Skip to content

Computer Says No to Compliance: 72% of Companies Using Illegal AI Hiring

Sotiris SpyrouUpdated on

Share this article

LinkedInXEmail
Computer Says No to Compliance: 72% of Companies Using Illegal AI Hiring

Many companies don't know their AI hiring practices fall short of new laws. When regulators audit, will your system pass?

Introduction

A growing number of companies using AI hiring systems are, in practice, out of step with at least one applicable regulation, often without realising it.

While companies debate whether AI hiring regulation will happen, enforcement is already here. Regulators aren't waiting for companies to figure it out. They're conducting audits, issuing fines, and setting precedents that will matter for non-compliant companies for years.

The Compliance Gap

In our advisory work, the pattern shows up again and again: organisations assume their AI hiring tools are compliant because a vendor said so, without an internal audit ever having checked the specifics against the regulations that actually apply to them. The common gaps we see are consistent across sectors: missing documentation, no regular bias testing, inadequate candidate disclosure, and little to no internal compliance review.

What "Illegal AI Hiring" Actually Means

Many companies assume "illegal AI hiring" means obviously discriminatory systems. The reality is more nuanced and, for compliance purposes, more demanding:

The Categories of Violation That Matter Most

Documentation failures

  • Missing required algorithm documentation

  • Inadequate risk assessments

  • No impact analysis documentation

  • Insufficient training data records

Audit failures

  • No regular bias testing

  • Missing required third-party audits

  • Inadequate statistical analysis

  • No demographic impact studies

Disclosure failures

  • Not informing candidates about AI use

  • Insufficient transparency about decision factors

  • Missing candidate rights notifications

  • No clear appeal processes

Oversight failures

  • Inadequate human review processes

  • No meaningful human control

  • Missing escalation procedures

  • Automated decision-making without human oversight

Where Companies Get Caught

Different jurisdictions focus on different violations:

New York City (Local Law 144)

Common violations:

  • Failure to conduct required annual bias audits

  • Not publishing required audit statistics

  • Missing candidate disclosure

California

Common violations:

  • No algorithmic impact assessment

  • Insufficient candidate rights provision

  • Missing transparency documentation

European Union (AI Act)

Common violations:

  • Inadequate conformity assessment for high-risk AI systems used in employment

  • Insufficient human oversight

Potential penalties: Under the EU AI Act, breaches involving high-risk systems (which include AI used in recruitment and employment decisions) can attract fines of up to EUR 15 million or 3% of global annual turnover, whichever is higher, and up to EUR 35 million or 7% for the most serious prohibited-practice breaches.

The "We Didn't Know" Defense Doesn't Work

Companies consistently reach for three defenses that regulators consistently reject:

Defense 1: "Our Vendor Handles Compliance"

Reality: The company using the AI system is generally liable, not the vendor. Regulation: Most laws place the compliance obligation on the "deployer" of the system, not just its developer. A vendor's assurances don't remove the employer's own duty to verify and document compliance.

Defense 2: "We're Not Discriminating Intentionally"

Reality: Impact matters more than intent under most employment discrimination frameworks. Legal principle: Disparate impact doctrine, well established in employment law, applies to AI-driven hiring decisions just as it applies to any other selection process.

Defense 3: "We're Based Outside Regulated Jurisdictions"

Reality: Most AI hiring laws have extraterritorial reach. Application: Processing candidates who live in or apply from a regulated jurisdiction can trigger that jurisdiction's compliance requirements, regardless of where the hiring company is based.

The Audit Reality: When Regulators Come Calling

Regulatory audits of AI hiring systems follow predictable patterns:

Phase 1: Document Request (Week 1-2)

  • Algorithm documentation

  • Training data records

  • Bias testing results

  • Impact assessments

  • Disclosure processes

Phase 2: Technical Testing (Week 3-6)

  • Independent bias analysis

  • Performance validation

  • Discrimination testing

  • Appeal process review

Phase 3: Findings and Penalties (Week 7-12)

  • Compliance determination

  • Penalty calculation

  • Remediation requirements

  • Public disclosure (often required)

Average Timeline: 12-16 weeks from initial contact to final determination

Who's Most at Risk

Technology Companies

Common violations:

  • Over-reliance on historical data containing bias

  • Insufficient testing for edge cases

  • Lack of transparent decision-making processes

  • No meaningful human oversight

Financial Services

Common violations:

  • Inadequate documentation of risk assessments

  • Missing required audits

  • Insufficient candidate disclosure

  • Discrimination based on financial indicators

Healthcare

Common violations:

  • Using AI for roles requiring regulatory credentials without proper validation

  • Insufficient bias testing across protected classes

  • Missing impact assessments for workforce decisions

Retail/Hospitality

Common violations:

  • No candidate notification of AI use

  • Inadequate testing for discriminatory outcomes

  • Missing required statistical disclosures

The Cost of Getting Caught

Regulatory penalties are just the tip of the iceberg. Under the EU AI Act, breaches involving high-risk employment AI systems can reach EUR 15 million or 3% of global turnover, and up to EUR 35 million or 7% for the most serious breaches. Local and state-level hiring laws in the US carry their own per-violation penalty structures, which vary by jurisdiction.

Beyond the direct fine, the indirect costs are often larger: legal fees for major cases, remediation costs to fix or replace non-compliant systems, third-party audit expenses, lost productivity during a regulatory investigation, and lasting reputational damage to the employer brand. A relatively modest initial fine can be the smallest line item in the total cost of a compliance failure.

The Enforcement Pattern: How Regulators Choose Targets

Regulators don't audit randomly. They target companies based on:

High-Profile Indicators

  • Discrimination complaints

  • Media attention on hiring practices

  • Whistleblower reports

  • Academic studies citing company practices

Market Position

  • Industry leaders (to set examples)

  • Companies with significant market share

  • Organizations with public diversity commitments

  • High-visibility employers

Previous Violations

  • History of employment law issues

  • Previous AI-related complaints

  • Pattern of regulatory non-compliance

  • Public statements about AI use

Random Selection

  • Sector-wide audits

  • Geographic sweeps

  • Technology platform reviews

  • Annual compliance checks

Warning Signs You're Next

Internal Red Flags

  • No regular bias testing of AI systems

  • HR team unclear on AI hiring regulations

  • Legal team hasn't reviewed AI compliance

  • No documentation of AI decision-making processes

  • Vendors can't provide compliance certifications

External Indicators

  • Candidate complaints about unfair treatment

  • Academic research citing your hiring practices

  • Journalist inquiries about AI in hiring

  • Regulatory inquiries from any jurisdiction

  • Industry associations highlighting your practices

The Emergency Compliance Action Plan

If you suspect non-compliance:

Immediate Actions (This Week)

  1. Stop using non-compliant AI for hiring decisions

  2. Conduct emergency compliance audit

  3. Document current state of all AI hiring systems

  4. Engage specialized legal counsel

  5. Prepare for potential regulatory contact

Short-term Remediation (30-60 Days)

  1. Complete comprehensive audit of all jurisdictions

  2. Fix obvious compliance gaps

  3. Implement required documentation

  4. Establish human oversight processes

  5. Train relevant staff on compliance requirements

Long-term Compliance (3-12 Months)

  1. Redesign systems for ongoing compliance

  2. Implement continuous monitoring

  3. Establish regular audit schedule

  4. Create compliance governance framework

  5. Build relationships with regulators

What Good Compliance Looks Like

The companies that stay ahead of AI hiring regulation share several characteristics:

Proactive Approach

  • Started compliance efforts before being regulated

  • Implemented highest standards globally

  • Regular third-party audits

  • Continuous monitoring systems

Technical Excellence

  • Bias testing built into development process

  • Documentation maintained from day one

  • Human oversight by design

  • Regular retraining with clean data

Cultural Commitment

  • Executive-level compliance ownership

  • Cross-functional compliance teams

  • Regular compliance training

  • Compliance metrics in performance reviews

Conclusion: Don't Wait for the Audit

If your organisation hasn't run a proper internal audit of its AI hiring systems, you're not alone. But that doesn't mean you're safe.

Regulatory enforcement is accelerating. Penalties are increasing. And public scrutiny of AI hiring is intensifying.

The question isn't whether you'll eventually face a regulatory audit. The question is whether you'll pass it.

Fix your compliance now, before a regulator or a candidate complaint forces the issue.

In our advisory work, we help organisations run that internal audit and close the gaps before regulators find them. Get in touch to talk it through.

More on how we approach it: AI governance and compliance help.

Frequently asked questions

What counts as an "illegal" AI hiring system?

An AI hiring system becomes non-compliant when it fails to meet the specific legal requirements of the jurisdictions it operates in, such as required bias audits, candidate disclosure, documentation, or human oversight. It doesn't need to be intentionally discriminatory to be in violation; missing paperwork or a skipped audit is enough to breach most current laws.

Is my company liable if the AI hiring vendor caused the problem?

In most current regulatory frameworks, the company using the AI system (the "deployer") carries the compliance obligation, not just the vendor that built it. Relying on a vendor's assurances doesn't remove the employer's own duty to verify and document compliance.

Do we need to worry about this if we only hire in one country?

Possibly not, but many of these laws have reach beyond their home jurisdiction if you're evaluating candidates who live or apply from a regulated area. A company based outside a regulated jurisdiction can still fall under its rules if it processes applications from candidates within it.

What's the first step to checking compliance?

Start with an internal audit: list every AI tool used anywhere in the hiring process, then check each one against the specific documentation, disclosure, and bias-testing requirements of every jurisdiction where you have candidates. Gaps found this way are far cheaper to fix than gaps found by a regulator.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI