Does LL 144 apply to outsourced screening services?

The law applies to the employer's use of the tool, regardless of who runs the inference. An employer that outsources screening to a vendor still owes the bias audit and the notice. The vendor typically provides the audit-summary contribution; the employer publishes it.

What if the AEDT is used in only part of the hiring funnel?

The law applies where the AEDT substantially assists or replaces discretionary decision-making. A pure ranking tool that produces a score the recruiter reviews against other data may or may not meet the test depending on how the recruiter uses the score. The audit applies the test conservatively.

How is the bias audit refreshed?

The audit must be performed at least annually. Material changes to the tool trigger a fresh audit; the DCWP guidance treats meaningful model upgrades as material changes.

What about candidates outside NYC who apply for an NYC role?

The law applies based on where the candidate is and where the job is performed. A candidate outside NYC applying for an NYC-located job is in scope.

How does the audit firm get access to the data?

The employer provides historical data under an engagement letter. The data flows through a secure transfer and is segregated from the rest of the auditor's work. The per-decision audit log is the natural source.

NYC Local Law 144: What the Bias Audit Requires Three Years In, and Where the AI Gateway Fits

NYC Local Law 144 began enforcement on July 5, 2023. The law requires employers and employment agencies using an Automated Employment Decision Tool (AEDT) within the city to commission an independent bias audit, publish the audit summary, and provide candidates with notice. Three years in, the enforcement record exists: fines have been issued for non-disclosure, audit firms have iterated on methodology, and the law has become the reference point other US jurisdictions cite.

I want to walk through what the bias audit requires in practice, where the per-decision audit log fits the law's "current" data-source requirement, and how the NYC rule lines up with the EU AI Act and Colorado SB 26-189.

What an AEDT actually is under the law

The Department of Consumer and Worker Protection's final rules (effective July 5, 2023) define an AEDT as a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for employment decisions.

The "substantially assist or replace" test is what catches systems that produce a score the hiring manager reviews. A pure-resume-keyword filter is not always an AEDT; a model-based screener that produces a fit score per applicant is.

Coverage applies when the candidate or employee is in NYC, or the job is performed in NYC.

The bias audit requirement

The bias audit calculates selection rates and impact ratios across the protected categories the law names (race, ethnicity, sex). Under the DCWP rules:

The selection rate for each category is the rate at which applicants in that category are selected by the tool.

The impact ratio compares each category's selection rate to the most-selected category. The Equal Employment Opportunity Commission's four-fifths rule (impact ratio below 0.80) is a presumptive marker of adverse impact.

The audit must use either historical data from the employer's own use of the tool, or, where historical data is unavailable, test data. The audit must be performed by an independent auditor.

The audit summary must be posted publicly on the employer's website. The summary includes the date of the audit, the categories analyzed, and the impact ratios.

What the notice requirement adds

Candidates must receive notice at least 10 business days before the AEDT is used. The notice includes:

The job qualifications and characteristics the AEDT will use to assess the candidate.

The data type the AEDT collects and the data source.

The candidate's option to request an alternative selection process (where one is available).

The notice can be in the job posting, in the application instructions, by email, or by physical mail.

The data source requirement and where the audit log fits

The DCWP rules require the bias audit to use historical data where the employer has been using the tool for at least one selection cycle. The audit pulls the data from the employer's records.

The records that survive the audit are the per-decision audit rows the gateway produces. Each row carries the applicant identifier (pseudonymized), the model used, the inputs the model scored, the output score, the policy version, and the human-review state. The auditor reads the rows and computes the impact ratios.

The protected_category_self_id is a hash of the applicant's self-identified demographic data, stored separately from the application data and joined at audit time. The auditor never sees the names; the audit ratios are computed against the demographic categories.

How LL 144 lines up with the EU AI Act

The EU AI Act classifies AI systems used for HR screening as high-risk under Annex III. Article 27 requires a FRIA. Article 14 requires human oversight. Article 12 requires record-keeping.

The NYC bias audit covers a narrower question (impact ratios on protected categories) than the FRIA (full fundamental-rights impact across hiring practice). The FRIA does not require an independent auditor; the NYC audit does. The two artifacts complement each other and the underlying per-decision audit log is the shared source.

How LL 144 lines up with Colorado SB 26-189

Colorado SB 26-189 (revised, signed May 14, 2026) imposes deployer obligations on consequential decisions, including in hiring contexts. The Colorado law's deployer impact assessment overlaps with the NYC bias audit but covers a wider risk surface. Colorado does not currently mandate an independent auditor; the NYC requirement remains the most independent-leaning US rule.

The enforcement record

The DCWP has issued violations for failure to post the audit summary and failure to provide notice. The fines are modest by EU AI Act standards (the LL 144 ceiling is $1,500 per violation), but the cumulative reputational and audit-firm-relationship cost is the real exposure.

The state of the audit firms in 2026 includes the original pioneers (Holistic AI, BABL AI), academic groups (NYU Center for Responsible AI), and a growing set of consultants. The audit-methodology variance has narrowed as the DCWP guidance has settled.

The 2026 question: AI Bill of Materials integration

A bias audit that knows only the model output cannot detect drift in the inputs. An AIBOM that tracks the model version, the training-data lineage, the feature set, and the policy version gives the audit firm a more rigorous baseline. The per-decision audit row's policy_version field is the join key into the AIBOM.

DeepInspect

DeepInspect produces the per-decision audit log the LL 144 bias audit operates against. The applicant identifier, the model, the inputs, the output, the human-review state, and the policy version live on each row. The pseudonymized protected-category data joins at audit time through the hash field. The audit firm reads the rows and computes the impact ratios; the employer publishes the summary.

The gateway runs in-line with sub-50ms p95 enforcement overhead from internal DeepInspect testing. The LL 144 notice requirement is satisfied at the application layer; the gateway provides the operational evidence that the law's data-source requirement points at. Book an AEDT-mapping session at deepinspect.ai to walk through the audit against your current hiring AI stack.