What liability exposure do HR tech vendors have for AI tools?

Last verified: March 24, 2026

Answer

HR tech vendors face dual exposure: as AI developers under Colorado's developer obligations, and through client contracts when their AI tools contribute to employment discrimination claims covered by state hiring laws.

Applicable Regulations

SB-26-189

Colorado AI Act — Automated Decision-Making Technology (SB 26-189, repeal & reenactment of SB 24-205)

enacted

On 2026-05-14 Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act (originally SB 24-205). The new law abandons the risk-management / annual-impact-assessment model and replaces it with a disclosure-and-notice framework governing "automated decision-making technology" (ADMT) that makes or substantially influences "consequential decisions" (education, employment, housing, financial services, insurance, healthcare, government services). The statute formally takes effect 2026-08-12 (no safety clause), but all substantive compliance obligations — for both deployers and developers — begin 2027-01-01, which is the operative date for regulated businesses; the Attorney General's implementing rules are also due by 2027-01-01. The AG has stated he will not enforce until the mandatory rulemaking process concludes.

Key Requirements

  • Interaction Notice: Deployers must give clear notice at the point of interaction when a consumer interacts with an automated decision-making technology (ADMT).
  • Adverse-Outcome Disclosure: Provide a plain-language explanation within 30 days of an adverse consequential decision made or substantially influenced by an ADMT.
  • Data Correction Right: Allow consumers to request correction of factually incorrect personal data used by the ADMT.
  • Meaningful Human Review: Provide meaningful human review and reconsideration after an adverse consequential decision.
  • Developer Documentation: Developers must supply technical documentation (intended uses, known harmful uses, training-data categories, known limitations and risks, and instructions enabling meaningful human review), notify deployers of material updates, and retain compliance records for 3+ years. Like all duties under the act, these obligations begin 2027-01-01.

Effective: 2027-01-01

Penalties: Enforced exclusively by the Colorado Attorney General; violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Before enforcement the AG must give 60 days' written notice and an opportunity to cure; this cure right sunsets 2030-01-01, after which enforcement may be immediate. The AG has stated no enforcement will occur until the mandatory rulemaking process concludes.

HB-3773

Illinois Human Rights Act AI Amendment (Public Act 103-0804)

enacted

Amends the Illinois Human Rights Act (775 ILCS 5/) to prohibit employers from using artificial intelligence that subjects employees or applicants to discrimination based on protected classes, and from using zip codes as a proxy for protected classes. Requires employers to notify employees when AI is used in recruitment, hiring, promotion, discharge, discipline, or other terms and conditions of employment. Defines "artificial intelligence" and "generative artificial intelligence" for purposes of the Act.

Key Requirements

  • AI Discrimination Prohibition: Cannot use AI that has the effect of subjecting employees to discrimination on the basis of protected classes identified under the Illinois Human Rights Act.
  • Zip Code Proxy Ban: Cannot use zip codes as a proxy for protected classes under the Illinois Human Rights Act.
  • Employee Notice of AI Use: Must provide notice to an employee that the employer is using AI for recruitment, hiring, promotion, discharge, discipline, or other employment-related decisions.

Effective: 2026-01-01

Penalties: Enforced through the Illinois Human Rights Act framework by the Illinois Department of Human Rights (IDHR); remedies follow IHRA procedures (injunctive relief, damages, attorney's fees) rather than a specific monetary penalty schedule in the amendment itself.

Industry Context

HR & Recruiting Firms

Staffing agencies, recruiting firms, and HR technology providers that use AI for candidate sourcing, resume screening, interview analysis, and employment decision support. These firms face heightened regulatory scrutiny because AI in hiring directly affects individuals' economic opportunities.

Typical Compliance Gaps

  • No bias audit or disparate impact testing of hiring AI tools
  • No applicant notification that AI is used in screening or scoring
  • Lack of documentation linking AI outputs to adverse employment decisions
  • Unaware of AI exclusion endorsements in EPL or E&O policies

Where this lands operationally

Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.

Related Questions

  • What is the difference between developer and deployer obligations under the Colorado AI Act? Colorado's AI Act (reenacted by SB 26-189; the statute formally takes effect 2026-08-12 but all obligations begin 2027-01-01) splits obligations between deployers and developers. Deployers — businesses using ADMT to make or substantially influence consequential decisions — have 4 duties: interaction notice, adverse-outcome disclosure within 30 days, data-correction rights for consumers, and meaningful human review after an adverse decision. Developers — those who build ADMT — must supply technical documentation (intended uses, training-data categories, known limitations), notify deployers of material updates, and retain compliance records 3+ years. Both deployer and developer duties begin 2027-01-01. Impact assessments and risk management programs from SB 24-205 are gone. A company can be both developer and deployer if it builds and uses the same system.
  • Can I use AI for hiring in Illinois? Yes, but two distinct Illinois laws apply. HB-3773 (effective January 1, 2026) amended the Illinois Human Rights Act to prohibit employers from using AI that discriminates against protected classes or uses zip codes as a proxy, and it requires notice to employees that AI is being used in employment decisions (recruitment, hiring, promotion, discipline, tenure, or terms and conditions). Separately, the Illinois Artificial Intelligence Video Interview Act (PA 101-0260, 820 ILCS 42), in effect since 2020, applies specifically when AI analyzes applicant video interviews: employers must notify the applicant, explain how the AI works, obtain written consent, limit video sharing to necessary evaluators, delete videos within 30 days of an applicant's request, and — per the 2022 amendment (PA 102-47) — report applicant racial/ethnicity data annually to DCEO. If AI hiring tools also capture biometric identifiers (e.g., facial geometry from video), the separate Illinois Biometric Information Privacy Act (BIPA) creates additional consent and liability obligations. Illinois employers using AI for any form of employment decision should map their process against all three regimes.