53% of Companies Using AI Hiring Tools May Already Be Breaking the Law — Here's What the Audit Found, and What Defensible Compliance Actually Requires
When New York City passed Local Law 144 to regulate automated employment decision tools, employers were told the rules were clear: conduct annual bias audits, publish results, notify candidates. Simple enough. But a December 2025 audit by the NYC Comptroller's office revealed that the gap between the law on paper and enforcement in practice is far wider than anyone assumed — and it is putting companies at serious legal risk.
Of the 32 companies that the Department of Consumer and Worker Protection (DCWP) had reviewed, the Comptroller's auditors found at least 17 with potential Local Law 144 violations. DCWP, the agency responsible for enforcement, had identified just one. Meanwhile, 75% of the complaints about AEDTs submitted through NYC's 311 service line were misrouted and never reached the enforcement agency at all (NYC Comptroller Audit, December 2025).
The takeaway for HR leaders is counterintuitive: weak enforcement does not mean low risk. It means that when enforcement does catch up — and it will — the companies that assumed silence meant compliance will be the most exposed.
The Enforcement Gap Is About to Close
The Comptroller's findings triggered immediate attention from employment law firms. DLA Piper's January 2026 analysis warned that the audit "signals increased risk for employers" and predicted that DCWP will face political pressure to ramp up enforcement actions. The firm advised employers to treat the audit as a "wake-up call" to review their AEDT compliance documentation proactively — before investigators arrive, not after (DLA Piper, January 2026).
And New York is no longer operating in isolation. The EU AI Act lists AI used for recruitment, candidate screening and evaluation among its Annex III high-risk use cases, with the high-risk obligations taking effect on August 2, 2026, now less than 15 weeks away. Penalties for breaching the high-risk obligations reach up to EUR 15 million or 3% of worldwide annual turnover, whichever is higher. The required documentation includes risk assessments, technical documentation, bias testing, human oversight mechanisms, transparency disclosures, and continuous monitoring, with most of the authoring burden on the provider of the tool and the oversight and monitoring burden on the employer deploying it (EU AI Act Recruiting Compliance Guide, Ross Saunders).
For companies operating across jurisdictions — which, in 2026, describes most enterprises — the compliance surface has expanded dramatically. The question is no longer whether your AI hiring tools need documentation. It is whether your documentation would survive scrutiny.
What Defensible Compliance Documentation Actually Requires
Based on the NYC Comptroller findings and the EU AI Act framework, defensible compliance for AI hiring tools now requires documentation across five areas:
1. Bias audit and testing records
Under LL144, a bias audit by an independent auditor conducted within one year before the tool is used, reporting selection or scoring rates and impact ratios by sex, race/ethnicity and the intersectional combinations of the two, with a summary of the results published on the employer's website. Under the EU AI Act, ongoing bias testing with documented methodology, datasets used, and results: not just a summary, but auditable records showing how disparate impact was measured and what thresholds triggered remediation (NYC LL144 Compliance Checklist, VerifyWise).
2. Human oversight architecture
The EU AI Act (Article 14) requires that high-risk AI systems be designed so that the people assigned to oversee them can understand and monitor the output and can decide not to use it, disregard it, override it, or reverse it. For hiring tools, this means documenting who reviews AI recommendations, what information they see, and the process by which they override, modify, or reject a recommendation. Note that LL144 asks a different question: a tool is an AEDT when its output is used to substantially assist or replace discretionary decision making, so a recruiter making the final call does not by itself take a tool out of scope if its score is the sole, dominant, or overriding factor in that call.
3. Technical documentation and risk assessments
Under the EU AI Act, the provider of a high-risk AI system must maintain technical documentation (Annex IV) covering the system's intended purpose, capabilities, limitations, and performance metrics, and must run a risk management system (Article 9) that identifies risks to health, safety and fundamental rights, including employment discrimination. An employer deploying a vendor's tool should obtain this documentation from the provider and keep it on file rather than attempt to author it second-hand.
4. Transparency disclosures
Both LL144 and the EU AI Act require candidate-facing disclosures. LL144 requires notice at least ten business days before the tool is used, stating the job qualifications and characteristics the tool assesses, with information about the data types collected, their source and the retention policy available on request. Under the EU AI Act, candidates must be told that an AI system is involved and, under Article 86, can request an explanation of the system's role in a decision that affects them; the separate right to "meaningful information about the logic involved" comes from the GDPR's transparency and automated-decision provisions (Articles 13 to 15 and 22) and applies alongside it.
5. Continuous monitoring and incident response
The EU AI Act requires post-market monitoring of high-risk AI systems by the provider (Article 72) and reporting of serious incidents (Article 73); deployers must monitor the system's operation according to the provider's instructions and inform the provider when they detect a serious incident or a risk to health, safety or fundamental rights (Article 26). Annual audits alone are insufficient; compliance requires evidence of continuous oversight and a documented incident response path between employer and vendor.
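The bias audit records in item 1 above hinge on one calculation: the impact ratio. The following is an added example, not code from the article or from any vendor it names, that computes the ratios an LL144 audit reports over a constructed applicant table. Under the DCWP rules, for a tool that selects candidates a category's impact ratio is its selection rate divided by the selection rate of the category with the highest rate; for a tool that scores candidates, the same division is done on the scoring rate, the share of a category scoring above the sample's median score. The 0.8 remediation threshold is an assumption borrowed from the EEOC four-fifths rule; LL144 requires the ratios to be published but sets no threshold, and the applicant numbers are invented to exercise the arithmetic.

```python
from collections import Counter
from statistics import median

# Constructed sample: (sex, race_ethnicity, score, selected).  Four groups of
# ten applicants with hypothetical scores; the top n_selected of each group
# are marked as selected.  Numbers are made up for the example.
def _group(sex, race, scores, n_selected):
    ranked = sorted(scores, reverse=True)
    return [(sex, race, s, i < n_selected) for i, s in enumerate(ranked)]

SAMPLE = (
    _group("male", "A", [90, 85, 80, 75, 70, 65, 60, 55, 50, 45], 6)
    + _group("female", "A", [88, 83, 78, 73, 68, 58, 53, 48, 43, 38], 5)
    + _group("male", "B", [86, 81, 76, 71, 61, 56, 51, 46, 41, 36], 4)
    + _group("female", "B", [84, 79, 64, 59, 54, 49, 44, 39, 34, 29], 2)
)

# LL144 requires the breakdown by sex, by race/ethnicity, and intersectionally.
CATEGORIES = {
    "sex": lambda r: r[0],
    "race_ethnicity": lambda r: r[1],
    "sex x race_ethnicity": lambda r: f"{r[0]}/{r[1]}",
}

# Assumed threshold (EEOC four-fifths rule), not part of LL144 itself.
FOUR_FIFTHS = 0.8


def rates(rows, key, positive):
    """Fraction of each category for which positive(row) holds."""
    total, hits = Counter(), Counter()
    for r in rows:
        total[key(r)] += 1
        if positive(r):
            hits[key(r)] += 1
    return {c: hits[c] / total[c] for c in total}


def selection_rates(rows, key):
    """Selection rate: share of the category the tool selected."""
    return rates(rows, key, lambda r: r[3])


def scoring_rates(rows, key):
    """Scoring rate: share of the category scoring above the sample median."""
    cutoff = median([r[2] for r in rows])
    return rates(rows, key, lambda r: r[2] > cutoff)


def impact_ratios(rate_by_category):
    """Each category's rate divided by the highest category rate."""
    best = max(rate_by_category.values())
    if best == 0:
        # Nobody selected or scored above median: ratios are undefined.
        return {c: float("nan") for c in rate_by_category}
    return {c: r / best for c, r in rate_by_category.items()}


def audit(rows, threshold=FOUR_FIFTHS):
    """Impact ratios for every category and output type, with flags below
    the (assumed) remediation threshold.  Keyed by (category, rate kind)."""
    report = {}
    for name, key in CATEGORIES.items():
        for kind, fn in (("selection", selection_rates), ("scoring", scoring_rates)):
            ratios = impact_ratios(fn(rows, key))
            report[(name, kind)] = {
                "impact_ratios": ratios,
                "flagged": sorted(c for c, v in ratios.items() if v < threshold),
            }
    return report


if __name__ == "__main__":
    for (name, kind), result in audit(SAMPLE).items():
        shown = {c: round(v, 3) for c, v in result["impact_ratios"].items()}
        print(f"{name:22s} {kind:9s} {shown}  flagged={result['flagged']}")
```

Both rate kinds are computed because many AI screeners emit a score rather than a yes/no, and the scoring-rate version can flag a category that the selection-rate version does not (in this sample, female/A passes on selection but fails on scoring). An auditable record is the table the script prints plus the input data, the median used as the cutoff, and the threshold applied, so that the calculation can be rerun by an independent auditor.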
What Documented Compliance Looks Like in Practice
Meeting these five requirements is the baseline. But the operational challenge for most HR teams is translating regulatory language into vendor evaluation criteria. What does a compliant AI hiring tool actually look like?
OVI provides a concrete reference point. The platform operates with 59 documented security controls and a publicly accessible Trust & Compliance Center that maps its architecture to specific regulatory requirements.
Three architectural decisions are particularly relevant to the compliance documentation requirements above:
Human-in-the-loop by design. OVI's AI provides decision-support only; all final hiring decisions remain with the recruiter. This reduces AEDT exposure under NYC Local Law 144 but does not remove it on its own: the law's definition turns on whether the tool's output is used to substantially assist or replace discretionary decision making, so an employer that treats the score as the deciding or dominant factor should still plan for the bias audit and candidate notice obligations. Under the EU AI Act, documented human oversight is a core requirement for high-risk systems; OVI's architecture addresses this structurally rather than as an afterthought.
No biometric analysis. OVI uses audio-only screening chats, not video interviews. Voice characteristics, facial recognition, and emotion detection are not used; analysis is based on transcript content only. This removes an entire category of risk under both the GDPR's special-category rules for biometric data (Article 9) and the EU AI Act's Article 5 prohibition on inferring emotions in the workplace, although the recordings and transcripts themselves remain personal data subject to the ordinary GDPR obligations.
Documented regulatory alignment. OVI's compliance posture aligns with GDPR (with a DPA and Standard Contractual Clauses available for EU/UK candidates) and the UAE PDPL, states EU AI Act readiness ahead of the August 2026 deadline, and follows security practices modeled on SOC 2 Type II and ISO 27001 controls (alignment with those standards, not a stated certification). That is an unusually documented posture for a startup at its price point, with plans starting at $99/month, which makes documented compliance accessible to mid-market employers and not only to enterprises with dedicated legal teams.
The Bottom Line for HR Leaders
The NYC Comptroller audit exposed a gap that employment lawyers have been warning about: the distance between believing you are compliant and being able to prove it. With the EU AI Act deadline 15 weeks away and U.S. enforcement tightening, the time to audit your AI hiring tools' documentation is now — not when the investigation letter arrives.
Three immediate actions:
Audit your current vendor's documentation against the five requirements above. If your vendor cannot produce bias audit records, human oversight documentation, technical risk assessments, transparency disclosures, and monitoring evidence, you have a compliance gap.
Map your tools to jurisdictional requirements. If you operate in NYC, the EU, or the UAE, your AI hiring tools are subject to specific documentation mandates. Vendors that can demonstrate alignment across multiple frameworks — as OVI does through its Trust & Compliance Center — reduce your cross-jurisdictional risk.
Prioritize human-in-the-loop architecture in vendor evaluation. Keeping AI outputs advisory, with documented recruiter override capabilities, is the strongest lever for narrowing AEDT exposure under LL144 and is a mandatory design feature of any high-risk system under the EU AI Act's Article 14. It does not change the EU classification itself, which attaches to the recruitment use case, so it should be treated as a required control rather than as an exemption.
The companies that treated weak enforcement as permission to defer compliance will be the case studies other HR leaders learn from. The companies that documented their compliance posture proactively will be the ones still hiring.