Understanding AI Compliance Obligations, Following Colorado’s Scaled-Back Legislation

Key takeaways:

• In May 2026, Colorado replaced its rigorous AI Act with a significantly less demanding version that removes requirements for bias audits and risk assessments. This new law is not scheduled for implementation until January 2027.
• Staffing agencies remain subject to high compliance hurdles elsewhere, as active regulations in California, Illinois, and New York City continue to be enforced. Notably, New York City mandates independent bias audits prior to the use of automated screening tools.
• Liability rests with the entity deploying the technology. Because many statutes explicitly include “employment agencies” and “agents,” firms cannot offload legal responsibility to software vendors.

The most ambitious AI hiring law in the country was revamped three weeks before a related deadline. On May 14, 2026, Colorado Governor Jared Polis signed SB 26-189, which repealed and replaced the Colorado AI Act before it ever took effect. Gone are the risk management programs, the annual impact assessments, and the duty of care to prevent algorithmic discrimination that had made the original law the high-water mark for AI regulation. The replacement, effective January 1, 2027, asks for disclosure and human review instead.

However, this doesn’t mean AI hiring regulation is scaling back. Three other jurisdictions have enforceable AI hiring rules in effect today, and New York City’s is the strictest of them. 

Colorado dropped its bias audits and impact assessments, and won’t enforce the replacement until 2027

The Colorado AI Act, passed in 2024 as SB 24-205, was supposed to be the template. It created a risk-based framework governing AI used in “consequential decisions” across employment, housing, lending, healthcare, and education. Developers and deployers carried a duty of reasonable care to protect against algorithmic discrimination, backed by mandatory risk management programs and annual impact assessments.

It never took effect. The original February 2026 start date was pushed to June 30, 2026, then the law drew a legal challenge. In April 2026, a federal court paused enforcement after X.AI sued and the federal government intervened, the first federal intervention in a challenge to a state AI law. The Colorado legislature then repealed and replaced the act outright with SB 26-189.

The replacement regulates automated decision-making technology that “materially influences” a consequential decision, a narrower standard than the original “substantial factor” test. It requires deployers to notify consumers when covered technology influences a decision, explain adverse outcomes within 30 days, and offer meaningful human review. The high-risk classification, the risk management programs, the impact assessments, and the duty of care are all gone. Enforcement falls exclusively on the Colorado Attorney General, with no private right of action, and doesn’t begin until rulemaking concludes.

The law takes effect January 1, 2027.

Some states already enforce AI hiring rules, with NYC’s fining up to $1,500 a day

While Colorado retreated, three other jurisdictions moved forward. These are the rules a staffing firm placing candidates in 2026 has to meet now.

Illinois amended its Human Rights Act through HB 3773, effective January 1, 2026. It makes using AI that has a discriminatory effect on protected classes a civil rights violation, bars using zip codes as a proxy for protected classes, and requires employers to notify employees and applicants when AI is used in employment decisions. The discrimination provision carries a private right of action through the IHRA, which means plaintiffs can sue directly. The draft implementing rules define “use” of AI broadly, covering any instance where an AI system’s output influences or facilitates a covered employment decision.

California brought AI hiring tools under its anti-discrimination law. The Civil Rights Council’s regulations on automated decision systems took effect October 1, 2025. Using an automated system that produces a discriminatory outcome violates the Fair Employment and Housing Act, even without intent. The rules require employers to retain automated decision data for four years, extend liability to “agents” acting on an employer’s behalf, and treat the presence or absence of bias testing as relevant evidence in a discrimination claim. A separate set of California Privacy Protection Agency regulations adds pre-use notice, opt-out rights, and risk assessments for automated decision-making technology used in significant employment decisions.

New York City has the strictest regime, and it’s been in place since July 2023. Local Law 144 prohibits using an automated employment decision tool unless it has passed an independent bias audit within the prior year, the audit summary is posted publicly, and candidates get at least 10 business days’ notice. Penalties run $500 to $1,500 per violation, and each day of use counts as a separate violation. A December 2025 audit by the New York State Comptroller found enforcement had been weak and pushed the enforcing agency toward tougher oversight, so the risk is rising.

Texas has the Responsible Artificial Intelligence Governance Act, which took effect January 1, 2026. However, it bars only AI used with intent to discriminate, reaches no further into disparate impact, and requires no audits or applicant notice. 

Lastly, Connecticut has enacted the Artificial Intelligence Responsibility and Transparency Act and will be phasing in its employment provisions over two years. Starting October 1, 2026, using an automated tool is not a defense to a discrimination claim, and layoff notices must disclose whether AI drove the decision. The candidate notice and disclosure obligations follow on October 1, 2027. 

Staffing firms using AI are more at risk than the employers they serve 

Most of these laws don’t stop at the end employer. They impact the agent, the vendor, and the employment agency.

New York City’s Local Law 144 applies explicitly to employment agencies, not just employers. If a staffing firm uses an automated tool to screen or rank candidates for a New York City role, the firm carries the audit and notice obligations. California’s FEHA regulations extend liability to anyone “acting on behalf of an employer” to perform recruitment, screening, or hiring, which describes the core staffing function. Illinois’s draft rules apply to employers and “their agents, including recruiters and other third parties acting on an employer’s behalf.”

The federal Mobley v. Workday litigation, which cleared early procedural challenges on the theory that an AI vendor can be an employer’s agent, shows the liability can attach at multiple points in the chain. Staffing firms are sourcing, screening, and ranking candidates, often with AI tools embedded in an applicant tracking system or sourcing platform they didn’t build. These agencies can’t assume the tool vendor or the client employer absorbs the risk. 

Abide by strictest standard to ensure compliance

To ensure your agency is using AI responsibly as state laws emerge and strengthen, set the bar at the highest level. New York City’s audit-plus-notice standard is the strictest so far, making it the current template. Here’s how to meet it:

• Inventory every AI tool in the hiring workflow. Automated screening, ranking, and matching are frequently embedded in applicant tracking systems, sourcing platforms, and assessment vendors. List every tool that scores, ranks, screens, or recommends candidates, and note which jurisdictions each is used in.
• Commission independent bias audits where required. For any tool used to screen or rank candidates for New York City roles, an independent third party (not the firm or the vendor) must audit the tool for disparate impact within the prior year, and the summary must be posted publicly before use. The audit also doubles as evidence in a discrimination defense under California and Connecticut law, so it has value well beyond New York City.
• Build notice into the candidate workflow. Illinois and New York City both require telling candidates when AI is used to evaluate them, and New York City requires 10 business days’ lead time. Standardize a disclosure that covers what the tool assesses and how, and deliver it ahead of time.
• Set four-year data retention. California requires preserving automated decision data, selection criteria, outputs, and audit results for four years. Match that retention period across the board rather than tracking different clocks per state.
• Audit vendor contracts. Because liability reaches agents and deployers, a firm needs its vendor agreements to address bias testing, audit cooperation, and data access. A vendor’s assertion that its tool is fair is not a defense, and the vendor can’t audit its own tool.
• Keep meaningful human review in the loop. Some state laws require human review of automated decisions, making it important to have documented human checkpoints before decisions.

Colorado’s softened law isn’t permission to relax. As AI adoption grows, we’ll likely see more policies and laws designed to ensure fair hiring. Transparency with candidates, automated decision data retention, and independent bias audits will help staffing agencies build a solid defense against discrimination liability. 

This article is for general information and should not be considered legal advice. AI employment laws are changing fast and vary by jurisdiction, so consult qualified employment counsel before making compliance decisions.