Recruiters, not vendors, carry the legal burden when an AI screening tool discriminates. The 2026 Workday FEHA ruling, Colorado’s AI Act taking effect this month, and NYC’s ongoing AEDT audit mandate have made that clear. These six rules will help you run an AI hiring tool audit that holds up under scrutiny.
TL;DR: Courts and regulators have decided that your ATS vendor’s compliance promises don’t shield you from ATS AI discrimination liability. Employers must independently audit their screening tools for adverse impact, map filters to job requirements, and build human override into every algorithmic decision point. Vendor assurances are not a legal defense.
The liability shift in resume screening compliance has happened fast. In 2024, most employers assumed their ATS vendor handled the legal side of algorithmic screening. By mid-2026, federal courts and at least four state legislatures have said otherwise. A single ATS deployment now needs to satisfy California FEHA, Colorado’s AI Act, Illinois’s disclosure rules, and NYC’s audit requirements at the same time. If your screening workflow wasn’t built with those overlapping obligations in mind, the rules below show you where to start.

Treat your vendor’s compliance claims as a starting point, not a finish line
The EEOC, the DOJ’s Immigrant and Employee Rights Section, and the Department of Labor have all stated that vendor assurances do not constitute a legal defense for employers. As the American Bar Association’s analysis puts it, employers’ use of AI tools is “subject to federal laws prohibiting employment discrimination and emerging state and local laws specific to AI.”
Workday’s Chief Responsible AI Officer, Kelly Trindel, has publicly stated that the company’s NIST/ISO-compliant AI governance framework prevents harm. But the plaintiffs in Mobley v. Workday allege those safeguards fall short when deployed at scale, and the court has allowed claims to proceed. A 2023 EEOC study found that 80% of ATS tools misclassify resumes based on subtle linguistic cues tied to demographic groups.
The rule applies broadly: if you’re relying on a vendor’s sales deck or certification badge as your compliance documentation, you’re exposed. It breaks only if you have independent third-party audit results that you commissioned and reviewed yourself.
We covered what the Workday ruling means for your hiring stack in detail, including how the “agent” theory of liability works.
Map every screening filter to a legally defensible job requirement
Every automated filter in your ATS pipeline needs a documented connection to a bona fide occupational qualification. That means the “5+ years of experience” filter, the degree requirement, the keyword match threshold, and any scoring algorithm. If a filter can’t be tied to actual job performance data, it’s a liability.
Illinois House Bill 3773, effective since January 2026, specifically bans the use of ZIP codes as proxies for protected characteristics. Colorado’s AI Act, effective this month, requires “reasonable care” to prevent algorithmic harm. Both laws assume you can produce documentation showing why each filter exists.
Warning: If your ATS uses algorithmic scoring or ranking that “substantially influences” hiring decisions in NYC, it almost certainly qualifies as an Automated Employment Decision Tool under Local Law 144 and requires an independent bias audit. ATS features that apply recruiter-defined filters without algorithmic scoring sit in a greyer area, but the trend is toward broader coverage.
This rule holds in every jurisdiction. The only exception is if a filter maps directly to a regulatory requirement (commercial driver’s license for trucking roles, security clearance for defense contracts) where the qualification is externally mandated.
Run adverse impact analysis before regulators do it for you
Analyze your rejection rates across age, race, sex, and disability status for every screening stage where automation plays a role. The four-fifths rule from the EEOC’s Uniform Guidelines remains the standard benchmark: if the selection rate for any protected group is less than 80% of the rate for the group with the highest selection rate, you have a presumption of adverse impact.
Greenhouse, for example, conducts monthly bias audits through Warden AI and publishes the results publicly. They also hold ISO 42001 certification for AI governance. Your ATS vendor may or may not offer similar transparency. Either way, the EEOC’s framework requires periodic audit of ATS screening criteria by the employer.

As the Employment Law Worldview analysis notes, “employers cannot hide behind the automated nature of their hiring tools at the risk of engaging in unlawful (yet unintended) discrimination.” The word “unintended” matters. Disparate impact liability doesn’t require discriminatory intent. The Mobley v. Workday case alleges discrimination under Title VII, the ADA, the ADEA, and California FEHA, covering race, sex, disability, and age. A preliminary certification of a nationwide ADEA collective action involving applicants aged 40+ screened by Workday’s HiredScore AI was granted in May 2025.
If you’re screening thousands of candidates annually and haven’t run this analysis, that gap is your biggest risk. If you’re screening fewer than 100 candidates per role, statistical significance is harder to establish, but documenting the attempt still matters.
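The four-fifths check described above, computed separately for each screening stage, as an added example (not code from this article or from any ATS vendor). The row format, group labels, the `min_n` cutoff of 100 and the z statistic against the highest-rate group are assumptions that go beyond the rule itself; the counts are constructed.

```python
from collections import Counter
from math import sqrt

# Constructed counts: (stage, group) -> (applicants, advanced). Not real data.
SAMPLE_COUNTS = {
    ("resume_screen", "under_40"): (400, 200),
    ("resume_screen", "40_plus"): (300, 105),
    ("skills_test", "under_40"): (200, 120),
    ("skills_test", "40_plus"): (60, 33),
}

def sample_rows():
    """Expand the constructed counts into one (stage, group, advanced) row per applicant."""
    return [(stage, group, i < k)
            for (stage, group), (n, k) in SAMPLE_COUNTS.items()
            for i in range(n)]

def adverse_impact(rows, threshold=0.8, min_n=100):
    """Return {stage: {group: finding}} using the four-fifths rule per stage."""
    applied, passed = Counter(), Counter()
    for stage, group, advanced in rows:
        applied[stage, group] += 1
        passed[stage, group] += bool(advanced)
    report = {}
    for stage in sorted({s for s, _ in applied}):
        groups = [g for s, g in applied if s == stage]
        rates = {g: passed[stage, g] / applied[stage, g] for g in groups}
        ref = max(rates, key=rates.get)  # group with the highest selection rate
        n_ref, p_ref = applied[stage, ref], rates[ref]
        report[stage] = {}
        for g in groups:
            n, p = applied[stage, g], rates[g]
            ratio = p / p_ref if p_ref else 1.0
            # Pooled two-proportion z statistic against the reference group
            # (assumption: used here only to show how weak small samples are).
            pooled = (passed[stage, g] + passed[stage, ref]) / (n + n_ref)
            se = sqrt(pooled * (1 - pooled) * (1 / n + 1 / n_ref))
            report[stage][g] = {
                "n": n,
                "rate": round(p, 3),
                "impact_ratio": round(ratio, 3),
                "below_four_fifths": ratio < threshold,
                "small_sample": n < min_n,  # document the attempt, read with care
                "z_vs_reference": round((p - p_ref) / se, 2) if se else 0.0,
            }
    return report

if __name__ == "__main__":
    for stage, findings in adverse_impact(sample_rows()).items():
        for group, finding in findings.items():
            print(stage, group, finding)
```

Running the analysis per stage matters because a pipeline can pass the threshold end to end while one automated filter fails it on its own.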
Demand audit rights and indemnification in every vendor contract
Your vendor agreement should include three provisions: the right to conduct (or commission) independent bias audits of the screening algorithms, explicit indemnification for AI discrimination claims, and a data-access clause that gives you the raw scoring and ranking outputs. Our recruitment automation governance checklist breaks down these contract provisions further.
Employers face liability under federal, state, and local anti-discrimination laws if algorithmic tools produce discriminatory outcomes, according to analysis by Sanford Heisler Sharp McKnight. The vendor’s name on the software doesn’t transfer the legal obligation.
Many vendors will push back on indemnification clauses. That pushback is itself useful information. A vendor confident in the fairness of its algorithms should be willing to share liability. A vendor that refuses to offer audit access or indemnification is telling you something about the risk profile of the product.
This rule weakens only when you’re using an open-source or internally built screening tool, in which case the audit rights question is moot since you already control the code. But the documentation requirements remain identical.
Track which jurisdictions your candidates apply from
A remote-friendly job posting can pull applicants from every state. Each applicant’s location may trigger a different set of AI screening obligations. NYC Local Law 144 requires annual independent bias audits and candidate notices for AEDTs. California’s October 2025 regulations require meaningful human oversight and hold vendors liable if they exercise control over hiring decisions. Colorado requires reasonable care to prevent algorithmic harm starting this month. Illinois bans specific proxy variables.
Practically, this means your ATS needs location-aware compliance triggers. If it doesn’t have them, you default to the most restrictive applicable standard. For many employers, that means treating the NYC AEDT requirements as the baseline, since they’re currently the most specific.
Harvard research has shown that ATS filters eliminate millions of qualified workers before any human sees their application. When those filters operate differently across jurisdictions without documentation, each filtered-out applicant is a potential plaintiff.

Keep a human override at every algorithmic decision point
California’s 2025 AI regulations require “meaningful human oversight” over automated hiring decisions. But even in jurisdictions without that explicit mandate, building a human-in-the-loop at each screening stage is the single most defensible position if your tools are ever challenged in court.
The claims in Mobley v. Workday center on the allegation that Workday’s tools weeded out job applicants at many major companies for discriminatory reasons, with the implication that no human reviewed the algorithmic output before candidates were rejected. If a human recruiter reviewed and approved each AI recommendation, the employer’s defense posture changes substantially.
This rule applies everywhere. It does add time and labor cost to high-volume hiring. For organizations processing tens of thousands of applications, full human review of every AI decision may be impractical. In those cases, structured sampling with documented review rates (reviewing at least 10-15% of automated rejections, stratified by demographic group) provides a defensible middle ground. That’s a better legal position than relying on speed alone and hoping the algorithm got it right.
When These Rules Conflict
These rules will occasionally pull in different directions. Tracking candidate jurisdictions (Rule 5) creates data collection that could itself raise privacy concerns under state biometric and data protection laws. Running adverse impact analysis (Rule 3) requires demographic data you may not have and that candidates aren’t required to provide. Adding human oversight (Rule 6) increases time-to-hire in a labor market where speed matters for employer brand and candidate experience.
When the rules conflict, default to documentation. If you can show a regulator or a court that you identified the tension, made a deliberate choice, and documented your reasoning, that’s a defensible position even if the choice turns out to be imperfect. The employers facing the worst outcomes in AI discrimination cases are the ones who never examined their screening tools at all. The audit itself, done honestly and with real data, is where compliance begins.










