Computer Says No to Compliance: 72% of Companies Using Illegal AI Hiring

Many companies don't know their AI hiring practices fall short of new laws. When regulators audit, will your system pass?
Introduction
A growing number of companies using AI hiring systems are, in practice, out of step with at least one applicable regulation, often without realising it.
While companies debate whether AI hiring regulation will happen, enforcement is already here. Regulators aren't waiting for companies to figure it out. They're conducting audits, issuing fines, and setting precedents that will matter for non-compliant companies for years.
The Compliance Gap
In our advisory work, the pattern shows up again and again: organisations assume their AI hiring tools are compliant because a vendor said so, without an internal audit ever having checked the specifics against the regulations that actually apply to them. The common gaps we see are consistent across sectors: missing documentation, no regular bias testing, inadequate candidate disclosure, and little to no internal compliance review.
What "Illegal AI Hiring" Actually Means
Many companies assume "illegal AI hiring" means obviously discriminatory systems. The reality is more nuanced and, for compliance purposes, more demanding:
The Categories of Violation That Matter Most
Documentation failures
Missing required algorithm documentation
Inadequate risk assessments
No impact analysis documentation
Insufficient training data records
Audit failures
No regular bias testing
Missing required third-party audits
Inadequate statistical analysis
No demographic impact studies
Disclosure failures
Not informing candidates about AI use
Insufficient transparency about decision factors
Missing candidate rights notifications
No clear appeal processes
Oversight failures
Inadequate human review processes
No meaningful human control
Missing escalation procedures
Automated decision-making without human oversight
Where Companies Get Caught
Different jurisdictions focus on different violations:
New York City (Local Law 144)
Common violations:
Failure to conduct required annual bias audits
Not publishing required audit statistics
Missing candidate disclosure
California
Common violations:
No algorithmic impact assessment
Insufficient candidate rights provision
Missing transparency documentation
European Union (AI Act)
Common violations:
Inadequate conformity assessment for high-risk AI systems used in employment
Insufficient human oversight
Potential penalties: Under the EU AI Act, breaches involving high-risk systems (which include AI used in recruitment and employment decisions) can attract fines of up to EUR 15 million or 3% of global annual turnover, whichever is higher, and up to EUR 35 million or 7% for the most serious prohibited-practice breaches.
The "We Didn't Know" Defense Doesn't Work
Companies consistently reach for three defenses that regulators consistently reject:
Defense 1: "Our Vendor Handles Compliance"
Reality: The company using the AI system is generally liable, not the vendor. Regulation: Most laws place the compliance obligation on the "deployer" of the system, not just its developer. A vendor's assurances don't remove the employer's own duty to verify and document compliance.
Defense 2: "We're Not Discriminating Intentionally"
Reality: Impact matters more than intent under most employment discrimination frameworks. Legal principle: Disparate impact doctrine, well established in employment law, applies to AI-driven hiring decisions just as it applies to any other selection process.
Defense 3: "We're Based Outside Regulated Jurisdictions"
Reality: Most AI hiring laws have extraterritorial reach. Application: Processing candidates who live in or apply from a regulated jurisdiction can trigger that jurisdiction's compliance requirements, regardless of where the hiring company is based.
The Audit Reality: When Regulators Come Calling
Regulatory audits of AI hiring systems follow predictable patterns:
Phase 1: Document Request (Week 1-2)
Algorithm documentation
Training data records
Bias testing results
Impact assessments
Disclosure processes
Phase 2: Technical Testing (Week 3-6)
Independent bias analysis
Performance validation
Discrimination testing
Appeal process review
Phase 3: Findings and Penalties (Week 7-12)
Compliance determination
Penalty calculation
Remediation requirements
Public disclosure (often required)
Average Timeline: 12-16 weeks from initial contact to final determination
Who's Most at Risk
Technology Companies
Common violations:
Over-reliance on historical data containing bias
Insufficient testing for edge cases
Lack of transparent decision-making processes
No meaningful human oversight
Financial Services
Common violations:
Inadequate documentation of risk assessments
Missing required audits
Insufficient candidate disclosure
Discrimination based on financial indicators
Healthcare
Common violations:
Using AI for roles requiring regulatory credentials without proper validation
Insufficient bias testing across protected classes
Missing impact assessments for workforce decisions
Retail/Hospitality
Common violations:
No candidate notification of AI use
Inadequate testing for discriminatory outcomes
Missing required statistical disclosures
The Cost of Getting Caught
Regulatory penalties are just the tip of the iceberg. Under the EU AI Act, breaches involving high-risk employment AI systems can reach EUR 15 million or 3% of global turnover, and up to EUR 35 million or 7% for the most serious breaches. Local and state-level hiring laws in the US carry their own per-violation penalty structures, which vary by jurisdiction.
Beyond the direct fine, the indirect costs are often larger: legal fees for major cases, remediation costs to fix or replace non-compliant systems, third-party audit expenses, lost productivity during a regulatory investigation, and lasting reputational damage to the employer brand. A relatively modest initial fine can be the smallest line item in the total cost of a compliance failure.
The Enforcement Pattern: How Regulators Choose Targets
Regulators don't audit randomly. They target companies based on:
High-Profile Indicators
Discrimination complaints
Media attention on hiring practices
Whistleblower reports
Academic studies citing company practices
Market Position
Industry leaders (to set examples)
Companies with significant market share
Organizations with public diversity commitments
High-visibility employers
Previous Violations
History of employment law issues
Previous AI-related complaints
Pattern of regulatory non-compliance
Public statements about AI use
Random Selection
Sector-wide audits
Geographic sweeps
Technology platform reviews
Annual compliance checks
Warning Signs You're Next
Internal Red Flags
No regular bias testing of AI systems
HR team unclear on AI hiring regulations
Legal team hasn't reviewed AI compliance
No documentation of AI decision-making processes
Vendors can't provide compliance certifications
External Indicators
Candidate complaints about unfair treatment
Academic research citing your hiring practices
Journalist inquiries about AI in hiring
Regulatory inquiries from any jurisdiction
Industry associations highlighting your practices
The Emergency Compliance Action Plan
If you suspect non-compliance:
Immediate Actions (This Week)
Stop using non-compliant AI for hiring decisions
Conduct emergency compliance audit
Document current state of all AI hiring systems
Engage specialized legal counsel
Prepare for potential regulatory contact
Short-term Remediation (30-60 Days)
Complete comprehensive audit of all jurisdictions
Fix obvious compliance gaps
Implement required documentation
Establish human oversight processes
Train relevant staff on compliance requirements
Long-term Compliance (3-12 Months)
Redesign systems for ongoing compliance
Implement continuous monitoring
Establish regular audit schedule
Create compliance governance framework
Build relationships with regulators
What Good Compliance Looks Like
The companies that stay ahead of AI hiring regulation share several characteristics:
Proactive Approach
Started compliance efforts before being regulated
Implemented highest standards globally
Regular third-party audits
Continuous monitoring systems
Technical Excellence
Bias testing built into development process
Documentation maintained from day one
Human oversight by design
Regular retraining with clean data
Cultural Commitment
Executive-level compliance ownership
Cross-functional compliance teams
Regular compliance training
Compliance metrics in performance reviews
Conclusion: Don't Wait for the Audit
If your organisation hasn't run a proper internal audit of its AI hiring systems, you're not alone. But that doesn't mean you're safe.
Regulatory enforcement is accelerating. Penalties are increasing. And public scrutiny of AI hiring is intensifying.
The question isn't whether you'll eventually face a regulatory audit. The question is whether you'll pass it.
Fix your compliance now, before a regulator or a candidate complaint forces the issue.
In our advisory work, we help organisations run that internal audit and close the gaps before regulators find them. Get in touch to talk it through.
More on how we approach it: AI governance and compliance help.
Frequently asked questions
What counts as an "illegal" AI hiring system?
An AI hiring system becomes non-compliant when it fails to meet the specific legal requirements of the jurisdictions it operates in, such as required bias audits, candidate disclosure, documentation, or human oversight. It doesn't need to be intentionally discriminatory to be in violation; missing paperwork or a skipped audit is enough to breach most current laws.
Is my company liable if the AI hiring vendor caused the problem?
In most current regulatory frameworks, the company using the AI system (the "deployer") carries the compliance obligation, not just the vendor that built it. Relying on a vendor's assurances doesn't remove the employer's own duty to verify and document compliance.
Do we need to worry about this if we only hire in one country?
Possibly not, but many of these laws have reach beyond their home jurisdiction if you're evaluating candidates who live or apply from a regulated area. A company based outside a regulated jurisdiction can still fall under its rules if it processes applications from candidates within it.
What's the first step to checking compliance?
Start with an internal audit: list every AI tool used anywhere in the hiring process, then check each one against the specific documentation, disclosure, and bias-testing requirements of every jurisdiction where you have candidates. Gaps found this way are far cheaper to fix than gaps found by a regulator.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI