AI in Hiring: Evolving Legal Risks Under State and Federal Law
Employers are increasingly integrating artificial intelligence (AI) into the hiring process, deploying AI hiring tools across multiple stages of the employment funnel, including to manage application volume. Common AI hiring tools include: (1) passive recruiting technology to identify qualified candidates and invite them to apply to open positions; (2) resume scanners to rank or otherwise identify the best qualified applicants within the larger pool; and (3) asynchronous video interview programs that schedule interviews and allow applicants to complete the interview whenever they are available.
These tools promise efficiency, but they also raise potential legal risks related to disparate impact discrimination and compliance with other legal requirements when automated systems influence employment outcomes. Companies face a rising tide of new state laws addressing AI in hiring, and must still be sure to comply with antidiscrimination and privacy obligations under long-standing federal laws that apply to AI tools just as they do to any hiring tools. Use of these technologies is also ripe for novel lawsuits, raising litigation risks for employers.
Below we lay out key state, local, and federal approaches to regulating AI in hiring and provide practical guidance for employers to navigate and manage growing risk in this area.
Emerging State and Local Requirements
The use of AI in hiring has been a consistent area of focus for state and local policymakers. Early AI-specific laws focused on the hiring use case, including the Illinois Artificial Intelligence in Video Interview Act, enacted in 2020, which requires the consent of an applicant prior to use of the AI video system for a hiring purpose, and New York City Local Law 144, effective in 2023, which prohibits employers and employment agencies from using “automated employment decision tools” for hiring or promotion in New York City unless the tool has passed an independent bias audit within the last year.
That trend is continuing with several recent examples of states adding new requirements for AI in hiring. For example:
- In the fall of 2025, California finalized its Automated Decision-Making Technology (ADMT) rules under the California Consumer Privacy Act (CCPA). The new ADMT rules, which will take effect on January 1, 2027, will apply to CCPA-covered businesses that use ADMT—defined broadly as technology that replaces or substantially replaces human decision-making in processing personal data—for “significant decisions,” including decisions that result in the denial or provision of employment or independent contracting opportunities or compensation. Where applicable, the new rules will require businesses to provide pre-use notice, as well as offer the right to opt out of the use of ADMT and the right to access certain information about the ADMT. In addition to the ADMT rules, California also has adopted Privacy Risk Assessment rules that are triggered for CCPA-covered businesses, in part, when ADMT is used for a significant decision concerning a consumer. Those rules took effect on January 1, 2026, and have variable compliance deadlines depending on when covered processing began.
- Colorado recently repealed and replaced the previously enacted Colorado AI Act. The new law regulates ADMT, defined broadly as technology used to process personal data to “make, guide, or assist” a “consequential decision,” including decisions that relate to an individual’s “access to, eligibility for, or compensation related to” employment. Among other requirements, the law will require employers, where applicable, to provide a description of the ADMT’s role in making an adverse consequential decision within 30 days of such decision, supply an opportunity for human review of such decision, and allow for requests for corrections to factually incorrect personal data used by the ADMT. The new law is set to take effect on January 1, 2027, and the Colorado Attorney General is required to issue rules on various requirements by that date.
- Connecticut recently passed broad legislation regulating AI across multiple domains including “automated employment-related processes,” defined as “a computational process that generates an output, including but not limited to, any constraint, rank, score, recommendation or classification that (i) affects the outcome of an employment-related decision, and (ii) is not a de minimis factor that is relied upon in making, or in determining the material terms of, an employment-related decision.” Employers that use AEDPs will be required to disclose in plain language that an individual is interacting with an AEDP, and to provide written notice describing the use of the AEDP, its purpose, the nature of the decision, and a means to opt out of personal data processing before the tool is permitted to “affect the outcome of” or be “relied upon in making” an employment-related decision. The legislation also amends the state’s employment discrimination law to cover the use of AEDPs that have a discriminatory effect, directing courts and state authorities to “consider any evidence, or lack of evidence, of anti-bias testing or similar proactive efforts.” Once signed into law, the employment-related compliance obligations will take effect on October 1, 2027.
- Illinois amended its Human Rights Act to require employers, as of January 1, 2026, to notify applicants and/or employees that AI will be used for hiring, recruitment, and other employment decisions. The law additionally makes it explicit that discrimination through AI tools is unlawful.
- In late fall 2025, New Jersey adopted regulations reinforcing the New Jersey Law Against Discrimination’s prohibition on employment practices or policies that have a disparate impact on protected groups, even in the absence of discriminatory intent. The regulations specifically address employment decisions made using “automated employment decision tools,” defined in a manner similar to the ADMT concept under Connecticut law, but limited to tools used in the employment context. Although the rules do not impose new substantive requirements on employers, they clarify that impacted individuals, designated government officials, and organizations may bring claims alleging disparate impact discrimination.
Importantly, these new AI-specific requirements operate alongside—rather than replace—existing antidiscrimination and other laws that have long governed employers’ practices.
Federal Requirements and Litigation Risks
In addition to developments at the state level, employers remain obligated under federal civil rights laws like Title VII of the Civil Rights Act of 1964 to avoid using AI tools in a way that discriminates against applicants and employees.
An ongoing case, Mobley v. Workday, Inc., illustrates how courts are adapting traditional employment statutes to AI-driven hiring tools. In Mobley, plaintiffs allege that Workday’s resume-screening system disproportionately excluded older applicants and other protected groups. A federal court allowed claims under the Age Discrimination in Employment Act (ADEA) and Title VII to proceed, concluding that a vendor may qualify as an “agent” where it performs delegated hiring functions. While the case is still being litigated, it emphasizes that automation of hiring through AI tools does not eliminate accountability, and the theory of liability applied to Workday as the vendor could also apply to Workday’s clients (i.e., employers using the software).
Another case, Kistler et al. v. Eightfold AI Inc., illustrates how the use of AI tools may be alleged to implicate statutes like the Fair Credit Reporting Act (FCRA). In Kistler, the plaintiff job applicants allege that an AI-powered hiring platform, Eightfold AI, processes personal data gathered from various sources—including social media profiles, location information, internet and device tracking data, and data derived from online cookies—to build profiles and generate predictions about applicants, such as their “likelihood of success” in a role. The complaint contends that—due to this conduct—Eightfold AI is acting as a “consumer reporting agency” under the FCRA, without meeting the requirements of that statute, including certain notice and dispute resolution requirements. Although the case remains in its early stages, it and similar litigation that may arise underscore the importance for employers of evaluating how their AI hiring tools operate, what data is collected and retained, and what existing laws govern the use of these systems.
Practical Steps for Employers
Employers should take the time now to reassess AI governance across the hiring lifecycle to ensure an enterprise-level governance approach that accounts for existing and expanding legal risks. Employers should consider the following steps, as applicable and feasible, to help operationalize compliance:
- Conduct an AI Tool Audit. Inventory tools that screen, score, rank, or otherwise influence hiring decisions—including embedded vendor technologies within broader HR platforms.
- Strengthen Vendor Due Diligence. Obtain and evaluate vendor information regarding training data, bias testing, explainability, and contractual risk allocation, particularly as courts increasingly scrutinize delegated decision-making.
- Establish Meaningful Human Oversight. Identify and implement clear intervention points requiring substantive human review of automated outputs, which may include rejections, borderline assessments, and appeals.
- Conduct and Document Risk Assessments and Monitoring. Conduct and maintain records of impact assessments/bias testing.
- Update Policies and Applicant Communications. Review and revise internal policies and external notices to ensure disclosures are clear, front-loaded, and aligned with evolving state law requirements. It must be clear to applicants and employees that they may seek reasonable accommodations as necessary for AI tools used in hiring that could disadvantage them in the hiring process due to disabilities.
- Maintain Documentation. Maintain records of legally required disclosures and other documentation required by statute or regulation.
- Integrate AI Governance with Broader Compliance Programs. Embed AI governance within existing privacy, cybersecurity, recordkeeping, and third-party risk management frameworks to ensure consistent oversight.
Employers should view this moment as an opportunity to build defensible, responsible AI systems that withstand both regulatory scrutiny and judicial review. Organizations that proactively audit their hiring tools, strengthen governance, and integrate meaningful human oversight will be best positioned to navigate this evolving landscape—and to realize the benefits of AI without inheriting its risks.
