Six US regulations now govern AI in employment decisions. They don't agree on terminology. They don't agree on who's liable. They don't agree on what compliance looks like. For an HR tech vendor selling into multiple states, or an enterprise employer hiring across jurisdictions, that patchwork creates a compliance burden no single statute solves.
NYC Local Law 144 was the first US law to directly regulate AI in hiring, and it remains the only one mandating an annual independent bias audit by name. Colorado, California, and Illinois have followed with different structural choices — disclosure-and-human-review (Colorado), anti-discrimination overlay (California FEHA), transparency rights (California CCPA), and direct accountability for adverse impact (Illinois). A December 2025 federal preemption executive order promises to flatten the patchwork, but its scope is being tested in court — xAI's constitutional challenge to Colorado's law, which the DOJ has joined — and the outcome won't be clear until 2027 or beyond.
This guide walks through what each US regulation requires, compares them across substantive dimensions, and offers a multi-jurisdiction compliance playbook. For EU AI Act obligations, see our EU AI Act resources.
Key Takeaways
- Six US regulations cover AI in hiring under different terminology — AEDT (NYC LL 144), ADMT (CA CCPA and CO SB 26-189), ADS (CA FEHA), Predictive Data Analytics + AI (IL HB 3773), and automated employment-related decision technology (CT SB 5). Tool classification matters before compliance analysis.
- NYC LL 144 is the only US regulation mandating an annual independent bias audit by name. Colorado, California, and Illinois create discrimination liability that independent audits defend against, but don't require the audit itself.
- Colorado SB 26-189 is the only US regulation explicitly imposing direct obligations on both developers (HR tech vendors) and deployers (employers) in a dual structure. Every other US regulation places primary obligations on employers and pulls vendors in indirectly.
- California operates two distinct compliance tracks for AI in employment: FEHA (anti-discrimination, enforced by the Civil Rights Department) and CCPA/CPRA (automated decision-making transparency, enforced by the California Privacy Protection Agency). Compliance with one does not satisfy the other.
- Connecticut SB 5 writes the bias-audit value proposition into statute: using an AI tool is not a defense to a discrimination claim, but courts and the Connecticut Commission on Human Rights and Opportunities are directed to weigh anti-bias testing as a mitigating factor — making documented, recent audits an express statutory mitigation.
- The December 2025 federal preemption EO creates uncertainty about how state laws will be enforced going forward. Independent bias audits are preemption-resistant — they defend against discrimination liability under federal Title VII regardless of which state statutes survive.
The Patchwork Problem
Six US regulations now govern AI in employment decisions. They emerged within roughly three years of each other, none of them was designed to fit alongside the others, and each one reflects the specific concerns of its regulator. NYC's Department of Consumer and Worker Protection came at it from the consumer-protection angle. Colorado's legislature originally framed it as a high-risk-AI-systems question, since rewritten as an ADMT statute under SB 26-189. California's Civil Rights Council layered AI tools into the existing anti-discrimination framework, while California's Privacy Protection Agency treated the same technology as an automated decision-making transparency question. Illinois amended its Human Rights Act to add employment AI explicitly. Connecticut followed with the CART Act (SB 5), a comprehensive consumer-employment-government AI statute built around transparency and enforced by its Attorney General.
For an HR tech vendor selling into multiple states, or an enterprise employer hiring across jurisdictions, that patchwork creates a compliance burden that isn't solvable by reading any single statute. Each regulation uses its own definitional bucket for the regulated technology, its own trigger conditions, its own required actions, and its own enforcement mechanism. The federal preemption EO signed in December 2025 promises to flatten the patchwork, but its scope is being tested in court (xAI's constitutional challenge to Colorado's law, which the DOJ has joined), and the outcome won't be clear until 2027 or beyond.
In the meantime, employers and HR tech vendors need a baseline that satisfies the highest-bar jurisdictions while remaining defensible if the patchwork persists. The sections below cover each US regulation, compare them across substantive dimensions, and offer an operational playbook.
NYC Local Law 144
NYC Local Law 144 was the first US law to directly regulate AI in hiring. The statute took effect January 1, 2023, with enforcement by NYC DCWP beginning July 5, 2023 after a six-month grace period. It applies to any employer or employment agency using an Automated Employment Decision Tool (AEDT) for a role connected to New York City — including remote roles filled by city residents and remote roles posted from an NYC office.
The law has three core obligations: an annual independent bias audit measuring impact ratios across sex and race/ethnicity (including intersectional analysis); public disclosure of a summary of the most recent audit on the employer's website; and a candidate notice provided at least 10 business days before the AEDT is used, with the right to request an alternative selection process. Penalties run from $500 for a first violation to $1,500 per day for each day a non-compliant AEDT remains in use. For the full employer walkthrough, see our Employer's Guide to the NYC Bias Audit Law. For the AEDT definitional deep-dive, see Automated Employment Decision Tools (AEDT) Under NYC LL 144.
The December 2025 NY State Comptroller audit of DCWP enforcement concluded the agency had been enforcing the law ineffectively, and DCWP has since formalized its enforcement procedures and adopted an internal Enforcement Workbook. Employment-law practices including DLA Piper have advised clients to expect tighter enforcement through 2026 and beyond.
Colorado SB 26-189
Colorado SB 26-189 replaced Colorado's earlier SB 24-205 statute in May 2026 and takes effect January 1, 2027. Rather than mandating a bias audit, SB 26-189 uses a disclosure-and-human-review model: covered employers must disclose to candidates when AI is used in employment decisions and must provide a human-review pathway for adverse decisions. The Colorado Attorney General enforces the statute exclusively — violations are deceptive trade practices under the Colorado Consumer Protection Act. SB 26-189 creates no private right of action; candidates cannot sue under the statute itself, though they retain discrimination claims under other state and federal laws. (Enforcement is currently stayed pending the xAI litigation — see The Federal Preemption Variable below.)
The distinguishing feature of Colorado's regulation is its dual developer/deployer structure. Most US AI hiring laws regulate the employer (deployer) directly and pull HR tech vendors (developers) in indirectly through procurement diligence, aiding-and-abetting theories, or the Mobley v. Workday agent doctrine. Colorado is the exception: SB 26-189 explicitly creates compliance obligations for both. Developers must provide deployers with technical documentation — the ADMT's intended uses, categories of training data, known limitations, and instructions for appropriate use and human review — and notify them of material updates. Deployers face disclosure, human-review, and record-retention obligations. Both face discrimination liability if the AI system produces adverse outcomes, and both must retain compliance records for at least three years.
SB 26-189 does not mandate a bias audit by name. But the discrimination liability the regulation creates is precisely the kind of risk that an independent bias audit is the strongest evidentiary defense against — which is why Colorado-deploying vendors should not treat the absence of a bias-audit mandate as a reason to lower the audit bar.
California FEHA
California's Civil Rights Council adopted regulations governing automated-decision systems (ADS) under the existing Fair Employment and Housing Act framework. The Civil Rights Council secured final approval on June 27, 2025, with the regulations taking effect October 1, 2025. The regulations don't create a new ADS-specific compliance regime; they layer AI tools into FEHA's existing anti-discrimination architecture, with disparate-impact liability for tools that produce protected-class disparities.
FEHA's enforcement record on disparate impact is what makes the California regulation substantial even without an audit mandate. The Civil Rights Department (CRD) has a long history of pursuing disparate-impact claims, and California courts have long recognized private discrimination liability under FEHA. An AI tool that produces statistically significant adverse impact against a protected class creates direct litigation exposure — whether or not an AI-specific statute is in play.
Vendor exposure under FEHA runs through two doctrines. The aiding-and-abetting theory holds vendors liable for materially contributing to an employer's discriminatory practice. The agent theory, foregrounded by Mobley v. Workday, holds vendors liable as agents of the employers using their tools. That case has only escalated — the court has conditionally certified a nationwide ADEA collective covering applicants screened by Workday's AI and, in March 2026, rejected Workday's bid to exclude applicants from the statute's protection, keeping the vendor-as-agent theory squarely alive. Both are active litigation surfaces for HR tech vendors selling into California.
California CCPA
California operates a second AI-in-employment compliance track under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The California Privacy Protection Agency (CPPA) — a different regulator from the Civil Rights Department — has issued regulations on Automated Decision-Making Technology (ADMT) that apply to any business using ADMT for a "significant decision," including employment, housing, lending, and education.
The ADMT compliance obligations are substantively different from anything in FEHA, NYC LL 144, or Colorado SB 26-189. Covered businesses must provide a pre-use notice to candidates explaining that ADMT will be used in the decision, must allow candidates to opt out of ADMT processing, must provide an access right (information about the logic used and the key parameters that influenced the decision), and must provide an appeal right. The CPPA regulations also require a pre-use risk assessment for ADMT used in significant decisions.
The practical consequence: an employer can be FEHA-compliant — passing every disparate-impact test — and simultaneously CCPA-noncompliant on the ADMT side, because the audit-based defense to FEHA discrimination liability doesn't address ADMT's notice, opt-out, and access obligations. These are separate compliance tracks with separate enforcement mechanisms and separate remedies.
For HR tech vendors, the CCPA architecture maps vendors as "service providers" or "third parties" depending on the data-processing relationship with the employer-business. Each role carries different obligations under the CCPA regulation — another distinction that makes California compliance a two-track problem.
Illinois HB 3773
Illinois HB 3773 amended the Illinois Human Rights Act to add AI in employment decisions explicitly to the state's anti-discrimination framework. Governor Pritzker signed the bill on August 9, 2024, with the amendments taking effect January 1, 2026. The statute uses two defined terms: Predictive Data Analytics (PDA) — "use of machine learning algorithms for the purpose of predicting outcomes" — and AI, defined as a machine-based system that infers from inputs to generate predictions, recommendations, or decisions (the OECD-derived definition, which includes generative AI). The statute requires employers to disclose to applicants and employees when AI is used in employment decisions and creates anti-discrimination liability for tools that produce adverse impact.
HB 3773 is structurally closer to NYC LL 144 than to Colorado SB 26-189 in that it regulates employers directly. Vendor exposure is indirect — through procurement diligence and the same aiding-and-abetting and agent theories at play in California. The Illinois regulation does not mandate a bias audit, does not require public disclosure of audit results, and does not impose a specific candidate-notification timeline. It also prohibits using zip codes as a proxy for protected classes. The compliance obligation is the disclosure + non-discrimination duty, with the Illinois Department of Human Rights (IDHR) as the primary enforcement body and private civil action available as a remedy.
Illinois has separately maintained the older AI Video Interview Act, which has narrower scope (video-interview tools specifically) but predates the broader HB 3773 statute. Employers using video-interview AI in Illinois may face both obligations.
Connecticut SB 5
Connecticut SB 5 — enacted as Public Act 26-15 and known as the AI Responsibility and Transparency Act, or "CART Act" — became the sixth US regulation to govern AI in employment when Governor Lamont signed it on May 29, 2026. It is a comprehensive AI statute spanning consumer, employment, and government uses, and its employment provisions phase in across two dates: the statutory framework, definitions, and an AI-related layoff disclosure take effect October 1, 2026, and the employer notice obligations follow on October 1, 2027.
The law regulates "automated employment-related decision technology" — any technology that processes personal data and uses computation to generate an output (a prediction, recommendation, classification, ranking, or score) that is a substantial factor in making or materially influencing an employment-related decision such as hiring, promotion, discipline, or discharge. Common tools like word processors, spreadsheets, spellcheckers, and spam filters are expressly excluded. Employers that deploy a covered tool must, from October 1, 2027, tell candidates and employees in plain language that they are interacting with automated technology, and provide a written pre-decision notice covering the tool's purpose, its trade name, the categories and sources of personal data it processes, and a contact. Separately, from October 1, 2026, employers issuing federal WARN Act layoff notices must disclose whether the reductions are related to their use of AI. Enforcement sits exclusively with the Connecticut Attorney General as an unfair or deceptive trade practice — there is no private right of action for the notice requirements, and a 60-day cure period applies to violations before the end of 2027.
Connecticut's distinguishing feature for compliance planning is what it does to the discrimination defense. SB 5 amends Connecticut's employment-discrimination law to state expressly that using an automated employment-related decision tool is not a defense to a discrimination complaint — but courts and the Connecticut Commission on Human Rights and Opportunities may weigh anti-bias testing and similar proactive efforts as a mitigating factor, considering the quality, efficacy, recency, scope, and results of that testing. In effect, Connecticut writes the value of an independent bias audit directly into the statute: the audit is not a shield that ends the inquiry, but documented, recent, rigorous bias testing is an express mitigating factor the regulator and the courts are directed to consider.
How These Regulations Compare
The six US regulations cover overlapping technology but make different structural choices. Two comparison surfaces below — terminology taxonomy and the operational comparison table — give employers and HR tech vendors the at-a-glance view that no single statute provides. Protected class coverage also varies — NYC LL 144's audit is narrow (sex and race/ethnicity) while CA FEHA, IL HB 3773, and federal Title VII cover substantially broader categories; for the full protected-class matrix across regulations, see our AI bias auditing methodology page.
AEDT vs ADMT vs ADS vs PDA vs ADM: The Terminology That Matters
Six terms appear across the US regulations, each with a different scope. Tool classification is the first compliance question, not the last — because a single tool can fall under multiple definitional buckets with different compliance obligations attached.
- AEDT (Automated Employment Decision Tool) — NYC LL 144's narrow definition. Covers tools that substantially assist or replace human judgment in hiring or promotion decisions. Employment-specific. The substantial-assist/replace test (rely exclusively, weigh more heavily, or use to overrule human judgment) is what brings a tool into scope.
- ADMT (Automated Decision-Making Technology) — Used by both California's CCPA/CPRA regulations and Colorado's SB 26-189. Broader than AEDT — covers any technology making significant or consequential decisions, including employment, housing, lending, and education.
- ADS (Automated-Decision System) — California FEHA framing. Broader than AEDT, less specific than ADMT. Covers any computational process used in employment decisions, with the regulatory weight resting on the disparate-impact outcome rather than the procedural compliance.
- PDA (Predictive Data Analytics) / AI — Illinois HB 3773 framing. Defined as "use of machine learning algorithms for the purpose of predicting outcomes." The Illinois statute pairs PDA with a separate AI definition (the OECD-derived machine-based system definition that includes generative AI), so Illinois actually carries two definitional anchors rather than one.
- ADM (Automated Decision-Making) — generic term used across policy literature and some state regulations. Broadest of the bunch; conceptually covers any automated decision-making process. Not a precise regulatory term in any US statute.
- Automated Employment-Related Decision Technology — Connecticut SB 5's term. Employment-specific like AEDT, but defined by a substantial-factor test: any technology that processes personal data to generate an output that is a substantial factor in making or materially influencing an employment-related decision. Triggers notice and disclosure obligations rather than an audit mandate.
The classification implications are real. A single enterprise HR platform might be classified as an AEDT under NYC LL 144 (triggering annual independent bias audit + public disclosure + 10-day candidate notice), an ADS under CA FEHA (triggering anti-discrimination liability without a specific procedural mandate), and an ADMT under CA CCPA (triggering pre-use notice + opt-out + access + risk assessment). Each classification triggers a different compliance overlay.
Operational Comparison Table
Side-by-side across the six variables that drive employer and vendor compliance decisions:
The Federal Preemption Variable
A December 11, 2025 White House executive order seeks to preempt or limit state-level AI regulation, citing the patchwork-compliance burden as the basis for federal action. That posture is already being tested in court: xAI — Elon Musk's AI company — sued to block Colorado's AI law on constitutional grounds, and in April 2026 a federal court paused enforcement of both SB 24-205 and SB 26-189. The U.S. Department of Justice then moved to intervene on xAI's side — the first time the federal government has sought to invalidate a state AI law. The operative scope of preemption is still being defined, and the litigation will shape the state-law picture through 2026 and 2027.
For employers and HR tech vendors, the prudent posture during this uncertainty is to maintain a multi-state compliance baseline calibrated to the highest-bar jurisdiction — which today is NYC LL 144 — while tracking preemption rulings as they land. The audit posture itself is preemption-resistant: an independent bias audit defends against discrimination liability under federal Title VII regardless of which state-specific statute is in scope. State-specific compliance items (NYC's audit publication requirement, CCPA's ADMT opt-out plumbing, Colorado's disclosure forms) could be federalized, narrowed, or rendered moot depending on how preemption resolves. But the underlying anti-discrimination liability — and the audit's value in defending against it — survives.
The strategic implication for compliance planning: invest in the audit infrastructure, the continuous-monitoring capabilities, and the documentation discipline that the bias-audit framework requires. That investment holds value across every scenario the preemption litigation could produce.
The Common Defense: Why Bias Audits Cover the Discrimination Floor
Across NYC LL 144, California FEHA, Illinois HB 3773, Connecticut SB 5, and the federal Title VII baseline, the common thread is anti-discrimination liability based on disparate impact. The legal theories differ in their procedural specifics, but the substantive question is the same: does the AI tool produce outcomes that disadvantage protected groups at materially different rates than the most-selected group?
An independent bias audit that documents impact ratios across protected classes — using the 4/5ths rule as the baseline threshold and intersectional analysis for the more rigorous cuts — is the strongest evidentiary defense against this liability, regardless of which specific statute is in scope. A clean audit creates a defensible record. The absence of a current audit creates a vacuum that plaintiff's counsel fills with adverse inferences. The same audit documentation satisfies NYC LL 144's explicit mandate, defends against FEHA disparate-impact claims, supports the Illinois HB 3773 non-discrimination duty, stands as the express anti-bias-testing mitigation Connecticut SB 5 directs courts and the CHRO to weigh, and provides Title VII coverage at the federal level.
What bias audits do NOT cover: California CCPA's ADMT transparency obligations (notice, opt-out, access, appeal) and Colorado SB 26-189's disclosure and human-review obligations are separate compliance tracks. They require their own infrastructure — disclosure plumbing, opt-out interfaces, human-review workflows. The bias audit is the discrimination floor; these are additional overlays that the discrimination defense doesn't address.
A Multi-Jurisdiction Compliance Playbook
For employers and HR tech vendors operating across multiple US states, the operational playbook has five steps.
Step 1: Tool classification. Confirm whether each AI tool in your stack is an AEDT (NYC LL 144), an ADS (CA FEHA), an ADMT (CA CCPA or CO SB 26-189), AI in employment decisions under Illinois HB 3773, or automated employment-related decision technology under Connecticut SB 5.
Step 2: Jurisdiction inventory. Map your candidate and employee population to the six regulations. NYC roles or NYC-office remote roles trigger LL 144. Colorado operations trigger SB 26-189. California candidates trigger both FEHA and CCPA. Illinois employment decisions trigger HB 3773. Connecticut roles trigger SB 5's notice and disclosure obligations. The same tool can trigger different regulations depending on which candidates it processes.
Step 3: Calibrate to the highest-bar discrimination defense. Commission an annual independent bias audit to NYC LL 144 standards (sex and race/ethnicity at minimum, intersectional analysis, 4/5ths rule threshold). That single audit satisfies the discrimination-defense floor across FEHA, IL HB 3773, federal Title VII, and the NYC LL 144 mandate itself.
Step 4: Layer jurisdiction-specific overlays. CCPA ADMT requires pre-use notice, opt-out plumbing, access mechanisms, and appeal workflows. Colorado requires disclosure forms and human-review pathways. NYC requires public publication of the audit summary and 10-day candidate notification. Illinois requires disclosure to applicants. Connecticut requires plain-language interaction disclosure and written pre-decision notice (from October 1, 2027), plus an AI-related disclosure on WARN Act layoff notices (from October 1, 2026). Each overlay is structurally separate from the bias audit and must be operationalized independently.
Step 5: Continuous monitoring. Annual audits set the compliance floor; continuous monitoring catches model drift between formal audit cycles and produces the evidentiary record that discrimination litigation will require. The regulatory direction across all six US regulations points toward continuous oversight, not annual snapshots.
For deployer-side detail on NYC LL 144 compliance, see the Employer's Guide to the NYC Bias Audit Law. For HR tech vendor-specific playbook, see the NYC LL 144 Vendor Compliance Playbook. For ongoing NYC enforcement developments, see NYC AI Hiring Law News: Enforcement & Compliance Updates. For independence requirements on bias auditors, see Choosing a Bias Auditor: Six Questions Under NYC LL 144.
Frequently Asked Questions: Multi-State AI Hiring Compliance
Do I need a separate bias audit for each US state where my hiring tool operates?
No. An independent bias audit conducted to NYC LL 144 standards (4/5ths rule across sex and race/ethnicity with intersectional analysis) satisfies the discrimination-defense floor across federal Title VII, CA FEHA, IL HB 3773, and the broader anti-discrimination liability that the other state regulations create. Most enterprise vendors run one comprehensive annual audit and use the same audit documentation across all jurisdictions. State-specific procedural overlays (Colorado disclosure forms, CCPA ADMT notices, NYC public publication) layer on top of the audit — they don't replace it.
Does the federal preemption EO mean I can stop tracking state AI hiring laws?
No. The preemption EO is under litigation and won't be resolved until 2027 at the earliest. Even if preemption ultimately succeeds at the federal level, the underlying federal anti-discrimination framework (Title VII) creates liability for AI tools producing disparate impact — which is the same liability state laws like CA FEHA and IL HB 3773 codify. The independent bias audit defends against this liability regardless of which statute is in scope. State-specific compliance items (NYC's audit publication, CCPA's ADMT opt-out) may be federalized, narrowed, or rendered moot depending on the preemption outcome, but the underlying discrimination defense remains.
Which US regulation should I prioritize if I can only address one this quarter?
NYC LL 144. It's the highest-bar jurisdiction in terms of explicit procedural requirements (audit + disclosure + notice), it has the most active enforcement signal (the December 2025 NY State Comptroller audit pushed DCWP toward tighter enforcement through 2026 and beyond), and calibrating compliance to NYC LL 144 gives you the strongest evidentiary defense against CA FEHA, IL HB 3773, and federal Title VII liability at the same time. A clean NYC LL 144 audit also serves as procurement-cycle documentation for enterprise buyers in any state.
What's the difference between an AEDT and an ADMT?
AEDT (Automated Employment Decision Tool) is NYC LL 144's narrow definition, limited to tools that substantially assist or replace human judgment in hiring or promotion decisions. ADMT (Automated Decision-Making Technology) is California's CCPA framing; it is broader and covers any technology making significant decisions, including employment, housing, lending, and education. A single tool can be both: an AEDT under NYC LL 144 and an ADMT under CCPA. The classification matters because the compliance obligations differ: bias audit + public disclosure for AEDTs; pre-use notice + opt-out + risk assessment for ADMTs.
As an HR tech vendor, am I directly regulated by any of these US laws?
It depends on the jurisdiction. Colorado SB 26-189 explicitly regulates both developers (vendors) and deployers (employers) — vendors face direct compliance obligations including pre-use risk assessments. California CCPA covers vendors as service providers when they process personal information on behalf of an employer-business — vendors carry distinct CCPA obligations in that role. NYC LL 144, CA FEHA, IL HB 3773, and CT SB 5 regulate employers (deployers) directly (CT's developer obligations are aimed at frontier-model whistleblower duties, not HR-tech vendors — for hiring tools the deployer/employer is the regulated party). Vendors are pulled in indirectly through procurement diligence, aiding-and-abetting theories, and the Mobley v. Workday agent doctrine. For a vendor-specific multi-jurisdiction playbook, see NYC LL 144 for HR Tech Vendors: A Compliance Playbook.
Does Connecticut's SB 5 require a bias audit?
No. SB 5 is a notice-and-transparency statute — it requires employers to disclose when automated employment-related decision technology is used, not to commission a bias audit. But it amends Connecticut's discrimination law so that using the tool is not a defense to a discrimination claim, and it directs courts and the Connecticut Commission on Human Rights and Opportunities to weigh anti-bias testing as a mitigating factor — considering its quality, efficacy, recency, scope, and results. That makes a documented, recent independent bias audit an express statutory mitigation in Connecticut, even though the audit itself isn't mandated.



