AI hiring bias audit basics for HR teams

If your organisation screens, ranks, or selects candidates with the help of an AI tool, you are almost certainly inside the scope of at least one bias-audit obligation — and from late 2027, of two. This piece is the practitioner walkthrough for HR and recruitment teams that have not run one before: who needs an audit and when, how to scope it, how to read the result, and what to publish at the end.

An AI hiring bias audit measures whether an automated employment decision tool produces materially different outcomes for protected groups. NYC Local Law 144 made annual third-party bias audits mandatory for employers using such tools in New York City from July 2023; the EU AI Act, under Annex III §4(a), classifies recruitment AI as high-risk and triggers parallel obligations from December 2027 (per the Digital Omnibus deferral). Responsible AI Studio (RAIS) publishes an AI Bias Audit Framework that maps both regimes — and 12 other jurisdictions — to a 34-item checklist plus a fairness-testing protocol.

Qualified review still required. Outputs are AI-generated starting-point documents — not a substitute for qualified legal or compliance advice.

Who needs an audit, and when

The two obligations live in different regulatory regimes but converge on the same practical question — does the tool you use to filter candidates produce a materially different selection rate for protected groups.

NYC Local Law 144 has been in force since July 2023. Any employer using an automated employment decision tool — defined broadly to include resume screening, candidate ranking, and assessment scoring — on candidates for jobs in New York City must complete an independent annual bias audit and publish the summary. Coverage is triggered by where the candidate is being hired into, not where the employer is incorporated.

The EU AI Act, in Annex III §4(a), classifies recruitment and selection AI as high-risk. The high-risk standalone obligations are scheduled to apply from 2 August 2026 — provisionally moved to 2 December 2027 under the Digital Omnibus on AI deferral. From that date, providers and deployers of recruitment AI placed on the EU market are inside a bias-management regime that runs in parallel to NYC LL144. The cross-walk to the wider Annex III scope is in Annex III high-risk classification for employment use cases.

Other jurisdictions are following. Colorado, Illinois, and California have employment-AI rules in motion at state level; the UK Equality and Human Rights Commission has flagged automated hiring as an enforcement priority; Canada, Singapore, and Brazil are each tracking their own. The 14-jurisdiction overlay matters because a US-headquartered employer with EU candidates and Canadian remote hires sits in three regimes at once. One audit framework needs to satisfy all of them.

Scoping your first audit

The work splits into three sub-tasks: data request, metric selection, and vendor cooperation. None of these is what the top-ranked guides in search results focus on, which is why first-time auditors get stuck here.

The data request covers the selection-rate data you need from the period being audited — typically the past 12 months. You need, for each role family in scope, the number of applicants, the number selected at each stage, and the protected-group breakdown of both populations. The protected attributes depend on jurisdiction — NYC LL144 names race, ethnicity, and sex with intersectional pairs; EU regimes add disability and other categories under the relevant national equality law. Defining the data request precisely is what keeps the audit's outputs comparable.

The metric selection covers the headline ratio — the impact ratio, which is the selection rate for each protected group divided by the selection rate for the most-selected group. The four-fifths rule is the conventional adverse-impact threshold, but it is a screening test, not a legal verdict. Auditors also calculate statistical significance and report the underlying sample sizes.

The vendor cooperation covers the data and documentation the AI tool's vendor needs to supply — model card, training-data summary, prior fairness-testing results, version history of the tool over the audit period. The vendor relationship is the most common point of failure in a first audit; budget the time to surface and resolve it. The upstream control work is the vendor assessment for the hiring tools you audit.

Adverse-impact analysis in plain language

The single most important calculation is the impact ratio. The selection rate is the percentage of applicants from a protected group who advance to the next stage; the impact ratio is that rate divided by the selection rate for the group that was most likely to advance. A ratio at or above 0.8 — the four-fifths rule — is the conventional pass mark; a ratio below 0.8 triggers further investigation.

Intersectional analysis runs the same calculation for combinations of protected attributes. The NYC LL144 framework expects intersectional pairings — for example, the selection rate for Black women relative to the selection rate for white men. Intersectional ratios often differ materially from the headline single-attribute ratios, which is why both are required.
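The calculation described above, as an added worked example (not code from the RAIS framework or from any regulator): it computes selection rates and impact ratios for a single-attribute view and an intersectional view of the same stage, and reports sample sizes alongside each ratio. The record field names, the `min_n` cut-off and the applicant counts are assumptions constructed for illustration.

```python
from collections import Counter

FOUR_FIFTHS = 0.8  # conventional adverse-impact screening threshold

def impact_ratios(records, attrs, min_n=30):
    """Selection rate and impact ratio per group.

    attrs: one attribute name for a single-attribute view, two or more for
    an intersectional view. min_n is an assumed cut-off, not a legal one:
    smaller groups are reported but neither flagged nor used as reference.
    """
    applicants, selected = Counter(), Counter()
    for rec in records:
        group = tuple(rec[a] for a in attrs)
        applicants[group] += 1
        selected[group] += bool(rec["selected"])
    rates = {g: selected[g] / n for g, n in applicants.items()}
    eligible = [rates[g] for g, n in applicants.items() if n >= min_n]
    if not eligible or max(eligible) == 0:
        raise ValueError("no group large enough, or nobody was selected")
    reference = max(eligible)  # rate of the most-selected group
    report = {}
    for g, n in applicants.items():
        ratio = rates[g] / reference
        if n < min_n:
            status = "insufficient sample"
        elif ratio < FOUR_FIFTHS:
            status = "investigate"
        else:
            status = "pass"
        report[g] = {"applicants": n, "selected": selected[g],
                     "rate": rates[g], "impact_ratio": ratio, "status": status}
    return report

def build_sample(counts):
    """Expand {(sex, race): (applicants, selected)} into per-candidate rows."""
    return [{"sex": s, "race": r, "selected": i < sel}
            for (s, r), (n, sel) in counts.items() for i in range(n)]

# Constructed figures for one screening stage; not real audit data.
SAMPLE = build_sample({
    ("male", "white"): (200, 80), ("female", "white"): (200, 72),
    ("male", "black"): (100, 36), ("female", "black"): (100, 26),
    ("female", "asian"): (4, 3),
})

if __name__ == "__main__":
    for view in (("sex",), ("sex", "race")):
        print(view)
        for group, row in sorted(impact_ratios(SAMPLE, view).items()):
            print(f"  {group}: n={row['applicants']} rate={row['rate']:.2f} "
                  f"ratio={row['impact_ratio']:.2f} {row['status']}")
```

On this constructed data the sex-only view clears the four-fifths line while one intersectional pair falls below it, which is the divergence the paragraph above describes.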

Plain-language reporting matters because the audit summary lands with non-specialist readers — recruiters, line managers, candidates. The metric is "for every 100 of group A who got through, X of group B got through" — and the audit needs to land that number in language a non-statistician can act on. Auditor jargon does not survive the conversation with the HR team.

What to do when the vendor refuses audit data

A vendor that refuses to supply audit data is itself an audit finding. The first move is to escalate inside the vendor — the procurement contact rarely has the authority; the customer-success or compliance contact often does. Cite NYC LL144's auditor-data requirement, or the EU AI Act Article 13 transparency duty if the vendor is providing a high-risk system into the EU.

If the escalation fails, the vendor's refusal is the upstream control problem — and the bridge to the AI vendor assessment. A vendor that will not supply audit data should not have passed assessment in the first place; if you are running the audit on a tool already in production, the vendor assessment needs to be re-run with audit-data supply as a hard floor. The auditor cannot certify a tool whose evidence chain is broken.

Publishing the summary

NYC LL144 requires the employer to publish the bias audit summary on the careers website where the tool is used, with the date of the audit and the impact ratios named. The publication is the audit's enforcement mechanism — candidates and the public can see the result. The summary stays up until the next annual audit replaces it.

Practitioner note: the published summary is the audit's public face, and the legal team typically wants final sign-off. Build in two weeks of review between the auditor's draft and the publish date. The upstream policy context for this work is the employee AI guidelines rollout guide.

FAQ

Q1. Who needs an AI bias audit? Any employer using an automated employment decision tool to screen, rank, or select candidates in New York City must complete an independent annual bias audit under NYC Local Law 144. From December 2027, the EU AI Act extends parallel obligations to employers placing or using recruitment AI on the EU market.

Q2. What does a bias audit measure? The selection rate for each protected group divided by the selection rate of the most-selected group — known as the impact ratio. NYC Local Law 144 also requires intersectional analysis (for example, the selection rate for Black women compared to the selection rate for white men).

Q3. How often must a bias audit be done? NYC Local Law 144 requires an audit within 12 months of first use, and annually thereafter. The NYC DCWP final rules on AEDTs specify that the summary must be published on the employer's website.

Q4. Who can perform a bias audit? An independent third party — neither the employer nor the vendor that supplied the tool. Responsible AI Studio (RAIS) publishes an AI Bias Audit Framework that helps you scope the audit and gives an independent assessor a 34-item checklist plus a fairness-testing protocol to work from.


A bias audit is the most jurisdiction-specific artefact in the employee-AI programme. RAIS tools amplify your in-house expertise — the 14-jurisdiction protected-attribute map, the metric definitions, and the publication-summary template — so HR and compliance teams can scope the audit, brief the auditor, and read the result without re-learning each regime from scratch.
