AI hiring tools are being sold as efficiency gains. Screen more resumes faster. Rank candidates more objectively. Reduce time-to-hire. The pitch is compelling, and organizations are buying it.
The problem is what happens after deployment. Most organizations have no policy governing how the tool is used, no process for auditing its outputs, no documentation trail if a candidate challenges a decision, and no one who has asked whether the tool produces biased results against protected groups. That combination is a serious legal and reputational liability.
Before you deploy an AI hiring tool, here is what needs to be in place.
One threshold question is whether the tool you are evaluating is actually an AI tool in the regulatory sense. The OECD framework defines AI as a machine-based system that infers from inputs how to generate outputs such as predictions, recommendations, or decisions. That is a broad definition, and regulators are expected to apply it broadly. If your applicant tracking system ranks candidates, flags resumes, or scores applications using any model-based logic, it likely qualifies regardless of how the vendor markets it.
There is also a shadow AI problem that most organizations underestimate. Research from the 2025 Technology at Work report found that 46% of office workers use AI tools not provided by their employers. Hiring managers are using AI to generate interview questions, summarize candidate profiles, or draft assessments without those tools being in scope for any governance framework. An AI use policy that covers only enterprise-licensed tools is covering less than half the actual exposure.
Understand what the tool actually does
This sounds obvious. It rarely happens in practice. AI hiring tools vary enormously in how they work. Some screen resumes for keywords. Some rank candidates using predictive models trained on historical hiring data. Some analyze video interviews for speech patterns, facial expressions, or tone. Each carries different risks.
Before deployment, get answers to the following questions directly from the vendor:
- What data was the model trained on, and how old is it?
- What variables does the model weight most heavily in its rankings?
- Has the tool been independently audited for bias? If so, by whom, and what were the findings?
- What protected characteristics, if any, has the vendor tested for disparate impact?
- What is the tool's documented error rate, and how does that error present?
If the vendor cannot answer these questions, that is your first signal.
Run a bias assessment before going live
Bias in AI hiring tools is not hypothetical. The US Equal Employment Opportunity Commission has issued guidance on AI and employment discrimination. New York City requires bias audits for automated employment decision tools used in hiring. Several Canadian provinces are developing similar frameworks.
A pre-deployment bias assessment looks at whether the tool produces different outcomes for candidates from different demographic groups and whether those differences correlate with protected characteristics under applicable human rights law. This is not something your vendor should be doing unilaterally. It should involve an independent reviewer with expertise in employment law and HR, not just the vendor's internal data team.
A practical starting benchmark is the EEOC's four-fifths rule, also called the 80% rule. If the selection rate for a protected group is less than four-fifths of the selection rate for the highest-selected group, that is a statistical indicator of adverse impact. It is not a legal threshold in itself, but it is the standard the EEOC uses to flag situations warranting further review. Running this calculation against your tool's outputs before deployment tells you whether you have a problem before it shows up in a complaint.
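The four-fifths calculation described above, as an added example that is not part of the original article or any vendor's tooling. It assumes the tool's decisions can be exported as (group, advanced) pairs; the group labels and counts are constructed sample data.

```python
from collections import Counter
from fractions import Fraction

FOUR_FIFTHS = Fraction(4, 5)

# Constructed sample: (demographic group label, did the tool advance the candidate?)
SAMPLE = (
    [("A", True)] * 48 + [("A", False)] * 52
    + [("B", True)] * 30 + [("B", False)] * 70
    + [("C", True)] * 9 + [("C", False)] * 11
)

def selection_rates(decisions):
    """Return {group: (exact selection rate, applicant count)}."""
    applied, selected = Counter(), Counter()
    for group, advanced in decisions:
        applied[group] += 1
        selected[group] += int(bool(advanced))
    return {g: (Fraction(selected[g], applied[g]), applied[g]) for g in applied}

def four_fifths_report(decisions, threshold=FOUR_FIFTHS):
    """Compare each group's selection rate with the highest-selected group's."""
    rates = selection_rates(decisions)
    if not rates:
        raise ValueError("no decisions to assess")
    top_group = max(rates, key=lambda g: rates[g][0])
    top_rate = rates[top_group][0]
    if top_rate == 0:
        raise ValueError("no group had any selections; impact ratio is undefined")
    report = {}
    for group, (rate, n) in sorted(rates.items()):
        ratio = rate / top_rate  # exact fraction, so the 0.8 boundary is not blurred
        report[group] = {
            "n": n,
            "rate": float(rate),
            "impact_ratio": float(ratio),
            "flag": ratio < threshold,  # strictly less than four-fifths
        }
    return top_group, report

if __name__ == "__main__":
    top, report = four_fifths_report(SAMPLE)
    print(f"highest-selected group: {top}")
    for group, row in report.items():
        status = "REVIEW" if row["flag"] else "ok"
        print(f"{group}: n={row['n']} rate={row['rate']:.2f} "
              f"ratio={row['impact_ratio']:.3f} {status}")
```

The applicant count is reported next to each ratio because a flag, or the absence of one, on a very small group says little by itself.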
Document the assessment. If a candidate or regulator later challenges a decision made using the tool, that documentation is the difference between a defensible process and a significant exposure.
Develop an AI use policy before the tool is live
An AI use policy for hiring does not need to be lengthy. It does need to cover the following:
- What the tool is used for and what decisions it informs
- What the tool is explicitly not used for
- What role human judgment plays in the process and at what stage
- Who has authority to override the tool's outputs and on what basis
- How candidate data is stored, retained, and deleted
- What disclosure obligations exist toward candidates
The disclosure question is no longer a future consideration in Ontario. Amendments to the Ontario Employment Standards Act under Bill 149 require employers with 25 or more employees to disclose the use of AI in their hiring process in publicly advertised job postings. That requirement came into effect on January 1, 2026. Organizations operating in Ontario that are using AI screening or ranking tools in any publicly posted hiring process are now legally required to disclose that fact. Candidates who discover after the fact that their resume was screened by an algorithm they were not told about tend to have strong feelings about it. In Ontario, they may also have a legal complaint.
Assign clear accountability
One of the most common gaps in AI governance is diffuse accountability. Everyone assumes someone else is watching the tool. No one is.
Before deployment, name a person or role responsible for the following:
- Ongoing monitoring of the tool's outputs for anomalies or drift
- Periodic bias audits after initial deployment (annually at minimum)
- Reviewing and responding to candidate complaints about AI-informed decisions
- Staying current on regulatory developments in the jurisdictions where you hire
This accountability should be documented. It should be in someone's job description or terms of reference. Informal arrangements do not hold up when something goes wrong.
Train the people using the tool
Hiring managers and recruiters using AI-assisted tools need to understand what the tool does and does not do. They need to know that the tool's rankings are not objective truth. They need to understand that overriding the tool requires documentation and a reasoned basis. They need to know what questions they cannot ask regardless of what the tool surfaces.
Training does not need to be extensive. It does need to happen before the tool goes live, not after the first complaint.
The bigger picture
Deploying an AI hiring tool without governance in place is not a tech decision. It is an HR and legal decision with HR and legal consequences. The efficiency gains are real. So is the exposure.
Getting the governance right before deployment is significantly easier than retrofitting it after a complaint, an audit request, or a news story. It is also better for candidates, which should matter independently of the legal calculus.
If you are evaluating an AI hiring tool or have already deployed one without these pieces in place, a compliance review is a reasonable starting point. The gaps are usually fixable. They are easier to fix before something goes wrong.