The four-fifths rule is the EEOC’s primary tool for identifying adverse impact. The math is straightforward: calculate the selection rate for each demographic group, then compare each group’s rate to the group with the highest selection rate. If any group’s rate is less than 80% of the highest rate, there is evidence of adverse impact.

Selection rate = Number selected ÷ Number of applicants in that group

This applies at every stage where AI influences a decision: resume screening, interview invitations, assessments, and final offers. Each stage must be analyzed independently.

Phase 1: Scope & Setup (Weeks 1-2)
Define which AI tools are in scope. Identify the decisions each tool influences. Engage an independent third-party auditor — NYC Local Law 144 requires independence, and best practice demands it everywhere.

Phase 2: Data Collection (Weeks 3-5)
Collect demographic data for all individuals processed by the AI tool. This requires careful handling — demographic data may come from self-identification, EEOC reporting, or visual survey. Ensure data is anonymized for the auditor.

Phase 3: Analysis (Weeks 6-10)
Calculate selection rates by race/ethnicity, sex, and age. Test intersectionality (e.g., Black women vs. white men, not just Black vs. white). Analyze which input features drive disparate outcomes. Run statistical significance tests.

Phase 4: Report & Remediation (Weeks 11-14)
Document findings, identify root causes, recommend mitigation strategies, and create an action plan.

Important context: The EEOC’s 2023 guidance on AI in hiring was removed from its website following the rescission of the Biden-era AI executive order. However, the enforcement mechanism is unchanged — Title VII, ADA, and ADEA are the legal basis for every charge, not the guidance documents. The guidance was explanatory; the statutes are the source of liability.

1. Charge filed: An applicant or employee files a charge of discrimination with the EEOC, alleging that an AI-driven process discriminated against them.

2. Investigation: The EEOC investigates. They will ask for documentation of the AI tool, its decision-making process, selection rates by demographic group, and any bias audits conducted. This is where documentation either saves you or sinks you.

3. Finding: The EEOC either finds “reasonable cause” (evidence supports discrimination) or “no reasonable cause.”

4. Conciliation or litigation: If reasonable cause is found, the EEOC attempts conciliation (settlement). If that fails, the EEOC may file a lawsuit — or issue a right-to-sue letter allowing the individual to sue directly.

5. Resolution: Settlements in AI discrimination cases have included monetary damages, required bias audits, changes to hiring practices, and ongoing monitoring agreements.

New front — private litigation: The Eightfold AI class action (January 2026) alleges the platform created secret applicant scoring dossiers without disclosure, potentially violating the Fair Credit Reporting Act and California consumer reporting laws. This case demonstrates that EEOC enforcement is not the only path — private class actions under FCRA and state consumer laws are an emerging and significant threat.

Standard SaaS contracts were not designed for AI. They cover uptime, data security, and liability caps — but they don’t address model transparency, bias accountability, algorithmic change notification, or audit access. If your AI vendor’s tool creates adverse impact, your standard contract likely doesn’t give you the tools to investigate, remediate, or recover damages. You need AI-specific provisions.

Bias audit rights: You can commission independent bias audits at any time. Vendor must cooperate and provide necessary data and access.

Model documentation: Vendor must provide model card, training data description, validation methodology, and known limitations upon request.

Change notification: Vendor must notify you in writing at least 30 days before any model update, retraining, or algorithmic change that could affect outcomes.

Sub-processor disclosure: Vendor must disclose any third parties that process your data, including AI model providers they use under the hood.

The EU AI Act requires a quality management system (QMS) for high-risk AI. This is a documented set of policies and procedures covering the entire AI lifecycle:

Design & development: How AI tools are selected, configured, and validated before deployment.
Data management: How training data is sourced, cleaned, assessed for bias, and maintained.
Testing & validation: How the system is tested against accuracy, robustness, and fairness benchmarks.
Deployment: How the system is rolled out, monitored, and maintained in production.
Post-market monitoring: How you track performance, detect drift, and respond to incidents after deployment.

The Act requires that high-risk AI systems allow effective human oversight. This means humans must be able to: understand the system’s capabilities and limitations, monitor its operation, interpret its outputs correctly, override or halt the system at any time, and intervene in real-time when necessary.

AI incidents will happen. A bias audit reveals adverse impact. A candidate complains that the AI rejected them unfairly. A model update changes outcomes dramatically. The question isn’t whether, it’s when. Having a documented incident response plan before an incident occurs is the difference between a controlled response and a chaotic scramble that makes the legal situation worse.

1. Containment: Stop the AI from making additional potentially harmful decisions. This may mean suspending the tool, reverting to manual processes, or adding human review to every decision.

2. Investigation: Determine scope and root cause. How many decisions were affected? Which demographic groups were impacted? What caused the issue — model drift, data problem, vendor update?

3. Remediation: Fix the root cause. This may involve retraining, reconfiguring, or replacing the AI tool. Review all affected decisions and determine if any need to be reversed.

4. Notification: Notify affected individuals, regulatory bodies (if required), and leadership. Timing and content of notification may be governed by regulation.

5. Prevention: Update monitoring to catch similar issues earlier. Document lessons learned. Update the risk register.

Model selection rationale: Why this tool was chosen over alternatives. What evaluation criteria were used. What due diligence was performed.

Training data description: What data the model was trained on (from the vendor). How representative it is. Known limitations.

Validation results: Pre-deployment testing results, including bias testing across demographic groups.

Bias audit results: All bias audit reports, findings, and remediation actions taken.

Deployment decisions: Who approved deployment, what risk assessment was conducted, what human oversight was established.

Override logs: Every instance where a human overrode the AI’s recommendation, with the reason documented.

Complaint records: Any complaints from candidates or employees about AI-driven decisions, with investigation notes and outcomes.

AI systems drift, regulations change, vendors update models, and your workforce evolves. An annual governance review is the minimum cadence for a comprehensive assessment. High-risk tools should have quarterly bias monitoring in between. The annual review is a structured process to step back and evaluate the full picture: are we compliant, are our tools performing, and are we prepared for what’s coming?

1. Inventory update: Confirm the AI tool inventory is complete. Identify any new AI tools deployed since last review.
2. Compliance assessment: Map current regulations to each tool. Identify any new regulations that have taken effect.
3. Bias audit review: Review all bias audit results from the past year. Track trends across audit cycles.
4. Incident review: Assess any AI incidents that occurred. Evaluate response effectiveness and lessons learned.
5. Vendor evaluation: Review vendor compliance with contract provisions. Assess any model updates and their impact.
6. Policy updates: Update AI governance policies based on regulatory changes and operational learnings.
7. Leadership reporting: Present findings, risks, and recommendations to leadership or the board.