NYC Local Law 144
Resumen ejecutivo
Why NYC Local Law 144 is the test case for operational AI enforcement
The most common framing of NYC Local Law 144 describes it as a narrow municipal employment regulation — a New York City rule for hiring tools that mostly mattered locally. The framing is partially correct and structurally misleading. Local Law 144 is the first AI regulation in the United States with operational enforcement experience. It has been live for nearly three years. It has produced the institutional knowledge, the auditor ecosystem, the bias audit methodology, and the public disclosure infrastructure that other US AI regimes (Colorado AI Act, Utah AI Policy, the federal architecture) are now consciously building toward or against.
The dominant narrative reads the law as employment-specific and geographically narrow. The reading misses the institutional logic. Local Law 144 was the operational pilot for the rest of US AI regulation. Its experience answers questions that more comprehensive regimes have not yet had to answer: What does an AI bias audit look like in practice? Who qualifies as an independent auditor? How do you publish meaningful audit summaries? How do you handle vendor-provided AI tools embedded in applicant tracking systems? What happens when enforcement is uneven? The law has produced answers to all of these, with mixed results.
What Local Law 144 actually is, then, is the operational experiment for whether municipal-level AI regulation can produce real compliance behavior change. The answer for the first 30 months of enforcement was: partially. The law produced an industry of independent auditors, a body of bias audit reports published on employer websites, a methodology rooted in the EEOC four-fifths rule, and meaningful awareness among employers and HR-tech vendors. But the December 2025 New York State Comptroller audit demonstrated that DCWP enforcement during the 2023–2025 period was significantly under-resourced and inconsistent. DCWP surveyed 32 companies and found one case of non-compliance; the Comptroller’s auditors reviewing the same companies identified at least 17 potential violations.
The Comptroller audit is the structural turning point. DCWP has committed publicly to more rigorous enforcement starting in 2026. Major employment law firms have warned employers to expect a stricter enforcement phase, with more frequent investigations and higher cumulative penalties. Reported cases include $18,000 in penalties triggered by a single missed independent bias audit on an AI resume screener for a remote role linked to a Manhattan office. The pattern that defined the first three years of the law — visible compliance among large public employers, quiet non-compliance among smaller private employers — is no longer a safe operating assumption.
For organizations that use AEDTs to evaluate candidates for NYC-associated roles, the practical implication is that the previous «enforcement-light» period is over. Compliance work that was deferred during 2023–2025 needs to be completed. Bias audits that were performed once need to be renewed annually. Public disclosure that was buried needs to be made conspicuous. Candidate notice processes that were never operationalized need to be built. The law has not changed substantively. Enforcement is now catching up.
—
What is an Automated Employment Decision Tool
The definition of AEDT is the most operationally consequential element of the law. The DCWP rules adopted on 6 April 2023 narrow the statutory definition to specific characteristics that determine whether a tool falls within scope.
An AEDT under Local Law 144 is any computational process — derived from machine learning, statistical modeling, data analytics, or artificial intelligence — that:
- Produces a simplified output (a score, classification, tag, ranking, or recommendation)
- That substantially assists or replaces discretionary human decision-making in hiring, promotion, or other employment decisions
The «substantially assists» standard is met when the AEDT output is the sole factor in the decision, the most heavily weighted factor among multiple factors, or has authority to override other factors used in the decision.
This definition captures most modern HR-tech tools: AI-powered resume screening software, candidate scoring platforms, video interview analysis tools, automated chatbot assessments, recruitment marketing optimization platforms, and AI-driven candidate ranking inside applicant tracking systems. It does not capture pure data-collection tools, manual workflow management software, or tools whose output is not a simplified score or classification.
Vendor tools embedded in ATS systems. A particularly common compliance failure mode is treating AEDT scope as limited to AI tools the employer directly procures. If an applicant tracking system or recruitment marketing platform includes AI-powered screening, ranking, or scoring as a feature, that feature is an AEDT — and the compliance obligation falls on the employer, not the vendor. Many employers operate AEDTs without recognizing them.
Categories excluded from sample testing. The DCWP rules permit auditors to exclude any demographic category representing less than 2% of the data set, but the auditor must justify the exclusion in writing in the audit report.
—
Subjective and material scope
Who it addresses. Local Law 144 addresses employers and employment agencies that use AEDTs to evaluate candidates or employees for positions that are:
- Performed in New York City (any of the five boroughs), or
- Remote positions associated with an NYC office
The company’s headquarters location is irrelevant. A SaaS company headquartered in California with 40 employees and one NYC office is subject to the law if it uses AEDTs to evaluate candidates for any role tied to that office. A staffing agency operating in NYC is subject to the law for any AEDT use, regardless of the candidate’s location.
Who it does not directly address. The law’s primary obligations fall on the employer or employment agency that uses the AEDT, not on the AEDT vendor that built it. However, vendors are indirectly affected: their tools must support compliance for their employer customers, which has driven a market of vendor-prepared bias audit reports that employers can adopt for their own deployment.
Material scope. The three obligations apply to AEDTs used for hiring and promotion decisions. Other uses of AI in employment — performance reviews, terminations, compensation decisions, work scheduling — fall outside the law’s principal scope. They may be covered by other regulations (federal employment discrimination law, state law, sectoral regulation) but not by Local Law 144 specifically.
—
The three core obligations
1. Annual independent bias audit
Before an employer or employment agency may use an AEDT, an independent auditor must conduct a bias audit of the tool. The audit must be renewed annually — a single audit is valid for 12 months, after which the AEDT cannot be lawfully used until a new audit is completed.
Who qualifies as an independent auditor. The auditor must:
- Not be employed by the employer or AEDT vendor
- Have no financial interest in the AEDT being audited
- Not have a consulting or employment relationship with the AEDT vendor that creates a conflict
- Have technical capacity to conduct adverse impact analysis under EEOC standards
A vendor cannot audit its own AEDT. A vendor can coordinate data collection for a third-party auditor and can have an independent auditor audit the tool, with results that customer employers can adopt for their own deployments.
The bias audit methodology. The audit applies established adverse impact analysis methodology drawn from EEOC enforcement of Title VII civil rights law. Two metrics anchor the analysis:
- Selection rate for each demographic category: candidates passed or selected divided by total candidates evaluated, or for AEDTs producing continuous scores, the proportion of candidates scoring above the median
- Impact ratio: the selection rate for each group divided by the selection rate of the highest-performing group. Ratios below 0.80 signal potential adverse impact under the EEOC four-fifths rule
The audit must analyze impact across sex (2 categories), race/ethnicity (7 categories per EEOC standards), and the 14 intersectional combinations of sex by race/ethnicity. The auditor may exclude any category representing less than 2% of the data set but must justify the exclusion in writing.
The audit can be conducted on historical data from the employer’s actual past use of the AEDT, or on test data when historical data is unavailable, with appropriate methodology disclosure.
2. Public disclosure
The bias audit results must be published in a clear and conspicuous manner on the employer’s website, in the employment section. The published summary must include:
- The date of the most recent bias audit
- The summary of audit results, including selection rates and impact ratios across all required demographic categories and intersectional combinations
- The distribution date of the AEDT prior to its use
- A description of the data sources used in the audit
- The name of the independent auditor and confirmation of independence
Burying the summary in a PDF behind multiple clicks does not satisfy the conspicuousness requirement. Publishing the summary alongside other privacy or employment notices on a clearly accessible employment page is the operating standard.
3. Candidate notice and alternative process
Employers must provide notice to candidates at least 10 business days before the AEDT is used to evaluate them. The notice must include:
- A statement that an AEDT will be used in the assessment
- The job qualifications and characteristics that the AEDT will evaluate
- Information about the data sources used by the AEDT, the type of data collected, and the data retention policy (or instructions to obtain this within 30 days of written request)
- Instructions for requesting an alternative selection process or reasonable accommodation
The alternative selection process is a substantive obligation: candidates have the right to request that the AEDT not be used to evaluate them, and the employer must offer a reasonable alternative (such as manual resume review, panel interview, or non-ML standardized assessment). The alternative does not have to be specifically defined by law but must be a real option, not a paper-only commitment.
—
The December 2025 Comptroller audit and the 2026 enforcement reset
The most operationally significant development for Local Law 144 in 2026 was not a change to the law itself but a change to its enforcement posture. On 2 December 2025, the New York State Comptroller published an audit of DCWP enforcement of Local Law 144 covering the period July 2023 through June 2025. The findings were unflattering:
- 75% of 311 hotline calls about AEDT compliance issues were misrouted and never reached DCWP
- DCWP surveyed 32 companies and identified just one case of non-compliance
- Comptroller’s auditors reviewing the same 32 companies identified at least 17 potential violations
- DCWP was criticized for failing to use technical resources available from the NYC Office of Technology and Innovation, which has the technical capacity DCWP lacks for evaluating AEDT bias audit reports
- Enforcement was described as predominantly complaint-driven rather than proactive, despite the law’s broad scope
DCWP committed publicly to substantially more rigorous enforcement starting in 2026: improved complaint handling and routing, cross-trained enforcement staff, more rigorous investigations of identified non-compliance, proactive (not just complaint-driven) enforcement, and integration of technical resources from the NYC Office of Technology and Innovation.
Major employment law firms (DLA Piper, others) have warned employer clients to expect a stricter enforcement phase in 2026. Reported cases support the warning: a mid-sized agency was reported to have incurred $18,000 in penalties for missing an independent bias audit on an AI resume screener for a remote role linked to a Manhattan office. Each use of a non-compliant AEDT can constitute a separate violation, so high-volume employers can accumulate penalties rapidly. Failing to conduct a bias audit for 30 days could produce $15,000 to $45,000 in penalties just for that single AEDT in that single month, before any per-use multiplier kicks in.
The practical compliance implication is straightforward: organizations that deferred Local Law 144 compliance during the 2023–2025 enforcement-light period should treat 2026 as the year compliance becomes operationally non-negotiable.
—
12-month implementation roadmap
For employers and employment agencies operating AEDTs against NYC-associated roles, the 2026 enforcement reset has changed the operational reality. Compliance work that was deferred during the 2023–2025 enforcement-light period is now operationally non-negotiable. The roadmap below structures a complete Local Law 144 compliance programme over 12 months, calibrated to the law’s three core obligations and the broader management system that makes ongoing compliance manageable across multiple AEDTs.
🗺️ Phase 1 — Months 0–3 · AEDT inventory and scoping
- AEDT inventory across the full hiring and promotion technology stack — directly procured tools and vendor-embedded features in ATS, HRIS, and recruitment marketing platforms
- Scope determination for each tool: simplified output (yes/no), substantially assists or replaces discretionary decisioning (yes/no), used to evaluate NYC-associated candidates (yes/no)
- NYC-associated role mapping — includes remote roles linked to NYC offices regardless of candidate location
- Vendor relationship review — contracts, audit cooperation clauses, data-access provisions for bias audit
- Existing audit and disclosure assessment — prior bias audits, posted summaries, candidate notices already in place
- Compliance gap baseline — documented inventory of which AEDTs are non-compliant and on what dimensions
🗺️ Phase 2 — Months 3–6 · Independent bias audit programme
- Independent auditor selection — verified independence from employer and AEDT vendor, technical capacity for EEOC adverse impact analysis
- Data preparation for each AEDT in scope — historical data from actual use where available, test data with disclosed methodology where not
- Bias audit execution — selection rates and impact ratios across sex (2 categories), race/ethnicity (7 categories), and 14 intersectional combinations
- Documentation of category exclusions under the 2% rule with written justification
- Audit report drafting — results, methodology, data sources, distribution date, auditor independence confirmation
- Annual audit calendar established — each AEDT’s audit anniversary tracked, with renewal triggers 60 days before expiry
🗺️ Phase 3 — Months 6–9 · Public disclosure and candidate notice
- Public disclosure infrastructure — employment section of website with conspicuously linked audit summaries (not buried PDFs)
- Bias audit summary publication for each AEDT in scope — audit date, results, distribution date, data sources, auditor name
- Candidate notice templates — statement of AEDT use, qualifications evaluated, data sources, retention policy, instructions for alternative process and accommodation
- 10-business-day notice workflow integrated into the recruitment process before AEDT use
- Alternative selection process designed and operationally available — not just a paper commitment
- Vendor coordination for vendor-prepared bias audit summaries that customer employers can adopt
🗺️ Phase 4 — Months 9–12 · Management system and continuous compliance
- AEDT register integration with the AI management system — each AEDT documented with risk classification, audit status, disclosure status, vendor relationship
- Annual bias audit cycle operationalised with calendar triggers and documented procedures
- Vendor management programme — contractual audit cooperation, vendor-side independent audit coordination, vendor change tracking that may invalidate prior audits
- Incident handling for adverse impact findings — mitigation, retraining, vendor escalation, AEDT decommissioning where required
- Multi-jurisdiction integration — the same AEDT inventory and audit programme supports Colorado AI Act, Illinois AIVI, EU AI Act high-risk system obligations, and other state AI hiring laws
- ISO/IEC 42001 alignment for organisations seeking accredited certification of the broader AI management system
🎯 Outcome
By month 12, organisations have built a complete Local Law 144 compliance programme: AEDT inventory with scope documentation, independent bias audits with annual renewal calendar, conspicuous public disclosure on the employment section of the website, candidate notice and alternative process workflows operational, and a management system that integrates Local Law 144 with parallel obligations under Colorado AI Act, Illinois AIVI, EU AI Act high-risk hiring AI, and other state AI hiring laws. The accumulated audit and disclosure work also positions the organisation for the EEOC adverse impact litigation environment that operates independently of any specific AI law, where Title VII disparate impact liability is enforced through private litigation regardless of federal enforcement priorities.
—
Intersections with other regimes
Five intersections shape how Local Law 144 operates within the broader US and international AI regulatory architecture.
Colorado AI Act. Local Law 144 is narrower than the Colorado AI Act — employment only versus all consequential decisions — but Colorado borrows methodologically from Local Law 144’s bias audit approach. Organizations subject to both laws can build integrated compliance programs that satisfy Local Law 144 employment-specific obligations and Colorado’s broader high-risk AI system framework.
Federal employment discrimination law. Local Law 144 operates alongside Title VII of the Civil Rights Act, the Age Discrimination in Employment Act, the Americans with Disabilities Act, and other federal employment statutes. The four-fifths rule used in the bias audit comes from EEOC enforcement guidance under Title VII. Disparate impact liability under Title VII was codified by Congress in 1991 and is enforceable through private litigation regardless of federal enforcement priorities. Trump EO 14281 (Restoring Equality of Opportunity and Meritocracy) directs federal agencies to deemphasize disparate-impact enforcement; Local Law 144 continues to apply regardless.
EU AI Act. The EU AI Act classifies AI systems used in employment, recruitment, and promotion as high-risk under Annex III. Organizations operating in both NYC and EU markets need to satisfy Local Law 144 bias audit requirements and EU AI Act high-risk system obligations. The two regimes are compatible — EU AI Act technical documentation and post-deployment monitoring overlap substantially with Local Law 144 bias audit and disclosure requirements.
Other state AI hiring laws. Several US states have enacted or are considering AI-specific employment laws: Illinois Artificial Intelligence Video Interview Act (in effect since 2020), Maryland HB 1202 (facial recognition in hiring), New Jersey, Texas, Tennessee, Connecticut, others. Local Law 144 was the operational pioneer; subsequent state laws have built on its methodology while adjusting scope and detail.
ISO/IEC 42001 and NIST AI RMF. Both frameworks support Local Law 144 compliance: ISO/IEC 42001 provides the management system structure that integrates AEDT inventory, bias audit scheduling, vendor management, candidate notice, and incident handling. NIST AI RMF provides the risk management methodology that supports adverse impact analysis. Organizations holding accredited ISO/IEC 42001 certification have the governance infrastructure that makes Local Law 144 compliance operationally manageable across multiple AEDTs and vendor relationships.
—
## ⚖️ How Zertia operates within the NYC Local Law 144 regime
Built for NYC Local Law 144 compliance from day one
Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory
Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London, and ANAB accreditation in the United States. NYC Local Law 144 produces a specific operational compliance program around AEDT inventory, annual bias audits, public disclosure, and candidate notice. Our work supports that program through the management system structure that makes ongoing compliance manageable across multiple AEDTs and across the broader US state AI law landscape.
Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. ISO/IEC 42001 certification provides the management system structure that organizes Local Law 144 compliance work across an organization’s full AEDT portfolio: inventory of AEDTs, annual bias audit scheduling, vendor relationship management, public disclosure infrastructure, candidate notice workflows, and incident handling. The same management system supports Colorado AI Act, EU AI Act, and other state AI law compliance simultaneously. AIUC-1 provides agent-level technical assurance for AI vendors whose AEDTs are deployed by Local Law 144-affected employers.
Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Algorithmic Impact Assessments are structured to support employer Local Law 144 obligations on AEDT inventory, scope evaluation, and risk management, with documentation that integrates with annual bias audit workflows.
Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Local Law 144 specifically requires independent bias audits by auditors with no financial relationship to the employer or AEDT vendor. Zertia’s audit work is structured around this independence requirement and the EEOC four-fifths rule methodology that the law incorporates. For organizations with multiple AEDTs across multiple vendor relationships, integrated audit programs reduce the operational complexity of annual compliance.
Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat Local Law 144 explicitly, including the December 2025 Comptroller audit and the 2026 enforcement reset, the AEDT identification challenge for vendor-embedded tools in applicant tracking systems, the four-fifths rule methodology, and the integration of Local Law 144 compliance with broader US state AI law programs. Particularly relevant for HR, talent acquisition, legal, and compliance teams operating across NYC-associated and Colorado-affected roles.
Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS (United Kingdom) and ENAC (Spain/EU). Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.
🎯 Take action
🔍 Diagnose your AEDT exposure 📊 Build the management backbone Pre-Certification Assessment → ISO/IEC 42001 Certification → Independent diagnosis of AEDT scope, bias audit readiness, and Local Law 144 disclosure obligations. Output: gap report and remediation plan. The accredited management system that operationalises hiring AI governance into auditable practice across NYC LL144, Colorado AI Act, and Illinois AIVI requirements. Discuss NYC Local Law 144 and US state AI law compliance integration →
—
Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.
¿No estás seguro de si este marco aplica a tu organización? Hablemos.
