Skip to content
Playbook
AdvancedPillarHRPeopleOpsCEO

AI governance in HR: the EU AI Act, NYC Local Law 144, and the Colorado AI Act compared

The three regulatory regimes every HR team using AI must navigate in 2026 — EU AI Act, NYC Local Law 144, Colorado AI Act — with what each requires, when, and…

18 min read
On this page
60-Second Summary
  • Three regimes, three philosophies. EU AI Act: risk-based, prohibits some uses, heavily regulates HR AI as 'high-risk'. NYC LL 144: narrow but specific — bias audits for AEDTs in hiring/promotion. Colorado AI Act: economy-wide, takes effect Feb 1, 2026, requires reasonable care to prevent algorithmic discrimination.
  • Common floor: bias audit, candidate notice, human-in-the-loop, documented impact assessment, vendor accountability. Build to this floor and you cover ~80% of all three.
  • EU AI Act enforcement on HR systems begins August 2, 2026 (24 months after entry into force). Full penalties up to EUR 35M or 7% global turnover.
  • NYC LL 144 has been live since July 2023. Penalty up to USD 1,500 per violation per day. Most employers under-comply because the bias audit must be done by an independent auditor.
  • Colorado AI Act (SB 24-205) is the first US state-level economy-wide AI law — covers any 'consequential decision' including employment. Effective Feb 1, 2026; private right of action removed in 2024 amendments.

Three jurisdictions wrote three different AI laws. For HR teams using AI in hiring, promotion, performance, or termination, all three may apply at once. This guide compares them and gives you the compliance floor that covers all three.

Scope note

This article is the comparison and operating guide. For the full EU AI Act deep dive — high-risk classification, technical documentation, conformity assessment — see the EU AI Act for HR article in the AI & Future of HR Work category.

Why this matters in 2026

Until 2023, AI in HR was essentially unregulated outside general anti-discrimination law. In 2024–2026 that changed: NYC's bias audit law went live (July 2023), the EU AI Act entered into force (Aug 1, 2024, with HR provisions applying Aug 2, 2026), and Colorado passed the first US state-level economy-wide AI law (effective Feb 1, 2026). At least 15 other US states have similar bills in progress.

1. EU AI Act (high-risk HR systems)

What the EU AI Act says about HR AI
  1. 1
    Classification
    AI used for recruitment, candidate evaluation, promotion/termination decisions, work allocation, and performance/behaviour monitoring is 'high-risk' (Annex III). This is the bulk of HR AI.
  2. 2
    Provider obligations
    Risk management system, data governance (training data quality, bias mitigation), technical documentation, transparency, human oversight, accuracy/robustness, post-market monitoring, conformity assessment with CE marking.
  3. 3
    Deployer (employer) obligations
    Use according to instructions, ensure human oversight by competent staff, inform workers and representatives before deployment, monitor and log, conduct fundamental rights impact assessment for public-sector/critical deployers.
  4. 4
    Timeline
    Entered into force Aug 1, 2024. Prohibited practices: Feb 2, 2025. GPAI rules: Aug 2, 2025. High-risk obligations (including HR): Aug 2, 2026. Legacy systems in operation before Aug 2, 2026 get until Aug 2, 2027 to comply.
  5. 5
    Penalties
    Up to EUR 35M or 7% of global annual turnover (whichever is higher) for prohibited practices; up to EUR 15M or 3% for high-risk non-compliance.

2. NYC Local Law 144 (AEDT bias audits)

What NYC LL 144 actually requires
  1. 1
    Scope
    Any 'Automated Employment Decision Tool' (AEDT) used to substantially assist or replace discretionary decisions in hiring or promotion for positions in NYC — even for remote roles tied to a NYC office.
  2. 2
    Bias audit
    Annual, by an independent auditor (not the vendor, not internal staff). Calculates selection rate and impact ratio across sex, race/ethnicity, and intersectional categories. Results must be published on the employer's website before use.
  3. 3
    Notice to candidates
    At least 10 business days before use of the AEDT, notify candidates: that an AEDT will be used, the job qualifications/characteristics it assesses, and the data types collected. Provide an alternative selection process if requested.
  4. 4
    Vendor reality
    Most ATS / video-interview / assessment vendors now provide pre-packaged bias audits. They are insufficient — the law requires the audit to reflect the actual user's data, not generic vendor benchmarks.
  5. 5
    Penalties
    USD 500 first violation, USD 500–1,500 per subsequent violation, per day. DCWP enforces; class actions also possible under NYCHRL.
The audit gotcha

Most employers using a vendor 'bias audit' are non-compliant. The audit must reflect *your* candidate data within the last 12 months, conducted by an auditor with no material business relationship to the vendor. If your AEDT vendor provided the auditor, the audit is likely invalid.

3. Colorado AI Act (SB 24-205)

What Colorado SB 24-205 actually requires
  1. 1
    Scope
    Any 'high-risk AI system' used in 'consequential decisions' — including employment, housing, insurance, healthcare, lending, legal services, education, government services. The first US state law to regulate AI economy-wide.
  2. 2
    Reasonable care standard
    Developers and deployers must use 'reasonable care' to protect consumers from any known or reasonably foreseeable risk of algorithmic discrimination.
  3. 3
    Employer obligations (deployer)
    Risk management policy, annual impact assessments, notice to affected individuals (including right to appeal adverse decisions and request human review for employment decisions), notice to Attorney General of discovered algorithmic discrimination within 90 days.
  4. 4
    Affirmative defense
    Compliance with NIST AI Risk Management Framework or a comparable framework creates a rebuttable presumption of reasonable care — making NIST AI RMF the de-facto US standard.
  5. 5
    Timeline & enforcement
    Effective Feb 1, 2026. Enforcement exclusively by Colorado AG (no private right of action after 2024 amendments). Penalties under the Colorado Consumer Protection Act — up to USD 20,000 per violation.

The common compliance floor

All three regimes converge on a small set of practices. Build to this floor and you cover the substance of all three, plus most pending state bills (Texas, California, New Jersey, Connecticut, Illinois).

RequirementEU AI ActNYC LL 144Colorado AI Act
AI inventory of HR toolsRequired (risk-mgmt system)Required (must identify AEDTs)Required (impact assessment)
Bias / impact auditRequired (in conformity assessment)Required annually by independent auditorRequired annually (impact assessment)
Candidate / employee noticeRequired (transparency obligation)Required ≥10 business days before useRequired (with appeal right)
Human oversight in decisionRequired (Art. 14)Implicit (AEDT must 'substantially assist or replace')Required for adverse employment decisions
Vendor / developer documentationRequired (technical docs)Required (auditor needs vendor data)Required (developer must provide info)
Logging & post-market monitoringRequired (Arts. 12, 72)Implicit in annual audit refreshRequired (continuous monitoring)
Notification to regulator on discovered harmSerious incident reporting (Art. 73)Not specifiedRequired within 90 days to AG

Implementation: a 90-day plan

  1. Days 1–15: Build the AI HR inventory. Every tool used in sourcing, screening, interviewing, scoring, scheduling, onboarding, performance, comp recommendations, or termination — including features added to existing tools (e.g. LinkedIn AI Recruiter, Greenhouse AI screening).
  2. Days 16–30: For each tool, classify under each regime: EU high-risk? NYC AEDT? Colorado consequential decision? Where applicable in all three.
  3. Days 31–45: Commission independent bias audits for any NYC AEDT. Begin EU AI Act conformity work with vendors. Draft Colorado-style impact assessment template aligned to NIST AI RMF.
  4. Days 46–60: Publish bias audit summaries on website. Update candidate communications (notice ≥10 business days for NYC). Set up alternative process intake.
  5. Days 61–75: Train hiring teams and managers on human-oversight obligations. Document who has authority to override AI recommendations. Set logging requirements with each vendor.
  6. Days 76–90: Establish quarterly governance review (AI HR Council with HR, Legal, IT, DEI, Data). Pre-set the impact-assessment refresh cycle (annually + on material change).

FAQ

Frequently asked questions

We're a US company with no NYC office — does LL 144 apply?

Only if you hire for positions located in NYC or remote positions tied to a NYC office. Otherwise, no. But pay attention to similar bills in California (SB 7), Illinois (HB 3773), and New Jersey (A 3854) which expand the model.

Is using ChatGPT to draft a job description regulated?

Drafting JDs is not 'consequential' under any of the three. But using GPT to screen resumes, score candidates, or recommend hire/no-hire decisions is — and many companies casually doing the latter haven't realised they're now in scope.

Who's responsible — us or the vendor?

Both, but differently. Vendors (providers/developers) have technical and documentation obligations. Employers (deployers) have use-time obligations: oversight, notice, monitoring, impact assessment. You can't outsource employer obligations to the vendor.

Are open-source LLMs exempt?

Under the EU AI Act, open-source GPAI models have lighter obligations than commercial GPAI — but if you fine-tune or deploy them for a high-risk HR use, the high-risk obligations attach to you as the deployer regardless.

Written by Pawan Joshi.Sources cited inline.
First published 15 Jun 2026See site changelog →