained model to rank or score candidates is within scope.
Does the EU AI Act apply to US companies hiring for EU-based remote roles?
Yes. The EU AI Act applies based on where the affected person is located, not where the employer is headquartered. A US company using an AI screening tool to evaluate candidates who reside in EU member states is in scope, even if the role is fully remote and the employer has no EU office.
What is the difference between a bias audit and a disparate impact analysis?
A bias audit — as required by NYC Local Law 144 — is a structured, independent assessment of selection rates by protected demographic groups, conducted by a qualified third party and published publicly. A disparate impact analysis is a statistical method used to detect whether a neutral employment practice disproportionately excludes a protected class. Bias audits use disparate impact analysis as their core methodology, but the audit adds independence, documentation, and public disclosure requirements that a private internal analysis does not carry.
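As an added illustration (not code from the original post or from any vendor's product), here is a Python sketch of the selection-rate analysis at the core of the bias audit described in Requirement 3 and in this answer, run over the kind of individual-level decision log Requirement 7 says you must retain, with the override records Requirement 5 asks you to keep pulled out of the same data. The log, its field names, and the 0.8 flagging threshold (the EEOC Uniform Guidelines' four-fifths heuristic, not a threshold set by Local Law 144, whose audit reports the impact ratio itself) are assumptions.

```python
from collections import Counter

# Constructed sample decision log (not real candidates). Each record holds what
# the audit needs per candidate: the AI output, a timestamp, the reviewer's
# action and the final outcome. "c11" is deliberately incomplete.
DECISION_LOG = [
    {"id": "c01", "ts": "2026-01-06T09:00Z", "sex": "F", "ai": "advance", "reviewer": "confirm",  "final": "advance"},
    {"id": "c02", "ts": "2026-01-06T09:05Z", "sex": "F", "ai": "reject",  "reviewer": "confirm",  "final": "reject"},
    {"id": "c03", "ts": "2026-01-06T09:10Z", "sex": "F", "ai": "reject",  "reviewer": "override", "final": "advance"},
    {"id": "c04", "ts": "2026-01-06T09:15Z", "sex": "F", "ai": "reject",  "reviewer": "confirm",  "final": "reject"},
    {"id": "c05", "ts": "2026-01-06T09:20Z", "sex": "F", "ai": "advance", "reviewer": "override", "final": "reject"},
    {"id": "c06", "ts": "2026-01-07T10:00Z", "sex": "M", "ai": "advance", "reviewer": "confirm",  "final": "advance"},
    {"id": "c07", "ts": "2026-01-07T10:05Z", "sex": "M", "ai": "advance", "reviewer": "confirm",  "final": "advance"},
    {"id": "c08", "ts": "2026-01-07T10:10Z", "sex": "M", "ai": "reject",  "reviewer": "override", "final": "advance"},
    {"id": "c09", "ts": "2026-01-07T10:15Z", "sex": "M", "ai": "advance", "reviewer": "confirm",  "final": "advance"},
    {"id": "c10", "ts": "2026-01-07T10:20Z", "sex": "M", "ai": "reject",  "reviewer": "confirm",  "final": "reject"},
    {"id": "c11", "ts": "2026-01-07T10:25Z", "sex": "M", "ai": "advance"},  # reviewer/final never logged
]

REQUIRED_FIELDS = ("id", "ts", "sex", "ai", "reviewer", "final")

def split_complete(log):
    """Separate audit-ready records from ones missing a required field (Requirement 7)."""
    complete = [r for r in log if all(f in r for f in REQUIRED_FIELDS)]
    missing = [r.get("id", "?") for r in log if any(f not in r for f in REQUIRED_FIELDS)]
    return complete, missing

def selection_rates(records, category):
    """Share of each group (e.g. by sex) whose final outcome is 'advance'."""
    selected, total = Counter(), Counter()
    for r in records:
        total[r[category]] += 1
        selected[r[category]] += r["final"] == "advance"
    return {g: selected[g] / total[g] for g in total}

def impact_ratios(rates):
    """Each group's selection rate divided by the highest group's rate."""
    top = max(rates.values())
    return {g: rate / top for g, rate in rates.items()}

def groups_below(ratios, threshold=0.8):
    """Groups under the four-fifths heuristic (assumed threshold, not a LL144 rule)."""
    return sorted(g for g, ratio in ratios.items() if ratio < threshold)

def overrides(records):
    """Records where the reviewer changed the AI's recommendation (Requirement 5 evidence)."""
    return [r["id"] for r in records if r["reviewer"] == "override"]

if __name__ == "__main__":
    complete, missing = split_complete(DECISION_LOG)
    rates = selection_rates(complete, "sex")
    print("incomplete records (fix retention config):", missing)
    print("selection rates:", rates, "impact ratios:", impact_ratios(rates))
    print("groups below 0.8:", groups_below(impact_ratios(rates)))
    print("human overrides on file:", overrides(complete))
```

The incomplete record is the case to watch for: a vendor whose default retention drops the reviewer action or final outcome leaves you unable to produce the audit at all, which is the gap Requirement 7 warns about.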
If the AI vendor says their tool is compliant, is that sufficient?
No. Vendor compliance representations do not transfer regulatory liability to the vendor. The employer is responsible for compliance outcomes under all three frameworks discussed here. Vendor representations are relevant evidence — and you should obtain them in writing — but they do not substitute for your own conformity assessment, bias audit, and record retention obligations. Verify, document, and maintain independent evidence of compliance.
Additional Reading
- 11 EU AI Act Requirements Every HR Leader Must Know in 2026
- 9 EEOC AI Compliance Requirements HR Teams Must Meet in 2026
- California AI Procurement Compliance: Action Steps for HR and Recruiting
- Global AI Regulations: Reshaping HR Compliance & Strategy
- EU AI Act: Strategic Compliance for HR and Recruiting Automation
- How HR Can Fix Broken Hiring Processes
- What Is HR Triage Risk Mapping?
- How to Build a 90-Day HR Triage Plan Your CEO Will Sign
- How Solo and Small HR Teams Can Fix Broken HR Operations
- The Real Reason Small HR Teams Burn Out
- Accelerate Hiring: A Step-by-Step Guide to AI Candidate Screening
- AI-Powered Recruitment: Transforming HR Workflows
- 11 Warning Signs Your Inherited HR Operation Is Bleeding Money
- HRIS Required Fields vs Manual Data Validation: Which Is Safer?
- HR of One Survival FAQ: Inherited Operations Questions Answered

