State-level AI laws in the United States more than doubled from 49 to 131 in a single year [Stanford AI Index 2025]. Federal agencies issued 59 AI regulations in 2024, up from 25 the year before [Stanford AI Index 2025]. The regulatory surface area for AI expanded faster than any compliance domain since data privacy. One category of obligation sits at the center of this acceleration: algorithmic bias auditing.
Three jurisdictions now mandate bias testing for AI systems making decisions about people. NYC Local Law 144 has been enforceable since July 2023. Colorado SB 24-205 (as amended by SB 26-189, passed May 9, 2026) now takes effect January 1, 2027. The EU AI Act high-risk obligations arrive August 2, 2026. Among 391 NYC employers studied under the first law to take effect, 4.6% posted the required bias audit reports [FAccT “Null Compliance” study, 2024]. The compliance rate is not low. It is functionally zero.
Three regulations. Three different definitions of bias. Three different audit scopes, reporting requirements, and penalty structures. The organizations building audit programs now face a sequencing problem: which law to address first, which fairness metrics satisfy multiple jurisdictions, and where a single audit program covers two or three mandates at once.
An AI bias audit is an independent evaluation of an automated decision-making system for disparate impact across protected categories. NYC LL144 requires annual audits for hiring tools using the four-fifths rule. Colorado SB 24-205 mandates impact assessments for all high-risk AI (effective January 1, 2027 per SB 26-189). The EU AI Act Article 10(2)(f) requires bias detection and mitigation in training data. Audits cost $20,000 to $75,000 depending on system scope [Fisher Phillips 2026].
Why Is AI Bias Auditing Now a Legal Requirement?
AI-powered recruitment tools are increasingly the norm across enterprise hiring functions, with industry surveys consistently showing adoption rates above 60% and growing year-over-year. The tooling adoption outpaced the governance by three to five years. Regulators have caught up.
Bias auditing is one of the core operational pillars of AI governance. The discipline existed in academic settings for a decade. What changed in 2023 is the shift from voluntary best practice to statutory obligation, with three jurisdictions imposing audit requirements within a 14-month enforcement window.
The Three-Jurisdiction Timeline
NYC Local Law 144 became enforceable on July 5, 2023, making it the first U.S. law requiring independent bias audits for automated employment decision tools. The law has been in force for over two years. Colorado SB 24-205, originally scheduled for February 1, 2026, was delayed to June 30, 2026 through SB 25B-004, signed August 28, 2025. SB 26-189 (passed May 9, 2026) further pushes the effective date to January 1, 2027 and replaces the risk-based framework with a disclosure/transparency approach [Baker Botts, September 2025; SB 26-189]. The EU AI Act high-risk system obligations take effect August 2, 2026. The European Commission proposed the Digital Omnibus simplification package in late 2025, which reportedly includes proposals affecting enforcement timelines; the specific terms require confirmation against the Commission proposal text, and no formal enacted measure has extended the August 2026 application date as of May 2026.
The EEOC removed its AI-related employment guidance from its website on January 27, 2025 [K&L Gates, January 2025]. The removal reflects an administration change, not a legal change. Title VII’s disparate impact protections remain fully in force. Employers are still liable for discriminatory outcomes from AI hiring tools, regardless of whether the EEOC publishes guidance explaining how.
Enforcement Is Accelerating, Not Stalling
The NY State Comptroller audited the NYC Department of Consumer and Worker Protection’s enforcement of LL144 in December 2025 and found it “ineffective” [NY State Comptroller Audit, December 2025]. The Comptroller’s auditors identified 17 potential violations among 32 companies. DCWP, reviewing the same 32 companies, found only 1 case of non-compliance.
The complaint system was broken. 75% of 311 test calls about automated employment decision tools were misrouted and never reached DCWP [NY State Comptroller Audit, December 2025]. Only 2 formal AEDT complaints were received during the entire July 2023 to June 2025 audit period. DCWP has committed to reforms, and DLA Piper projects a “new phase of stricter enforcement” beginning in 2026.
The EEOC established precedent before the guidance removal. iTutorGroup paid $365,000 to settle the first AI discrimination case in 2023 after its hiring tool automatically rejected women over 55 and men over 60 [EEOC, August 2023]. In March 2025, complaints were filed against Intuit, HireVue, and AON for biased AI hiring technology [Fisher Phillips, January 2025]. AI incidents jumped 56.4% in a single year, with 233 reported cases in 2024 [Stanford AI Index 2025].
The Business Case Beyond Compliance
The financial damage is already measurable. Industry research on AI bias consequences has found that significant proportions of companies report direct negative impacts including lost revenue, customers, and employees. The litigation exposure is growing. The ACLU filed an EEOC charge against AON over AI-powered hiring tools allegedly screening out applicants with disabilities and targeting certain racial backgrounds [Fisher Phillips, January 2025]. Bias audit results under LL144 are public record. A published report showing disparate impact becomes Exhibit A in any subsequent employment discrimination claim.
The cost equation is straightforward. An AI bias audit costs $20,000 to $75,000 [Fisher Phillips 2026]. A single EEOC settlement starts at $365,000 and climbs from there. EU AI Act violations for provider/deployer obligations reach EUR 15 million or 3% of global annual turnover [EU AI Act Art. 99(4)]. Article 5 prohibited-practice violations carry a higher cap of EUR 35 million or 7% of worldwide annual turnover [Art. 99(3)]. The audit is the cheapest line item in the risk budget.
The audit fix. Map your AI tool inventory against the three jurisdictions. For each automated system influencing employment decisions: (1) Confirm whether the tool meets the AEDT definition under LL144. (2) Assess whether it qualifies as high-risk under Colorado SB 24-205 or EU AI Act Annex III. (3) Record the earliest applicable compliance deadline. Prioritize systems with the nearest deadline and the largest candidate volume.
What Do the Three Major Bias Audit Regulations Actually Require?
The three regulations share a common objective: prevent AI systems from discriminating against protected groups. The implementation details diverge on scope, audit methodology, reporting, and penalties. A compliance team building one program to cover all three needs to know where the requirements overlap and where they split apart.
Scope and Definitions Compared
NYC LL144 applies the narrowest scope: automated employment decision tools used for hiring and promotion within New York City. The law defines an AEDT as any computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output used to substantially assist or replace discretionary decision-making [LL144 Section 20-871]. The definition is precise but limited to employment.
Colorado SB 24-205 (under SB 26-189’s revised framework, effective January 1, 2027) covers all high-risk AI systems making “consequential decisions” across eight domains: employment, education, financial services, healthcare, housing, insurance, government services, and legal services [Colorado SB 24-205]. The scope is statewide and applies to both developers and deployers. Under SB 26-189 (signed May 14, 2026), deployer obligations center on consumer notice at point of interaction, plain-language explanation within 30 days of adverse decisions, data correction rights, and meaningful human review requests.
The EU AI Act classifies AI systems used for recruitment, candidate evaluation, task allocation, and performance monitoring as high-risk under Annex III, Category 4 [EU AI Act, Regulation 2024/1689]. The scope extends across all 27 EU Member States and regulates providers, deployers, importers, and distributors. Employment AI systems fall under high-risk classification requiring mandatory bias testing.
| Dimension | NYC LL144 | Colorado SB 24-205 (per SB 26-189) | EU AI Act |
|---|---|---|---|
| Effective date | July 5, 2023 | January 1, 2027 (per SB 26-189) | August 2, 2026 |
| Geographic scope | New York City | Colorado (statewide) | European Union (27 Member States) |
| System scope | AEDTs in hiring/promotion | High-risk AI in 8 domains | Annex III high-risk categories |
| Who is regulated | Employers, employment agencies | Developers and deployers | Providers, deployers, importers, distributors |
| Audit type | Independent bias audit | Consumer notice + post-decision explanation (SB 26-189 replaces annual impact assessment) | Continuous risk management system |
| Public disclosure | Publish audit results on website | Public disclosure statement on AI use in consequential decisions (SB 26-189) | EU database registration + Declaration of Conformity |
| Consumer notice | 10 business days before use | Before consequential decisions, plus 30-day post-adverse-decision explanation (SB 26-189) | Before use of high-risk system |
| Max penalty | $500-$1,500 per violation (per day, per candidate) | Up to $20,000 per violation under Colorado CPA | EUR 15M or 3% global turnover for provider/deployer obligations [Art. 99(4)]; EUR 35M or 7% for Art. 5 prohibited practices [Art. 99(3)] |
| Affirmative defense | None specified | None under SB 26-189 (affirmative defense repealed; no NIST AI RMF safe harbor) | Presumption of conformity via harmonised standards |
Protected Categories Across Jurisdictions
The protected categories each jurisdiction requires you to test differ in scope and specificity. NYC LL144 tests for race, ethnicity, and sex, and requires intersectional analysis combining these categories. Colorado SB 24-205 defines algorithmic discrimination across protected categories drawn from Colorado anti-discrimination law (CADA) as enumerated in § 6-1-1701: age, color, disability, ethnicity, genetic information, limited English proficiency, national origin, race, religion, reproductive health, sex, veteran status, and any other class protected under Colorado or federal law. The EU AI Act does not enumerate specific categories but requires testing against “harmful biases” affecting “fundamental rights,” which is broader than any enumerated list.
Organizations operating under all three jurisdictions need to test Colorado’s comprehensive category list at minimum, then add fundamental rights analysis for EU compliance.
| Protected Category | NYC LL144 | Colorado SB 24-205 | EU AI Act |
|---|---|---|---|
| Race | Yes | Yes | Fundamental rights |
| Ethnicity | Yes | Yes | Fundamental rights |
| Sex / Gender | Yes | Yes | Fundamental rights |
| Age | No | Yes | Fundamental rights |
| Disability | No | Yes | Fundamental rights |
| National origin | No | Yes | Fundamental rights |
| Religion | No | Yes | Fundamental rights |
| Veteran status | No | Yes | Not specified |
| Genetic information | No | Yes | Not specified |
| Limited English proficiency | No | Yes | Not specified |
| Reproductive health | No | Yes | Fundamental rights |
| Intersectional analysis | Required | Not specified | Best practice |
Penalty Structures and Enforcement Mechanisms
LL144 penalties appear small on a per-violation basis: $500 for the first violation, $500 to $1,500 for each subsequent violation. The accumulation mechanism is what creates exposure. Each day of AEDT use without a valid audit is a separate violation. Each candidate not properly notified is a separate violation. Thirty days of non-compliance with 100 unnotified candidates produces $15,000 to $45,000 in penalties before litigation costs [LL144 penalty schedule].
Colorado SB 24-205 (as amended by SB 26-189, signed May 14, 2026) grants the Attorney General exclusive enforcement authority. Violations are treated as unfair trade practices under the Colorado Consumer Protection Act, with penalties up to $20,000 per violation. SB 26-189 repeals the affirmative defense; NIST AI RMF compliance provides no statutory protection under the signed Colorado framework [Colorado SB 24-205; SB 26-189].
Non-compliance with EU AI Act high-risk system requirements, including Article 10(2)(f) bias mitigation obligations, carries penalties up to EUR 15 million or 3% of global annual turnover, whichever is higher, under EU AI Act Article 99(4). Article 5 prohibited-practice violations carry the higher cap of EUR 35 million or 7% of worldwide annual turnover under Article 99(3). Reduced caps apply for SMEs and startups per Article 99. The penalty ceiling dwarfs both U.S. regulations and signals the EU’s enforcement posture.
The audit fix. Build a jurisdiction mapping matrix for every AI system in your portfolio. For each system: (1) Document which jurisdictions apply (city, state, country). (2) List the protected categories each jurisdiction requires you to test. (3) Default to Colorado’s expanded list for U.S. coverage and add fundamental rights analysis for EU. (4) Calculate cumulative penalty exposure per system under worst-case enforcement. Present this matrix to leadership as the business case for a unified bias audit program.
How Do You Conduct an Algorithmic Bias Audit?
The regulations define what bias means. They do not prescribe how to measure it. NYC LL144 points to disparate impact analysis. Colorado SB 24-205 references algorithmic discrimination without specifying a test. The EU AI Act requires bias detection and mitigation without naming a metric. Practitioners must choose a methodology, and the choice has legal consequences.
The Four-Fifths Rule and Disparate Impact Analysis
The four-fifths rule is the primary metric for LL144 compliance. It compares the selection rate of each protected group to the group with the highest selection rate. If any group’s rate falls below 80% of the top group, the tool shows potential disparate impact. For screening tools, the audit compares how often candidates in each group advance to the next stage. For scoring tools, the audit measures how often each group scores above the sample median [LL144 Section 20-871].
LL144 requires intersectional analysis. The auditor tests across combinations of race, ethnicity, and sex categories, not aggregated groups. A tool passing the four-fifths rule for Black candidates overall might still fail for Black women specifically. Intersectional testing catches compounded bias that aggregated metrics miss.
The rule has a known limitation: it does not test for statistical significance. A small sample size distorts the ratio. Ten candidates in a subgroup produce a volatile selection rate that swings between 0% and 100% based on a single hiring decision. Only 116 LL144 bias audits were published between July 2023 and November 2024 [FAccT “Auditing the Audits,” 2025], limiting the industry’s collective understanding of how auditors handle this problem in practice.
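The following Python sketch is an added example, not code from any statute, auditor, or toolkit named on this page. It computes four-fifths impact ratios for aggregated and intersectional groups and uses a Wilson score interval to mark ratios that a small sample cannot support. The counts, function names, and the stability check (which treats the top group's rate as fixed) are assumptions made for illustration.

```python
"""Four-fifths impact ratios per group, with a small-sample stability check."""
from collections import defaultdict
from math import sqrt

FOUR_FIFTHS = 0.80
Z_95 = 1.96  # normal quantile for a 95% interval

# Constructed counts, not from any real audit:
# (race/ethnicity, sex, applicants, advanced to next stage)
SAMPLE = [
    ("White", "Male", 2000, 600),
    ("White", "Female", 1900, 530),
    ("Black", "Male", 750, 210),
    ("Black", "Female", 700, 140),
    ("Hispanic", "Male", 600, 174),
    ("Hispanic", "Female", 10, 2),
]


def tally(rows, dims):
    """Sum (applicants, selected) over the chosen columns.

    dims=(0,) aggregates by race/ethnicity only; dims=(0, 1) keeps the
    intersectional race-by-sex groups.
    """
    counts = defaultdict(lambda: [0, 0])
    for row in rows:
        key = tuple(row[d] for d in dims)
        counts[key][0] += row[2]
        counts[key][1] += row[3]
    return {k: (v[0], v[1]) for k, v in counts.items()}


def wilson_interval(selected, total, z=Z_95):
    """Wilson score interval for a selection rate; behaves well for small n."""
    if total == 0:
        return (0.0, 1.0)
    p = selected / total
    denom = 1 + z * z / total
    centre = (p + z * z / (2 * total)) / denom
    half = z * sqrt(p * (1 - p) / total + z * z / (4 * total * total)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def impact_ratios(counts):
    """counts: {group: (applicants, selected)} -> per-group result dicts.

    'flagged' is the plain four-fifths verdict on the point estimate.
    'stable' is False when the group's 95% interval, divided by the top
    group's rate, straddles 0.80, so one or two decisions could flip the
    verdict. Treating the top rate as fixed is a simplification.
    """
    rates = {g: s / n for g, (n, s) in counts.items() if n > 0}
    if not rates or max(rates.values()) == 0:
        raise ValueError("no selections recorded; impact ratios are undefined")
    top_rate = max(rates.values())
    results = {}
    for group, rate in rates.items():
        n, s = counts[group]
        low, high = wilson_interval(s, n)
        ratio_low, ratio_high = low / top_rate, high / top_rate
        ratio = rate / top_rate
        results[group] = {
            "n": n,
            "rate": rate,
            "ratio": ratio,
            "flagged": ratio < FOUR_FIFTHS,
            "stable": ratio_high < FOUR_FIFTHS or ratio_low >= FOUR_FIFTHS,
        }
    return results


if __name__ == "__main__":
    for label, dims in (("By race/ethnicity", (0,)), ("Intersectional", (0, 1))):
        print(label)
        for group, r in sorted(impact_ratios(tally(SAMPLE, dims)).items()):
            verdict = "BELOW 0.80" if r["flagged"] else "ok"
            note = "" if r["stable"] else " (sample too small to be sure)"
            print(f"  {' / '.join(group):20} n={r['n']:5} "
                  f"rate={r['rate']:.3f} ratio={r['ratio']:.3f} {verdict}{note}")
```

In the constructed data, Black candidates pass in aggregate while Black women fall below 0.80, and the ten-person Hispanic female subgroup is flagged with an interval too wide to support the verdict either way.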
Statistical Parity, Equalized Odds, and the Impossibility Theorem
Beyond the four-fifths rule, the NIST AI RMF Measure 2.11 recommends multiple fairness metrics [NIST AI 100-1]. Statistical parity (demographic parity) checks whether positive outcome rates are equal across groups. Equalized odds checks whether true positive and false positive rates are equal across groups, detecting when the model is more accurate for one demographic than another. Equality of opportunity tests only the true positive rates. Counterfactual fairness asks whether the decision would change if a protected attribute were different.
The impossibility theorem (Chouldechova, 2017) proves that demographic parity and equalized odds cannot both be satisfied unless base rates are equal across groups. This is not a technical limitation to solve. It is a mathematical constraint. An AI system scoring candidates from two groups with different base qualification rates cannot simultaneously achieve equal selection rates and equal error rates. Practitioners must choose which metric to prioritize.
The choice is a legal decision, not a technical one. LL144 anchors to disparate impact (selection rate ratios). The EU AI Act’s Article 10(2)(f) requires bias detection and mitigation in training data, which aligns more closely with equalized odds (differential accuracy). Colorado references “algorithmic discrimination” broadly, leaving the metric selection to the deployer. Document which metric you chose and why. The selection rationale becomes part of your audit evidence.
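The trade-off between statistical parity and equalized odds described above can be reproduced with a few lines of Python. This is an added example, not code from NIST, Fairlearn, or AIF360; the records, group labels, and function names are constructed for illustration, and "qualified" stands in for whatever ground-truth outcome label the audit uses.

```python
"""Equalized odds versus demographic parity when base rates differ."""
from collections import Counter


def expand(group, tp, fn, fp, tn):
    """Build labelled records (group, qualified, selected) from confusion counts."""
    return ([(group, 1, 1)] * tp + [(group, 1, 0)] * fn
            + [(group, 0, 1)] * fp + [(group, 0, 0)] * tn)


# Constructed data, not from any real system. Both groups get the same
# error rates (TPR 0.8, FPR 0.2) but differ in base qualification rate:
# group A is 50% qualified, group B is 20% qualified.
RECORDS = expand("A", 80, 20, 20, 80) + expand("B", 32, 8, 32, 128)


def group_rates(records):
    """Return {group: base_rate, tpr, fpr, selection_rate} from labelled records."""
    c = Counter(records)
    out = {}
    for g in sorted({r[0] for r in records}):
        tp, fn = c[(g, 1, 1)], c[(g, 1, 0)]
        fp, tn = c[(g, 0, 1)], c[(g, 0, 0)]
        pos, neg = tp + fn, fp + tn
        if pos == 0 or neg == 0:
            raise ValueError(f"group {g!r} needs qualified and unqualified records")
        out[g] = {
            "base_rate": pos / (pos + neg),
            "tpr": tp / pos,            # equality of opportunity compares this
            "fpr": fp / neg,            # equalized odds compares tpr and fpr
            "selection_rate": (tp + fp) / (pos + neg),  # statistical parity
        }
    return out


def fairness_gaps(rates):
    """Largest between-group difference for each metric family."""
    def spread(key):
        vals = [r[key] for r in rates.values()]
        return max(vals) - min(vals)

    sel = [r["selection_rate"] for r in rates.values()]
    return {
        "equalized_odds_gap": max(spread("tpr"), spread("fpr")),
        "equal_opportunity_gap": spread("tpr"),
        "parity_gap": spread("selection_rate"),
        "impact_ratio": min(sel) / max(sel),  # the four-fifths quantity
    }


def fpr_needed_for_parity(target_selection_rate, base_rate, tpr):
    """FPR a group must have to hit a target selection rate at a fixed TPR.

    Rearranges selection_rate = base_rate * tpr + (1 - base_rate) * fpr.
    With equal TPR and FPR across groups, selection rates can only match
    if base rates match (or in the degenerate case tpr == fpr).
    """
    return (target_selection_rate - base_rate * tpr) / (1 - base_rate)


if __name__ == "__main__":
    rates = group_rates(RECORDS)
    for g, r in rates.items():
        print(g, {k: round(v, 3) for k, v in r.items()})
    print({k: round(v, 3) for k, v in fairness_gaps(rates).items()})
    b = rates["B"]
    needed = fpr_needed_for_parity(rates["A"]["selection_rate"],
                                   b["base_rate"], b["tpr"])
    print(f"FPR group B would need for parity with A: {needed:.3f}")
```

On this data the equalized odds gap is zero while the impact ratio is 0.64, so a model with identical error rates still fails the four-fifths rule; closing the selection-rate gap at the same TPR would require raising group B's false positive rate from 0.2 to 0.425.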
| Methodology | What It Measures | Primary Jurisdiction | Strength | Limitation |
|---|---|---|---|---|
| Four-fifths rule (disparate impact) | Selection rate ratio across groups | NYC LL144, EEOC | Legally established, straightforward to calculate | No statistical significance test; small samples distort |
| Statistical parity | Equal positive outcome rates | NIST AI RMF | Intuitive fairness benchmark | Ignores differences in qualification rates |
| Equalized odds | Equal error rates across groups | NIST AI RMF, EU AI Act (best practice) | Detects differential accuracy | Requires labeled outcome data |
| Equality of opportunity | Equal true positive rates | Academic, NIST | Focuses on qualified candidates | Allows unequal false positive rates |
| Counterfactual fairness | Outcome change under attribute swap | NIST AI RMF Measure 2.11 | Tests causal discrimination | Computationally intensive; requires causal model |
| Intersectional analysis | Combined protected category testing | NYC LL144 (required) | Captures compounded bias | Exponential subgroup combinations; sample size issues |
Selecting the Right Methodology for Multi-Jurisdictional Compliance
Start with the four-fifths rule for LL144 compliance. It is required, not optional. Layer equalized odds testing for EU AI Act coverage. Article 10(2)(f) requires bias mitigation, not a specific metric, but equalized odds addresses differential accuracy across demographic groups, which is the closest operational interpretation of the Act’s “harmful biases” language [EU AI Act Article 10(2)(f)].
Use Colorado’s expanded protected category list as the testing baseline for all U.S. obligations. The NIST AI RMF provides a complete risk assessment framework that includes bias measurement as a core function under Measure 2.11. SB 26-189 (signed May 14, 2026) repeals the NIST AI RMF affirmative defense; the framework remains valuable for Texas TRAIGA compliance and EU AI Act alignment, but provides no statutory protection under Colorado law as amended.
Document the methodology selection rationale. This documentation serves three purposes: it satisfies any Colorado risk management policy requirement under the operative framework, it demonstrates due diligence for EU conformity, and it provides the evidentiary foundation for any future litigation defense.
The audit fix. Select your fairness metrics before running the first test. For LL144 compliance: run disparate impact analysis using the four-fifths rule across race, ethnicity, and sex categories with intersectional breakdowns. For EU AI Act coverage: add equalized odds testing to detect differential accuracy across demographic groups. For Colorado: use the SB 24-205 expanded protected category list (drawn from CADA) as your testing baseline. Document the selection rationale and retain it as part of your audit methodology record. Reference NIST AI RMF Measure 2.11 as the organizing framework.
What Tools and Platforms Support Bias Auditing?
Outsourced bias audits are a five-figure investment [Fisher Phillips 2026]. Open-source toolkits lower the cost of internal testing but do not generate compliance-ready reports. Commercial platforms automate compliance documentation. The right choice depends on team capability, audit volume, and whether the organization needs LL144 audit reports, SB 24-205 impact assessments, or EU conformity evidence.
Open-Source Toolkits for Internal Teams
IBM AI Fairness 360 (AIF360) provides the most complete open-source bias testing capability: 70+ fairness metrics, 10 bias mitigation algorithms, and pre-processing, in-processing, and post-processing methods. It runs in Python and R. Best fit: research teams and organizations building in-house bias testing capability with data science resources.
Fairlearn (Microsoft) integrates fairness assessment and mitigation directly with scikit-learn, the most widely used Python machine learning library. It implements demographic parity and equalized odds metrics with built-in visualization. Best fit: data science teams already working in the Python ML ecosystem who need to add bias testing to existing model evaluation pipelines.
Google What-If Tool provides visual exploration of ML model behavior through an interactive fairness analysis dashboard. Best fit: exploratory analysis and model comparison during development, not compliance reporting. The tool surfaces patterns in model behavior but does not produce audit-ready documentation.
Open-source tools handle the statistical testing. They do not generate compliance-ready audit reports, auditor independence attestations, or jurisdiction-specific documentation. Organizations using them for compliance must build their own documentation layer.
Commercial Platforms for Enterprise Compliance
Holistic AI runs a five-dimension audit covering bias, efficacy, robustness, explainability, and privacy. The platform offers an LL144-specific audit product with 2-week delivery from data receipt. It supports EU AI Act and NIST AI RMF compliance documentation. Best fit: organizations needing a turnkey LL144 audit from a qualified independent party.
FairNow takes a different approach with synthetic bias evaluation. The platform generates synthetic resumes reflecting diverse candidate pools and tests how AI hiring tools score them. It supports multi-regulation compliance (LL144, SB 24-205, EU AI Act) and integrates with over a dozen HR technology vendors including Dayforce, Ashby, and Plum. Best fit: HR technology vendors needing pre-deployment bias testing across their product portfolio.
Credo AI provides lifecycle AI governance from development through deployment with a focus on compliance documentation and audit trails. Best fit: enterprises managing multiple AI systems across regulatory jurisdictions who need a centralized governance platform.
Arthur AI monitors bias in production models in real time with alerts for drift, bias, and unexpected behavior. Best fit: the EU AI Act’s continuous lifecycle monitoring requirement.
Build vs. Buy Decision Framework
Building with open-source tools costs less upfront but requires internal data science expertise, custom metric implementation, and a documentation layer the organization builds from scratch. The critical limitation: internal teams cannot satisfy LL144’s independent auditor requirement. The law requires an auditor with no financial interest in the employer or the AEDT vendor [LL144 Section 20-871]. An in-house team auditing its own AI tools does not qualify.
Buying from a commercial platform or engaging an independent auditor costs more upfront but delivers compliance-ready reports, faster turnaround, and qualified independent auditor status. Some platforms qualify as independent auditors under LL144, others do not. Confirm before engaging.
The hybrid approach works best for multi-jurisdictional programs. Use open-source tools (AIF360, Fairlearn) for continuous internal monitoring. Engage a commercial platform or independent auditor for annual compliance audits. The internal monitoring catches bias drift between formal audits. The external audit satisfies the legal requirements.
The audit fix. Choose your tooling stack based on the primary compliance obligation. For LL144: engage an independent auditor or platform (Holistic AI, FairNow) to produce the required published report. For ongoing monitoring under the EU AI Act lifecycle requirement: deploy Arthur AI or build an internal monitoring pipeline using AIF360 or Fairlearn. For Colorado SB 24-205 impact assessment requirements: use NIST AI RMF Measure 2.11 as the framework and document all tool outputs as evidence. Retain all raw test data, methodology documentation, and metric selection rationale for a minimum of three years.
What Does the Audit Evidence Package Look Like?
Running the bias test is half the work. The other half is documentation. Every regulation requires a different output format. LL144 mandates public disclosure. SB 24-205 requires impact assessments. The EU AI Act demands continuous risk management documentation. A unified evidence package covers all three without tripling the paperwork.
LL144 Audit Report Requirements
The audit must be conducted by an independent auditor: any person or entity with no financial interest in the employer or the AEDT vendor, apart from compensation for the audit itself. LL144 does not require specific certifications, accreditations, or professional credentials [LL144 Section 20-871]. This definitional gap means audit quality varies significantly across the market.
The audit report must include selection rates and impact ratios for each race, ethnicity, and sex category. For scoring tools, the report must show the rate at which each group receives a score above the sample median. Results must be published on the employer’s website before using the AEDT. Only 116 LL144 bias audits were published between July 2023 and November 2024 [FAccT “Auditing the Audits,” 2025].
Colorado SB 24-205 Impact Assessment Documentation
Under the original SB 24-205, annual impact assessments for each deployed high-risk AI system were required. SB 26-189 (signed May 14, 2026) replaces the risk-based framework with disclosure and transparency obligations: consumer notice at point of interaction, 30-day post-adverse-decision explanation workflow, data correction rights, and human review rights [Colorado SB 24-205; SB 26-189]. Consumer notice and appeal process documentation, and the 90-day obligation to report discovered discrimination to the Colorado AG, are likely to survive the framework transition in some form.
Building a Unified Evidence Package
Start with the NIST AI RMF as the organizing structure. It satisfies Texas TRAIGA’s safe harbor requirement (and potentially Colorado’s under whatever SB 26-189’s final framework establishes), maps to EU AI Act risk management expectations, and provides the methodology framework for LL144 bias testing. Organizations deploying AI hiring tools in the EU face specific deployer obligations including documented bias mitigation that the NIST structure addresses.
The unified evidence package contains eight core artifacts: (1) AI system inventory with jurisdiction mapping, (2) bias testing methodology document with metric selection rationale, (3) test results with intersectional protected category breakdowns, (4) remediation plan for identified disparities with SLA timelines, (5) independent auditor engagement letter and independence attestation, (6) consumer notice records for each jurisdiction, (7) risk management policy aligned with applicable state requirements and EU AI Act Article 9, and (8) continuous monitoring logs for the EU AI Act lifecycle obligation.
Retain all artifacts for a minimum of three years, covering the longest statute of limitations across the three jurisdictions. Assign a single program owner with the authority to stop deployment if test results reveal disparate impact.
The audit fix. Build your evidence package on the NIST AI RMF structure. Create eight artifact templates matching the list above. Store all artifacts in a dedicated compliance repository with version control. Assign a single program owner with deployment stop authority.
AI bias auditing is no longer a best practice. It is a legal obligation converging from three jurisdictions within the same 14-month window. The organizations treating this as a single-jurisdiction checkbox will build three separate audit programs and pay three times the cost. The organizations building one program on NIST AI RMF, testing against Colorado’s expanded protected category list, and retaining evidence for all three mandates will spend less, cover more, and have the documentation to prove it when regulators arrive.
Frequently Asked Questions
What does a bias audit measure under NYC LL144?
A bias audit under NYC Local Law 144 measures disparate impact by calculating selection rates and impact ratios across race, ethnicity, and sex categories. For screening tools, it compares how often candidates in each group advance to the next stage. For scoring tools, it measures how often each group scores above the sample median. The standard benchmark is the four-fifths (80%) rule. LL144 also requires intersectional analysis, testing across combinations of protected categories rather than aggregated groups.
How much does an AI bias audit cost?
Independent AI bias audits typically range from $20,000 to $75,000 depending on system scope, model count, data volume, and reporting depth [Fisher Phillips 2026]. Open-source tools like IBM AIF360 and Microsoft Fairlearn reduce internal testing costs but do not satisfy LL144’s independent auditor requirement. The hybrid approach, using open-source tools for continuous internal monitoring and engaging an external auditor for annual compliance audits, balances cost with legal coverage.
Does Colorado SB 24-205 require annual bias testing?
The original Colorado SB 24-205 required deployers of high-risk AI systems to perform annual impact assessments evaluating risks of algorithmic discrimination. SB 26-189 (signed May 14, 2026) replaces the risk-based framework with disclosure and transparency obligations effective January 1, 2027. The operative requirements under the signed law are consumer notice, 30-day post-adverse-decision explanation, data correction rights, and meaningful human review rights [Colorado SB 24-205; SB 26-189]. Begin building your AI system inventory and classification now, as these deliverables are required under any version of Colorado AI law.
How does the EU AI Act handle AI hiring bias?
The EU AI Act classifies all AI systems used for recruitment, candidate evaluation, task allocation, and performance monitoring as high-risk under Annex III, Category 4 [EU AI Act, Regulation 2024/1689]. Article 10(2)(f) requires providers to identify, detect, prevent, and mitigate harmful biases in training data. Providers must also maintain a continuous risk management system under Article 9 covering the full AI lifecycle. The high-risk system obligations take effect August 2, 2026. Penalties for provider/deployer obligation violations reach EUR 15 million or 3% of global annual turnover [Art. 99(4)]; Article 5 prohibited-practice violations carry a higher cap of EUR 35 million or 7% [Art. 99(3)].
What is the four-fifths rule in AI bias auditing?
The four-fifths rule flags potential disparate impact when a protected group’s selection rate falls below 80% of the group with the highest selection rate. It is the primary metric for NYC LL144 bias audits and has served as the EEOC’s standard benchmark under Title VII for decades. The rule does not test for statistical significance, which means small sample sizes produce misleading results. Practitioners should pair the four-fifths rule with confidence interval analysis when sample sizes are small.
NYC LL144 vs. Colorado SB 24-205: which is stricter?
Under the original SB 24-205, Colorado was broader in scope across six domains with annual impact assessments. SB 26-189 (signed May 14, 2026) retains the seven covered consequential-decision domains but replaces the audit/assessment structure with disclosure and transparency obligations. LL144 remains narrower in scope (NYC employment only) but more specific in methodology (intersectional analysis required, four-fifths rule mandated). Illinois HB 3773 creates the clearest litigation pathway through the IDHR process [LL144; Colorado SB 24-205; SB 26-189].
Who qualifies as an independent bias auditor under LL144?
An independent auditor under NYC LL144 is any person or entity with no financial interest in the employer using the AEDT or the vendor that developed it, apart from compensation for the audit itself [LL144 Section 20-871]. The law does not require specific certifications, accreditations, or professional credentials. The FAccT “Auditing the Audits” study reviewed 116 published LL144 audit reports and found wide variation in methodology, depth, and reporting standards [FAccT “Auditing the Audits,” 2025]. When selecting an auditor, evaluate their methodology documentation, sample reports, and experience with the specific type of AI system being tested.
How do you build an internal AI bias audit program?
Start by inventorying all AI systems influencing employment or consequential decisions across jurisdictions. Map each system to applicable regulations: LL144 for NYC hiring tools, SB 24-205 (under SB 26-189’s final framework) for Colorado high-risk AI, EU AI Act for systems deployed in the EU. Select fairness metrics aligned with each jurisdiction’s requirements and document the selection rationale. Establish a testing cadence: annual minimum for Colorado requirements, within one year before AEDT use for LL144, and continuous for EU AI Act lifecycle obligations. Assign program ownership with deployment stop authority. Use the NIST AI RMF as the organizing framework.