Tom Cedoz

Framework · AI & emerging risk

AI in Hiring: An Employment-Law Risk Review

AI changes how a hiring decision gets made; it does not change who answers for it. When an algorithm screens out a protected group, the charge names the employer, not the vendor. This framework walks the work that has to happen before deployment — and keep happening after.

Updated June 2026· 7 steps· Prints to 2 pages

Start from the duty, not the tool

Recruiting and hiring tools that rank résumés, score video interviews, run gamified assessments, or recommend candidates can save real time. None of them shift the underlying legal duties. Title VII, the ADEA, the ADA, and their state analogues still apply in full, and the employer remains responsible for the outcome even when an outside vendor built and trained the model. The recurring theme across this series holds here: the workflow changes; the duties — non-discrimination, job-relatedness, reasonable accommodation, recordkeeping — do not. “The algorithm did it” is not a defense.

This is general information, not legal advice, and AI employment law is moving fast and unevenly across jurisdictions. Treat every framework and statute named below as a prompt to confirm current scope, effective status, and applicability to your facts with counsel — not as a settled rule.

The framework

  1. Inventory where AI already touches an employment decision.

    You cannot assess what you have not located. Map every point in the funnel where an automated tool sources, screens, ranks, scores, or recommends — including features bolted onto an applicant-tracking system or a job board that no one procured as “AI.” For each, record what it measures, what data it ingests, and what human action follows its output. A short inventory now is cheaper than reconstructing one after a charge. (A fuller approach lives in the AI governance and inventory resource.)

  2. Test for adverse impact — under privilege, before you deploy.

    A facially neutral tool can still select candidates in a way that disadvantages a protected group; that is disparate impact, and it does not require any intent to discriminate. Run a validation and adverse-impact analysis before go-live, structured through counsel so that, where it holds, privilege cannot be retrofitted after a problem surfaces. Routing the work through counsel can support a claim of privilege, but that protection is fact-dependent and frequently contested — especially where the same analysis also serves a business or compliance purpose — so confirm the approach with litigation counsel. Many teams find it useful to set a re-testing cadence, because models drift as they ingest new data and as the applicant pool changes. The selection rate that matters is the one produced by the version you are actually running.

  3. Build the ADA accommodation path before the first candidate needs it.

    Timed tests, video and voice analysis, and gamified assessments can disadvantage applicants with disabilities — a vision, motor, speech, or cognitive impairment may depress a score for reasons that have nothing to do with the job. Provide an accessible alternative and a plainly stated, easy-to-use route to request an accommodation, staffed by someone who can actually grant one. Tools that purport to infer health, disability, or emotional state from face or voice deserve particular scrutiny; they can stray toward a prohibited medical inquiry and tend to be the hardest to validate. EEOC guidance has addressed AI and algorithmic tools in this area — confirm the current version and its standing before relying on it.

  4. Check age and the other protected traits, not just the headline ones.

    Adverse-impact exposure is not limited to race and sex. Tools trained on an existing workforce can encode age, and proxies — graduation year, “digital native” signals, continuous-employment gaps that track caregiving or disability — can disfavor older applicants, women, and others without ever naming the trait. Include age (40+) and the full set of protected characteristics in the analysis under Step 2, and watch for features that operate as stand-ins for a protected status.

  5. Map the notice, audit, and transparency rules that may reach you.

    A growing patchwork of state and local law imposes bias-audit, notice, or disclosure obligations on automated employment decision tools. These vary sharply, carry different definitions of what is even covered, and change quickly — so the task is to identify which regimes plausibly apply given where your candidates and operations sit, then confirm the current particulars with counsel rather than assuming a single national standard.

    Example regime (confirm current status)General thrust — verify scope and effective date
    NYC Local Law 144Has been described as requiring a bias audit of automated employment decision tools and notice to candidates. Confirm coverage, audit specifics, and enforcement posture before relying on it.
    Illinois AI Video Interview Act (and BIPA)Associated with notice, consent, and limits around AI analysis of video interviews; BIPA separately governs biometric data such as face or voice prints. Confirm what triggers each and how they interact.
    Colorado AI Act and other states and localitiesBroader AI-in-hiring transparency and impact obligations are emerging in additional jurisdictions. Treat the map as shifting and re-check before each deployment.

    None of the above should be read as a statement that a given law is currently in effect, applies to you, or carries a particular threshold. It is a prompt to look.

  6. Do the vendor diligence — you cannot outsource the liability.

    Procurement language about “bias-free” or “EEOC-compliant” AI is marketing, not a defense. The point of diligence is to get the evidence and the contractual cooperation you will need if a tool is ever challenged. Work the following before signing, and pair it with the AI vendor contract checklist for the deal terms.

  7. Keep a human in the loop — and a record of why.

    Document a job-related business justification for using the tool at all, and ensure a person with authority and information makes or meaningfully reviews the decision rather than rubber-stamping a score. Retain the inputs, the outputs, and the basis for each decision — the same records that prove a defensible process also satisfy recordkeeping duties and let you reconstruct what happened if a candidate complains. A score no one can explain is not a decision you can defend.

The point

The EEOC and plaintiffs pursue the employer, not the vendor — so the adverse-impact analysis and the accommodation path have to exist before deployment, not after the first charge. By the time a complaint arrives, the tool has already made the decisions you will be answering for, and the only file you have is the one you built in advance.