May 7, 2026
10 min read

AI Hiring Compliance in 2026: The Recruiter's Guide to NYC Local Law 144 and the EU AI Act

What recruiters and procurement teams need to operate AI hiring tools without getting sued in 2026.

AI bias audits, EU AI Act conformity assessments, and candidate transparency are now procurement filters. The practical guide to NYC Local Law 144 and EU AI Act obligations for global recruiters in 2026 — with a vendor due-diligence checklist.


Introduction

If you bought an AI recruiting tool in the last twelve months, the first question your legal or procurement team is asking in 2026 is no longer "does it work?" but "will this get us sued?" That shift is not paranoia. It reflects two regulatory regimes that have moved from theory into enforcement, the end of a generation of vendor hand-waving, and a wave of internal AI audits at large enterprises that are now flowing downstream to every recruiting vendor in the procurement pipeline.

This guide is written for the people who actually have to answer the question: heads of talent acquisition, recruiting operations leaders, and the in-house counsel they pull into vendor RFPs. It explains what changed in 2026, whether NYC Local Law 144 applies to your company even if you are not in New York, what the EU AI Act treats as a high-risk hiring system, and how to evaluate the AI tools already inside your stack. There is a checklist at the end you can paste straight into your vendor due-diligence template.

What Changed in 2026

Two things happened in the first five months of the year that turned AI hiring compliance from a topic for conferences into a topic for board decks.

First, the New York City Department of Consumer and Worker Protection (DCWP) accelerated enforcement of Local Law 144. The law, which technically went into effect in July 2023, spent its first two years in a soft enforcement posture while employers and vendors figured out what the bias audit requirement actually meant in practice. That posture has ended. DCWP investigations are open, fines have been issued, and the agency has published guidance clarifying that liability sits with the employer, not the vendor — even when the AEDT is provided by a third party.

Second, the European Union's AI Act high-risk obligations for employment systems are now in effect, and the first wave of conformity assessments is moving through notified bodies. The Q1 2026 DLA Piper enterprise audit benchmark — which surveyed 200+ multinational employers on their AI procurement practices — found that 71% of buyers now require an EU AI Act conformity statement from any AI vendor touching candidate data, regardless of whether the buyer hires in the EU. The reason is simple: most large employers do not want to maintain two separate AI tooling stacks for European and non-European hiring.

The combined effect is that compliance has become a procurement filter. Vendors that cannot produce a current bias audit and a documented conformity assessment are getting cut from RFPs before the demo stage.

Does Local Law 144 Apply to You? A Three-Question Decision Tree

The most common confusion among non-NYC employers is that they assume the law does not reach them. That is wrong as often as it is right. Use this three-question test.

Question 1: Are you using an Automated Employment Decision Tool to screen candidates for a job that could be performed in NYC, or by an employee residing in NYC? The law applies based on where the work happens or where the candidate sits, not where your headquarters is. A remote-first company in Austin hiring a remote engineer who lives in Brooklyn is in scope.

Question 2: Does the tool "substantially assist or replace" human decision-making? This is the test that catches most people off guard. If the tool generates a score, ranking, or classification that materially influences who gets advanced, it counts — even if a human "makes" the final call. Resume parsers that do skill-extraction-only generally fall outside scope. Tools that rank or score candidates fall inside.

Question 3: Have you done a bias audit in the last 12 months and posted a summary? If the answer to questions 1 and 2 is yes and the answer to 3 is no, you are out of compliance. Each separate AEDT requires its own audit, and candidates must be given notice at least 10 business days before the tool is used on them.

If you are unsure on Question 2, the safe default in 2026 is to treat scored screening as in-scope. The cost of an audit is materially less than the cost of a DCWP investigation.

What an AEDT Actually Is

The statutory definition of an Automated Employment Decision Tool is "any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making."

In practice, that pulls in five categories of tools that show up in modern recruiting stacks. Resume scoring engines that produce a fit score against a job description. Video interview platforms that generate competency or trait scores. Assessment tools that classify candidates into bands. Sourcing tools that rank passive candidates by predicted interest or fit. Calibration tools that rerank a shortlist based on team-fit modeling.

What it does not pull in: tools that only structure data without scoring it, plain background-check services, scheduling assistants, and tools that flag policy violations without ranking candidates. Workday's core ATS is not an AEDT; the predictive features layered on top of it might be. Greenhouse is not an AEDT; the AI-scoring add-on you bought from a partner integration probably is.

This is why the question "does Workday or Greenhouse keep me compliant?" is the wrong question. Your ATS is a system of record. Compliance liability attaches to the AI features sitting on top of it, including ones added through integrations you may not have actively procured.

How a Bias Audit Works, What It Costs, Who Runs It

A Local Law 144 bias audit is an impact-ratio analysis performed by an independent auditor. The auditor calculates selection rates by sex, by race/ethnicity, and by the intersectional combinations of the two, then computes each category's impact ratio: its selection rate divided by the selection rate of the most-selected category in that analysis. The summary published by the employer must include those ratios and the date of the audit.

The audit needs to be done annually, by an auditor with no commercial interest in the AEDT vendor, and on data that reflects actual usage — synthetic test data does not satisfy the requirement.
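As an added illustration (not code from the article or from any auditor), here is the impact-ratio arithmetic described above, run over constructed sample counts for the sex, race/ethnicity and intersectional analyses and checked against the EEOC four-fifths threshold that the vendor-question section cites. The category names and counts are assumptions chosen to show a case where the single-axis analyses pass but the intersectional one does not.

```python
# Constructed sample data, not from any real audit. Each analysis lists how many
# candidates the AEDT scored per category and how many of them it advanced.
SAMPLE_AUDIT_DATA = {
    "sex": {
        "Male":   {"scored": 400, "selected": 120},
        "Female": {"scored": 350, "selected": 84},
    },
    "race/ethnicity": {
        "White":                     {"scored": 420, "selected": 126},
        "Black or African American": {"scored": 150, "selected": 36},
        "Hispanic or Latino":        {"scored": 170, "selected": 43},
    },
    "intersectional": {
        "Male / White":                {"scored": 230, "selected": 69},
        "Female / White":              {"scored": 190, "selected": 57},
        "Male / Hispanic or Latino":   {"scored": 90,  "selected": 27},
        "Female / Hispanic or Latino": {"scored": 80,  "selected": 16},
    },
}

FOUR_FIFTHS = 0.80  # EEOC four-fifths rule of thumb used as the flagging threshold


def impact_ratios(analysis):
    """Selection rate per category and its ratio to the best-selected category.

    selection_rate = selected / scored
    impact_ratio   = selection_rate / max(selection_rate over this analysis)
    Categories with nothing scored are skipped rather than dividing by zero.
    """
    rates = {g: c["selected"] / c["scored"]
             for g, c in analysis.items() if c["scored"] > 0}
    top = max(rates.values())
    return {g: {"selection_rate": round(r, 4), "impact_ratio": round(r / top, 4)}
            for g, r in rates.items()}


def run_audit(data, threshold=FOUR_FIFTHS):
    """Run every analysis and list the categories whose ratio falls below threshold."""
    report = {}
    for name, analysis in data.items():
        results = impact_ratios(analysis)
        flagged = sorted(g for g, r in results.items() if r["impact_ratio"] < threshold)
        report[name] = {"results": results, "flagged": flagged}
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(SAMPLE_AUDIT_DATA), indent=2))
```

With these counts, "Female" sits exactly at 0.80 and passes, while "Female / Hispanic or Latino" comes out at 0.6667 and is flagged, which is why the rule asks for the intersectional analysis and not just the two single-axis ones.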

Cost in 2026 is typically in the range of $15,000 to $50,000 per AEDT for a standard audit, depending on data volume, number of roles, and whether historical or test data is used. Large vendors increasingly pre-fund a vendor-side audit and provide a redacted summary to customers, which the customer can supplement with their own usage data. That is a workable model but it does not transfer liability — the employer still owns the posting requirement and the candidate-notice obligation.

Auditors who specialize in this work include BABL AI, Holistic AI, Conductor AI, and a small number of academic-affiliated groups. Generalist data science consultancies will do the math but often miss the documentation requirements that DCWP looks for. Ask any auditor for sample reports and the names of three Local Law 144 audits they have completed.

EU AI Act for Hiring: What "High-Risk" Means in Practice

Annex III of the EU AI Act lists employment, workers' management, and access to self-employment as a high-risk category. The specific systems named include AI used for recruitment or selection — particularly to place targeted job advertisements, screen or filter applications, and evaluate candidates — and AI used to make decisions affecting terms of work, promotion, termination, task allocation, and performance evaluation.

For a high-risk system, the obligations break into three buckets.

Provider obligations — what the vendor has to do — include conformity assessment, technical documentation, a risk management system, data governance documentation, post-market monitoring, and CE marking. Most reputable AI recruiting vendors selling into the EU completed their first conformity assessment in 2025 and are now in the post-market monitoring phase.

Deployer obligations — what the employer has to do — are the ones recruiters often miss. They include using the system in line with the provider's instructions, monitoring its operation, maintaining logs, ensuring human oversight by someone with the competence to override outputs, and providing meaningful information to candidates affected by the system. The deployer also has to perform a fundamental rights impact assessment for high-risk public-sector use cases, which increasingly bleeds into private sector best practice.

Cross-cutting obligations include candidate transparency — a candidate has the right to know that an AI system was used and to obtain an explanation of the decision — and incident reporting if the system causes serious harm or a fundamental rights violation.

The practical implication for a recruiter is that you cannot just buy a CE-marked tool and walk away. You have to operate it within the documented use case, log decisions, ensure a human reviewer has the training and the authority to overturn outputs, and provide candidate-facing transparency.

Side-by-Side: Penalties, Scope, Audit Cadence, Candidate Notice

The two regimes are not redundant. They cover overlapping but distinct ground, and a global employer typically needs to satisfy both.

On scope, Local Law 144 is jurisdictional and tool-specific — it applies when an AEDT is used for an NYC-located role. The AI Act is risk-based and extraterritorial — it applies wherever the AI system or its outputs are used in the EU, regardless of the provider's or deployer's location.

On audit cadence, Local Law 144 requires annual independent bias audits posted publicly. The AI Act requires conformity assessment before market entry plus continuous post-market monitoring; there is no annual public posting requirement, but technical documentation must be available to regulators on request.

On candidate notice, Local Law 144 requires at least 10 business days' notice before AEDT use, with a description of the qualifications and characteristics it considers. The AI Act requires that candidates be informed when interacting with a high-risk system and have a right to explanation for individual decisions.

On penalties, Local Law 144 fines run $500 for a first violation and up to $1,500 for subsequent violations per day per affected candidate — small per incident, but they compound fast across a hiring funnel. The AI Act caps administrative fines at €35 million or 7% of global annual turnover for the most serious violations, with €15 million / 3% for high-risk system non-compliance and €7.5 million / 1.5% for incorrect information to authorities. For a global SaaS employer, the AI Act is the more material exposure.

Vendor Due Diligence: Questions to Ask Your AI Recruiting Vendor

If you only ask your vendor one set of questions before signing in 2026, make it these. Paste them into the security and compliance section of your RFP.

Has an independent bias audit been completed in the last 12 months for the specific configuration we will be using, and can you share the auditor's name and a redacted summary report? Vendors that produce the report inside 24 hours have done this exercise; vendors who promise to "get back to you" usually have not.

For each AEDT feature, what training data was used, what protected-class proxies were tested for, and what mitigations are in place? You are looking for specifics — "we tested for adverse impact across sex and race/ethnicity using EEOC's four-fifths threshold and retrained when impact ratios fell below 0.85" — not "we take fairness very seriously."

Have you completed an EU AI Act conformity assessment for high-risk employment systems, and can you share the technical documentation summary? If they sell into the EU and the answer is no, that is a material risk signal.

What logging is available to deployers, and how long are logs retained? You need this for both your own AI Act deployer obligations and for any candidate explanation requests.

What is your incident-reporting process if a model issue is discovered post-deployment, and what notice will customers receive? Look for committed timelines, not "we'll let you know."

Who is the named human reviewer in your recommended deployment, and what training do you provide to ensure they can meaningfully override the system's output? "Human in the loop" without competence and authority is a paper control.

What is your data residency posture for EU candidate data, and how do you handle cross-border transfers? This is a GDPR question more than an AI Act question, but it shows up in the same buyer review.


Frequently Asked Questions

Does Local Law 144 apply to my company if I'm not in NYC?

Yes, if you use an AEDT to screen candidates for a role that will be performed in NYC, or by an NYC resident, even if your company has no NYC office.

What counts as an AEDT?

A computational tool that issues a score, classification, or recommendation that substantially assists or replaces human discretion in a hiring decision. Scoring resume parsers, video interview platforms, and ranking tools generally qualify; pure data-structuring tools generally do not.

EU AI Act vs Local Law 144 — which is stricter?

They cover different ground. The AI Act has higher penalty exposure and broader process obligations; Local Law 144 has a more specific public-disclosure and audit-cadence requirement. Global employers typically need to satisfy both.

What are the penalties for AI hiring bias?

Under Local Law 144, $500–$1,500 per day per affected candidate. Under the EU AI Act, up to €35M or 7% of global turnover for the most serious violations. Civil litigation under Title VII or equivalent EU law is a separate exposure on top of regulatory fines.

Do I need a bias audit if I use Workday or Greenhouse?

The ATS itself usually does not require one. The AI scoring and ranking features built on top of it usually do. Inventory every AI-driven decision step in your funnel and audit each one.

How often is the audit required?

Annually under Local Law 144. Continuous post-market monitoring under the AI Act, with technical documentation kept current.

Who can perform a bias audit?

An independent third party with no commercial interest in the AEDT vendor. Specialist firms include BABL AI, Holistic AI, and Conductor AI. Ask for sample reports and references before engaging.

