Tags: HR, Hiring, EEOC, EU AI Act, AI Compliance

    AI in Hiring 2026: EEOC, NYC LL144, the EU AI Act, and the Controls That Hold Up

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

    Short answer: AI is now mainstream in hiring — for resume screening, interview transcription, video analysis, scheduling, and outreach — and 2025 was the year regulators caught up. In 2026, employers using ChatGPT, Claude, Gemini, or specialized hiring tools have to satisfy at least four overlapping regimes: the EEOC's technical assistance on AI under Title VII / ADEA / ADA, New York City Local Law 144 (and a wave of state copycats), the EU AI Act's Annex III "high-risk" classification for employment AI, and underlying privacy law (CCPA/CPRA, GDPR, state biometric laws). This guide explains what each one actually requires, the patterns that get employers in trouble, and the controls that make AI in hiring defensible.

    The four regimes that govern AI in hiring

    1. EEOC technical assistance and federal anti-discrimination law

    Title VII (race, color, religion, sex, national origin), the ADEA (age 40+), and the ADA (disability) all apply equally to AI-driven employment decisions. The EEOC has issued technical assistance making three points clear:

    • Disparate impact still counts. If an AI selection procedure produces statistically different outcomes by protected class, the four-fifths rule and Uniform Guidelines on Employee Selection Procedures apply just as they would for a paper-and-pencil test.
    • Vendor liability is shared. Employers cannot delegate compliance to an AI vendor; they remain responsible for the tools they deploy.
    • Reasonable accommodation under the ADA applies to AI. A candidate who is screened out by an interview-analysis tool that does not work for their disability has the same accommodation rights as in any other employment process.

The EEOC's ADA guidance on software, algorithms, and AI (issued in 2022) in particular flagged emotion detection, gaze tracking, and speech-pattern analysis as common sources of disability-discrimination risk, because each can screen out a candidate for reasons unrelated to the job.

    2. New York City Local Law 144 (and the state copycats)

NYC LL144 (in effect since January 2023, enforced since July 5, 2023) regulates "automated employment decision tools" (AEDTs): computational tools whose output is used to substantially assist or replace discretionary decisions about candidates or employees who reside in or work in NYC. Requirements:

    • Independent bias audit. Conducted within one year before use by an auditor independent of both the vendor and the employer, with impact ratios by sex, race/ethnicity, and their intersections published in summary form together with the audit's distribution date.
    • Public notice. The bias-audit summary and the tool's distribution date posted on the employer's website.
    • Candidate notice. At least 10 business days before use, stating which job qualifications or characteristics the tool assesses, with instructions for requesting an alternative process or a reasonable accommodation.

The 2024–2025 wave of state laws followed: Illinois (the Human Rights Act amendment on AI in employment decisions, effective January 2026, alongside the earlier AI Video Interview Act), Maryland (HB 1202, consent for facial recognition in interviews), Colorado (AI Act, covering high-risk employment decisions; its effective date was pushed from February to June 2026), California (Civil Rights Council regulations on automated decision systems under FEHA, effective October 2025, plus the CPPA's automated decisionmaking technology rules), and several others. Each has its own audit, transparency, and notice requirements.

    3. EU AI Act Annex III: employment as a high-risk use case

    The EU AI Act (Regulation 2024/1689) classifies employment-related AI as high-risk when used for:

    • Recruitment, including targeted job advertisements, screening or filtering applications, and evaluating candidates.
    • Decisions affecting work relationships, including promotions, terminations, allocation of tasks, and monitoring or evaluating performance.

High-risk obligations include a risk-management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity, conformity assessment, registration, and post-market monitoring. The Annex III obligations apply from 2 August 2026: a system placed on the market or put into service after that date must comply from the start, while a system already on the market before it is caught only once it undergoes a significant change in design.

    4. Privacy law: GDPR, CCPA/CPRA, biometric laws

    Layered on top:

    • GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects, and rejecting a job applicant qualifies. Either implement meaningful human involvement, or rely on one of the exceptions (explicit consent, contract necessity, or a legal authorisation) and provide the required safeguards, including the right to obtain human intervention and contest the decision.
    • CCPA/CPRA gives California job applicants and employees rights to know, delete, and correct, and, under the CPPA's automated decisionmaking technology regulations, pre-use notice, opt-out, and access rights for ADMT used in significant decisions such as hiring.
    • Illinois BIPA / Texas CUBI / Washington biometric law apply to face geometry from video interviews and voiceprints from audio analysis. Damages under BIPA have run into hundreds of millions in employment-context cases.

    Where AI shows up in modern hiring

    The patterns regulators are scrutinizing in 2026:

    • Resume screening / ranking — LLM-based tools that summarize, score, or rank candidates against a job description. High disparate-impact risk if the model has learned proxies for protected class.
    • Sourcing and outreach — AI assistants drafting personalized recruiter emails, sometimes with profile inference. CCPA/CPRA "automated decisionmaking" notices may apply.
    • Asynchronous video interviews with analysis — speech-pattern, prosody, facial-expression, or gaze-tracking metrics. Highest risk under the ADA, BIPA, and the EU AI Act.
    • Live interview transcription and summarization — generates notes from a Zoom call. Lower-risk use case if used for record-keeping rather than scoring.
    • Skills assessments scored by AI — coding tests, work samples, situational judgment tests. Subject to the Uniform Guidelines if used as a selection procedure.
    • Chatbots screening candidates — conversational triage and FAQ. Disparate-impact risk if the chatbot's parsing handles different dialects or accommodations differently.
    • Background-check augmentation — AI surfacing "social media red flags" or news mentions. FCRA, defamation, and accuracy issues in addition to the above.

    What the EEOC actually expects

    A defensible employment-AI program in 2026 typically includes:

    • Pre-deployment bias testing. Fairness analysis across protected classes before live use, with documentation.
    • Validation under the Uniform Guidelines. Job-relatedness and consistency-with-business-necessity, especially for selection procedures.
    • Reasonable accommodation pathway. A documented alternative process for candidates who cannot or do not consent to AI evaluation.
    • Vendor diligence. Bias audits, model cards, training-data documentation, and contractual flow-down of compliance obligations.
    • Ongoing monitoring. Periodic re-audits, especially after model updates.
    • Adverse-impact records. Job-class outcome data, retained for the EEOC's standard recordkeeping period.
    • Candidate notice and transparency. Beyond LL144, increasingly an expectation across jurisdictions.

    What candidate data leaks where (and why it matters)

    A separate category of risk: hiring teams using AI tools that retain or train on candidate data they should not. The most common patterns:

    • Pasting a candidate's resume (with name, contact info, work history) into ChatGPT Plus to "summarize and rank these candidates." The candidate's PII is now in a non-DPA, non-zero-retention account; CCPA/CPRA notice and deletion obligations follow.
    • Uploading a video interview to a third-party AI tool not covered by an enterprise agreement, which may fine-tune on the audio or hold biometric templates.
    • Asking an AI assistant to "find anything notable about this candidate" using web browsing, with the candidate's full name in the prompt.

    The defensive pattern is the same one we recommend in our broader posts: enterprise tier with a DPA and zero retention, plus local-first redaction at the browser layer for the moments when a recruiter pastes content into a chat. A tool like Sonomos detects and tokenizes candidate PII before the prompt leaves the device.
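The redaction step above is worth seeing in code. What follows is an added example written for this page, not Sonomos's implementation: structured PII (emails, phone numbers, profile URLs) is found with regexes, candidate names are taken from the ATS record because regexes cannot find names reliably, every value is swapped for a numbered placeholder, and the placeholder-to-value map never leaves the device, so the model's reply can be restored locally. The resume text, the person, and the employer are constructed; the `build_prompt` helper and the placeholder format are assumptions for the example.

```python
"""Local-first redaction of candidate PII before a prompt leaves the device.

Added example, not Sonomos's code. Structured PII is matched with regexes,
names come from the ATS record, and the mapping stays on the device.
"""
import re
from dataclasses import dataclass, field

# Order matters: URLs first so a phone-like digit run inside a URL is not
# tokenized separately, then emails, then phones.
PATTERNS = {
    "URL": re.compile(r"https?://[^\s)]+|(?:www\.)?linkedin\.com/in/[^\s)]+", re.I),
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}"),
}


@dataclass
class Redactor:
    known_names: list                                            # from the ATS record
    mapping: dict = field(default_factory=dict, init=False)      # placeholder -> value
    _reverse: dict = field(default_factory=dict, init=False)     # value -> placeholder
    _counts: dict = field(default_factory=dict, init=False)

    def _placeholder(self, kind, value):
        """Return the placeholder for a value, allocating a numbered one on first sight."""
        if value not in self._reverse:
            self._counts[kind] = self._counts.get(kind, 0) + 1
            tok = f"[{kind}_{self._counts[kind]}]"
            self.mapping[tok] = value
            self._reverse[value] = tok
        return self._reverse[value]

    def redact(self, text):
        # Longest names first so "Maria Lopez-Ortega" is not cut to "Maria Lopez".
        for name in sorted(self.known_names, key=len, reverse=True):
            rx = re.compile(re.escape(name), re.I)
            text = rx.sub(lambda m, n=name: self._placeholder("NAME", n), text)
        for kind, rx in PATTERNS.items():
            text = rx.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def restore(self, text):
        """Put the real values back into the model's reply, on the device."""
        for tok, value in self.mapping.items():
            text = text.replace(tok, value)
        return text

    def leaked(self, text):
        """Original values still present in an outbound prompt (should be empty)."""
        low = text.lower()
        return [v for v in self.mapping.values() if v.lower() in low]


def build_prompt(resumes, names, task):
    """Redact each resume, join them, and return (redactor, prompt). Hypothetical helper."""
    r = Redactor(known_names=list(names))
    body = "\n---\n".join(r.redact(t) for t in resumes)
    return r, f"{task}\n\n{body}"


# Constructed resume; the person, contact details and employer are fictional.
RESUME = """Maria Lopez
Senior Backend Engineer, Example Corp
maria.lopez@example.com | (415) 555-0134 | https://www.linkedin.com/in/mlopez
Six years of Go and Postgres work; led the payments service migration.
"""

if __name__ == "__main__":
    r, prompt = build_prompt([RESUME], ["Maria Lopez"],
                             "Summarize each candidate's backend experience in two lines.")
    print(prompt)
    print("leaked:", r.leaked(prompt))
    print(r.restore("[NAME_1] has six years of Go; reach them at [EMAIL_1]."))
```

The `leaked` check is the part to keep in any real deployment: run it on the exact bytes that are about to leave the device, not on an earlier copy, so a regex gap shows up before the prompt is sent rather than in a deletion request later.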

    Examples: what is and is not defensible in 2026

| Scenario | Defensible? | Why |
| --- | --- | --- |
| Resume screening with an AEDT in NYC, no bias audit published | No | LL144 violation; civil penalties and possible enforcement |
| Same screening, with annual independent bias audit, candidate notice, and alternative process | Yes | LL144 compliant; document validation under Uniform Guidelines |
| Recruiter pastes 50 resumes into ChatGPT Plus to "rank top 5" | Risky | CCPA notice exposure; possible disparate impact without testing |
| Same recruiter using ChatGPT Enterprise (DPA + ZDR) with browser-layer PII redaction | Defensible | PII does not leave device; enterprise terms apply to remaining content |
| Video-interview tool scoring candidates on "engagement" metrics with no ADA accommodation pathway | Not defensible | ADA exposure; likely disparate impact for several disabilities |
| Chatbot triage that disqualifies candidates without human review | Risky under GDPR Art. 22, EU AI Act, and several US state laws | Human-in-the-loop required for legally / similarly significant effects |
| Background-check AI surfacing social posts with no FCRA-style accuracy checks | Not defensible | Inaccurate adverse data; defamation and FCRA exposure |

    Frequently asked questions

    Are simple AI summarization tools "AEDTs" under LL144?

LL144 covers tools whose output substantially assists or replaces discretionary decision-making about employment candidates. A pure note-taking or transcription tool typically falls below that bar; a tool that scores or ranks candidates usually clears it. The line is fact-specific, and the NYC DCWP rules read "substantially assist" broadly: relying on the tool's simplified output as the sole or primary factor, weighting it more heavily than any other criterion, or using it to overrule a human conclusion all count. Treat borderline tools cautiously.

    What is the four-fifths rule?

The Uniform Guidelines on Employee Selection Procedures treat a selection rate for any race, sex, or ethnic group below four-fifths (80%) of the rate for the highest-selected group as evidence of adverse impact. It is a screening test, not a safe harbor: passing the four-fifths rule does not eliminate Title VII risk, failing it does not by itself establish disparate impact, and the Guidelines themselves note that small numbers can produce large ratio differences that are not statistically significant, so a significance test should accompany the ratio. The EEOC and courts use it as a starting point.
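The impact ratios an LL144 bias audit publishes and the four-fifths screen described here are the same arithmetic. The block below is an added example written for this page; it is not the page's own code and not any regulator's or auditor's tooling. It implements two rates: the selection rate for pass/fail tools, and, for tools that emit a score, the scoring rate as the NYC DCWP rules define it (the share of a category scored above the sample median). The ratio is each category's rate divided by the highest category's rate, and categories can be single (sex) or intersectional (sex x race/ethnicity). All records are constructed, and the `min_n` threshold and the "unknown" bucket are assumptions for the example.

```python
"""Impact ratios for an LL144-style bias audit and the four-fifths screen.

Added example, not from the page and not any regulator's or vendor's tooling.
Selection rate: share of a category advanced (pass/fail tools).
Scoring rate: share of a category scored above the sample median (scoring tools).
Impact ratio: category rate / highest category rate; below 0.8 is flagged.
The flag is a screen for follow-up, not a conclusion.
"""
from collections import Counter, defaultdict
from statistics import median

FOUR_FIFTHS = 0.8


def impact_ratios(rates):
    """Rate of each category divided by the highest category rate."""
    top = max(rates.values(), default=0.0)
    return {g: (r / top if top else 0.0) for g, r in rates.items()}


def selection_rates(applicants, selected):
    """applicants, selected: category -> count."""
    return {g: (selected.get(g, 0) / n if n else 0.0) for g, n in applicants.items()}


def scoring_rates(scores_by_cat):
    """category -> list of scores; rate = share scored above the overall median."""
    all_scores = [s for scores in scores_by_cat.values() for s in scores]
    cut = median(all_scores)
    return {g: sum(1 for s in scores if s > cut) / len(scores)
            for g, scores in scores_by_cat.items() if scores}


def four_fifths_screen(rates, sizes, min_n=30):
    """Per-category table with the ratio, the flag, and a small-sample warning."""
    ratios = impact_ratios(rates)
    return {
        g: {
            "n": sizes[g],
            "rate": round(rates[g], 3),
            "impact_ratio": round(ratios[g], 3),
            "flag": ratios[g] < FOUR_FIFTHS,
            "small_sample": sizes[g] < min_n,   # ratio alone is unreliable here (assumed cutoff)
        }
        for g in rates
    }


def category_of(record, keys):
    """Single key ("sex",) or intersection ("sex", "race_ethnicity"). Missing values
    go into an "unknown" bucket rather than being silently dropped."""
    return tuple(record.get(k, "unknown") for k in keys)


def audit_records(records, keys, min_n=30):
    """records: ATS export rows carrying the category fields and either a boolean
    'selected' (pass/fail tool) or a numeric 'score' (scoring tool)."""
    if "score" in records[0]:
        by_cat = defaultdict(list)
        for r in records:
            by_cat[category_of(r, keys)].append(r["score"])
        rates = scoring_rates(by_cat)
        sizes = {g: len(v) for g, v in by_cat.items()}
    else:
        applicants = Counter(category_of(r, keys) for r in records)
        selected = Counter(category_of(r, keys) for r in records if r["selected"])
        rates = selection_rates(applicants, selected)
        sizes = dict(applicants)
    return four_fifths_screen(rates, sizes, min_n)


# Constructed pass/fail data: 150 male applicants with 60 advanced, 120 female with 30.
PASS_FAIL = (
    [{"sex": "male", "selected": i < 60} for i in range(150)]
    + [{"sex": "female", "selected": i < 30} for i in range(120)]
)

# Constructed scoring data for an intersectional check (sex x race/ethnicity).
SCORED = (
    [{"sex": "female", "race_ethnicity": "hispanic", "score": s} for s in (60, 55, 75, 95)]
    + [{"sex": "male", "race_ethnicity": "white", "score": s} for s in (90, 85, 80, 70)]
)

if __name__ == "__main__":
    for g, row in audit_records(PASS_FAIL, ("sex",)).items():
        print(g, row)
    for g, row in audit_records(SCORED, ("sex", "race_ethnicity")).items():
        print(g, row)
```

On the constructed data the female selection rate is 0.25 against 0.40 for men, an impact ratio of 0.625, which the screen flags; the intersectional scoring check flags the small category too, but marks it as a small sample, which is the cue to run a significance test before drawing any conclusion. Re-run the audit on the model version and configuration actually deployed, since a ratio computed on a different build says nothing about the one in production.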

    Does the EU AI Act require us to register our hiring AI?

    If you are a provider placing a high-risk AI system on the EU market, you have registration obligations under the AI Act. If you are a deployer (most US employers using EU-vendor or US-vendor tools in the EU), the bulk of your obligations are around use, transparency, human oversight, and post-market monitoring — but the provider must register the system in the EU database.

    Does an AI vendor's "bias audit" satisfy LL144?

    LL144 specifies an independent auditor. Verify that the audit was performed by an entity independent of both the vendor and the employer, that it tested the version of the model and the configuration the employer actually uses, and that the impact ratios across race-ethnicity-and-sex are published. A vendor-conducted audit reused by every customer is unlikely to satisfy the law.

    Is local-first redaction enough on its own?

    It is one important layer — preventing candidate PII from reaching non-approved AI accounts — but it does not address bias, validation, accommodation, or candidate notice. Use it as part of a broader employment-AI program rather than as the program itself.

    What about AI used inside the company (performance reviews, layoffs, promotions)?

    Same regimes, often more squarely. Performance evaluation, allocation of tasks, monitoring, and termination decisions are explicitly enumerated as employment use cases under the EU AI Act's Annex III. State laws (Colorado AI Act, several proposed laws in 2026) cover them too. The risk is sometimes higher than in initial hiring because the employee has accrued reliance interests.

    Can we just have humans rubber-stamp the AI?

No. GDPR Article 22 and the EU AI Act's human-oversight requirement (Article 14) assume meaningful human review: a reviewer who understands the system's output and its limits, has the authority and the information needed to override it, and bases the decision on more than the AI's own output. A reviewer who sees only the model's score and a confirm button is signing off on the loop rather than being in it, and that arrangement is unlikely to satisfy any of these regimes.

    A short checklist for HR, legal, and IT

    • Inventory every AI tool used in hiring or employment, including unsanctioned ones.
    • For each, classify under Annex III (EU AI Act), AEDT (LL144 + state copycats), and federal anti-discrimination law.
    • Run pre-deployment bias testing; commission independent audits where required.
    • Document validation under the Uniform Guidelines for selection procedures.
    • Build an accommodation pathway for candidates who cannot or do not consent to AI evaluation.
    • Issue candidate notices that meet LL144 / state-law requirements, not just consumer-privacy disclosures.
    • Choose enterprise-tier AI tools with DPAs and zero retention; deploy browser-layer redaction for the moments when staff paste candidate data into chat.
    • Implement meaningful human review — informed override, not rubber-stamp.
    • Re-audit after every material model update.
    • Train hiring managers, recruiters, and HR partners on the policy.
    • Coordinate with legal on jurisdiction-by-jurisdiction notice and consent requirements.

    The bottom line

    In 2026, AI in hiring is a regulated activity in most of the markets that matter. The combination of EEOC technical assistance, NYC LL144 + state copycats, the EU AI Act's Annex III high-risk classification, and underlying privacy and biometric laws means that a casual deployment is a multi-jurisdictional exposure waiting to happen. The good news is the path through is well marked: bias testing, validation, accommodation, candidate notice, vendor diligence, meaningful human oversight, and technical controls (including local-first redaction) on the prompt-and-paste workflows that recruiters actually use. Get those right and AI is a real productivity gain. Skip them and the next bias audit, candidate complaint, or regulator inquiry will find what you missed.
