Start with visibility: inventory every AI tool

Find what is already live

• Ask each team (HR, IT, marketing, operations, security) to list tools, pilots, and plug-ins.
• Scan for “shadow AI” (personal ChatGPT accounts, browser extensions, automation bots).
• Capture core details: owner, purpose, data used, outputs, location of users, and vendor.

Classify risk

• High risk: tools that influence hiring, promotion, pay, termination, or customer eligibility.
• Medium risk: tools that summarize or analyze internal data but don’t make people decisions.
• Lower risk: tools for drafts or productivity that never touch sensitive data.

Workplace AI compliance checklist

1) Map the laws that apply

• Federal: Anti-discrimination laws like Title VII require monitoring for disparate impact in hiring and promotion. If impact exists, follow recognized validation standards.
• State and local: Many jurisdictions require notices, bias audits, opt-outs, or published results for automated hiring tools (for example, New York City’s AEDT rule).
• Privacy and security: Confirm data rights, retention, access controls, and breach duties.

2) Validate tools that affect employment decisions

• Test for adverse impact before launch and on a schedule (e.g., quarterly or per hiring cycle).
• If impact appears, engage qualified experts (e.g., industrial-organizational psychologists) for validation.
• Document scope, data, methods, results, and corrective actions.

3) Build governance and assign an owner

• Create a cross-functional team: legal, HR, DEI, data science, IT security, procurement, and communications.
• Assign a single accountable owner for each tool and define an escalation path.
• Set risk thresholds, approval gates, and a change-control process.

4) Complete vendor due diligence

• Review model purpose, training data sources, bias testing methods, and update cadence.
• Require security controls, SOC reports, and incident response terms.
• Add audit rights, cooperation on bias audits, data-return/deletion, and indemnity for violations.

5) Manage data the right way

• Minimize inputs; avoid sensitive data unless required and lawful.
• Set retention periods and access rules. Encrypt data in transit and at rest.
• Prohibit input of trade secrets or personal data into public tools unless approved.

6) Give clear notices and offer human review

• Tell candidates and employees when AI is used and how it affects decisions.
• Where required, provide an opt-out or alternative process.
• Keep a human in the loop for meaningful decisions and appeal paths.

7) Test, monitor, and keep records

• Set metrics: selection rates by protected group, false positives/negatives, accuracy drift.
• Retest after model updates, data changes, or role changes.
• Log tests, decisions, notices, and published audits to prove compliance.

8) Policy, training, and shadow AI controls

• Publish an AI use policy: approved tools, banned uses, privacy rules, and escalation.
• Train managers, recruiters, and end users on bias, data handling, and prompt hygiene.
• Control access: block risky tools, whitelist approved vendors, and disable data sharing settings.

9) Plan your rollout by geography

• Launch in compliant states first; geofence where needed.
• Adjust notices, audit timing, and publishing to match local rules.
• Use feature flags to align tool behavior with each jurisdiction.

10) Track new rules and refresh the plan

• Keep a compliance calendar for audits, notices, and revalidations.
• Subscribe to trusted updates and meet quarterly to review changes.
• Update the workplace AI compliance checklist as laws evolve.

Common mistakes that lead to fines

• Skipping candidate or employee notices before using automated screening.
• Launching a tool without a bias audit where the law requires one.
• Failing to publish audit results when a jurisdiction mandates disclosure.
• Not keeping records that show monitoring, validation, and corrective steps.
• Relying only on vendor marketing instead of documented testing.
• Ignoring shadow AI and allowing sensitive data into public models.
• Letting models drift without scheduled monitoring and revalidation.

A simple 30-60-90 day plan

Days 1–30: Baseline and freeze

• Inventory tools and set an approval pause for high-risk use cases.
• Issue a quick AI policy and block risky, unapproved tools.
• Start legal mapping for covered roles and locations.

Days 31–60: Controls and contracts

• Run initial bias tests on hiring/promotion tools; plan validations if needed.
• Add notices, opt-outs, and a human review path.
• Finalize vendor due diligence and update contracts.

Days 61–90: Prove and improve

• Publish required audits and set a monitoring schedule.
• Train end users and managers; launch an intake process for new tools.
• Adopt the workplace AI compliance checklist as a standing governance artifact.

FAQ