AI Compliance for Hiring & Recruiting

AI hiring compliance is not a document problem. It is an operated-workflow problem. The visible obligation in most state AI hiring laws is a notice or a disclosure — the part a candidate sees. The real obligation is the workflow behind it: where AI enters the hiring decision, which moments require consent or human review, what gets logged, what routes to a person before action, and which records you can produce if an outcome is challenged.

This hub maps AI hiring across six operating questions:

  1. Where AI enters the hiring workflow
  2. Which states require notice, consent, disclosure, or human review
  3. What to log when AI influences a decision
  4. What should route to a human before action
  5. Which records to retain
  6. How a governed deployment operates all of it

1. Where AI enters the hiring workflow

Every obligation attaches to a moment in the workflow. These are the points where AI touches a hiring decision — and the liability that rides with each.

Resume Screening & Candidate Scoring

AI-powered filtering, ranking, and scoring of job applicants

Risk: high
  • Disparate impact discrimination against protected classes
  • Adverse employment decisions without legally required explanation
  • Proxy discrimination through correlated non-protected attributes

Video Interview Analysis

AI evaluation of candidate video interviews for sentiment, behavior, or fit

Risk: high
  • Biometric data collection without informed consent
  • Disability discrimination through behavioral or speech pattern analysis
  • Lack of transparency in scoring criteria disclosed to candidates

Automated Candidate Outreach

AI-generated personalized messages for candidate sourcing and engagement

Risk: medium
  • Misrepresentation of job terms in AI-generated communications
  • Targeted outreach patterns that exclude protected demographics
  • Failure to disclose AI involvement in candidate communications

Workforce Analytics & Retention Prediction

AI models predicting employee performance, attrition risk, or promotion readiness

Risk: medium
  • Retaliation risk when AI flags employees for performance review
  • Privacy violations from monitoring employee digital behavior
  • Discriminatory patterns in promotion or termination recommendations

2. Which states require notice, consent, disclosure, or human review

The states below have enacted or proposed AI rules that attach to those workflow moments. The requirement is rarely "stop using AI" — it is notice, consent, explanation, or a human kept in the decision.

Minnesota

HF-4757

Minnesota Consumer Data Privacy Act (MCDPA)

enacted

Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.

Effective: 2025-07-31

Key Requirements

  • Core Consumer Rights: Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.
  • Opt-Out of Profiling and Targeted Advertising: Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Profiling Challenge and Explanation Right: When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.
  • Data Protection Assessment: Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.
  • Privacy Notice Requirements: Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.
  • Attorney General Enforcement: Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.

Illinois

HB-3773

Illinois Human Rights Act AI Amendment (Public Act 103-0804)

enacted

Amends the Illinois Human Rights Act (775 ILCS 5/) to prohibit employers from using artificial intelligence that subjects employees or applicants to discrimination based on protected classes, and from using zip codes as a proxy for protected classes. Requires employers to notify employees when AI is used in recruitment, hiring, promotion, discharge, discipline, or other terms and conditions of employment. Defines "artificial intelligence" and "generative artificial intelligence" for purposes of the Act.

Effective: 2026-01-01

Key Requirements

  • AI Discrimination Prohibition: Cannot use AI that has the effect of subjecting employees to discrimination on the basis of protected classes identified under the Illinois Human Rights Act
  • Zip Code Proxy Ban: Cannot use zip codes as a proxy for protected classes under the Illinois Human Rights Act
  • Employee Notice of AI Use: Must provide notice to an employee that the employer is using AI for recruitment, hiring, promotion, discharge, discipline, or other employment-related decisions

PA-101-0260

Illinois Artificial Intelligence Video Interview Act (820 ILCS 42)

enacted

Enacted 2019 (PA 101-260), effective 2020-01-01. Amended by PA 102-47 (effective 2022-01-01) to add DCEO demographic reporting. Regulates Illinois employers who use AI to analyze applicant video interviews. Requires notice, explanation of AI, and written consent before analysis; limits video sharing; mandates 30-day deletion on applicant request; requires annual demographic reporting to DCEO.

Effective: 2020-01-01

Key Requirements

  • Notice, Explanation, and Written Consent: Before any AI analysis of a video interview, notify the applicant that AI may be used, explain how the AI works and what characteristics it evaluates, and obtain written consent (Section 5)
  • Video Sharing Restrictions: May share applicant videos only with individuals whose expertise or technology is necessary to evaluate the applicant's fitness (Section 10)
  • 30-Day Deletion on Request: Upon applicant request, employer must delete the video within 30 days and instruct all other recipients with copies or backups to delete them (Section 15)
  • Annual DCEO Demographic Reporting: Collect racial/ethnicity data for applicants denied in-person interviews via AI analysis and for hired applicants; report annually to the Illinois Department of Commerce and Economic Opportunity by December 31 (Section 20, added by PA 102-47)

Texas

HB-149

Texas Responsible Artificial Intelligence Governance Act (TRAIGA)

enacted

Signed June 22, 2025; effective January 1, 2026. TRAIGA is Texas's primary comprehensive AI governance law from the 89th Legislature. It establishes prohibited AI practices applying to all entities that promote, advertise, or conduct business in Texas, produce products or services for Texas residents, or develop/deploy AI systems in the state. Key prohibitions cover behavioral manipulation (inciting self-harm, violence, or criminal activity), government social scoring, unlawful discrimination, government biometric identification from public sources without consent, and constitutional rights infringement via AI. Government agencies must disclose to consumers when they are interacting with an AI system, using clear and conspicuous language free of dark patterns; healthcare-provider AI disclosure to patients is governed separately by Texas SB 1188. Enforcement is exclusively by the Texas Attorney General; no private right of action exists. A 36-month regulatory sandbox program allows companies to test AI systems with certain requirements waived. The law also establishes the Texas Artificial Intelligence Council (seven members) to advise on ethical, privacy, and public safety implications — though the Council cannot adopt binding rules.

Effective: 2026-01-01

Key Requirements

  • Prohibition on Behavioral Manipulation: Cannot develop or deploy AI systems intentionally designed to incite or encourage a person to commit physical self-harm (including suicide), harm another person, or engage in criminal activity
  • Government Social Scoring Ban: Government entities cannot use AI to assign detrimental categorical scores to individuals based on their behavior or personal characteristics
  • Biometric Identification Prohibition (Government Entities): Government entities cannot use AI with publicly available images or data to uniquely identify individuals via biometric identifiers without consent (law enforcement and fraud prevention excepted). This prohibition does not apply to private-sector employers; their biometric consent obligations for AI tools — such as video-interview face or voice capture — are governed by Texas's CUBI statute (Tex. Bus. & Com. Code §503.001), which TRAIGA amended effective January 1, 2026
  • Unlawful Discrimination Prohibition: Cannot intentionally deploy AI to discriminate against protected classes under state and federal law; note that disparate impact alone is insufficient to prove intent
  • Constitutional Rights Protection: Cannot develop or deploy AI systems designed to infringe constitutional rights or target individuals based on constitutionally protected characteristics
  • AI Interaction Disclosure: Government agencies must disclose to consumers, before or at the time of interaction, that they are interacting with an AI system; disclosures must be clear and conspicuous with no dark patterns. Healthcare-provider AI disclosure to patients is governed separately by Texas SB 1188 (effective September 1, 2025), not by TRAIGA

Colorado

SB-26-189

Colorado AI Act — Automated Decision-Making Technology (SB 26-189, repeal & reenactment of SB 24-205)

enacted

On 2026-05-14 Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act (originally SB 24-205). The new law abandons the risk-management / annual-impact-assessment model and replaces it with a disclosure-and-notice framework governing "automated decision-making technology" (ADMT) that makes or substantially influences "consequential decisions" (education, employment, housing, financial services, insurance, healthcare, government services). The statute formally takes effect 2026-08-12 (no safety clause), but all substantive compliance obligations — for both deployers and developers — begin 2027-01-01, which is the operative date for regulated businesses; the Attorney General's implementing rules are also due by 2027-01-01. The AG has stated he will not enforce until the mandatory rulemaking process concludes.

Effective: 2027-01-01

Key Requirements

  • Interaction Notice: Deployers must give clear notice at the point of interaction when a consumer interacts with an automated decision-making technology (ADMT)
  • Adverse-Outcome Disclosure: Provide a plain-language explanation within 30 days of an adverse consequential decision made or substantially influenced by an ADMT
  • Data Correction Right: Allow consumers to request correction of factually incorrect personal data used by the ADMT
  • Meaningful Human Review: Provide meaningful human review and reconsideration after an adverse consequential decision
  • Developer Documentation: Developers must supply technical documentation (intended uses, known harmful uses, training-data categories, known limitations and risks, and instructions enabling meaningful human review), notify deployers of material updates, and retain compliance records for 3+ years. Like all duties under the act, these obligations begin 2027-01-01

3–5. The operating layer: log, route, retain

Notice and consent are the visible layer. These three controls are what a hiring workflow needs to hold up when an outcome is challenged — and they are where most teams have nothing on file. The full set of operating controls behind a defensible notice (vendor intake, bias monitoring, human review, and retention) is broken down jurisdiction by jurisdiction in "Why candidate notice is not enough."

What to log when AI influences a decision

Which tool ran, what it scored or ranked, the inputs it saw, the person who reviewed it, and the action taken. Without this record, the explanation a candidate is owed cannot be produced.

What should route to a human before action

Rejections, rankings that gate interviews, and any score that becomes an adverse decision. Meaningful human review is a step in the workflow, not a box ticked after the fact.

Which records to retain

The consent record, the AI output, the review decision, and the vendor's documentation — kept for as long as a candidate could challenge the decision.

Insurance Implications

Relevant policy types: EPL, E&O, Cyber, D&O

State    | Carrier      | Endorsement | Status  | Applies To                    | Filing Date | Source
---------|--------------|-------------|---------|-------------------------------|-------------|------------
Illinois | Verisk       | CG 40 47    | adopted | CGL                           | 2026-01-10  | verisk.com
Illinois | W.R. Berkley | PC 51380    | pending | D&O, E&O, Fiduciary           | 2026-02-01  | berkley.com
Illinois | Verisk       | CG 40 48    | adopted | CGL                           | 2026-01-10  | verisk.com
Illinois | Verisk       | CG 35 08    | adopted | Products/Completed Operations | 2026-01-10  | verisk.com
Colorado | Verisk       | CG 40 47    | adopted | CGL                           | 2025-11-15  | verisk.com
Colorado | W.R. Berkley | PC 51380    | filed   | D&O, E&O, Fiduciary           | 2025-12-01  | berkley.com
Colorado | Verisk       | CG 40 48    | adopted | CGL                           | 2025-11-15  | verisk.com
Colorado | Verisk       | CG 35 08    | adopted | Products/Completed Operations | 2025-11-15  | verisk.com

Filing status based on carrier announcements and state DOI records. Verify filings through your state's SERFF Filing Access system.

Compliance Gaps to Address

  • No bias audit or disparate impact testing of hiring AI tools
  • No applicant notification that AI is used in screening or scoring
  • Lack of documentation linking AI outputs to adverse employment decisions
  • Unaware of AI exclusion endorsements in EPL or E&O policies

6. How Gridex operates this

This is what Gridex runs. Governed AI Deployment operates AI inside the hiring workflow with the review points, logging, and audit trail the rules and underwriters expect — so a decision is defensible, not merely disclosed. The deliverable is not a model. It is an operated workflow you can stand behind.