Colorado just gutted its AI Act under federal pressure. New York’s bias-audit law just got a failing grade and is about to tighten. California’s regulations took effect October 1 and are the most stable obligation in the country. The staffing firm, not the vendor, is the employer of record under every one.

On May 14, 2026, Governor Jared Polis signed SB 189, repealing the Colorado AI Act six weeks before its scheduled effective date and replacing it with a narrower disclosure regime that does not take effect until January 1, 2027. 

But the state didn’t change its mind on its own. A federal magistrate judge stayed enforcement on April 27. The Department of Justice joined a constitutional challenge by xAI. The December 2025 executive order on AI policy named SB24-205 specifically as excessive state regulation. The risk management programs, the impact assessments, and the duty of reasonable care to prevent algorithmic discrimination are all gone. What remains is candidate notice and disclosure. 

Going the other direction, on December 2, 2025, the New York State Comptroller’s office published an audit of how New York City’s Department of Consumer and Worker Protection (DCWP) had been enforcing Local Law 144, the country’s first bias-audit mandate. The audit concluded enforcement was “ineffective.” Seventy-five percent of test calls to NYC’s 311 line about AEDT issues were misrouted. When the Comptroller’s auditors reviewed the same 32 publicly posted bias audits that DCWP had reviewed, the DCWP had flagged one issue of non-compliance. The Comptroller’s auditors flagged 17. As a result, 

The DCWP has committed to implementing most of the Comptroller’s recommendations. When a regulator gets told publicly that enforcement is too soft, oversight typically intensifies.

Compliance teams that built around impact assessments and risk-management programs over the last 18 months were building to a category of regulation that is now being actively rolled back. The category that survives is documentation, candidate notice, and retention. 

The vendor is not the employer. You are.

The staffing firm carries the liability under every framework that is currently enforceable. Under Local Law 144 and California’s amended Fair Employment and Housing Act (FEHA) regulations (effective October 1, 2025), the obligation for bias audits, candidate notice, recordkeeping, and impact assessment runs to the employer using the tool, not the vendor selling it. The scope may include resume parsing, candidate scoring, automated outreach with prioritization logic, SMS qualification bots, and video-interview analysis.

California is the only stable obligation left

With Colorado hollowed out and Texas, Virginia, and Illinois still in pre-effective-date mode, California is the framework staffing CEOs should plan against.

The California Civil Rights Department’s final regulation text requires four-year retention of automated-decision records, including inputs, outputs, decision criteria, audit results, and correspondence. It requires bias testing as a regular and systemized maintenance practice rather than a one-time launch validation. Applicants and employees must receive both pre-use and post-use notice with a path to opt out or request human review. 

But the penalty headline is not the line item that matters. The true exposure is in the FEHA private right of action. One class action on a screening tool that excluded protected applicants, brought by a candidate, is what changes a year. 

The DCWP flagged 1 violation. The state auditor flagged 17.

Specific findings from the Comptroller audit show us what the next enforcement phase could look like.

The DCWP did no public outreach after May 2023. Most NYC employers were not posting bias audits. Many claimed the law did not apply to their tools. The Comptroller flagged this as a scoping problem. The next round of NYC guidance is likely to narrow the safe harbor on this issue.

For staffing firms operating in NYC, the documentation gap is the case against you. The regulator doesn’t need to prove the tool discriminated. They need to prove the firm didn’t perform the required audit, didn’t give the required notice, or didn’t retain the required records. 

Your MSA puts the liability on you, not the vendor

Most staffing firms adopted AI hiring tools without governance infrastructure. There is no audit cadence, no model card on file from the vendor, no documented bias review, no candidate notice template, and no record of which roles each tool screened.

The vendor contract is the secondary problem. Most master service agreements with AI hiring vendors place liability for the tool’s outputs on the using employer. They don’t commit the vendor to produce bias audits on the firm’s behalf. They don’t indemnify against regulatory claims. For a staffing CEO, checking vendor contracts this quarter is the cheapest single move in this stack.

The 5 items in the defensible stack

The infrastructure required to be defensible under NYC and California is small and specific:

  1. An inventory of every AI or rules-based tool that touches a hiring decision, with vendor, model description, and use case for each.
  2. A bias audit on file, no older than 12 months, for each tool that meets the scope definition in each state where it is used. NYC requires public posting. California requires retention.
  3. A candidate notice template, deployed at the appropriate point in the funnel. California requires both pre-use and post-use notice and a path to opt out or request human review.
  4. A documented bias-testing cadence. Per the California regulations, a single validation at launch is not enough.
  5. Retention. Four years in California. A bias-audit record refreshed before it lapses in NYC.

That is the entire package. Most firms can implement it in a quarter if they start now.

Disclosure obligations survive. Risk-management obligations get rolled back.

If the federal government is willing to intervene against a state AI law that hasn’t yet taken effect, the next state to ship a risk-management regime is going to face the same headwind. Plan compliance against disclosure-style obligations, not internal risk-management obligations. The disclosure work is more likely to survive across jurisdictions and political cycles. 

What changes by Monday

Staffing leaders have three questions to answer this week:

  1. Which of our AI-touching tools are in scope in NYC or California, and which are not?
  2. Of those in scope, which have a bias audit on file and which don’t?
  3. Who in the company owns the governance stack, and is there a calendar item for the first audit refresh?