The employer liability point applies in the US as well: technology does not transfer employer liability. If an AI tool produces discriminatory screening outcomes, the employer who deployed it is liable under existing employment discrimination law.
The 6-Question Vendor Evaluation Checklist
This is the section most directly matching what searchers landing on this article are actually looking for. For each vendor you evaluate, get written answers to these six questions:
Question 1: Can you provide local explainability for individual decisions?
The vendor must be able to explain why a specific candidate received a specific score or outcome — not just how the model works in general. Ask for a live demonstration using a test candidate profile. Red flag: they can only show feature importance rankings or global model explanations.
Question 2: Do you provide documentation compatible with EU AI Act Article 11 technical requirements?
This is a specific document, not a general data sheet. It should cover training data sources, model architecture, validation methodology, accuracy metrics disaggregated by demographic group, and known limitations. Red flag: they offer a "compliance summary" rather than technical documentation at the level of detail Article 11 requires.
Question 3: Have you completed an independent bias audit? For which jurisdictions?
NYC Local Law 144 requires an independent bias audit — not self-assessed. Ask for the audit report, the auditor's name and methodology, and the date of the most recent audit. Red flag: bias testing is described as internal, or the last audit was more than 12 months ago.
Question 4: What is your data handling architecture — does candidate data reach your model before pseudonymization?
If your vendor's model processes raw candidate data including names, addresses, and demographic indicators, that creates GDPR exposure at the point of processing — regardless of the vendor's own compliance status. Red flag: the vendor cannot confirm where in the pipeline pseudonymization or anonymization occurs.
Question 5: What human oversight mechanism do you provide, and how is it implemented?
EU AI Act Article 14 requires a physical halt/override mechanism assigned to a named person with defined authority. "HR reviews all AI recommendations" is a process statement, not an oversight mechanism. Red flag: human oversight is described as a policy or process, not a built-in system control.
Question 6: Who is liable when a candidate challenges an AI-influenced decision — and what evidence can you produce?
Ask the vendor to walk you through the evidence chain they can provide if a candidate files a discrimination complaint or GDPR Article 22 challenge against a specific hiring decision. Red flag: the vendor refers you to their legal team rather than demonstrating an audit trail.
The Data Privacy Layer — What Most HR Teams Miss
Most explainability discussions focus on the model's output transparency. The compliance exposure most HR teams haven't mapped is at the input level: what data is the model seeing, in what form, and where is it processed?
The specific risk: an HR AI that processes candidate CVs, cover letters, and application data is processing personal data — and in many cases special category data (age, national origin, disability status inferable from employment gaps). Under GDPR, this processing requires a lawful basis and data minimization. Under the EU AI Act, Article 10 requires that training and validation data be relevant, representative, and free of errors.
The practical architecture that addresses both: A pseudonymization layer between your applicant tracking system and the AI vendor's model strips personal identifiers before the data reaches the model. The AI sees: employment history, skills, experience duration, and role-relevant qualifications — not name, address, age, or national origin. This:
- Reduces GDPR processing risk (model processes pseudonymized data)
- Reduces AI Act Art. 10 bias risk (demographic identifiers not available to the model)
- Strengthens your position in any candidate challenge (the model demonstrably could not have used protected characteristics)
- Enables you to satisfy Art. 9 GDPR if special category data was inferable from the CV
Frequently Asked Questions
What is explainable AI (XAI) in HR?
An AI system that can produce a human-readable account of how it reached a specific employment decision — what inputs were weighted, what thresholds were applied, and why a specific outcome was generated. In the HR context, this means the system can explain why a candidate was screened in or out, why an employee received a particular performance rating, or why a promotion recommendation was made — in sufficient detail to be audited, challenged, or defended legally.
Which vendors offer explainable AI for HR compliance?
Vendors that credibly offer explainability for HR compliance should be able to provide: Article 11-compatible technical documentation (for EU Act compliance), an independent bias audit report (for NYC Local Law 144 compliance), local explainability for individual decisions (not just global model explanations), and a documented human oversight mechanism. Use the 6-question checklist in Section 3 to evaluate any specific vendor against these criteria. Questa AI provides local redaction and pseudonymization architecture that protects the data layer before it reaches any AI vendor's model.
Is the employer or the AI vendor liable for discriminatory hiring decisions?
The employer. Under existing employment discrimination law (EEOC guidance), NYC Local Law 144, Illinois' 2026 HR Act amendments, and the EU AI Act's deployer obligations, the employer who deploys an AI tool is responsible for its outcomes — even when the AI is provided by a third-party vendor. "We used a third-party tool" is not a legal defense.
What is the difference between global and local explainability in AI?
Global explainability describes how the model works overall — which features drive outcomes across all decisions. Local explainability explains why a specific individual received a specific outcome. Both matter for compliance: global explainability satisfies EU AI Act Art. 11 technical documentation requirements; local explainability is what's required when a candidate exercises their GDPR Article 22 right to explanation or challenges a decision in court.
What is NYC Local Law 144 and does it apply to my company?
Local Law 144 requires New York City employers to conduct an annual independent bias audit of any AI tool used in employment decisions affecting NYC candidates or employees, and to notify candidates before using such a tool. It applies to any employer using an automated employment decision tool (AEDT) in NYC hiring or promotion decisions — the employer's headquarters location is irrelevant.
What does the EU AI Act require for AI used in recruitment?
AI used in recruitment, screening, promotion, performance evaluation, or termination is classified as Annex III high-risk under the EU AI Act. Before deployment, this requires: a conformity assessment, Article 11 technical documentation, a Fundamental Rights Impact Assessment (distinct from a GDPR DPIA), a human oversight mechanism (Art. 14), registration in the EU AI systems database (Art. 49), and a post-market monitoring plan.
Can we use a US-based AI vendor for EU candidates?
Yes, with conditions. The EU AI Act applies based on where the AI system is deployed and affects individuals — not where the vendor is based. A US-based AI vendor serving EU employers or processing EU candidate data must meet EU AI Act requirements if their system is used to make or influence high-risk employment decisions involving EU individuals.
Why does it matter whether candidate data is pseudonymized before reaching the AI model?
Because the model cannot use what it cannot see. If a candidate's name, address, age, or national origin is stripped before reaching the model, the system demonstrably cannot have weighted those factors — which is your strongest defense in a discrimination challenge and your most efficient route to EU AI Act Art. 10 bias prevention compliance.
Conclusion
The compliance landscape around AI in HR is converging on one operational requirement: every employment decision influenced by AI must be explainable, auditable, and defensible. NYC, Illinois, Colorado, and the EU AI Act are all pointing in the same direction — and the EEOC has already confirmed that existing employment law reaches AI-influenced decisions without waiting for new legislation.
The vendor evaluation checklist in Section 3 gives you the six questions that separate compliant systems from compliant-sounding ones. The data architecture in Section 4 gives you the input-level control that most HR teams haven't mapped. Together, they're what "explainable AI" means in practice — not as a product feature, but as a compliance posture.