California Turned Your AI Bias Audit Into a Legal Defense
Part of AI Regulation News, our running brief on the laws reshaping how HR uses AI.
On October 1, 2025, California's automated decision system rules took effect under the Fair Employment and Housing Act. They came in quietly, folded into the regulations the Civil Rights Council writes to enforce the state's core anti-discrimination law. For most of 2025 they read like one more compliance headache stacked on a pile. They are not. Buried in the text is a line that changes the math for every HR leader who touches a hiring tool: an anti-bias test can be used in your defense, and the absence of one can be used against you.
That is the part to sit with. California did not just say "do not discriminate with software," which the law already said. It told you how to build the record that protects you when someone claims you did. The audit you have been treating as a nice-to-have is now an asset you produce in litigation. Skip it, and the gap in your file becomes the plaintiff's exhibit. This is the first full compliance year, 2026, and the four-year clock on what you keep is already running.
Key takeaways
- California's FEHA automated decision system rules took effect October 1, 2025, and apply to employers with five or more employees, a far lower bar than most federal hiring thresholds.
- An anti-bias test or audit can serve as an affirmative defense, and its absence is treated as evidence of unreasonable conduct, which makes the audit a legal asset rather than overhead.
- You are on the hook for third-party tools too. Using a vendor's automated decision system does not move disparate-impact liability off your desk.
- The rules carry a four-year recordkeeping duty covering the selection criteria, the tool's outputs, and the audit findings, so the paper trail is the compliance, not just proof of it.
What the FEHA automated decision system rules actually require
Start with scope, because it is wider than people expect. An automated decision system, in the rule's language, is a computational process that makes or substantially facilitates an employment decision. That sweeps in resume screeners, ranking and scoring tools, video assessment software, and the quiet algorithms inside an applicant tracking system that filter people before a human ever sees them. If software shapes who gets through, it is in scope. And the rules reach employers with five or more employees, which means a mid-size company with no dedicated counsel is just as covered as a Fortune 500.
The substance is disparate impact. California makes clear that an automated decision system that produces a discriminatory effect on a protected group can be unlawful even when no one intended harm and even when a human signs off at the end. Good intentions and a final human click do not cure a biased screen. The rule is interested in outcomes and in whether you took reasonable steps to test for and prevent a skewed result. That is the whole game, and it is why the audit moves to the center of the picture.
For HR, the practical translation is that "we bought it from a reputable vendor" is not an answer. The duty to test, document, and defend the outcome sits with the employer who uses the tool to make people decisions. The rule hands you a clear assignment: know what the system optimizes for, know how it performs across groups, and be able to show your work.
The bias-audit-as-affirmative-defense angle
This is the line that should reorganize your year. Under the FEHA rules, evidence that you conducted anti-bias testing of an automated decision system, and acted on what it showed, can be raised in your defense. The flip side is just as deliberate: an employer's failure to test is relevant to whether its conduct was reasonable. California built a carrot and a stick into the same sentence. Run the audit and you have something to stand on. Skip it and your silence speaks for the plaintiff.
Think about what that does to the cost-benefit. Before, a bias audit was a discretionary expense you could defer because nothing forced it. Now the audit is the cheapest insurance you can buy against a disparate-impact claim, and the decision not to run one is an affirmative liability you are choosing to carry. Few HR leaders would knowingly let a known defense expire. That is exactly what skipping the test does.
It also changes what "passing" means. An audit is only a defense if it is real: a documented look at how the tool performs across protected groups, with the criteria you selected, the outputs it produced, and what you did when the numbers looked off. As the companion case in passing the audit and still being unfair shows, a thin or box-checking audit can leave you exposed even when the report says you cleared it. California rewards the substance, not the certificate.
The four-year paper trail California now expects
The rules attach a recordkeeping duty, and the retention period is four years. That is not a filing-cabinet footnote. It defines the artifact you have to be able to produce, on demand, for any hiring algorithm you ran. In practice you are preserving three things: the selection criteria the system used, the data and outputs it generated, and the anti-bias testing and findings. Keep those, dated and intact, for four years from the relevant decision.
The trap is that most of this lives inside vendor platforms you do not control. The scoring logic, the rejection thresholds, the per-group performance numbers: often you can see them on a screen but cannot easily export and hold them. If the data sits only in the vendor's system and you have no copy, you do not have a record. You have a dependency. The fix is to decide now what you will capture and store yourself, before a charge lands and you are asking a vendor to reconstruct a year-old run.
This is also where a vendor questionnaire earns its keep. Because liability follows the employer, you want a standing document that pins down what the tool optimizes for, what testing the vendor has done, what it will share, and what it will hand you to retain. Getting those answers in writing, before you deploy a tool, is how you turn an opaque third-party system into a record you can actually defend.
A what-to-do-now audit and recordkeeping checklist
You are already inside the first compliance year, and the four-year clock runs from each decision, so the work is not "later." Build the file while the decisions are fresh.
- Inventory every automated decision system in your hiring and people processes, including the screening and ranking features hiding inside your applicant tracking system, so nothing in scope is invisible.
- For each tool, write down the selection criteria it actually uses and what it optimizes for, in plain language a non-engineer can defend.
- Run or commission a real anti-bias test that measures outcomes across protected groups, and record both the method and the results, not just a pass or fail.
- Act on what the test shows, and document the action, because the defense is testing plus response, not testing alone.
- Capture and store, in your own systems, the criteria, the outputs, and the audit findings for each tool, and set a four-year retention rule so nothing ages out early.
- Send every vendor a written questionnaire on what the tool does, what testing exists, and what they will provide for your records, and keep their answers in the file.
- Name a human decision-maker for each people decision and document that a person, not a model output, owned the call.
Guardrails
A few lines keep this honest. First, a real audit beats a reassuring one. An audit you ran to produce a clean headline, without looking hard at per-group outcomes, is worse than none, because it documents that you looked and chose not to see. Second, do not confuse a vendor's compliance claim with your own. Their certification can be a useful input, but the FEHA duty to test and retain is yours, and a regulator or plaintiff will hold you to it regardless of what the contract says.
Third, keep the records where you can reach them. A defense you cannot produce within a four-year window is not a defense. Fourth, write everything for the reader who is hostile and looking two years later. The selection criteria, the test method, the findings, and the human sign-off should each read clearly to someone trying to prove you were careless.
What AI does not replace
Used well, an AI assistant is a strong partner for exactly this kind of structured, repeatable compliance work. You can use Claude to draft the vendor questionnaire, to frame the selection criteria for a tool in clear defensible language, to organize the recordkeeping log so every required element has a home, and to turn a raw audit output into findings a regulator could follow. That is leverage: the discipline gets faster and more consistent, and the file gets built while the decisions are fresh. It is the core idea behind The Leveraged HR Professional, our course on building AI-assisted HR systems that hold up under scrutiny.
What the assistant does not do is decide. It cannot be the human decision-maker the rule expects, it cannot certify that your tool is fair, and it cannot judge whether a skewed result is acceptable. Those are human calls with human accountability, and California's rules are tightening that requirement, not loosening it. Use AI to build and maintain the record. Keep the judgment, the accountability, and the signature with a named person. An audit generated by software and filed without anyone standing behind it is the kind of empty paper the FEHA rules are designed to see through.
Frequently asked questions
When did California's FEHA automated decision system rules take effect, and who has to comply?
The rules took effect October 1, 2025, with 2026 as the first full compliance year. They apply under the Fair Employment and Housing Act to employers with five or more employees and cover any automated decision system that makes or substantially facilitates an employment decision, including resume screeners, ranking tools, and the filtering features inside an applicant tracking system.
How does an anti-bias audit work as a defense under the California rules?
Evidence that you conducted real anti-bias testing of an automated decision system, and acted on the results, can be raised in your defense against a discrimination claim. The reverse is also built in: failing to test is relevant to whether your conduct was reasonable. That makes a genuine, documented audit a legal asset, and skipping one an affirmative liability you choose to carry.
What records do I have to keep, and for how long?
The rules carry a four-year recordkeeping duty. In practice you preserve the selection criteria the system used, the data and outputs it produced, and your anti-bias testing and findings, retained for four years from the relevant decision. Because much of this lives inside vendor platforms, capture and store your own copies rather than relying on a third party to reconstruct a past run.
Related briefings: Passing the AI hiring audit and still being unfair · The EEOC enforcement plan for AI hiring tools · Colorado AI hiring law: what HR owes now