An AI system reads the morning's new applications, scores each one against the role, and hands a recruiter a shortlist. For jobs nobody applied to, it goes out into the wider market, finds plausible candidates, and suggests who to reach first. Work that used to fill a recruiter's whole day is done before their coffee has gone cold. The capability is real, and in hiring it is already everywhere.
What is far less settled is everything sitting behind that shortlist. These tools shipped fast, and the law is only now catching up. As the implications come into focus, a lot of companies are asking a harder question than "does it work?" They are asking whether an AI system should be shaping hiring decisions in a regulated process at all.
However the technology gets built, in-house or licensed from a vendor, the compliance responsibility lands in one place: with the company doing the hiring. If a decision turns out to be discriminatory, it is the employer who answers for it, not the tool and not the vendor who sold it. So compliance here is not a finishing touch you add at the end. In a regulated domain, it is part of the foundation you build on.
So we want to walk through the state laws as they stand today, and what each one actually asks of a company using AI to hire. The specifics below are about recruiting, but the shape of the problem (enforce the rules, keep the record, and prove fairness) shows up anywhere AI touches a regulated decision.
The whole point of AI in hiring is speed. Staying compliant is what keeps that speed from turning into liability.
The structure
Governance has two parts
Two things have to be true at once, and they are easy to run together in your head. Pulling them apart is the first useful step.
The first is enforcement. Every action the AI system takes passes through a control layer before it lands. That layer checks that the required disclosures are posted, blocks an evaluation that looks biased, and holds the system to its usage limits, all while keeping a running record of what it allowed. It runs continuously, inside the environment where the system operates, and the employer owns it (or a vendor the employer pays to run it).
The second is the audit. This is an independent look at whether the outcomes actually discriminate. It happens on a schedule, it measures results across groups, and, this is the part that matters, it has to be carried out by an outside party.
New York City's Local Law 144 makes that separation explicit. The bias audit has to come from an independent auditor with no financial stake in the tool. In other words, the vendor running your enforcement layer cannot also be the one grading it.
Control layer
Enforces policy in real time, on every AI transaction.
- Continuous, proactive enforcement
- Runs inside the company's perimeter
- Allows, blocks, meters, records
- Operated by the company or its vendor
Independent audit
Examines the outcomes afterward to verify fairness.
- Detailed examination of outcomes
- Combines demographic data with the AI's decisions
- Tests for unequal outcomes across groups
- Conducted by an independent third party
Controls reduce risk. Audits establish trust.
Two lines of defense, in sequence. The control layer prevents problems in real time; an independent, third-party audit verifies the outcomes afterward.
The obligations
What the laws require
- New York — independent bias audit & candidate notice (NYC Local Law 144)
- Illinois — discriminatory-effect ban; AI-use notice (HB 3773 / Human Rights Act)
- California — anti-bias testing & recordkeeping duties (FEHA automated-decision rules)
- Texas — ban on AI used to intentionally discriminate (TRAIGA)
- Connecticut — pre-decision disclosure (AI Responsibility & Transparency Act, from 2026)
- Colorado — disclosure & transparency duties (revised Colorado AI Act, 2027)
Where the rules apply. Six states now regulate AI in hiring: four in force today (darker), and two enacted and phasing in (lighter).
Under Local Law 144, a New York employer using an automated hiring tool carries three obligations. Commission an independent bias audit, post a plain-language summary of what it found, and give each candidate at least ten business days' notice before the tool is used on them.
Connecticut layers disclosure on top of that. Its Artificial Intelligence Responsibility and Transparency Act, signed in 2026, says that before a decision gets made, the employer has to tell the candidate that an AI tool is in the loop, what it does, and what data it leans on.
Illinois and Texas disagree on the thing that matters most: what counts as a violation in the first place. Illinois, through the Human Rights Act amendment that took effect in January 2026, treats a discriminatory effect as a violation on its own. Intent is beside the point. Texas went the other way. Its Responsible Artificial Intelligence Governance Act, also effective January 2026, asks for intent. It bans AI used with the intent to discriminate, and it states plainly that a skewed outcome, by itself, is not a violation.
A hiring model that passes the intent test in Texas can still fail the effect test in Illinois. Same model, same outputs, two verdicts.
That gap is not academic. Run one model across both states and you can be clean in Austin and exposed in Chicago on the same afternoon, with nothing about the model having changed. The law changed underneath it.
And the ground keeps moving. Illinois published draft notice rules in May 2026, then withdrew them a few weeks later, though the statute itself stayed in force. Connecticut's regime phases in over 2026, and Colorado's revised AI Act is set to follow in 2027. California's fair-employment regulators have folded automated decision systems into anti-bias testing and recordkeeping duties. A compliance posture built to satisfy the letter of one rule, on one date, in one state, will not survive contact with the next quarter. That is the real argument for treating enforcement as something that runs every day, rather than something you certify once and file in a drawer.
Where Meilynx fits. We built Meilynx for the first line of defense, and for the evidence the second line runs on. The proxy sits inline in front of every governed AI call (one environment variable, no application rewrite) and enforces policy as code on the way in and the way out: disclosures posted, usage limits honored, evaluations that trip a rule stopped before they take effect. Every request, every response, and every enforcement decision is written to a tamper-evident, hash-chained audit log inside your own perimeter, where an independent auditor can verify it. We are deliberately not the bias auditor, because the law says that party has to be someone else, and we happen to think that separation is the right one. What we give you is the enforcement layer that keeps the record honest, plus a record an examiner can actually trust. From prompt to auditor, one chain.
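The hash-chained audit log described above, sketched as an added example (not Meilynx's code or log format): each enforcement decision is hashed together with the previous entry's hash, and the auditor's check reports the first entry that fails. The record fields, the all-zero genesis value and the `expected_head` parameter are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor value that the first entry links to


def digest(prev_hash, seq, body):
    # Canonical JSON so the same record always serialises to the same bytes.
    canonical = json.dumps({"seq": seq, "body": body},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(log, body):
    """Append one enforcement decision, linked to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev": prev_hash, "body": body,
             "hash": digest(prev_hash, seq, body)}
    log.append(entry)
    return entry


def verify(log, expected_head=None):
    """Return the index of the first bad entry, or -1 if the chain is intact.

    expected_head is the latest hash the auditor recorded out of band; it is
    what exposes a truncated tail or a chain rebuilt after an edit.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        recomputed = digest(prev_hash, entry["seq"], entry["body"])
        if (entry["seq"] != i or entry["prev"] != prev_hash
                or entry["hash"] != recomputed):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)  # internally consistent, but not the log the auditor anchored
    return -1


def sample_log():
    # Constructed sample decisions; the field names are illustrative only.
    log = []
    append(log, {"candidate": "c-101", "rule": "notice_posted", "decision": "allow"})
    append(log, {"candidate": "c-102", "rule": "notice_posted", "decision": "block"})
    append(log, {"candidate": "c-103", "rule": "usage_limit", "decision": "allow"})
    return log
```

An unkeyed chain can be recomputed by anyone with write access to the log, so the auditor has to hold the head hash somewhere the operator cannot change; `expected_head` models that check.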
Frequently asked
Who has to run the bias audit under NYC Local Law 144?
An independent auditor with no financial interest in the automated hiring tool, the vendor that supplied it, or the employer using it. The point of the independence requirement is that the party checking for discriminatory outcomes cannot be the same party that built or operates the tool. Practically, that means the vendor running your real-time enforcement cannot also sign off on your annual bias audit.
What is the difference between the Illinois and Texas AI hiring laws?
They define a violation differently. Illinois, under its Human Rights Act amendment (effective January 2026), treats a discriminatory effect as a violation on its own, regardless of intent. Texas, under its Responsible Artificial Intelligence Governance Act (also effective January 2026), requires intent to discriminate and states that a skewed outcome by itself is not a violation. A model can clear the Texas standard and still breach the stricter Illinois one.
Does the law still apply if the AI tool was built by a third-party vendor?
Yes. Whether the system is built in-house or licensed from a vendor, the compliance responsibility, and the legal exposure for a discriminatory decision, stays with the employer doing the hiring. Buying the tool from someone else does not transfer the obligation.
Why isn't a point-in-time compliance check enough for AI hiring?
Because the obligations are continuous and the rules keep changing. Disclosure duties, notice windows, and the intent-versus-effect line differ by state and are still being revised, and a single model can be compliant in one state and exposed in another on the same day. Enforcement that runs on every transaction, plus a continuous audit record, is what answers "show us it ran," rather than "show us it was configured once."