Five US regulations now govern AI in employment decisions. They don't agree on terminology. They don't agree on who's liable. They don't agree on what compliance looks like. For an HR tech vendor selling into multiple states, or an enterprise employer hiring across jurisdictions, that patchwork creates a compliance burden no single statute solves.

NYC Local Law 144 was the first US law to directly regulate AI in hiring, and it remains the only one mandating an annual independent bias audit by name. Colorado, California, and Illinois have followed with different structural choices — disclosure-and-human-review (Colorado), anti-discrimination overlay (California FEHA), transparency rights (California CCPA), and direct accountability for adverse impact (Illinois). A December 2025 federal preemption executive order promises to flatten the patchwork, but litigation challenging the EO is in motion and the outcome won't be clear until 2027 or beyond.

This guide walks through what each US regulation requires, compares them across substantive dimensions, and offers a multi-jurisdiction compliance playbook. For EU AI Act obligations — also in active flux as of the May 2026 Digital Omnibus agreement — see our forthcoming standalone EU AI Act for HR guide.

Key Takeaways

  • Five US regulations cover AI in hiring under different terminology — AEDT (NYC), High-Risk AI System (CO), ADS (CA FEHA), ADMT (CA CCPA), and Predictive Data Analytics + AI (IL HB 3773). Tool classification matters before compliance analysis.
  • NYC LL 144 is the only US regulation mandating an annual independent bias audit by name. Colorado, California, and Illinois create discrimination liability that independent audits defend against, but don't require the audit itself.
  • Colorado SB 26-189 is the only US regulation explicitly imposing direct obligations on both developers (HR tech vendors) and deployers (employers) in a dual structure. Every other US regulation places primary obligations on employers and pulls vendors in indirectly.
  • California operates two distinct compliance tracks for AI in employment: FEHA (anti-discrimination, enforced by the Civil Rights Department) and CCPA/CPRA (automated decision-making transparency, enforced by the California Privacy Protection Agency). Compliance with one does not satisfy the other.
  • The December 2025 federal preemption EO creates uncertainty about how state laws will be enforced going forward. Independent bias audits are preemption-resistant — they defend against discrimination liability under federal Title VII regardless of which state statutes survive.

The Patchwork Problem

Five US regulations now govern AI in employment decisions. They emerged within roughly three years of each other, none of them was designed to fit alongside the others, and each one reflects the specific concerns of its regulator. NYC's Department of Consumer and Worker Protection came at it from the consumer-protection angle. Colorado's legislature framed it as a high-risk-AI-systems question. California's Civil Rights Council layered AI tools into the existing anti-discrimination framework, while California's Privacy Protection Agency treated the same technology as an automated decision-making transparency question. Illinois amended its Human Rights Act to add employment AI explicitly.

For an HR tech vendor selling into multiple states, or an enterprise employer hiring across jurisdictions, that patchwork creates a compliance burden that isn't solvable by reading any single statute. Each regulation uses its own definitional bucket for the regulated technology, its own trigger conditions, its own required actions, and its own enforcement mechanism. The federal preemption EO signed in December 2025 promises to flatten the patchwork — but litigation challenging the EO is in motion, and a definitive resolution is years away.

In the meantime, employers and HR tech vendors need a baseline that satisfies the highest-bar jurisdictions while remaining defensible if the patchwork persists. The sections below cover each US regulation, compare them across substantive dimensions, and offer an operational playbook.

NYC Local Law 144

NYC Local Law 144 was the first US law to directly regulate AI in hiring. The statute took effect January 1, 2023, with enforcement by NYC DCWP beginning July 5, 2023 after a six-month grace period. It applies to any employer or employment agency using an Automated Employment Decision Tool (AEDT) for a role connected to New York City — including remote roles filled by city residents and remote roles posted from an NYC office.

The law has three core obligations: an annual independent bias audit measuring impact ratios across sex and race/ethnicity (including intersectional analysis); public disclosure of a summary of the most recent audit on the employer's website; and a candidate notice provided at least 10 business days before the AEDT is used, with the right to request an alternative selection process. Penalties run from $500 for a first violation to $1,500 per day for each day a non-compliant AEDT remains in use. For the full employer walkthrough, see our Employer's Guide to the NYC Bias Audit Law. For the AEDT definitional deep-dive, see Automated Employment Decision Tools (AEDT) Under NYC LL 144.

The December 2025 NY State Comptroller audit of DCWP enforcement concluded the agency had been enforcing the law ineffectively, and DCWP has since formalized its enforcement procedures and adopted an internal Enforcement Workbook. Employment-law practices including DLA Piper have advised clients to expect tighter enforcement through 2026 and beyond.

Colorado SB 26-189

Colorado SB 26-189 replaced Colorado's earlier SB 24-205 statute in May 2026 and takes effect January 1, 2027. Rather than mandating a bias audit, SB 26-189 uses a disclosure-and-human-review model: covered employers must disclose to candidates when AI is used in employment decisions and must provide a human-review pathway for adverse decisions. The Colorado Attorney General enforces the statute, with a private right of action available to affected candidates.

The distinguishing feature of Colorado's regulation is its dual developer/deployer structure. Most US AI hiring laws regulate the employer (deployer) directly and pull HR tech vendors (developers) in indirectly through procurement diligence, aiding-and-abetting theories, or the Mobley v. Workday agent doctrine. Colorado is the exception: SB 26-189 explicitly creates compliance obligations for both. Developers face pre-use risk assessment and documentation obligations. Deployers face disclosure and human-review obligations. Both face discrimination liability if the AI system produces adverse outcomes.

SB 26-189 does not mandate a bias audit by name. But the discrimination liability the regulation creates is precisely the kind of risk that an independent bias audit is the strongest evidentiary defense against — which is why Colorado-deploying vendors should not treat the absence of a bias-audit mandate as a reason to lower the audit bar.

California FEHA

California's Civil Rights Council adopted regulations governing automated-decision systems (ADS) under the existing Fair Employment and Housing Act framework. The Civil Rights Council secured final approval on June 27, 2025, with the regulations taking effect October 1, 2025. The regulations don't create a new ADS-specific compliance regime; they layer AI tools into FEHA's existing anti-discrimination architecture, with disparate-impact liability for tools that produce protected-class disparities.

FEHA's enforcement record on disparate impact is what makes the California regulation substantial even without an audit mandate. The Civil Rights Department (CRD) has a long history of pursuing disparate-impact claims, and California courts have long recognized private discrimination liability under FEHA. An AI tool that produces statistically significant adverse impact against a protected class creates direct litigation exposure — whether or not an AI-specific statute is in play.

Vendor exposure under FEHA runs through two doctrines. The aiding-and-abetting theory holds vendors liable for materially contributing to an employer's discriminatory practice. The agent theory, foregrounded by Mobley v. Workday, holds vendors liable as agents of the employers using their tools. Both are active litigation surfaces for HR tech vendors selling into California.

California CCPA

California operates a second AI-in-employment compliance track under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The California Privacy Protection Agency (CPPA) — a different regulator from the Civil Rights Department — has issued regulations on Automated Decision-Making Technology (ADMT) that apply to any business using ADMT for a "significant decision," including employment, housing, lending, and education.

The ADMT compliance obligations are substantively different from anything in FEHA, NYC LL 144, or Colorado SB 26-189. Covered businesses must provide a pre-use notice to candidates explaining that ADMT will be used in the decision, must allow candidates to opt out of ADMT processing, must provide an access right (information about the logic used and the key parameters that influenced the decision), and must provide an appeal right. The CPPA regulations also require a pre-use risk assessment for ADMT used in significant decisions.

The practical consequence: an employer can be FEHA-compliant — passing every disparate-impact test — and simultaneously CCPA-noncompliant on the ADMT side, because the audit-based defense to FEHA discrimination liability doesn't address ADMT's notice, opt-out, and access obligations. These are separate compliance tracks with separate enforcement mechanisms and separate remedies.

For HR tech vendors, the CCPA architecture maps vendors as "service providers" or "third parties" depending on the data-processing relationship with the employer-business. Each role carries different obligations under the CCPA regulation — another distinction that makes California compliance a two-track problem.

Illinois HB 3773

Illinois HB 3773 amended the Illinois Human Rights Act to add AI in employment decisions explicitly to the state's anti-discrimination framework. Governor Pritzker signed the bill on August 9, 2024, with the amendments taking effect January 1, 2026. The statute uses two defined terms: Predictive Data Analytics (PDA) — "use of machine learning algorithms for the purpose of predicting outcomes" — and AI, defined as a machine-based system that infers from inputs to generate predictions, recommendations, or decisions (the OECD-derived definition, which includes generative AI). The statute requires employers to disclose to applicants and employees when AI is used in employment decisions and creates anti-discrimination liability for tools that produce adverse impact.

HB 3773 is structurally closer to NYC LL 144 than to Colorado SB 26-189 in that it regulates employers directly. Vendor exposure is indirect — through procurement diligence and the same aiding-and-abetting and agent theories at play in California. The Illinois regulation does not mandate a bias audit, does not require public disclosure of audit results, and does not impose a specific candidate-notification timeline. It also prohibits using zip codes as a proxy for protected classes. The compliance obligation is the disclosure + non-discrimination duty, with the Illinois Department of Human Rights (IDHR) as the primary enforcement body and private civil action available as a remedy.

Illinois has separately maintained the older AI Video Interview Act, which has narrower scope (video-interview tools specifically) but predates the broader HB 3773 statute. Employers using video-interview AI in Illinois may face both obligations.

How These Regulations Compare

The five US regulations cover overlapping technology but make different structural choices. Two comparison surfaces below — terminology taxonomy and the operational comparison table — give employers and HR tech vendors the at-a-glance view that no single statute provides. Protected class coverage also varies — NYC LL 144's audit is narrow (sex and race/ethnicity) while CA FEHA, IL HB 3773, and federal Title VII cover substantially broader categories; for the full protected-class matrix across regulations, see our AI bias auditing methodology page.

AEDT vs ADMT vs ADS vs PDA vs ADM: The Terminology That Matters

Five terms appear across the US regulations, each with a different scope. Tool classification is the first compliance question, not the last — because a single tool can fall under multiple definitional buckets with different compliance obligations attached.

  • AEDT (Automated Employment Decision Tool) — NYC LL 144's narrow definition. Covers tools that substantially assist or replace human judgment in hiring or promotion decisions. Employment-specific. The substantial-assist/replace test (rely exclusively, weigh more heavily, or use to overrule human judgment) is what brings a tool into scope.
  • ADMT (Automated Decision-Making Technology) — California CCPA / CPRA framing. Broader than AEDT — covers any technology making significant decisions, including employment, housing, lending, and education. A tool can be an ADMT under CCPA without being an AEDT under NYC LL 144 (e.g., a tenant-screening AI), or be both (most enterprise HR tools).
  • ADS (Automated-Decision System) — California FEHA framing. Broader than AEDT, less specific than ADMT. Covers any computational process used in employment decisions, with the regulatory weight resting on the disparate-impact outcome rather than the procedural compliance.
  • PDA (Predictive Data Analytics) / AI — Illinois HB 3773 framing. Defined as "use of machine learning algorithms for the purpose of predicting outcomes." The Illinois statute pairs PDA with a separate AI definition (the OECD-derived machine-based system definition that includes generative AI), so Illinois actually carries two definitional anchors rather than one.
  • ADM (Automated Decision-Making) — generic term used across policy literature and some state regulations. Broadest of the bunch; conceptually covers any automated decision-making process. Not a precise regulatory term in any US statute.

The classification implications are real. A single enterprise HR platform might be classified as an AEDT under NYC LL 144 (triggering annual independent bias audit + public disclosure + 10-day candidate notice), an ADS under CA FEHA (triggering anti-discrimination liability without a specific procedural mandate), and an ADMT under CA CCPA (triggering pre-use notice + opt-out + access + risk assessment). Each classification triggers a different compliance overlay.

Operational Comparison Table

Side-by-side across the six variables that drive employer and vendor compliance decisions:

Regulation Terminology Who's regulated Required actions Penalties Effective date
NYC LL 144 AEDT (Automated Employment Decision Tool) Employer / employment agency (vendors indirect) Annual independent bias audit; public disclosure of audit summary; 10-business-day candidate notice; alternative-process opt-out $500 first violation; $1,500 per day ongoing July 5, 2023
CO SB 26-189 High-Risk AI System BOTH — developer AND deployer Disclosure to candidates when AI used; human-review pathway; pre-use risk assessment (developers) Civil penalties; private right of action January 1, 2027
CA FEHA Automated-Decision System (ADS) Employer (vendor via aiding-and-abetting + agent theories) Non-discriminatory outcomes; no specific procedural mandate (bias audit = strongest evidentiary defense) Full disparate-impact remedies (damages + injunctive) October 1, 2025
CA CCPA / CPRA ADMT (Automated Decision-Making Technology) Business + service provider (both roles) Pre-use notice; opt-out; access right; appeal right; pre-use risk assessment Statutory damages + administrative fines Phased 2026–2027
IL HB 3773 Predictive Data Analytics (PDA) + AI (machine-based system definition) Employer (vendors indirect) Disclosure to candidates; non-discrimination obligation; no zip-code-as-proxy Civil penalties via IHRA enforcement January 1, 2026

The Federal Preemption Variable

A December 11, 2025 White House executive order seeks to preempt or limit state-level AI regulation, citing the patchwork-compliance burden as the basis for federal action. The EO is being challenged in litigation that will shape the state-law picture through 2026 and 2027, and the operative scope of preemption is still being defined.

For employers and HR tech vendors, the prudent posture during this uncertainty is to maintain a multi-state compliance baseline calibrated to the highest-bar jurisdiction — which today is NYC LL 144 — while tracking preemption rulings as they land. The audit posture itself is preemption-resistant: an independent bias audit defends against discrimination liability under federal Title VII regardless of which state-specific statute is in scope. State-specific compliance items (NYC's audit publication requirement, CCPA's ADMT opt-out plumbing, Colorado's disclosure forms) could be federalized, narrowed, or rendered moot depending on how preemption resolves. But the underlying anti-discrimination liability — and the audit's value in defending against it — survives.

The strategic implication for compliance planning: invest in the audit infrastructure, the continuous-monitoring capabilities, and the documentation discipline that the bias-audit framework requires. That investment holds value across every scenario the preemption litigation could produce.

The Common Defense: Why Bias Audits Cover the Discrimination Floor

Across NYC LL 144, California FEHA, Illinois HB 3773, and the federal Title VII baseline — the common thread is anti-discrimination liability based on disparate impact. The legal theories differ in their procedural specifics, but the substantive question is the same: does the AI tool produce outcomes that disadvantage protected groups at materially different rates than the most-selected group?

An independent bias audit that documents impact ratios across protected classes — using the 4/5ths rule as the baseline threshold and intersectional analysis for the more rigorous cuts — is the strongest evidentiary defense against this liability, regardless of which specific statute is in scope. A clean audit creates a defensible record. The absence of a current audit creates a vacuum that plaintiff's counsel fills with adverse inferences. The same audit documentation satisfies NYC LL 144's explicit mandate, defends against FEHA disparate-impact claims, supports the Illinois HB 3773 non-discrimination duty, and provides Title VII coverage at the federal level.

What bias audits do NOT cover: California CCPA's ADMT transparency obligations (notice, opt-out, access, appeal) and Colorado SB 26-189's disclosure and human-review obligations are separate compliance tracks. They require their own infrastructure — disclosure plumbing, opt-out interfaces, human-review workflows. The bias audit is the discrimination floor; these are additional overlays that the discrimination defense doesn't address.

A Multi-Jurisdiction Compliance Playbook

For employers and HR tech vendors operating across multiple US states, the operational playbook has five steps.

Step 1: Tool classification. Confirm whether each AI tool in your stack is an AEDT (NYC LL 144), an ADS (CA FEHA), an ADMT (CA CCPA), a high-risk AI system (CO SB 26-189), or AI in employment decisions under Illinois HB 3773. Most enterprise HR platforms fall under multiple definitions simultaneously, which means stacked compliance obligations.

Step 2: Jurisdiction inventory. Map your candidate and employee population to the five regulations. NYC roles or NYC-office remote roles trigger LL 144. Colorado operations trigger SB 26-189. California candidates trigger both FEHA and CCPA. Illinois employment decisions trigger HB 3773. The same tool can trigger different regulations depending on which candidates it processes.

Step 3: Calibrate to the highest-bar discrimination defense. Commission an annual independent bias audit to NYC LL 144 standards (sex and race/ethnicity at minimum, intersectional analysis, 4/5ths rule threshold). That single audit satisfies the discrimination-defense floor across FEHA, IL HB 3773, federal Title VII, and the NYC LL 144 mandate itself.

Step 4: Layer jurisdiction-specific overlays. CCPA ADMT requires pre-use notice, opt-out plumbing, access mechanisms, and appeal workflows. Colorado requires disclosure forms and human-review pathways. NYC requires public publication of the audit summary and 10-day candidate notification. Illinois requires disclosure to applicants. Each overlay is structurally separate from the bias audit and must be operationalized independently.

Step 5: Continuous monitoring. Annual audits set the compliance floor; continuous monitoring catches model drift between formal audit cycles and produces the evidentiary record that discrimination litigation will require. The regulatory direction across all five US regulations (and the EU AI Act post-Omnibus) points toward continuous oversight, not annual snapshots.

For deployer-side detail on NYC LL 144 compliance, see the Employer's Guide to the NYC Bias Audit Law. For HR tech vendor-specific playbook, see the NYC LL 144 Vendor Compliance Playbook.

Build a Compliance Baseline That Survives the Patchwork

Warden AI runs independent bias audits and continuous monitoring across all major US AI hiring regulations — engineered for multi-jurisdiction employers and HR tech vendors. Book a 30-minute demo.

Related Articles

Frequently Asked Questions: Multi-State AI Hiring Compliance

No. An independent bias audit conducted to NYC LL 144 standards (4/5ths rule across sex and race/ethnicity with intersectional analysis) satisfies the discrimination-defense floor across federal Title VII, CA FEHA, IL HB 3773, and the broader anti-discrimination liability that the other state regulations create. Most enterprise vendors run one comprehensive annual audit and use the same audit documentation across all jurisdictions. State-specific procedural overlays (Colorado disclosure forms, CCPA ADMT notices, NYC public publication) layer on top of the audit — they don't replace it.

No. The preemption EO is under litigation and won't be resolved until 2027 at earliest. Even if preemption ultimately succeeds at the federal level, the underlying federal anti-discrimination framework (Title VII) creates liability for AI tools producing disparate impact — which is the same liability state laws like CA FEHA and IL HB 3773 codify. The independent bias audit defends against this liability regardless of which statute is in scope. State-specific compliance items (NYC's audit publication, CCPA's ADMT opt-out) may be federalized, narrowed, or rendered moot depending on the preemption outcome, but the underlying discrimination defense remains.

NYC LL 144. It's the highest-bar jurisdiction in terms of explicit procedural requirements (audit + disclosure + notice), it has the most active enforcement signal (the December 2025 NY State Comptroller audit pushed DCWP toward tighter enforcement through 2026 and beyond), and calibrating compliance to NYC LL 144 gives you the strongest evidentiary defense against CA FEHA, IL HB 3773, and federal Title VII liability at the same time. A clean NYC LL 144 audit also serves as procurement-cycle documentation for enterprise buyers in any state.

AEDT (Automated Employment Decision Tool) is NYC LL 144's narrow definition, limited to tools that substantially assist or replace human judgment in hiring or promotion decisions. ADMT (Automated Decision-Making Technology) is California's CCPA framing, broader, covers any technology making significant decisions including employment, housing, lending, and education. A single tool can be both: an AEDT under NYC LL 144 and an ADMT under CCPA. The classification matters because the compliance obligations differ: bias audit + public disclosure for AEDTs; pre-use notice + opt-out + risk assessment for ADMTs.

It depends on the jurisdiction. Colorado SB 26-189 explicitly regulates both developers (vendors) and deployers (employers) — vendors face direct compliance obligations including pre-use risk assessments. California CCPA covers vendors as service providers when they process personal information on behalf of an employer-business — vendors carry distinct CCPA obligations in that role. NYC LL 144, CA FEHA, and IL HB 3773 regulate employers directly — vendors are pulled in indirectly through procurement diligence, aiding-and-abetting theories, and the Mobley v. Workday agent doctrine. For a vendor-specific multi-jurisdiction playbook, see NYC LL 144 for HR Tech Vendors: A Compliance Playbook.