A hiring team that sends a candidate a disclosure email and files it under “AI compliance” has done the one part of the law a plaintiff can actually read. Everything the plaintiff cannot read — what data the model used, whether a human reviewed the outcome, what records exist, how a rejected applicant gets an explanation — is where the real liability lives.
That gap is the subject of this piece. Most coverage of AI hiring law answers the question lawyers are paid to answer: what does the statute require? That question matters, and we’ll walk the current landscape jurisdiction by jurisdiction. But it is not the question that determines whether you are actually compliant on a Tuesday afternoon when a candidate is auto-screened out of a role. That question is operational: what does your workflow have to do, every time, for the notice to mean anything?
This is an operations analysis, not legal advice. Treat the statutory summaries below as a map of where the obligations live, and confirm specifics with counsel for your jurisdictions.
The Law Requires Notice. Your Workflow Has to Do the Work.
Notice is visible. It is easy to check off, easy to screenshot, easy to point to. That is exactly why it is a poor proxy for compliance. The obligations that decide whether a notice is accurate — whether it names the right tool, covers the right decisions, and is backed by the consent, deletion, review, and recordkeeping it implies — are not in the notice. They live in the vendor contract, the ATS configuration, the recruiting team’s review protocol, and the retention schedule.
Notice is the output of a compliance process, not the compliance process itself. The employer who skipped the disclosure is exposed. The employer who sent the disclosure but cannot prove consent, review, or deletion is often exposed in exactly the same way — and doesn’t know it.
What the Law Actually Requires by Jurisdiction
The point of this section is the factual landscape, kept tight. The value is in what comes after it.
Illinois: Three Laws, One Recruiting Workflow
Illinois has the most operational surface area of any state, because three separate regimes converge on a single workflow — AI-assisted candidate evaluation.
The Artificial Intelligence Video Interview Act (820 ILCS 42, enacted as PA 101-0260) requires an employer to tell applicants that AI may be used to analyze a video interview, explain how the AI works and what characteristics it evaluates, and obtain written consent before that analysis happens. Video may be shared only with people whose expertise or technology is necessary to evaluate the applicant, and on request the employer must delete all copies within 30 days and instruct third-party recipients to do the same. A 2022 amendment (PA 102-47) adds that employers who rely on AI analysis to decide whether to advance applicants must collect applicant race and ethnicity data and report it annually to the state by December 31. The consent and deletion mechanics are covered in our Illinois AI Video Interview Act consent answer; the reporting obligation is detailed in Illinois HB-3773 annual reporting requirements.
HB-3773, effective January 1, 2026, amends the Illinois Human Rights Act. It requires employers to notify employees and applicants when AI is used to influence or facilitate covered employment decisions — recruitment, hiring, promotion, discipline, discharge, and related terms — and it prohibits the use of AI that has the effect of discriminating against protected classes. Note the standard: the effect-based prohibition does not require discriminatory intent. The statute also specifically bars using zip codes as a proxy for protected classes in AI employment decisions. (The statutory language names zip codes specifically; it does not, on its face, reach every form of geolocation data — a narrowness worth keeping in mind when scoping an input audit.) Draft implementing rules from the Illinois Department of Human Rights would add more: notice that names the AI product and its developer, the decisions affected, the data categories used, a contact point and accommodation rights; annual notice to current employees and notice within 30 days of adopting new or substantially updated AI; and four-year retention of notices and records of AI use. These IDHR rules are proposed, not final — treat the four-year figure and the notice-content specifics as the likely shape of the obligation rather than settled law, and watch for the final rule.
Separately, the Biometric Information Privacy Act (740 ILCS 14) applies independently if a hiring tool captures biometric identifiers such as facial geometry or voiceprints. BIPA carries a private right of action and statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation; a 2024 amendment (SB 2979) clarified that repeated collection of the same identifier from the same person by the same method counts as a single violation, which caps the per-scan multiplier that earlier drove headline judgments. The penalty framework is laid out in Illinois AI hiring penalties, and the three regimes are synthesized in Can I use AI for hiring in Illinois? and on the Illinois regulation page.
The plain-terms gap: the notice tells the applicant AI was used. Whether the employer can prove consent was obtained, videos were deleted on request, zip-code correlations were kept out of the model, demographic data was collected and reported, and biometric capture was consented to — none of that is notice. All of it is workflow.
Colorado: Meaningful Human Review Is an Operating Standard, Not a Title
Colorado’s SB 26-189, signed May 14, 2026, repealed and reenacted the state’s original AI Act (SB 24-205); its obligations begin January 1, 2027. This matters because the original model — algorithmic impact assessments, “high-risk AI system” classification, and a risk-management duty of care — was repealed. Do not plan around it. The current law takes a disclosure-and-review approach, confirmed in Does Colorado require AI impact assessments? and compared side by side in Illinois vs Colorado AI hiring.
Under SB 26-189, a deployer using automated decision-making technology to make or substantially influence a consequential employment decision must: give notice at the point of interaction; provide a plain-language description of the AI’s role within 30 days after an adverse outcome, with the applicant’s rights and a path to request more information; allow correction of factually incorrect personal data; and offer meaningful human review when commercially reasonable. Developers must hand deployers technical documentation — intended uses, training-data categories, known limitations, and instructions for appropriate use and human review.
The operational center of gravity is meaningful human review, which the statute defines as a workflow, not a job title. The reviewer must have the authority to approve, modify, or override the decision; must not default to the system’s output; must be trained to conduct the review; and must have access to information about the system’s intended use, material limitations, categories of inputs, and the principal factors behind the output. A recruiter who skims a ranked list and clicks approve does not satisfy that standard. Add the 30-day adverse-outcome clock and a three-year per-decision record-retention requirement, and the notice is nearly the last step in the sequence — the steps before it are vendor-documentation intake, a trained reviewer role with real authority, and a response process that can hit a 30-day SLA.
One genuinely unsettled point: the human-review right is qualified by “commercially reasonable,” and the Colorado Attorney General is directed to define that term through rulemaking by January 1, 2027. As of this writing those rules have not been published, so the boundary is open. We are not going to predict where it lands. The defensible posture in the meantime is to document the basis for any decision to decline a review request — which is itself a recordkeeping obligation.
Texas: The Absence of a Disclosure Law Is Not the Absence of Risk
Texas’s Responsible Artificial Intelligence Governance Act (TRAIGA, HB-149), effective January 1, 2026, is built on prohibitions, not affirmative disclosure duties. There is no private-sector hiring-disclosure mandate; the consumer-facing “you are interacting with AI” disclosure applies only to government agencies and healthcare providers, not to private employers generally. Enforcement is the Attorney General’s alone, with no private right of action and a 60-day cure period, and the law includes a 36-month regulatory sandbox. The full framework is in Texas TRAIGA private-sector AI obligations and What AI rules apply to hiring in Texas?.
That does not make Texas a free zone. TRAIGA prohibits using AI to uniquely identify individuals biometrically from publicly available images or data without consent (with exemptions for fraud prevention and security that do not obviously cover routine hiring assessment). Whether a hiring tool that extracts facial geometry from a video the applicant submitted — rather than from publicly available images — falls inside this prohibition is not clearly resolved in the available sources; an employer using video-analysis AI should treat that as an open question and document consent rather than assume the exemption. TRAIGA also bars the intentional deployment of AI to discriminate, a higher bar than disparate impact alone — but documented knowledge of skewed outcomes plus continued deployment is the kind of fact that makes “intentional” arguable. And Title VII runs in parallel regardless: its disparate-impact theory does support private suit even where TRAIGA’s intent bar is not met. The Texas gap is the implied standard — an employer who cannot document what the tool does, what data it used, who reviewed the outcome, and what was logged is exposed on the federal side even with no state notice law to violate.
New York City: The Only Law That Requires the Employer to Run an Audit Before Deploying
NYC Local Law 144 flips the order: the audit precedes deployment. An employer using an automated employment decision tool to evaluate NYC candidates must commission an independent bias audit, post a summary of the results publicly on its employment website, and give candidates at least 10 business days’ notice before the tool is used. The audit must assess disparate impact by sex, race, and ethnicity — including intersectional categories — computing selection or scoring rates and impact ratios under the EEOC’s four-fifths methodology, and it must be no more than a year old at the time of use. There is no employer-size floor: the obligation attaches to the use of a covered tool on NYC candidates, not to headcount. Penalties run $500–$1,500 per day per violation, and enforcement is tightening — a December 2025 New York State Comptroller audit found compliance deficiencies at 17 of 32 reviewed companies, and the city’s enforcement agency has signaled stricter posture in 2026. LL144 remains the clearest model of an operating obligation that precedes disclosure; see which states require bias audits for hiring AI.
Federal: Guidance Gone, Statute Intact
The EEOC’s May 2023 technical assistance on AI and Title VII was removed from the agency’s website on January 27, 2025. The document is gone; Title VII is not. Disparate-impact liability for AI hiring tools remains operative federal law, and the agency’s Strategic Enforcement Plan through FY2028 still lists AI and machine-learning technology as a priority. The practical effect of losing published guidance is counterintuitive: with less written safe-harbor direction, defensible documentation of bias testing, human review, and adverse-outcome handling matters more, not less.
The Seven Operating Controls That Actually Determine Compliance
Move from jurisdiction-by-jurisdiction to the cross-cutting controls a hiring workflow needs. These are not a legal summary; they are the operations checklist underneath the legal summary. Each one carries a note on what breaks when it’s missing.
- Vendor documentation intake. Before deploying any AI in hiring, obtain from the vendor: training-data categories, known limitations, intended uses, and human-review guidance. Colorado requires this by statute; Illinois and Texas compliance depends on it as a practical matter. What breaks if missing: you cannot construct accurate notice, conduct meaningful review, or run a bias audit without knowing what the system actually does.
- AI tool inventory and process mapping. Map which tools touch which employment decisions. Illinois HB-3773 reaches anything that “influences or facilitates” a covered decision — ranking, scoring, filtering, flagging. What breaks if missing: your notice names tools you can’t identify, or omits tools that are quietly influencing decisions.
- Bias testing and demographic monitoring. NYC mandates an annual independent audit; Illinois’s effect-based standard makes outcome monitoring an early-warning system; Texas employers are not exempt from Title VII. What breaks if missing: the first evidence of disparate impact is a lawsuit, not an internal alert.
- Meaningful human review protocol. Colorado defines this precisely — a trained reviewer with authority to override, access to system information, who does not default to the model’s output. It is a role-design and training obligation, not a policy sentence. What breaks if missing: a reviewer who ratifies AI output without deliberation fails the statutory standard, and the right to request review is formally present but substantively empty.
- 30-day adverse-outcome response process. Colorado’s post-decision clock requires knowing which decisions were AI-influenced, who was adversely affected, and how to generate the required explanation within 30 days. Illinois deletion requests run on a parallel 30-day cadence. What breaks if missing: the clock runs out, the explanation isn’t delivered, and there is no evidence of a functioning process.
- Record retention tied to hiring events. Colorado: three years per consequential decision. Illinois (proposed IDHR rules): four years for notices and records of AI use. NYC: audit results on the public record. These are hiring-event-level, not program-level. What breaks if missing: an enforcement inquiry or discovery request produces no contemporaneous evidence of notice, review, or explanation.
- Biometric consent and deletion workflow. If the tool captures facial geometry or voiceprints, Illinois BIPA applies on top of the Video Interview Act, with separate written consent and per-collection statutory damages; Texas TRAIGA separately restricts AI biometric identification without consent. What breaks if missing: BIPA statutory damages and private suit, plus PA 101-0260 deletion duties and potential TRAIGA exposure, all running at once.
What Vendors Owe You (and What They Don’t Automatically Provide)
A common and expensive assumption is that the AI vendor handles compliance. They mostly don’t. Colorado SB 26-189 deliberately splits the roles: the developer must provide documentation, but the deployer — the employer — is responsible for operating the tool in compliance. A vendor handing you bias-audit data does not satisfy NYC LL144, which requires the employer to commission an audit from an independent auditor. And the now-withdrawn EEOC guidance made explicit what Title VII still implies: you are responsible for your AI, and you cannot transfer liability by pointing to a vendor’s compliance assurances.
So the vendor relationship is itself a control. Before deploying, request — and store — the training-data categories, the known limitations, any bias-audit history, the human-review guidance, and the data-retention and deletion handling. If the vendor cannot produce these, that is not a paperwork gap; it is a signal that you cannot meet your own obligations downstream.
The Governed Workflow Layer
Read the seven controls together and a pattern emerges: this is a workflow-design problem, not a legal-drafting problem. The employers most exposed are usually not the ones who forgot the disclosure. They’re the ones with no system for vendor intake, no bias-monitoring cadence, no human-review routing that logs who reviewed what and when, no adverse-outcome SLA, and no retention tied to hiring events.
The workflow that actually satisfies these requirements has specific moving parts: a vendor-documentation intake gate before any AI deployment is authorized; a bias-monitoring cadence aligned to the audit cycle; a human-review routing layer that records the reviewer, the inputs they saw, and the decision; an adverse-outcome response process built around the 30-day clock; and record retention attached to each hiring event rather than archived at the program level. Designing that operating layer — where human review, audit trails, and accountability are the compliance mechanism rather than an afterthought — is the actual work, and it’s what our governed AI deployment practice exists to build. The broader hiring-compliance picture lives on the AI compliance for hiring hub.
What Multistate Employers Should Prioritize First
For employers operating across these jurisdictions, the cumulative surface area is real, but it is not undifferentiated. A defensible starting order, by current legal effect and enforcement activity:
- Illinois — two regimes already in force (the Video Interview Act and HB-3773 since January 2026), BIPA ongoing, and the most operational obligations of any state.
- New York City — LL144 is actively enforced, the 2025 Comptroller audit flagged widespread deficiencies, and the city has signaled tighter enforcement in 2026.
- Colorado — obligations begin January 1, 2027, but vendor-documentation intake and human-review protocol design should start now, because they are the slow parts to build.
- Texas — no disclosure law, but Title VII and TRAIGA’s biometric and intentional-discrimination provisions reward documentation discipline.
A broader cross-state view is collected in AI hiring for multistate employers, AI hiring laws by state, and AI resume screening disclosure requirements by state.
The common thread across all four: the notice is the part you can show a regulator in a screenshot. The controls behind it are the part that determines whether the screenshot is true.
Gridex builds and runs governed AI operations — the intake, review, traceability, and human-approval layer that turns AI capability into work a business can stand behind. When AI touches a regulated decision, that operating layer is the compliance mechanism, not an add-on to it.