AI hiring bias: the vendor can be on the hook too

The Workday case shifts liability for bias toward the vendor of the scoring tool, not just the employer. What that changes for how you choose your tool.

7 min read
Alexandre NotoArticle
AI hiring bias: the vendor can be on the hook too

A U.S. federal court has just refused to let Workday dismiss a bias claim against its hiring AI. The new point is not the bias. It is who answers for it.

For years the implicit rule was simple: the tool sorts, the employer takes the responsibility, the vendor sells software and stops there. That line just moved. In Mobley v. Workday, the court holds that the vendor of the scoring tool can be held liable for discrimination, not just the client company using it. For any vendor, us included, that is a signal to read coldly.

What the court actually held

The case is before the U.S. federal court for the Northern District of California (case 3:23-cv-00770). The plaintiff, Derek Mobley, claims Workday's screening tools rejected candidates on protected criteria, including age.

On May 16, 2025, the court granted conditional certification of a nationwide collective action under the U.S. age discrimination law. Then, on March 6, 2026, Judge Rita F. Lin rejected Workday's central argument: that this law protected only employees, not applicants.

The legal mechanism is worth pausing on. The court relies on agent theory: an employer cannot escape liability by delegating hiring to a third party, and that third party, by exercising it, becomes liable itself. Workday is no longer a mere software vendor, but an actor in the sorting.

The most recent development goes further. On June 22, 2026, Judge Lin denied in part a new Workday attempt and preserved the claims grounded in California's FEHA. Workday argued that this state law could not reach non-California plaintiffs. The court answered the opposite: it applies even outside California, because Workday designs and operates its tools from its California headquarters. Jurisdiction does not follow the candidate's location, it follows whoever operates the system. Exactly our thesis on sovereignty: the law attaches to the actor deploying the tool, not to where the data sits.

The scale is dizzying: roughly 1.1 billion applications processed, more than ten thousand employer clients. Liability is no longer confined to one isolated client.

This is not a trial of AI. It is a trial of the ungoverned system

The court does not fault Workday for using an algorithm, it looks at what it produces and at the ability to account for it. The real question is not to dissect the model, it is the process: what data enters, who decides, with what real human margin.

Let us be direct on a point many vendors prefer to blur. A language model, including open source and self-hosted, stays opaque by structure. No one can explain, criterion by criterion, why a neural network produced a given score, and that holds for American as well as sovereign models. Selling an AI you could open and reread line by line is an untenable promise a lawyer turns against you at the first hearing. Model opacity is a baseline of the sector.

The real problem lies elsewhere: depending on a third party whose system you do not govern, that you cannot document, and that can cut off your access or be compelled by a foreign authority. That is the black box that becomes a liability: not an opaque model, they all are, but an unmastered dependency. When a judge asks what data fed the scoring and how a human decided, answering that the service is proprietary and hosted elsewhere is not a defense, it is a confession.

The vise closes: discrimination on one side, transparency on the other

Workday is no longer alone in the dock. On January 20, 2026, two applicants sued Eightfold AI in California, on entirely different ground. Where Mobley plants vendor liability on discrimination through agent theory, Eightfold opens a second front on transparency, under the Fair Credit Reporting Act. The plaintiffs argue the scores work like secret reports that rate candidates without their knowledge: no prior disclosure, no access, no correction, and a rejection before any human review. The charge is not discrimination, it is the procedural opacity of the setup.

Taken together, the two cases form a vise. You can neither produce discriminatory results while hiding behind your vendor status, nor rate candidates in a closed process without human oversight or access to what was used to evaluate them. Non-discrimination and transparency: two jaws closing on vendors, and neither is handled by opening the model, both by governing the process. With U.S. state regulation diluting rather than tightening (Colorado eased its obligations in May 2026), the real lever is not local law but the vendor's civil liability.

In Europe, the framework is already here, and it is stricter

Agent theory and the U.S. age law do not apply in France. But no European vendor should take comfort in that: the framework here points the same way, and it predates the Workday case.

GDPR Article 22 has governed automated decision-making since 2018: a person has the right not to be subject to a decision based solely on automated processing that significantly affects them. Rejecting an application is one such decision. The SCHUFA ruling (CJEU, December 7, 2023), confirmed by the CK judgment of February 27, 2025, hardened the reading: a human who mechanically validates a recommendation without real judgment is not enough to leave the scope of Article 22.

On top of that, the AI Act (EU Regulation 2024/1689) classifies recruitment as high-risk activity in its Annex III and requires effective human oversight, technical documentation, and heavy penalties from its main date of application, December 2, 2027. A European vendor therefore already operates in a demanding perimeter. The Workday case does not create it here, it confirms from the other shore that you do not leave it by presenting yourself as a mere vendor.

We are a vendor. We have no immunity, and that is the point

Let us be clear, because this is the reflex to avoid. No one here will tell you JobAffinity is shielded: we provide an AI that scores applications, we sit in the same legal perimeter as any vendor. Our structural choices, made long ago, are not about a supposed model transparency, which exists for no LLM, but about governance of the process.

Our AI assists the recruiter, it does not replace them. The score is a decision aid, never the decision: the human decides, there is no automated rejection, and the recruiter can always ignore, change, or contest a suggestion. Human oversight is not a checkbox, it is the very mechanics of the tool. We control what data enters the scoring, and the system is self-hosted in France, under our end-to-end control, as detailed in our analyses on sovereignty.

Concretely: in JobAffinity, it is the recruiter who sets the scoring criteria at the job level (experience, language, education). The AI reads and understands the CV, then measures it against those criteria. Each score is broken down: on hover, the recruiter sees on which criteria the candidate gains or loses points. If they disagree, they adjust the job's parameters and the ranking follows. We do not explain the inside of the model, we make the frame we impose on it readable and editable.

This is not a defensive posture, it is liability coverage. The day accounts have to be rendered, what gets demonstrated is not the model but the process: a third-party API leaves you nothing to show, a system you govern does.

The grid to apply to your vendor

The Workday case changes the question to ask before you sign. Three questions, this week. What data enters your scoring, and where it is hosted. How the process is documented, knowing no serious vendor will claim to open the model. How human oversight is guaranteed so no rejection is purely automated. If the vendor hesitates or sells you a model transparency no LLM allows, you have just identified who will carry the risk: you.

Liability for bias does not vanish: it gets governed, or it lands on you.

Sources

JobAffinity

The ATS that simplifies your hiring

★★★★★4,9/5 Google
Discover JobAffinity

Frequently Asked Questions

Topics covered:

IARecrutementConformitéAI Act

Ready to optimize your recruitment?

Discover JobAffinity and transform the way you recruit