This is general information to help you orient your own compliance review, not legal advice. The rules below are evolving fast and vary by jurisdiction — confirm current requirements with employment counsel before changing any policy or process based on this article.
There’s a comforting myth floating around HR teams right now: that AI regulation is still “coming,” so there’s time before any of this matters. It isn’t true. New York City has had an enforceable AI hiring law since 2023. Illinois’s AI employment notice requirements took effect in 2026. California’s automated-decision-system regulations are already live. The EEOC has stated plainly that using an algorithm doesn’t change your liability for a discriminatory outcome — the tool doesn’t carry the risk, you do.
This isn’t a list of laws to memorize. It’s a practical audit: the specific places AI use creates exposure in a typical HR function, what’s already enforceable, and the questions you should be able to answer right now if a regulator — or a plaintiff’s attorney — asked.
TL;DR
- There’s no single federal AI law in the US — just a growing patchwork of state/city rules layered on top of existing anti-discrimination statutes (Title VII, ADA, ADEA) that already apply to AI-assisted decisions.
- Key principle: regulators treat AI-assisted employment decisions as employment decisions, full stop — using a tool doesn’t reduce your liability for a discriminatory outcome.
- NYC’s Local Law 144 requires annual independent bias audits and candidate notice for any automated hiring/promotion tool — and it applies based on the job’s location, not your HQ.
- Illinois, Colorado, and California all add their own layers: video-interview consent, automated decision-making oversight, and FEHA’s anti-discrimination rules applying in full to AI-assisted decisions.
- “The vendor’s tool did it” isn’t a defense — employers remain liable for AI-driven outcomes regardless of whether the tool was built in-house or bought from a vendor.
- Disclosure failures are the most common violation across nearly every law — many don’t even require proof of a discriminatory outcome, just proof you didn’t tell people AI was used.
- Multinational employers face the EU AI Act’s “high-risk” classification for employment AI, often pushing global policy to the strictest jurisdiction’s standard.
- Practical first moves: map every place AI touches an employment decision, fix disclosure first, get bias audits proactively, and make sure a human in the loop has real (not rubber-stamp) override authority.
The one principle that underlies everything below
There is no single federal AI law in the US. What exists instead is a patchwork: a handful of state and city laws specifically about AI, layered on top of decades-old anti-discrimination statutes (Title VII, the ADA, the ADEA) that apply regardless of whether a human or an algorithm made the call. Regulators have been consistent on one point across every jurisdiction: AI-assisted employment decisions are still employment decisions. A disparate-impact claim doesn’t get weaker because a model was involved — if anything, it creates a more thorough paper trail for a plaintiff’s attorney to subpoena.
That single principle should drive how you read every section below: the question is never “does an AI-specific law cover this,” it’s “could this outcome look discriminatory or undisclosed, regardless of what produced it.”
Risk area 1: Automated screening and ranking
What triggers it: Any tool — including Claude or another general AI assistant used to screen, score, or rank resumes — that materially affects who advances in a hiring or promotion process.
What’s already enforceable: New York City’s Local Law 144 requires employers using an automated employment decision tool for hiring or promotion to undergo an independent bias audit at least annually, publish a summary of the results, and notify candidates in advance that such a tool is in use. It applies based on where the job is located — not where your company is headquartered — so a fully remote candidate based in NYC can trigger it even if your office is elsewhere. Illinois’s 2026 amendments add a similar notice requirement and specifically prohibit using ZIP code as a stand-in for protected-class data. The EEOC continues to apply the long-standing “four-fifths rule” (a selection rate for any group that falls below 80% of the rate for the group with the highest selection rate is a red flag) to algorithmic screening exactly as it would to any other selection method.
Audit questions:
- Do you know, precisely, which step in your hiring pipeline counts as “automated” under each definition that might apply to you — a fully automated reject, or anything that “substantially assists” a human reviewer?
- If you used Claude (or any AI tool) to screen or rank candidates this year, can you produce a record of what criteria it was given and that those criteria were applied consistently?
- Have you ever asked an AI tool to compare candidates against each other rather than against fixed criteria? That’s a harder pattern to audit and defend, because the basis for any individual rejection becomes relative rather than documented.
- Is there a written notice to candidates that automated tools are used in your process, and is it actually being shown to them — not just sitting in a policy document nobody reads?
Risk area 2: Video and voice interview analysis
What triggers it: Using AI to score, transcribe-and-analyze, or flag candidates from recorded or live video/audio interviews.
What’s already enforceable: Illinois has regulated this since 2020 and tightened it further in 2026 — employers must get advance consent, explain what the AI is evaluating, and follow specific data retention and destruction rules for the recordings and analysis.
Audit questions:
- If a hiring manager uses an AI meeting tool to summarize or score a candidate interview, does the candidate know that’s happening, and did they consent before it started?
- Do you have a retention and deletion schedule for interview recordings and AI-generated notes about candidates — including ones who weren’t hired?
Risk area 3: Compensation, performance, and promotion algorithms
What triggers it: Using AI to recommend pay bands, flag performance outliers, or influence promotion decisions — including using a tool like Claude’s compensation-analysis features as an input to an actual pay decision.
What’s already enforceable: Colorado’s evolving AI law (which has been repealed and replaced once already in 2026, so treat this area as genuinely moving) targets “automated decision-making technology” that materially influences consequential decisions including employment and pay. California’s civil rights regulations clarify that its existing anti-discrimination law (FEHA) applies in full when an employer uses AI or algorithms anywhere in an employment decision — there’s no AI carve-out from existing liability.
Audit questions:
- If an AI tool’s compensation suggestion is wrong in a way that happens to underpay women or older workers more often than other groups — even unintentionally, even just due to a documented systematic pattern in the underlying data — do you have any process that would catch that before it reaches a candidate or a comp committee?
- Can you show, after the fact, what inputs went into an AI-assisted pay or promotion recommendation, and who made the final human decision?
- Is “a human approved it” actually true in practice, or does the human reviewer typically just accept the AI’s output without independently checking it? Regulators and courts have shown interest in whether human review is real or rubber-stamp.
Risk area 4: Data privacy and retention
What triggers it: Feeding candidate or employee personal data into any AI tool, including pasting resumes, HRIS exports, or performance reviews into a chat interface.
What’s already enforceable: State privacy laws (California’s CCPA, Virginia’s CDPA, Colorado’s privacy law, and others) give individuals disclosure and opt-out rights around automated decision-making that uses their personal data. California in particular has a four-year retention expectation tied to automated-decision-system records for employment use.
Audit questions:
- Do you know whether your AI tool’s data retention settings, and your own organization’s retention policy, are actually aligned — or could your ATS quietly purge records that a regulator might later ask you to produce?
- Have you reviewed what categories of personal data (health information, immigration status, protected leave details) staff might be pasting into a general AI chat tool, and whether that’s covered by your data handling policy at all?
- If a candidate asked “was an automated tool used to evaluate me, and what data did it use,” could anyone in your organization actually answer that within a reasonable timeframe?
Risk area 5: Vendor and third-party tool liability
What triggers it: Using any AI-powered HR vendor, ATS feature, or plugin — not just tools you built yourselves.
What’s already enforceable: Every regulator and court so far has rejected “the vendor’s tool did it” as a defense. The EEOC has stated employers remain liable for discriminatory outcomes regardless of whether the AI was built internally or bought from a vendor. Several state laws require employers to obtain documentation from AI vendors about the tool’s training data, bias testing, and risk mitigation — and assertions from the vendor itself don’t substitute for an independent audit where one is legally required.
Audit questions:
- For every AI-powered HR vendor you use, do you have their bias-testing or risk-assessment documentation on file — not just a sales claim that the tool is “fair”?
- If a candidate or employee challenged an outcome, do you know whether your contract with that vendor gives you the right to obtain the data needed to defend the decision, or does the vendor’s system function as a black box even to you?
Risk area 6: Notice and disclosure failures
What triggers it: Using AI anywhere in a process that affects hiring, promotion, discipline, or termination without telling the people it affects.
What’s already enforceable: This is the single most common thread across nearly every law in this space — NYC, Illinois, Colorado, and the EU AI Act all build in some version of a disclosure requirement, even where the substantive bias rules differ. Several explicitly note that the notice obligation applies whether or not the AI actually produces a discriminatory outcome — failing to disclose is its own violation, independent of harm.
Audit questions:
- Walk your actual hiring process end to end. At which steps is AI involved that a candidate doesn’t know about?
- Is your disclosure specific (this tool, for this purpose) or a vague catch-all buried in a privacy policy that wouldn’t hold up as meaningful notice?
Risk area 7: Multinational exposure
What triggers it: Any employment decision touching candidates or employees in the EU, or a global HR policy that needs to work across jurisdictions.
What’s already enforceable: The EU AI Act classifies employment-related AI as “high-risk,” which triggers some of the most stringent obligations in the regulation — risk assessments, bias mitigation, human oversight, and post-deployment monitoring. Multinational employers frequently end up building one global standard set to the strictest jurisdiction they operate in, rather than maintaining separate compliance programs per region, simply because it’s more manageable.
Audit question:
- If you operate in multiple regions, is your AI-in-HR policy written once at your strictest jurisdiction’s standard, or does it assume US-only rules and quietly under-comply elsewhere?
The fast self-audit: 12 yes/no questions
Run through these. Any “no” or “not sure” is a gap worth closing before it’s tested by an actual complaint.
- Can you list every place AI currently touches a hiring, promotion, pay, or termination decision in your organization?
- Do candidates and employees receive clear, specific notice when AI is used to evaluate them?
- Have you had an independent bias audit of any tool that screens or ranks candidates, within the timeframe your jurisdiction requires?
- Can you reconstruct, after the fact, what data and criteria went into a specific AI-assisted decision?
- Is there a real human decision-maker in the loop for consequential outcomes — one who could plausibly have overridden the AI’s suggestion, not just rubber-stamped it?
- Do you have current documentation from every AI vendor you use about their bias testing and training data?
- Does your data retention policy for AI-related employment records actually match what your systems do, not just what the policy says?
- Have you reviewed what kinds of sensitive personal data staff might paste into general AI tools, and whether that’s governed by any policy at all?
- If you operate in NYC, Illinois, Colorado, California, or the EU, do you know which specific obligations apply to you, distinct from the general patchwork?
- Is your compliance approach built to the strictest jurisdiction you operate in, or assembled piecemeal per state as laws pass?
- Could you produce a clean answer if a candidate formally asked whether AI was used to evaluate them and how?
- Does anyone — a named person, not “HR” generally — actually own AI governance for your HR function, with the authority to pause a tool’s use if something looks wrong?
What to actually do with this
A risk audit is only useful if it produces action. The realistic next steps, roughly in order:
- Map it first. Before fixing anything, get an honest inventory of every place AI currently touches an employment decision, including the informal ways individual recruiters or managers use general tools like Claude or ChatGPT on their own.
- Fix disclosure before you fix anything else. It’s the cheapest gap to close and the one regulators check first.
- Get bias audits for anything that screens or scores candidates, even where not strictly required yet — it’s far cheaper to do proactively than to produce one under deadline after a complaint.
- Put a real human in the loop, and make it real. Document that the human reviewer has genuine authority to override the AI, and spot-check that they actually do sometimes.
- Build one governance standard, not fifty. Set your internal policy to the strictest jurisdiction you operate in and apply it everywhere — segmenting compliance by state is more work and more risk than it saves.
- Revisit quarterly, not annually. This area changed meaningfully multiple times within 2026 alone (Colorado’s law was replaced mid-year). A policy written once and filed away will be stale within months.
The bottom line
None of this means don’t use AI in HR — it means use it the way you’d use any other tool that touches real people’s employment outcomes: with documentation, disclosure, and a human who’s genuinely accountable for the result. The organizations getting burned aren’t the ones using AI — they’re the ones that never wrote down what it was doing.
Sources consulted for this article include legal trackers and law-firm analyses covering NYC Local Law 144, Illinois HB 3773, Colorado’s AI legislation (SB 24-205 and its 2026 replacement SB 26-189), California’s automated decision-system regulations, EEOC technical guidance, and the EU AI Act, current as of mid-2026. This area changes quickly — verify current requirements with employment counsel before acting.


