HR teams using AI in hiring, performance management, or compensation decisions must comply with Title VII, the ADA, ADEA, and NYC Local Law 144. The EEOC has issued guidance specifically addressing AI in employment decisions.
AI tools are transforming human resources, from resume screening and candidate assessment to performance reviews and workforce planning. However, employment law imposes strict requirements on how these decisions are made, and AI that produces biased outcomes exposes organizations to significant legal liability regardless of whether the bias was intentional.
Why AI Governance Is Different for HR
Human resources sits at the intersection of people, data, and high-stakes decision-making. AI tools used in HR directly affect individuals' livelihoods, making the consequences of errors or bias particularly severe. Employment law has decades of precedent around discrimination, and regulators are actively extending these protections to AI-driven decisions.
Key factors that differentiate HR AI governance:
- Anti-discrimination law: Title VII of the Civil Rights Act, the Americans with Disabilities Act (ADA), and the Age Discrimination in Employment Act (ADEA) prohibit employment discrimination based on protected characteristics. These laws apply to AI-driven decisions with the same force as human decisions. Under disparate impact theory, even facially neutral AI tools can violate these laws if they disproportionately affect protected groups.
- EEOC enforcement: The Equal Employment Opportunity Commission has issued specific guidance on AI in employment decisions, including its 2023 technical assistance document on AI and Title VII disparate impact. The EEOC has signaled that it will pursue enforcement actions against employers whose AI tools produce discriminatory outcomes.
- Local AI hiring laws: NYC Local Law 144 requires bias audits of automated employment decision tools (AEDTs) used in hiring or promotion within New York City. Similar legislation has been proposed or enacted in other jurisdictions including Illinois, Maryland, and the EU under the AI Act.
- Employee privacy: AI tools used in performance monitoring, sentiment analysis, or productivity tracking raise significant privacy concerns. State laws including the California Consumer Privacy Act (CCPA) and Illinois Biometric Information Privacy Act (BIPA) impose requirements on employee data collection and processing.
- Accommodation obligations: The ADA requires reasonable accommodations for employees with disabilities. AI tools used in hiring or performance assessment must not screen out qualified individuals with disabilities and must be compatible with accommodation processes.
Our comprehensive AI governance guide provides the foundational framework that HR teams should build upon with these employment-specific controls.
The Top AI Risks Facing HR Organizations
HR teams face AI risks that carry legal liability, regulatory penalties, and significant harm to individuals. The following table outlines the most critical risks:
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Hiring AI with disparate impact on protected groups | High | Critical | Conduct bias audits before deployment and annually; test across all protected categories; document validation procedures; maintain human oversight of AI recommendations |
| Performance AI lacking transparency and explainability | Medium | High | Require explainable AI models for performance decisions; provide employees with information about how AI is used in evaluations; establish appeal processes for AI-influenced decisions |
| Employee data processed by consumer AI tools | High | High | Block consumer AI on HR systems; deploy approved enterprise tools for HR workflows; train HR staff on data handling requirements; implement DLP controls for employee PII |
| No AI disclosure to candidates or employees | Medium | Medium | Implement disclosure processes compliant with NYC LL 144 and emerging state laws; update privacy notices; include AI disclosure in candidate and employee communications |
Disparate impact in hiring AI is one of the most consequential risks any organization faces. AI resume screening tools have been shown to discriminate based on proxies for protected characteristics, including names, zip codes, educational institutions, and activity patterns. Even when protected characteristics are excluded as direct inputs, AI models can find proxies that produce biased outcomes. Our guide on the EU AI Act covers how international regulations classify employment AI as high-risk.
What Regulators and Auditors Expect
Employment regulators at the federal, state, and local levels are developing increasingly specific expectations for AI governance in HR:
- EEOC expectations: The EEOC expects employers to evaluate AI tools for potential disparate impact before deployment, monitor AI tools for discriminatory outcomes on an ongoing basis, retain records of AI-assisted employment decisions, and ensure that AI tools do not screen out individuals who need reasonable accommodations.
- NYC Local Law 144 requirements: Employers using AEDTs in New York City must conduct annual independent bias audits, publish audit results on their website, notify candidates that an AEDT will be used, allow candidates to request alternative processes, and retain records of AEDT usage.
- State attorney general investigations: State AGs have opened investigations into AI hiring practices, focusing on disability discrimination, age discrimination, and racial bias. Employers should be prepared to respond to civil investigative demands for documentation of AI governance practices.
- Department of Labor guidance: The DOL has issued guidance on AI in the workplace covering wage and hour implications, safety considerations, and worker notification requirements.
- Internal and external audit: Internal audit teams and external auditors are increasingly examining AI usage in HR as part of compliance reviews. Documented governance programs, bias testing records, and training completion evidence are standard audit requests.
Organizations should also review the AI risk management framework guide for structured approaches to identifying and mitigating HR-specific AI risks.
AI Governance Built for HR Teams
PolicyGuard helps HR organizations enforce AI policies, detect shadow AI usage, and generate audit documentation regulators want to see.
Start free trialPolicyGuard helps companies like yours get AI governance documentation audit-ready in 48 hours or less.
Start free trial →Building an AI Policy for HR Teams
An HR AI policy must balance innovation with legal compliance and employee trust. The policy should cover all AI tools used in the employee lifecycle, from recruiting through separation.
Hiring and Recruiting AI
Establish specific governance requirements for AI used in any stage of the hiring process:
- Resume screening: Require bias audits of all automated resume screening tools. Document the selection criteria used by the AI, test for disparate impact across protected categories, and maintain human review of AI-recommended candidate lists.
- Assessment tools: AI-powered assessments including video interviews, skills tests, and personality evaluations must be validated for job-relatedness and tested for adverse impact. Ensure assessments comply with ADA requirements and offer accommodations.
- Interview scheduling and coordination: Lower-risk AI applications in logistics still require governance to ensure they do not inadvertently disadvantage candidates (for example, scheduling AI that disadvantages candidates in different time zones).
Performance Management AI
AI used in performance evaluations, promotion decisions, or compensation recommendations requires careful governance. Employees should understand how AI influences their evaluations, have access to appeal processes, and receive explanations for AI-influenced decisions. Prohibit opaque AI scoring systems that managers cannot explain or override.
Employee Monitoring AI
If the organization uses AI for productivity monitoring, sentiment analysis, or workplace behavior tracking, the policy must address employee notification requirements, data minimization principles, retention limits, and compliance with state and local privacy laws. Several states require employee consent for electronic monitoring, and the NLRA protects certain employee communications from employer surveillance.
Data Handling Requirements
HR data is highly sensitive, containing personal information, health data, compensation details, and performance records. The AI policy should specify which HR data categories may be used with AI tools, require data minimization so AI tools only access necessary information, establish retention limits for AI-processed HR data, and prohibit the use of employee data in consumer AI tools. Align these requirements with the broader principles in your AI governance framework.
How to Monitor and Enforce AI Usage in HR
Effective monitoring of AI in HR requires ongoing vigilance because employment decisions are continuously made and the legal landscape is rapidly evolving.
Bias Monitoring and Testing
Implement continuous bias monitoring for all AI tools used in employment decisions. This goes beyond pre-deployment testing to include ongoing analysis of outcomes across protected categories. When monitoring reveals disparate impact, the organization must be prepared to investigate, remediate, and document corrective actions. Establish clear thresholds that trigger investigation and define the process for pausing AI tools that show signs of bias.
Usage Compliance Tracking
Monitor whether HR team members are using approved AI tools following established procedures. Track disclosure compliance for jurisdictions requiring candidate notification, verification workflow completion for AI-generated content in offer letters and employment documents, and training completion across the HR team. PolicyGuard's compliance monitoring platform provides real-time visibility into AI policy adherence.
Regulatory Change Management
The legal landscape for AI in employment is changing rapidly. Assign responsibility for monitoring regulatory developments across relevant jurisdictions and updating policies accordingly. Subscribe to updates from the EEOC, state legislatures, and relevant bar associations. When new requirements emerge, assess their impact on existing AI tools and governance practices. Use our policy templates as a starting point and customize them as regulations evolve.
Frequently Asked Questions
Does our organization need a bias audit under NYC Local Law 144?
If your organization uses an automated employment decision tool (AEDT) to screen candidates or employees for employment or promotion within New York City, you must conduct an annual bias audit by an independent auditor. An AEDT is defined as any computational process derived from machine learning, statistical modeling, data analytics, or AI that issues a simplified output used to substantially assist or replace discretionary decision-making. Even if your company is headquartered outside NYC, the law applies if you are making employment decisions for positions located in New York City.
Can AI make final hiring decisions without human review?
While no federal law explicitly prohibits fully automated hiring decisions, best practices and regulatory guidance strongly recommend human oversight. The EEOC expects employers to ensure AI tools do not produce discriminatory outcomes, which is difficult to guarantee without human review. The EU AI Act requires meaningful human oversight for high-risk AI systems including employment AI. Most employment lawyers advise against fully automated hiring decisions because the legal risk is substantial and human review provides an important safeguard and defense in potential discrimination claims.
How do we test AI hiring tools for bias?
Bias testing for AI hiring tools should examine outcomes across all protected categories including race, sex, age, disability status, and national origin. Use the four-fifths rule as a starting point: if the selection rate for any protected group is less than four-fifths (80%) of the rate for the highest-performing group, there may be adverse impact. Beyond the four-fifths rule, conduct statistical significance testing, examine intersectional impacts, and test with representative datasets. Testing should occur before deployment and at regular intervals during use. Document all testing methodology, results, and remediation actions.
What should we tell candidates about AI in our hiring process?
At minimum, comply with disclosure requirements in applicable jurisdictions. NYC Local Law 144 requires notice at least 10 business days before use of an AEDT. Illinois AI Video Interview Act requires notice and consent before using AI to analyze video interviews. Best practice is to include a clear, plain-language notice in job postings or early in the application process explaining what AI tools are used in the hiring process, what data the AI analyzes, how AI recommendations are used alongside human decision-making, and how candidates can request accommodations or alternative processes.
Are employee monitoring AI tools legal?
Employee monitoring AI tools are generally legal but subject to significant restrictions that vary by jurisdiction. The Electronic Communications Privacy Act (ECPA) permits employer monitoring of business communications with certain limitations. State laws may require employee notice or consent before monitoring. The NLRA protects employees' rights to engage in concerted activity, which limits monitoring of certain communications. Biometric data collection (facial recognition, keystroke dynamics) may be regulated under state biometric privacy laws like Illinois BIPA. Organizations should consult employment counsel before deploying AI monitoring tools and implement clear policies that notify employees of monitoring practices.
