AI audits are no longer optional for many organizations. New York City has required annual independent bias audits for automated hiring tools since July 2023. Colorado's AI Act requires impact assessments for high-risk AI systems before deployment and annually thereafter. And even where specific audit requirements are not yet in effect, documented self-assessment is the foundation of the affirmative defense available under most AI laws.
This guide walks through the audit requirements under the two most demanding current frameworks—NYC Local Law 144 and Colorado SB 205—and provides a step-by-step preparation process for compliance teams.
Understanding the Two Audit Models
There are two distinct AI audit frameworks currently in effect or taking effect, differing materially in structure, purpose, and who conducts them.
NYC Local Law 144: The Independent Bias Audit
NYC LL 144 requires an independent third-party bias audit of any AEDT used for hiring or promotion decisions affecting NYC jobs. The audit must be conducted by a genuinely independent auditor—not the employer and not the tool vendor. Its purpose is statistical: it tests whether the AEDT produces disparate impact across demographic groups defined by race/ethnicity, sex, and intersectional categories. Results must be made public and retained for at least six months.
Colorado SB 205: The Impact Assessment
Colorado's AI Act requires deployers of high-risk AI systems to conduct impact assessments—internally or with outside assistance—before deployment, annually, and within 90 days of substantial modifications. Unlike the NYC bias audit, the impact assessment is a broader governance document, not a purely statistical test. It is retained internally and is not required to be made public, but it is subject to AG review in an enforcement investigation.
Preparing for a NYC Local Law 144 Bias Audit
Step 1: Determine If You Are Subject to LL 144
You must comply if you are an employer, employment agency, or recruiter (regardless of company size or location) that uses an AEDT for screening, ranking, or evaluating candidates or employees, and the job in question is performed in New York City or is associated with an NYC office, even if fully remote.
Step 2: Identify Your AEDTs
Under LL 144, an AEDT is any computational process derived from machine learning, statistical modeling, data analytics, or AI that is used to substantially assist or replace discretionary decision-making in employment. Covered tools include AI resume screening, automated video interview analysis, skills assessment platforms with AI scoring, and AI-based applicant ranking systems.
Step 3: Gather Your Data
Before engaging an auditor, compile: historical data on all applicants evaluated by the AEDT; demographic data (race/ethnicity and sex categories for each applicant, to the extent available); the AEDT's scoring or selection outputs for each applicant; and documentation from your vendor on how the tool works and what inputs it uses. Note: LL 144 permits auditors to exclude demographic categories representing fewer than 2% of the total dataset from the analysis. If your NYC hiring volume is small, document this limitation.
Step 4: Select an Independent Auditor
The auditor must be genuinely independent—not the employer, not the tool vendor, and not an entity with a financial interest in the audit outcome. Assess candidates on: technical expertise in statistical bias testing; experience with the four-fifths (80%) rule and impact ratio calculations; familiarity with LL 144's required disclosure format; and understanding of intersectional analysis requirements.
Step 5: Understand What the Audit Measures
The LL 144 bias audit calculates the impact ratio for each demographic group: (group's selection rate) / (selection rate of the most-selected group). For scored tools, the selection rate is replaced by the scoring rate: (share of the group scoring above the median score) / (same share for the group with the highest such share). An impact ratio below 80% signals potential disparate impact under the four-fifths rule, though LL 144 does not automatically prohibit use of a tool with such ratios.
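As an added worked example (not part of the original guide), the impact-ratio arithmetic from Step 5 combined with the 2% small-category exclusion noted in Step 3; the applicant counts, selection counts and scores are constructed for illustration, not taken from any real audit.

```python
from statistics import median

FOUR_FIFTHS = 0.8   # impact ratio below this signals potential disparate impact
MIN_SHARE = 0.02    # LL 144 lets auditors exclude categories under 2% of the dataset


def exclude_small_groups(counts, min_share=MIN_SHARE):
    """Split categories into those kept and those below the minimum share."""
    total = sum(counts.values())
    kept = {g: n for g, n in counts.items() if n / total >= min_share}
    return kept, sorted(set(counts) - set(kept))


def selection_rates(applicants, selected):
    """Selection rate per category: selected / evaluated (selection-type AEDT)."""
    return {g: selected[g] / n for g, n in applicants.items()}


def scoring_rates(scores):
    """Scoring rate per category: share scoring above the median of all scores."""
    cutoff = median(s for group in scores.values() for s in group)
    return {g: sum(s > cutoff for s in ss) / len(ss) for g, ss in scores.items()}


def impact_ratios(rates):
    """Rate divided by the highest rate, with a flag when below four-fifths."""
    top = max(rates.values())
    return {g: (round(r / top, 3), r / top < FOUR_FIFTHS) for g, r in rates.items()}


# Constructed sample data (intersectional sex/race categories), not real applicants.
# The 4-applicant category is under 2% of the 284 total; without the exclusion its
# 3/4 = 0.75 rate would become the denominator and every other group would fail.
APPLICANTS = {"Male, White": 100, "Female, White": 80, "Male, Black": 60,
              "Female, Black": 40, "Female, Asian": 4}
SELECTED = {"Male, White": 50, "Female, White": 36, "Male, Black": 21,
            "Female, Black": 12, "Female, Asian": 3}
SCORES = {"Group A": [90, 85, 70, 60], "Group B": [80, 55, 50, 40]}  # scored tool


def audit_selection(applicants=APPLICANTS, selected=SELECTED):
    """Full pass for a selection tool: exclusion, rates, ratios, flags."""
    kept, excluded = exclude_small_groups(applicants)
    return impact_ratios(selection_rates(kept, selected)), excluded


if __name__ == "__main__":
    ratios, excluded = audit_selection()
    print("excluded (<2% of dataset):", excluded)
    for group, (ratio, flagged) in ratios.items():
        print(f"{group:15} impact ratio {ratio:.3f}{'  <- below 4/5' if flagged else ''}")
    print("scored tool:", impact_ratios(scoring_rates(SCORES)))
```

Excluded categories still have to be documented in the published results, as Step 3 notes; the exclusion only removes them from the ratio calculation.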
Step 6: Publish Results and Notify Candidates
After the audit: post results on your website (including the audit date, data sources, applicant counts per group, and impact ratios) and keep them posted for at least six months. Provide at least 10 business days' advance notice to candidates before using the AEDT, including information about what it assesses and what data it uses.
Preparing for a Colorado SB 205 Impact Assessment
Step 1: Identify High-Risk AI Systems
Map all AI systems that make or materially influence consequential decisions for Colorado residents. Consequential decisions include employment, housing, education, healthcare, insurance, financial services, government services, and legal services. See the full definition on our SB 205 law page.
Step 2: Build Your Assessment Template
| Assessment Element | What to Document |
|---|---|
| System purpose | Intended use cases; type of consequential decision influenced |
| Known discrimination risks | Known or foreseeable risks of algorithmic discrimination; mitigation measures |
| Data inputs and outputs | Categories of data processed; nature of outputs (scores, recommendations, decisions) |
| Customization data | Any proprietary data used to train or fine-tune the system |
| Transparency measures | How consumers are notified; opt-out processes if applicable |
| Monitoring plan | How issues will be detected and addressed post-deployment |
| Vendor documentation | Model cards, dataset cards, documentation received from the developer |
Step 3: Align with NIST AI RMF
Colorado SB 205's affirmative defense requires compliance with NIST AI RMF or ISO/IEC 42001. The NIST AI RMF is organized around four core functions: GOVERN, MAP, MEASURE, and MANAGE. Structure your impact assessment and risk management program around these functions to most clearly demonstrate framework alignment. Organizations comparing AI governance and audit platforms should evaluate whether the vendor's framework mappings cover both NIST AI RMF and ISO/IEC 42001.
Step 4: Build in Ongoing Monitoring
Impact assessments are point-in-time documents, but the risk management obligation is continuous. Your compliance program should include scheduled annual reassessments (calendar these before deployment); triggers for 90-day reassessment after any intentional, substantial modification to the AI system; monitoring processes to detect signs of algorithmic discrimination between formal assessments; and escalation procedures if discrimination is discovered (90-day AG notification requirement applies).
Step 5: Document Vendor Relationships
Obtain and retain all documentation your AI vendors provide: model cards, dataset cards, known limitations, evaluation methodologies. This documentation forms part of your impact assessment and demonstrates the due diligence required for the affirmative defense. Confirm in your vendor contracts that documentation delivery is a contractual obligation, not a voluntary practice.
What Auditors and Regulators Look For
- Evidence of proactive effort: Organizations that began compliance activities before a violation was alleged are treated far more favorably than those with no documented effort.
- Documentation quality: Vague assertions ("we take bias seriously") do not substitute for quantitative test results or completed impact assessment templates.
- Consistency between disclosure and practice: If your public disclosure says AI is used only for initial screening but your AEDT is also used in promotion decisions, the inconsistency creates significant enforcement risk.
- Vendor due diligence: Regulatory agencies and auditors will ask what documentation you obtained from your AI vendor before deployment. "We didn't ask" is a poor answer.
- Human override capacity: Under SB 205, the right to human review of adverse decisions is a legal requirement, but it also signals to regulators that consequential decisions have not been delegated entirely to an algorithm.
Documentation Checklist
- ☐ AI system inventory (name, vendor, purpose, date deployed, covered population)
- ☐ NYC LL 144 bias audit report (most recent, dated within 12 months)
- ☐ Bias audit publication record (URL, publication date, six-month retention log)
- ☐ Colorado SB 205 impact assessment(s) for each high-risk system
- ☐ Risk management policy and program documentation (NIST/ISO alignment)
- ☐ Consumer notice templates and delivery records
- ☐ Vendor model cards and dataset documentation
- ☐ AI vendor contracts with documentation and compliance clauses
- ☐ Employee training records on AI use policies
- ☐ Incident log: adverse events or discrimination concerns identified post-deployment
For detailed guidance on NIST AI RMF alignment and impact assessment templates, visit our AI audit requirements page and AI in hiring compliance guide.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.