The compliance paradox nobody warns you about
Here's the strange part about using AI to evaluate candidates: it usually produces fairer, better-documented hiring than a room full of humans, and yet it draws far more legal scrutiny. Not because it's riskier. Because it's new, the rules are still being written, and an algorithm making decisions is simply more visible than a hiring manager's gut feel that never gets written down.
That visibility cuts both ways. If you set it up carelessly, every decision is logged and discoverable. If you set it up well, that same logging becomes the best legal defense you've ever had. This guide is about landing on the right side of that line.
This is a practical guide, not legal advice (talk to your own counsel before you rely on any of it). But by the end you'll know which rules actually apply to you, how to run the one math test regulators care about most, what a compliant setup looks like line by line, and the notification wording you can adapt today. If you're earlier in the journey and still asking whether AI hiring is fair at all, start with our guide to bias in AI hiring; this piece picks up where that one leaves off and goes deep on the legal mechanics.
The rules that actually apply to you
You don't need to know all of these. You need to know which ones touch your company, based on where you hire and what you hire for. Here's the map.
EEOC (United States)
The EEOC holds you to the same anti-discrimination standard whether a human or an AI makes the call. The core test is the four-fifths rule: the pass rate for any protected group should be at least 80% of the pass rate of the best-performing group. (There's a worked example of the math in the next section.) The EEOC's 2023 guidance is blunt about one thing: you own the outcome of any AI tool you deploy. You can't push the blame onto your vendor.
State and local laws (United States)
These are spreading fast, and they're specific:
- Illinois (AI Video Interview Act): if you use AI in video interviews you must notify candidates, explain how it works, and get consent.
- New York City (Local Law 144): automated hiring tools need a yearly independent bias audit, and you have to post the results publicly.
- Coming next: Maryland, Colorado, and California have all moved toward similar rules. The direction is the same everywhere: notify, be transparent, and keep monitoring for bias.
GDPR and UK GDPR (EU / UK)
The moment you process a candidate's data, this applies. The piece that matters most for screening is Article 22, which covers automated decisions. In plain terms: candidates must be told AI is being used, the criteria must be transparent, they can ask a human to review the result, and the AI's score can't be the sole reason for a rejection without a human in the loop.
FCA (UK financial services)
For regulated SMCR roles, the FCA wants proof that hiring is consistent, fair, and documented, which is exactly where subjective human interviews tend to fall apart. This is the clearest example of the paradox: structured AI evaluation can make FCA compliance easier, because "same questions, same rubric, every candidate" is auditable in a way that scattered interviewer notes never are. The London fintech example uses its scorecards directly as part of FCA documentation.
Industry-specific layers
On top of general employment law: healthcare adds HIPAA when interviews touch patient scenarios, banking adds insider-risk and background rules, government contracting adds OFCCP and clearance requirements. For screening, these almost always come down to two things: how you handle the data, and how good your audit trail is.
The one test regulators care about most: the four-fifths rule
If you remember one piece of math from this whole guide, make it this. Most adverse-impact questions start here.
Say you screened candidates for a role and tracked who passed:
| Group | Applied | Passed | Pass rate |
|---|---|---|---|
| Group A (highest) | 200 | 100 | 50% |
| Group B | 200 | 90 | 45% |
| Group C | 200 | 56 | 28% |
Step 1: find the highest pass rate. That's Group A at 50%.
Step 2: divide each other group's rate by it.
Group B: 45 ÷ 50 = 0.90 (90%), which is above 0.80, so it's fine.
Group C: 28 ÷ 50 = 0.56 (56%), which is below 0.80, so that's a flag.
A flag doesn't automatically mean the AI is biased. It means you have to investigate and document why. That's the whole job, and the next section is how you do it.
Running a bias audit (the 5 steps)
Done well, a bias audit gives you real confidence and a paper trail. Done as a checkbox, it gives you false confidence that hides the problem. The difference is in steps 3 and 5.
- Pick the categories to track. At minimum race, gender, age. Add disability, veteran status, or national origin where your industry expects it. Collect this with proper consent and store it separately from the evaluation data.
- Measure pass rates per group and run the four-fifths math above.
- Investigate any flag, don't panic at it. Ask: are the criteria actually job-relevant? Is the AI scoring something it shouldn't? This is where evidence-based scoring earns its keep, because you can read the exact reason each candidate scored low instead of guessing. (How that scoring works is covered in how AI interview questions are scored.)
- Fix the criteria if needed. Trim them to the minimum that actually predicts success on the job. Every criterion beyond that adds legal risk without adding signal.
- Document everything: the rates over time, the investigations, the changes you made, the ongoing checks. This record is your defense if anyone ever asks.
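To make the four-fifths arithmetic from the previous section and steps 1, 2 and 5 of the audit above reproducible rather than a spreadsheet you re-do by hand, here is a small added Python script. It is an illustration written for this guide, not code from the original article or from any screening vendor. The group names and counts are the article's own worked example; the `MIN_APPLICANTS` cut-off (a group too small to flag) is an assumption chosen here, and the flagging threshold is the 0.80 from the rule itself.

```python
"""Four-fifths (80%) rule adverse-impact check.

Added example for this guide, not vendor or article code. The SAMPLE
counts are the article's worked example; MIN_APPLICANTS is an assumed
cut-off for "enough data to flag" and is not part of the rule itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FOUR_FIFTHS = 0.80   # the 80% threshold of the four-fifths rule
MIN_APPLICANTS = 30  # assumption: below this, report the ratio but do not flag


@dataclass(frozen=True)
class GroupResult:
    group: str
    applied: int
    passed: int
    pass_rate: float   # passed / applied
    ratio: float       # pass_rate / highest pass_rate (the impact ratio)
    enough_data: bool  # applied >= min_applicants
    flagged: bool      # ratio below threshold AND enough data to say so


def four_fifths_check(counts: Dict[str, Tuple[int, int]],
                      threshold: float = FOUR_FIFTHS,
                      min_applicants: int = MIN_APPLICANTS) -> Dict[str, GroupResult]:
    """Step 1: find the highest pass rate. Step 2: divide every group's rate by it.

    counts maps group name -> (applied, passed). Groups with no applicants are
    skipped because their pass rate is undefined.
    """
    rates = {g: p / a for g, (a, p) in counts.items() if a > 0}
    if not rates:
        return {}
    best = max(rates.values())
    results: Dict[str, GroupResult] = {}
    for group, (applied, passed) in counts.items():
        if applied == 0:
            continue
        rate = rates[group]
        ratio = round(rate / best, 4)
        enough = applied >= min_applicants
        results[group] = GroupResult(group, applied, passed, round(rate, 4),
                                     ratio, enough, enough and ratio < threshold)
    return results


def flagged_groups(counts: Dict[str, Tuple[int, int]], **kw) -> List[str]:
    """Groups whose impact ratio falls below the threshold on enough data."""
    return sorted(g for g, r in four_fifths_check(counts, **kw).items() if r.flagged)


def audit_report(counts: Dict[str, Tuple[int, int]], **kw) -> List[str]:
    """Step 5 material: one line per group plus the list of flags to investigate.

    A flag is a prompt to investigate and document, not a verdict of bias.
    """
    results = four_fifths_check(counts, **kw)
    lines = []
    for r in results.values():
        status = "FLAG" if r.flagged else ("small sample" if not r.enough_data else "ok")
        lines.append(f"{r.group}: applied={r.applied} passed={r.passed} "
                     f"pass_rate={r.pass_rate:.0%} ratio={r.ratio:.2f} {status}")
    flags = [r.group for r in results.values() if r.flagged]
    lines.append("Investigate and document: " + (", ".join(flags) if flags else "none"))
    return lines


# The article's worked example (constructed figures, not real hiring data).
SAMPLE: Dict[str, Tuple[int, int]] = {
    "Group A (highest)": (200, 100),
    "Group B": (200, 90),
    "Group C": (200, 56),
}

if __name__ == "__main__":
    for line in audit_report(SAMPLE):
        print(line)
```

Run it quarterly (or monthly at high volume, as the mistakes section recommends) over the same consented, separately stored demographic data, and keep the printed report with the date and the criteria version in force at the time; that is the record the audit-trail section asks for.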
Your compliant-setup checklist
Configure for compliance on day one. Retrofitting it later is painful. Here's the short version you can hand to whoever sets up the tool:
- ☐ Content-only scoring. The tool should judge what candidates say and how they reason, full stop. Avoid anything that scores faces or tone of voice (more on why below).
- ☐ Every criterion maps to the job. If you can't say why a criterion predicts success, cut it.
- ☐ Scores come with evidence. Each score links to the exact quote and moment, so it can be checked, not just trusted.
- ☐ A human makes the final call. The AI informs the decision; it doesn't make it. This is what satisfies GDPR Article 22 and the EEOC's accountability expectation.
- ☐ Notification is built into the application, not buried or sent after the fact.
- ☐ Data is encrypted in transit and at rest, with role-based access and access logging.
- ☐ Retention and deletion policies are set (usually 1-3 years), with a working right-to-delete process.
Why "content-only" is non-negotiable
Some tools market facial analysis or tone analysis. Avoid them. These methods have repeatedly scored differently across demographic groups, several US states already restrict them, and they add real legal exposure for no reliable gain. Judge the substance of the answer, never the face making it.
A candidate-notification template you can adapt
Notification trips up more companies than the math does, usually because it's an afterthought. Put something like this in the application flow itself, before the interview, in plain sight:
NOTIFICATION TEMPLATE
This role uses an AI-assisted interview as part of our screening.
What that means for you:
- An AI interviewer will ask you role-specific questions in a live
video conversation. It evaluates your answers, not your appearance
or tone of voice.
- A member of our team reviews the results. The AI does not make the
final hiring decision on its own.
- You can request a human review of your interview, and you can ask
what criteria were used to evaluate you.
- Your recording and transcript are stored securely and deleted after
[RETENTION PERIOD]. You may request deletion at any time at [CONTACT].
By continuing, you consent to an AI-assisted interview. If you'd prefer
an alternative, contact us at [CONTACT] and we'll arrange one.
Run the final wording past your counsel and adjust the bracketed parts. The point is that it's clear, it's before the interview, and it's the same on every posting, which makes your documentation trivial.
What the audit trail should contain
When an audit comes, you're being asked one question: how was this decision made? A compliant AI setup answers it better than human interviews ever could, if it captures four things:
- The criteria, version-controlled. What was evaluated, the weights, the pass threshold, and what those were on any given date.
- Per-candidate evidence. Every score tied to a specific quote and timestamp, not a vague "seemed strong."
- The human decision. Who made the final call and what they reviewed (the scorecard plus their own notes).
- Change history. When and why you changed criteria or rubrics. Showing intentional, documented improvement is itself evidence of good-faith effort.
What it looks like in your industry
Fintech and banking
Align the evaluation criteria to FCA competencies for SMCR roles, document them in your firm-level governance, and use the scorecards as part of compliance records. The consistency is the selling point to your regulator, not just your recruiter.
Healthcare
Stand up HIPAA-appropriate infrastructure, limit recording access to people with a genuine clinical-hiring need, and set retention to match HIPAA. (For the operational side of healthcare hiring, see AI video interviews for healthcare.)
BPO and high-volume
When you hire 100+ a month, even a small disparate-impact rate touches a lot of real people, so audit quarterly, not annually, and document every adjustment. (The volume mechanics are in AI interviews for BPO and staffing.)
Government contracting
For OFCCP-covered work, keep applicant-flow data that includes AI screening outcomes, support your affirmative-action goals, and be ready for an audit that may inspect the tool itself.
The five mistakes that cause most problems
- Thinking the vendor's compliance is your compliance. Their SOC 2 doesn't cover your EEOC duties; their GDPR posture doesn't write your notification. You own the deployment.
- Skipping demographic tracking. Companies avoid it thinking it's safer. The opposite is true: with no data you can't spot a problem or prove good faith if challenged.
- Treating the audit as a once-a-year event. Pass rates drift as volume, criteria, and candidate pools change. Quarterly is the floor; monthly for high volume.
- Using facial or tone analysis. Demonstrated bias, growing legal restrictions, no reliable upside. Content only.
- Weak notification. Buried in fine print or sent after the interview doesn't count in most places. Clear, prominent, before.
Putting a real program together
A complete program isn't complicated; it's just written down. You want: policy docs (AI use, criteria, notification, data, retention, audits), process docs (where the human review sits, how decisions are recorded), training for everyone who uses the tool, scheduled monitoring with documented findings, vendor records (certifications, agreements), and a simple incident-response path for complaints or inquiries.
Pick a platform that makes this possible by default: content-only scoring, evidence behind every score, a real audit trail per interview, and rubrics you control. From there, the smartest move is to run a small batch, do a sample four-fifths analysis on the results, and confirm the audit trail actually meets what your documentation needs, all before you commit. If you're still choosing tools, the AI recruiting platform guide covers selection, and AI hiring vs traditional recruiting covers the bigger "why" for skeptical stakeholders.
The takeaway worth keeping: compliance for AI screening isn't a tax you pay to use the technology. Done right, it's the byproduct of doing the technology well. Judge content, document everything, keep a human in the loop, and the audit trail defends itself.