AI Hiring Laws by State in 2026: A Compliance Playbook

Colorado's AI Act was paused and rewritten; Illinois went live in 2026. Here's the durable compliance posture for lean teams running AI-assisted hiring.

Ernest Bursa

Founder · 11 min read

US state AI-hiring laws share four recurring duties: tell candidates when AI is used, don’t let the tool discriminate (disparate impact counts, intent doesn’t), keep a human with real override authority in the loop, and be ready to explain and appeal an adverse decision. Master that intersection and you are covered no matter which way the patchwork breaks next. If you run a small team using AI somewhere in hiring and have no employment counsel, this is the “what do I do Monday” version, not a statutory exegesis.

A quick note before the panic sets in: this is not legal advice. It’s an operational map for founders and People-teams-of-one who read one scary law-firm alert and want a checklist.

Did Colorado’s AI Act take effect?

No. Colorado’s original AI Act (SB 24-205) never went live. A federal court paused enforcement on April 27, 2026, after xAI sued on April 9 and the U.S. Department of Justice intervened. Then Colorado repealed and replaced the whole thing with SB 26-189, signed May 14, 2026, which takes effect January 1, 2027, not June 30, 2026.

If you read a 2024 or early-2025 explainer calling Colorado “the first comprehensive US state high-risk AI law” with a reasonable-care duty, annual impact assessments, and mandatory risk-management programs, that version is dead. The replacement is a much lighter notice-and-transparency regime. As Crowell & Moring put it, Colorado hit reset.

This matters for you in two ways. First, do not build a compliance plan around a statute that no longer exists. Second, be suspicious of any “50-state AI tracker” that still describes SB 24-205 as live, because a lot of them do.

The federal void fractured into a patchwork

There was never a single federal AI-hiring law to comply with. What filled the gap was a moving target: some states pushed forward, the federal government pushed back, and the ground keeps shifting.

On December 11, 2025, a federal executive order, “Ensuring a National Policy Framework for AI,” created a DOJ AI Litigation Task Force whose job is to challenge state AI laws. That task force is why the DOJ jumped into the xAI suit against Colorado. It is the first concrete federal move to invalidate a state AI law.

It’s tempting to read that as “Washington will preempt all of this, so I can wait.” That’s a risky bet. The order seeks preemption but, as Sidley notes, it expressly does not preempt otherwise-lawful state laws today, and it carries carve-outs. More importantly, anti-discrimination law sits underneath every AI statute and isn’t going anywhere. Title VII, the EEOC, and state civil-rights acts already make it illegal to discriminate in hiring, with or without an AI-specific law on the books. The exposure exists regardless of which AI statute survives the courts.

The state map that actually matters for hiring

Forget the 50-state spreadsheet. For hiring in mid-2026, four jurisdictions carry the weight.

| State / City | Status | Core duty for employers |
|---|---|---|
| Illinois (HB 3773) | Live since Jan 1, 2026 | Notify applicants when AI is used; AI-driven discrimination is an explicit civil-rights violation |
| NYC (Local Law 144) | Live since 2023 | Independent annual bias audit for automated employment decision tools |
| Colorado (SB 26-189) | Effective Jan 1, 2027 | Pre-use notice, 30-day adverse-outcome explanation, right to meaningful human review |
| California (CCPA ADMT rules) | Effective Jan 1, 2027 | Pre-use notice, opt-out, and access rights for “significant decisions” including employment |

Illinois is the one that’s already live

Illinois HB 3773 amended the Illinois Human Rights Act effective January 1, 2026. Employers must notify applicants and employees when AI is used in hiring decisions, AI-driven discrimination is now an explicit civil-rights violation, and using ZIP code as a proxy for a protected class is prohibited.

There’s no headcount exemption. It tracks the Human Rights Act’s coverage, enforced through the Illinois Department of Human Rights, with civil penalties up to $5,000 per violation for willful or repeated conduct. If you employ or hire in Illinois, this rule already applies to you.

Colorado, rewritten and arriving in 2027

The new SB 26-189 drops the heavy machinery: the mandatory risk-management programs, the annual impact assessments, and the self-reporting of algorithmic discrimination. What remains is a notice-and-transparency core: deployers must give clear pre-use notice, provide a plain-language explanation within 30 days of an adverse-outcome decision, and offer a right to meaningful human review by someone with authority to override the system who doesn’t just rubber-stamp it.

“Consumer” expressly includes employees and Colorado job applicants. Enforcement is by the Colorado Attorney General alone, as a deceptive trade practice, with a 60-day cure period. There’s no private right of action. And notably, the small-business exemption that existed in the original Act was removed.

California, NYC, and a New Jersey warning shot

California’s CCPA ADMT rules were finalized in fall 2025 and take effect January 1, 2027, layering pre-use notice, opt-out, and access rights onto automated “significant decisions,” employment included.

New York City’s Local Law 144 has required independent annual bias audits of automated employment decision tools since 2023. Don’t read low enforcement as low risk: a December 2025 NY State Comptroller audit found enforcement was weak, which is exactly the kind of gap that closes fast once it gets political attention.

And New Jersey’s Division on Civil Rights issued rules in December 2025 making employers liable for algorithmic discrimination regardless of intent or third-party vendor use. Which brings us to the trap most lean teams miss.

The multi-state remote trap

A fully remote 30-person startup headquartered in Texas hires a candidate who lives in Illinois. Illinois notice duties apply, even though the company has no Illinois office. The candidate’s residence, not your HQ, pulls in the rule. Hire across CO, IL, CA, and NYC, and you can trigger four different regimes from one applicant pool. This is why “we’re too small” and “we’re not in that state” are both shaky foundations.

Does using an AI ATS make you liable even if the vendor built the model?

Yes. These laws attach duties to the deployer, the employer using the tool, not just the developer who built it. New Jersey’s rules say so explicitly: liability attaches regardless of third-party vendor use. The ongoing Mobley v. Workday litigation, which we cover in the Workday AI hiring lawsuit, tests whether an AI hiring vendor can be sued as an “agent” of employers, but it does nothing to remove your own exposure as the company that pressed go. You cannot outsource the liability to your ATS.

The discrimination floor that survives every reset

Here’s the part that doesn’t change when a statute gets paused, rewritten, or preempted. Underneath all the AI-specific laws sits ordinary anti-discrimination law: Title VII, the EEOC’s guidance, and state civil-rights acts. Disparate impact counts, which means a tool that screens out a protected group at a higher rate can be unlawful even if no one intended to discriminate.

This is the durable bedrock. AI screening tools are not theoretical risks here. In SHRM’s 2025 research, 19% of organizations using AI or automation in hiring said their tools had overlooked or screened out qualified applicants. If your tool is doing that along a protected characteristic, the AI statute is almost beside the point. We unpack how this happens mechanically in how AI hiring bias creates industry-wide exclusion and the AI hiring doom loop.

The 5-step compliance playbook for teams with no legal department

Strip away the statutory differences and the same handful of duties repeat. Build for the intersection and you’re covered across the patchwork. None of this requires a compliance consultant or a bias-audit vendor.

  1. Disclose that you use AI. Tell candidates plainly, in the application flow or a posting notice, that AI tools assist your hiring process. This is the live Illinois duty today and the 2027 pre-use duty in Colorado and California. It’s also a trust win: a 2023 Pew Research survey found 66% of Americans would not want to apply to an employer that uses AI to help make hiring decisions, so saying “AI helps us organize applications; humans make every decision” is reassuring, not alarming.

  2. Keep a human in the loop with real override authority. Not a rubber stamp. A named person who reviews and can overrule the tool. This is the explicit standard in Colorado’s SB 26-189 and the practical answer to any “the algorithm rejected me” claim.

  3. Log every advancement and rejection. When someone requests an adverse-outcome explanation (Colorado’s 30-day plain-language disclosure) or exercises appeal rights, the record needs to already exist. Retrofitting an audit trail after a complaint is how small teams get hurt.

  4. Don’t let the tool decide. Make the AI assistive, not autonomous. It ranks, summarizes, and surfaces; a human disposes. This single architectural choice lowers risk across every law in the patchwork at once.

  5. Be ready to explain and appeal. Have a simple path for a candidate to ask “why” and to request human re-review. If you’ve done steps 2 and 3, this is mostly a matter of pointing at records you already keep.

Am I exempt if I have fewer than 50 employees?

Probably not, and you shouldn’t plan around it. Illinois has no headcount exemption. Colorado’s replacement SB 26-189 removed the small-business carve-out that existed in the original Act. Even under that original Act, sub-50-FTE deployers still owed pre-decision notice, adverse-action explanations, and appeal rights. The lesson across every version: do not build your strategy on being too small to matter.

For broader context, the volume of AI in hiring is exactly why regulators are moving. SHRM found 43% of organizations used AI in HR tasks in 2025, up from 26% in 2024, and among companies using AI in hiring, 82% apply it to resume review. This is mainstream now, and the law is catching up to it.

Why “assistive, not autonomous” is the safest architecture

If you read the four duties side by side, they describe a single product shape: AI that helps a human decide, with the decision logged and the candidate informed. That happens to be exactly how Kit is built.

No application is auto-rejected by AI in Kit. A human with override authority makes the final disposition before anyone is turned down, which maps directly onto Colorado’s “meaningful human review” definition and neutralizes the “AI discriminated against me” claim under Illinois and New Jersey. Candidate disclosure is built into the flow, satisfying Illinois’s live notice duty and the 2027 pre-use notices. And every advancement and rejection is logged, so when an explanation or appeal is requested, the audit trail already exists, no governance suite required. This is the same posture we describe for the EU regime in the EU AI Act and high-risk hiring; the US-state layer rhymes with it because both reward the same architecture. If you’re new to the category, what an AI-native ATS actually is explains the assistive model in depth.

To be clear, no ATS can make you “compliant” with a specific statute, and don’t trust one that claims it can. What the right architecture does is put you on the durable side of the common core, so the next pause, rewrite, or executive order doesn’t send you scrambling.

What to do this week

The patchwork will keep shifting. Colorado proved a “first broad law” can vanish in a single court term, and the federal task force guarantees more turbulence. But the durable core is stable: disclose, keep a human deciding, log the decisions, let the AI assist not decide, and be ready to explain. Set those five up once and you stop chasing headlines.

You don’t need a compliance department. You need a hiring process where AI assists, humans decide, and every decision is logged. Start your free trial and the playbook is the default, not a project.
