AI governance in HR: the EU AI Act, NYC Local Law 144, and the Colorado AI Act compared
The three regulatory regimes every HR team using AI must navigate in 2026 — EU AI Act, NYC Local Law 144, Colorado AI Act — with what each requires, when, and…
On this page▾
- Three regimes, three philosophies. EU AI Act: risk-based, prohibits some uses, heavily regulates HR AI as 'high-risk'. NYC LL 144: narrow but specific — bias audits for AEDTs in hiring/promotion. Colorado AI Act: economy-wide, takes effect Feb 1, 2026, requires reasonable care to prevent algorithmic discrimination.
- Common floor: bias audit, candidate notice, human-in-the-loop, documented impact assessment, vendor accountability. Build to this floor and you cover ~80% of all three.
- EU AI Act enforcement on HR systems begins August 2, 2026 (24 months after entry into force). Full penalties up to EUR 35M or 7% global turnover.
- NYC LL 144 has been live since July 2023. Penalty up to USD 1,500 per violation per day. Most employers under-comply because the bias audit must be done by an independent auditor.
- Colorado AI Act (SB 24-205) is the first US state-level economy-wide AI law — covers any 'consequential decision' including employment. Effective Feb 1, 2026; private right of action removed in 2024 amendments.
Three jurisdictions wrote three different AI laws. For HR teams using AI in hiring, promotion, performance, or termination, all three may apply at once. This guide compares them and gives you the compliance floor that covers all three.
This article is the comparison and operating guide. For the full EU AI Act deep dive — high-risk classification, technical documentation, conformity assessment — see the EU AI Act for HR article in the AI & Future of HR Work category.
Why this matters in 2026
Until 2023, AI in HR was essentially unregulated outside general anti-discrimination law. In 2024–2026 that changed: NYC's bias audit law went live (July 2023), the EU AI Act entered into force (Aug 1, 2024, with HR provisions applying Aug 2, 2026), and Colorado passed the first US state-level economy-wide AI law (effective Feb 1, 2026). At least 15 other US states have similar bills in progress.
1. EU AI Act (high-risk HR systems)
- 1ClassificationAI used for recruitment, candidate evaluation, promotion/termination decisions, work allocation, and performance/behaviour monitoring is 'high-risk' (Annex III). This is the bulk of HR AI.
- 2Provider obligationsRisk management system, data governance (training data quality, bias mitigation), technical documentation, transparency, human oversight, accuracy/robustness, post-market monitoring, conformity assessment with CE marking.
- 3Deployer (employer) obligationsUse according to instructions, ensure human oversight by competent staff, inform workers and representatives before deployment, monitor and log, conduct fundamental rights impact assessment for public-sector/critical deployers.
- 4TimelineEntered into force Aug 1, 2024. Prohibited practices: Feb 2, 2025. GPAI rules: Aug 2, 2025. High-risk obligations (including HR): Aug 2, 2026. Legacy systems in operation before Aug 2, 2026 get until Aug 2, 2027 to comply.
- 5PenaltiesUp to EUR 35M or 7% of global annual turnover (whichever is higher) for prohibited practices; up to EUR 15M or 3% for high-risk non-compliance.
2. NYC Local Law 144 (AEDT bias audits)
- 1ScopeAny 'Automated Employment Decision Tool' (AEDT) used to substantially assist or replace discretionary decisions in hiring or promotion for positions in NYC — even for remote roles tied to a NYC office.
- 2Bias auditAnnual, by an independent auditor (not the vendor, not internal staff). Calculates selection rate and impact ratio across sex, race/ethnicity, and intersectional categories. Results must be published on the employer's website before use.
- 3Notice to candidatesAt least 10 business days before use of the AEDT, notify candidates: that an AEDT will be used, the job qualifications/characteristics it assesses, and the data types collected. Provide an alternative selection process if requested.
- 4Vendor realityMost ATS / video-interview / assessment vendors now provide pre-packaged bias audits. They are insufficient — the law requires the audit to reflect the actual user's data, not generic vendor benchmarks.
- 5PenaltiesUSD 500 first violation, USD 500–1,500 per subsequent violation, per day. DCWP enforces; class actions also possible under NYCHRL.
Most employers using a vendor 'bias audit' are non-compliant. The audit must reflect *your* candidate data within the last 12 months, conducted by an auditor with no material business relationship to the vendor. If your AEDT vendor provided the auditor, the audit is likely invalid.
3. Colorado AI Act (SB 24-205)
- 1ScopeAny 'high-risk AI system' used in 'consequential decisions' — including employment, housing, insurance, healthcare, lending, legal services, education, government services. The first US state law to regulate AI economy-wide.
- 2Reasonable care standardDevelopers and deployers must use 'reasonable care' to protect consumers from any known or reasonably foreseeable risk of algorithmic discrimination.
- 3Employer obligations (deployer)Risk management policy, annual impact assessments, notice to affected individuals (including right to appeal adverse decisions and request human review for employment decisions), notice to Attorney General of discovered algorithmic discrimination within 90 days.
- 4Affirmative defenseCompliance with NIST AI Risk Management Framework or a comparable framework creates a rebuttable presumption of reasonable care — making NIST AI RMF the de-facto US standard.
- 5Timeline & enforcementEffective Feb 1, 2026. Enforcement exclusively by Colorado AG (no private right of action after 2024 amendments). Penalties under the Colorado Consumer Protection Act — up to USD 20,000 per violation.
The common compliance floor
All three regimes converge on a small set of practices. Build to this floor and you cover the substance of all three, plus most pending state bills (Texas, California, New Jersey, Connecticut, Illinois).
| Requirement | EU AI Act | NYC LL 144 | Colorado AI Act |
|---|---|---|---|
| AI inventory of HR tools | Required (risk-mgmt system) | Required (must identify AEDTs) | Required (impact assessment) |
| Bias / impact audit | Required (in conformity assessment) | Required annually by independent auditor | Required annually (impact assessment) |
| Candidate / employee notice | Required (transparency obligation) | Required ≥10 business days before use | Required (with appeal right) |
| Human oversight in decision | Required (Art. 14) | Implicit (AEDT must 'substantially assist or replace') | Required for adverse employment decisions |
| Vendor / developer documentation | Required (technical docs) | Required (auditor needs vendor data) | Required (developer must provide info) |
| Logging & post-market monitoring | Required (Arts. 12, 72) | Implicit in annual audit refresh | Required (continuous monitoring) |
| Notification to regulator on discovered harm | Serious incident reporting (Art. 73) | Not specified | Required within 90 days to AG |
Implementation: a 90-day plan
- Days 1–15: Build the AI HR inventory. Every tool used in sourcing, screening, interviewing, scoring, scheduling, onboarding, performance, comp recommendations, or termination — including features added to existing tools (e.g. LinkedIn AI Recruiter, Greenhouse AI screening).
- Days 16–30: For each tool, classify under each regime: EU high-risk? NYC AEDT? Colorado consequential decision? Where applicable in all three.
- Days 31–45: Commission independent bias audits for any NYC AEDT. Begin EU AI Act conformity work with vendors. Draft Colorado-style impact assessment template aligned to NIST AI RMF.
- Days 46–60: Publish bias audit summaries on website. Update candidate communications (notice ≥10 business days for NYC). Set up alternative process intake.
- Days 61–75: Train hiring teams and managers on human-oversight obligations. Document who has authority to override AI recommendations. Set logging requirements with each vendor.
- Days 76–90: Establish quarterly governance review (AI HR Council with HR, Legal, IT, DEI, Data). Pre-set the impact-assessment refresh cycle (annually + on material change).
FAQ
Frequently asked questions
We're a US company with no NYC office — does LL 144 apply?
Only if you hire for positions located in NYC or remote positions tied to a NYC office. Otherwise, no. But pay attention to similar bills in California (SB 7), Illinois (HB 3773), and New Jersey (A 3854) which expand the model.
Is using ChatGPT to draft a job description regulated?
Drafting JDs is not 'consequential' under any of the three. But using GPT to screen resumes, score candidates, or recommend hire/no-hire decisions is — and many companies casually doing the latter haven't realised they're now in scope.
Who's responsible — us or the vendor?
Both, but differently. Vendors (providers/developers) have technical and documentation obligations. Employers (deployers) have use-time obligations: oversight, notice, monitoring, impact assessment. You can't outsource employer obligations to the vendor.
Are open-source LLMs exempt?
Under the EU AI Act, open-source GPAI models have lighter obligations than commercial GPAI — but if you fine-tune or deploy them for a high-risk HR use, the high-risk obligations attach to you as the deployer regardless.
- The EU AI Act for HR: a practitioner's guide to the parts that affect people work
- AI policy templates for HR: what to write, what to forbid, what to leave open
- AI-augmented hiring decisions: where to let AI in, where to keep it out
- The Async-First Operating Model: What Works in 2026
- Climate and HR: green skills, climate quitting, and carbon-linked compensation
Read next
All playbooksWhat the EU AI Act actually requires of HR teams — which AI uses are high-risk, the compliance obligations, the timeline, and what to do if you're outside the…
A practical AI usage policy for HR teams to issue to employees — what to allow, what to forbid, training requirements, monitoring, and incident response.
A practical decision framework for AI in hiring — what AI can safely do (sourcing, screening assist, interview notes), what it must not do (final ranking…