With states leading the charge to regulate AI-powered hiring tools, here’s how HR leaders can mitigate risk and ensure compliance. 

By Stefanie Camfield and Michael Scott

AI promises big gains in workplace performance and efficiency, but as states roll out new laws, employers must strike a careful balance between innovation and compliance. Most of the regulations being passed at the state level seek to prevent employment discrimination based upon bias produced by generative AI algorithms. This focus on discrimination is especially relevant because one of the most common workplace applications of AI is through automated employment decision tools (AEDTs).  

One of the main ways employers leverage AI in the workplace is by using an AEDT such as a resume reviewer to assist with selecting candidates during the hiring process. When using an AEDT, it’s important to understand the training data that was used to develop each tool. If the training data does not contain data from diverse populations, then the model will likely exclude people based on protected statuses like age, race, and sex. This will influence any outputs produced by the AEDT which could result in discriminatory action by employees making decisions based upon these tools. 

State Regulations 

Even with these known risks, the use of AI in the workplace is not a field of heavy regulation at the moment. Earlier this year, employers took note that the EEOC and DOL withdrew guidance addressing AI. Although federal anti-discrimination laws still arguably prohibit discrimination resulting from AI, states are leading the way when it comes to regulating the use of AI tools for employment purposes. This means that HR leaders must be prepared to know how to leverage AI in the workplace while also navigating an increasingly complex field of regulations being enacted by different states.  

All but three states have proposed or enacted laws that regulate the use of AI in the workplace. Current state/local regulations employers should be aware of include the following. 

  • California: Starting Oct. 1, 2025, employers are prohibited from algorithmic discrimination using automated employment decision tools. 
  • Illinois: Starting Jan. 1, 2026, the Illinois Human Rights Act prohibits the use of AI that results in discrimination based on protected characteristics. Additionally, the Artificial Intelligence Video Interview Act requires employers that use AI-enabled assessments of video interviews to notify and obtain the consent of applicants. 
  • Texas: Starting Jan. 1, 2026, employers are prohibited from using AI systems that intentionally discriminate against protected classes. 
  • Colorado: Starting on Feb. 1, 2026, employers are prohibited from using AI systems that generate algorithmic discrimination. 
  • New Jersey: The New Jersey Division on Civil Rights clarified that the New Jersey Law Against Discrimination prohibits algorithmic discrimination resulting from AI tools. 
  • New York City: Prohibits the use of automated employment decision tools unless employers conduct regular bias audits and provide required notices. 
  • Utah: AI Policy Act created the Office of Artificial Intelligence Policy and requires disclosure of the use of generative AI in certain situations with administrative penalties for failure to comply.  

While the states share similarity in the conduct they are trying to regulate, the approaches are often very disparate. Comparing the legislation passed in Colorado and Texas (more below) demonstrates the difficulty multi-state employers face when attempting to comply with a patchwork of state regulations. 

Comparing Colorado and Texas 

The Colorado AI Act takes a very broad approach with extensive obligations on both developers and deployers of AI systems. The term “deployer” refers to users of AI systems which includes employers. Employers using AI are required to use reasonable care to protect from known or reasonably foreseeable risks of AI discrimination. Most importantly, the law appears to allow individuals impacted by violations to file private rights of action against employers for violations under Colorado’s Consumer Protection Act (CPA). The CPA allows for the collection of damages as well as attorney’s fees and costs. To reduce the risks associated with deploying AI systems, businesses must implement risk-management policies and programs, complete annual impact assessments, and provide notices to employees and Colorado’s Attorney General. Employers must also allow employees to challenge adverse decisions based on AI.  

The Texas Responsible AI Governance Act (the “Act”), on the other hand, takes a more limited approach to regulating AI systems and does not allow for individuals to file private rights of action. Under the Act, employers are prohibited from using AI systems with the intent of unlawful discrimination of a protected class. Individuals must prove actual intent and not just disparate or negative impact on a particular group. Proving intent will likely be a difficult task, but employers should still be careful about how they employ AI systems for employment decisions. Employers that receive a notice of violation have 60 days to fix the violation before enforcement action is taken. Businesses can reduce liability by employing testing procedures, following state agency guidelines, or conducting an internal review process. 

Mitigating Risks Associated with Use of AI 

To avoid liability, employers must carefully leverage AI tools in a way that complies with the patchwork of state regulations. Employers can proactively implement some of the of the following best practices for using AI tools to protect themselves from potential claims related to AI use.  

  • The employer’s position on the use of AI in the workplace should be stated clearly in either the handbook or a separate written policy. 
  • Organizations should pre-approve specific AI tools before use in the workplace and be transparent with employees about when and how AI is being used.  
  • Employees should be trained on how to use AI at work, with a focus on making sure people, not just machines, make the final decisions, and on how to prevent AI from being used to discriminate against others. 
  • Employees should be trained on using AI in the workplace, including an emphasis on human decision-making and how to avoid implementing it in a discriminatory manner.  
  • Conducting regular bias audits is a must. It’s important to make sure that the AEDT is not discriminating against a specific group of people when it’s making decisions. 

Businesses looking for more formalized guidance can reference the AI Risk Management Framework (RMF) developed by the National Institute of Standards and Technology (NIST). The NIST worked with public and private interests to create a nationally recognized framework for managing the risks associated with AI. Both Colorado and Texas reference the RMF as a resource for mitigating the risks associated with implementing AI. The biggest drawback to the RMF is that it is extensive, technical, and somewhat difficult for the average business owner to understand, much less implement. Similar to cybersecurity, businesses that plan to implement a widespread use of AI systems should work with an expert to assist them with developing compliant policies and practices. 

The spread of AI across workplaces should be seen as a transformation on par with the internet’s arrival. It represents numerous quickly evolving technologies which will continue to develop and expand in use over the next few years. This will likely result in continued attempts by states to regulate the use of AI. As a result, organizations should constantly be on the lookout for newly passed or pending laws in their respective states.  

Stefanie Camfield is associate general counsel and director of HR services for Engage PEO. Michael Scott is a law clerk with Engage PEO.  

Shares: