
AI Hiring Bias and the Law: A 2026 CTO Compliance Checklist

Not legal advice — but the operational checklist every CTO should walk through before approving an AI hiring tool, written by someone who has actually procured these.

30-SECOND TAKEAWAY

  • The employer owns the liability. Vendor contracts do not transfer Title VII liability: an indemnity can shift cost, not the legal exposure. The "the AI did it" defence has failed in every published US case so far.
  • Four jurisdictions matter most. EEOC (federal US), NYC LL 144, Illinois AIVIA, and the EU AI Act. Together they cover any meaningfully-sized engineering hiring program.
  • Bias audits are the floor, not the ceiling. A passing audit is necessary; it is not sufficient. An audit measures one period's aggregate selection rates; disparate-impact litigation can succeed on patterns the audit didn't capture, such as a sub-population or a job family the audit sample never isolated.

The four regulatory frames every CTO needs to know

EEOC — Title VII liability sits with the employer

The EEOC issued technical assistance in May 2023 making explicit that Title VII applies to AI hiring tools used by the employer, even when the tool was built by a vendor. (The EEOC took that document off its website in January 2025; the underlying law did not change. Title VII disparate-impact doctrine and the Uniform Guidelines on Employee Selection Procedures, 29 CFR Part 1607, apply to any selection procedure, algorithmic or not.) Disparate-impact liability cannot be transferred via contract. Do: verify that the vendor publishes adverse-impact statistics for a population comparable to yours, and repeat the verification annually. Don't: rely on a vendor SLA that promises "Title VII compliance". Compliance is a property of how the tool performs on your applicant pool, not of the product, so that clause cannot deliver what it sounds like it promises.

NYC Local Law 144 — bias audit + candidate notice

Enforced from July 5, 2023. Any "automated employment decision tool" used on a NYC candidate requires an independent bias audit (selection-rate and impact-ratio analysis across sex, race/ethnicity and their intersections) completed within the past year, a public summary of that audit on the employer's website, and notice to the candidate at least ten business days before use, stating that an AEDT will be used and which job qualifications or characteristics it assesses. Do: centralise the bias-audit publication so candidates can find it in one click, and keep the prior years' summaries linked so the history is auditable. Don't: assume LL 144 applies only to candidates in NYC offices; the relevant attribute is the candidate's location.

Illinois AIVIA — video-specific consent and destruction

Effective January 1, 2020, the Artificial Intelligence Video Interview Act requires that candidates be told AI will be used to analyse their video interview, be given an explanation of how the AI works and which characteristics it evaluates, and give consent before the interview; videos may be shared only with people whose expertise is needed to evaluate the candidate, and the video and all copies must be destroyed within 30 days of a candidate's request. Maryland's 2020 law requires consent before facial-recognition technology is used in an interview. Do: build the consent step into the candidate experience explicitly rather than burying it in a privacy policy, and make sure deletion reaches the vendor's copies and backups, not just your own storage. Don't: retain interview video any longer than your stated retention period; destruction-on-request is enforceable.

EU AI Act — high-risk classification

Annex III of the EU AI Act lists AI systems used in recruitment, employment, worker management, and access to self-employment as high-risk. Providers must complete conformity assessments. Deployers (employers using the tools) must use them per the provider's instructions, assign human oversight to trained staff with the authority to override the system, ensure the input data is relevant, keep the system's automatically generated logs for at least six months, inform workers' representatives and affected workers before putting the system into service, tell candidates they are subject to a high-risk system, and give an explanation of an individual decision on request. The high-risk obligations apply from 2 August 2026. Do: verify vendor conformity-assessment status as part of procurement, and confirm which of the deployer obligations the vendor's product actually supports (log export, override logging, candidate notices). Don't: assume your existing GDPR processes cover it. A DPIA and Article 22 handling address personal-data processing; they do not discharge the AI Act's logging, oversight and transparency duties.

The procurement checklist

Walk through these twelve points with the vendor before signing. If they cannot answer them clearly and in writing, do not buy the tool.

  1. Most recent independent bias audit — date, auditor name, headline impact ratios, link to public summary.
  2. Data retention schema — what is stored about each candidate, for how long, in which jurisdictions.
  3. Candidate-notice language — the exact text the candidate sees, and when.
  4. Opt-out path — what happens if a candidate declines AI evaluation. (If the answer is "they cannot apply," that is a legal exposure, not a policy.)
  5. Human-review override — can a recruiter overrule an AI score, and is that override logged?
  6. Model-card transparency — does the vendor publish a model card describing intended use, limitations, and tested populations?
  7. EU AI Act conformity assessment — provider status, deployer obligations, CE marking if applicable.
  8. NYC Local Law 144 alignment — current audit date, publication URL, notice flow.
  9. Illinois AIVIA consent flow — applicable for any video-analysing product, even outside Illinois.
  10. EEOC defensibility — would the vendor sit beside you in a Title VII investigation and explain their model?
  11. Integration logs — what is logged on every scoring decision, and for how long.
  12. Termination clause — on contract end, what happens to the candidate data the tool has accumulated about your pipeline.

None of this is legal advice. Run all of it past actual counsel before procurement. But if the vendor cannot give you concrete answers to these twelve, you do not have enough information to buy.

AI Hiring Bias & Law: FAQ

What's the single biggest legal risk of deploying AI in hiring?
In the US, EEOC enforcement under Title VII for disparate impact, even when the AI vendor provided the tool. The EEOC has issued technical assistance confirming the employer remains liable. In the EU, classification as a high-risk AI system under the EU AI Act, which requires conformity assessment, transparency, and human oversight obligations.
Does NYC Local Law 144 affect me if I'm outside NYC?
Yes if you have NYC-based applicants or employees who would use the tool. The bias-audit and candidate-notice obligations are triggered by the candidate location, not the employer location. Many enterprise vendors have aligned their tooling to LL 144 globally to simplify, but the obligation sits with the employer.
What does a bias audit actually require?
Independent audit by an auditor not employed by, and with no financial interest in, the tool vendor or the employer; calculation of the selection rate for each protected category (sex, race/ethnicity, and each intersection of the two) and the impact ratio, which is that category's rate divided by the rate of the most-selected category; for tools that output a score rather than a pass/fail, the rate used is the share of each category scoring above the sample median; publication of the audit summary; and candidate notification at least ten business days before use. The substance of the audit is the calculated impact ratios; the audit doesn't certify the tool or set a pass mark, it characterises its impact, and you still have to decide what to do about a low ratio.
Are AI video interview tools specifically regulated?
In the US, Illinois (AIVIA, 2020) and Maryland regulate AI-analysed video interviews specifically — consent and disclosure required, with destruction-on-request obligations. The Illinois law was the first of its kind and is the template most state-level proposals build on.
How does the EU AI Act change procurement?
AI hiring tools are explicitly Annex III high-risk. Providers must satisfy conformity assessment and quality management requirements; deployers (employers) must use the system per its intended purpose, maintain logs, and provide transparency to candidates. Practical effect for CTOs: vendor due diligence now includes verifying the provider's conformity-assessment status, not just feature parity.
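The selection-rate and impact-ratio arithmetic behind the LL 144 section and the bias-audit FAQ answer above, as an added example (not the page's own code, and not any auditor's or vendor's tool). It runs on a constructed count table, not real hiring data, and makes two assumptions that are not taken from the law text: categories holding less than 2% of the sample are reported as excluded rather than given a ratio, and any ratio under the four-fifths rule of thumb (29 CFR 1607.4(D)) is flagged for review. It also shows the median-score conversion used for tools that emit a score rather than a pass/fail. The point a single-axis summary hides is visible in the output: sex alone passes, race alone flags two groups, and the intersectional table flags five.

```python
"""Selection-rate / impact-ratio analysis of the kind an LL 144 bias audit publishes.
Added example; standard library only. Data and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed sample, not real hiring data: (sex, race_ethnicity) -> (selected, total)
# for a hypothetical screening tool that either advances a candidate or does not.
CONSTRUCTED_COUNTS = {
    ("Female", "Asian"):    (12, 40),
    ("Female", "Black"):    (6, 30),
    ("Female", "Hispanic"): (7, 25),
    ("Female", "White"):    (18, 50),
    ("Male", "Asian"):      (15, 45),
    ("Male", "Black"):      (8, 35),
    ("Male", "Hispanic"):   (9, 30),
    ("Male", "White"):      (30, 75),
    ("Male", "Other"):      (1, 3),    # tiny group: reported as excluded, not ratioed
}

# Assumptions for this example, not quoted from the rule text.
MIN_SHARE = 0.02     # categories below this share of the sample get no impact ratio
FOUR_FIFTHS = 0.8    # flag ratios under the four-fifths rule of thumb for review


def expand(counts):
    """Turn the count table into one record per candidate."""
    records = []
    for (sex, race), (selected, total) in counts.items():
        for i in range(total):
            records.append({"sex": sex, "race": race, "selected": i < selected})
    return records


def mark_selected_by_median(records, score_key="score"):
    """For a tool that emits a score instead of a decision, treat 'selected' as
    scoring above the sample median (the 'scoring rate' used for scored tools)."""
    cut = median(r[score_key] for r in records)
    return [dict(r, selected=r[score_key] > cut) for r in records]


def selection_rates(records, category):
    """category: callable record -> label. Returns label -> (selected, total, rate)."""
    sel, tot = defaultdict(int), defaultdict(int)
    for r in records:
        label = category(r)
        tot[label] += 1
        sel[label] += int(r["selected"])
    return {k: (sel[k], tot[k], sel[k] / tot[k]) for k in tot}


def impact_ratios(rates, sample_size, min_share=MIN_SHARE):
    """Impact ratio = category rate / rate of the most-selected category, where the
    comparison group is taken only from categories with at least min_share of the
    sample; excluded categories map to None."""
    eligible = {k: v for k, v in rates.items() if v[1] / sample_size >= min_share}
    if not eligible:
        return {k: None for k in rates}
    top = max(rate for _, _, rate in eligible.values())
    return {k: ((rate / top) if top else None) if k in eligible else None
            for k, (_, _, rate) in rates.items()}


def audit(records, min_share=MIN_SHARE, threshold=FOUR_FIFTHS):
    """Run the three tables an LL 144 audit publishes: sex, race/ethnicity, and the
    intersection of the two. Returns per-axis rates, ratios, flagged and excluded labels."""
    axes = {
        "sex": lambda r: r["sex"],
        "race": lambda r: r["race"],
        "sex_x_race": lambda r: f"{r['sex']}/{r['race']}",
    }
    n = len(records)
    report = {}
    for name, key in axes.items():
        rates = selection_rates(records, key)
        ratios = impact_ratios(rates, n, min_share)
        report[name] = {
            "rates": rates,
            "ratios": ratios,
            "flagged": sorted(k for k, v in ratios.items() if v is not None and v < threshold),
            "excluded": sorted(k for k, v in ratios.items() if v is None),
        }
    return report


if __name__ == "__main__":
    for axis, block in audit(expand(CONSTRUCTED_COUNTS)).items():
        print(f"== {axis} ==")
        for label, (s, t, rate) in sorted(block["rates"].items()):
            ratio = block["ratios"][label]
            shown = "excluded" if ratio is None else f"{ratio:.3f}"
            print(f"{label:18s} {s:4d}/{t:<4d} rate={rate:.3f} impact_ratio={shown}")
        print("flagged:", block["flagged"], " excluded:", block["excluded"])
```

The per-candidate record shape is the thing to get right in production: the protected-category labels come from self-identification, should be stored separately from the scoring pipeline, and must never be fed to the model. The audit joins them to decisions after the fact, which is why item 11 on the checklist (a durable log of every scoring decision) is what makes an audit possible at all.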
Thomas Prommer Technology Executive — CTO/CIO/CTAIO
