Key takeaways

 

1. Connecticut Public Act 26-15 (Substitute Senate Bill 5), signed by Governor Lamont in May 2026, is the most comprehensive state AI statute passed to date in the United States. The employment provisions in Sections 7 through 14 phase in between October 2026 and October 2027.




2. The act does not mandate a bias audit. It amends two Connecticut discrimination statutes to make evidence of anti-bias testing relevant in any case involving an automated employment-related decision technology, with the quality, efficacy, recency, scope, results, and response to results all admissible.




3. The same evidentiary framework operates in California through the Civil Rights Department’s ADS regulations, effective October 1, 2025. Two states now apply the same six-factor analysis to bias testing in discrimination cases touching automated hiring tools.




4. Vendors selling AEDTs into Connecticut, large multi-state employers using them, and recruitment process outsourcers operating them across portfolios each have a distinct exposure profile. The unifying response is independent testing scoped to the deployment context and conducted against recognized assurance criteria.

 

An AI hiring law inside a broader Online Safety Act

 

On May 14, 2026, Governor Ned Lamont signed Public Act 26-15, the substantive enactment of Substitute Senate Bill 5, into Connecticut law. The Online Safety Act is the most comprehensive state-level AI statute passed in the United States to date. It takes effect in stages starting October 1, 2026, with the employment-related provisions phasing in through October 1, 2027 and the Independent Verification Organization pilot beginning July 1, 2027. The act addresses a wide field of AI policy concerns, including frontier model whistleblower protections, generative AI content provenance, online subscription disclosures, AI literacy programming for public schools, and the IVO pilot program at the Department of Consumer Protection.

This post is concerned with the employment portion, which appears in Sections 7 through 14. Those sections establish a developer and deployer disclosure framework for automated employment-related decision technologies, and they amend two of Connecticut’s discrimination statutes in a way that should change how vendors, employers, and process outsourcers think about bias testing. The amendments do two specific things. First, they state that the use of an AEDT is not itself a defense to a discrimination claim. Second, they direct courts and the Commission on Human Rights and Opportunities to consider evidence (or its absence) of anti-bias testing in deciding those claims, with the quality, efficacy, recency, scope, results, and response to results all relevant.

That second feature is what links Connecticut to California. The California Civil Rights Department’s Automated-Decision Systems regulations, in effect since October 1, 2025, use nearly identical evidentiary language at 2 CCR Section 11009(f). Two state regimes now uphold the same evidentiary framework for anti-bias testing in AEDT discrimination cases, and the practical consequences for hiring tool vendors and the employers who buy them are concrete enough to act on.

 

What Connecticut PA 26-15 does: frontier model provisions, the IVO pilot, and the AEDT disclosure framework

 

The frontier model provisions in Section 2 establish whistleblower protections and incident reporting obligations for covered employees at large frontier developers, defined to include only organizations with annual revenues above five hundred million dollars that have trained a model using more than 10²⁶ integer or floating-point operations. The frontier portion has drawn the most trade press attention, but it applies to a very small set of organizations and is unlikely to be operationally relevant to readers concerned with hiring tools. I note it here so the reader understands the scope of the statute as a whole and can move past the part that does not apply.

The Independent Verification Organization pilot in Section 33 is more relevant. It directs the Department of Consumer Protection to approve up to five IVOs to verify AI models against defined risks, with verification admissible in private civil actions for personal injury or property damage but not in state enforcement actions. The application requirements in Section 33(c) read closely with how an independent AI assurance firm operates under international assurance standards. They cover defined risks and acceptable risk levels, measurable metrics, alignment with the NIST AI Risk Management Framework and recognized ISO and IEEE frameworks, governance and conflict-of-interest policies, ongoing monitoring and reassessment procedures, and personnel qualifications. No IVOs have been approved yet, since the pilot does not begin until July 2027. The point worth making is that the description in Section 33(c) is what state legislatures now consider the operating model of a credible third-party AI verifier. I have written elsewhere about why the existing professional assurance infrastructure, particularly ISAE 3000, already supplies most of the answers state IVO frameworks are reaching for.

The employment provisions in Sections 7 through 12 set up the AEDT framework that is the focus of this post. Section 7 defines automated employment-related decision technology in language that parallels New York City Local Law 144, but the scope is broader because the Connecticut definition reaches hire, promote, discipline, discharge, training, and tenure decisions rather than only hire and promote. Section 8 places direct disclosure obligations on developers, and Section 8(c) permits deployers and developers to reallocate certain Section 10 deployer duties to the developer by contract. Section 9 requires plain-language disclosure to applicants and employees that they are interacting with an AEDT. Section 10 requires pre-decision written notice that includes the tool name, purpose, data categories, data sources, and deployer contact information. Section 11 carves out trade secret information with a notification requirement. Section 12 vests enforcement in the Attorney General, with a 60-day cure period for violations occurring before December 31, 2027, and no private right of action under that section.

 

Sections 13 and 14: how Connecticut’s discrimination amendments make anti-bias testing relevant evidence in AEDT cases

 

Sections 13 and 14 amend Connecticut’s general employment discrimination statute (CGS Section 46a-60) and its sexual orientation provision (CGS Section 46a-81c). The amendments insert two principles into both statutes. The first principle is that the “use of an automated employment-related decision technology shall not be a defense” to a complaint alleging a discriminatory employment practice. The second principle, drawn directly from the operative text, is that the Commission on Human Rights and Opportunities or a court “may consider evidence of anti-bias testing or other similar proactive efforts to avoid the discriminatory practice, including, but not limited to, the quality, efficacy, recency, and scope of such testing or efforts, the results of such testing or efforts, and the response thereto.”

The California analogue, at 2 CCR Section 11013(f), reads in operative part that “Relevant to any such claim or available defense is evidence, or the lack of evidence, of anti-bias testing or similar proactive efforts to avoid unlawful discrimination, including the quality, efficacy, recency, and scope of such effort, the results of such testing or other effort, and the response to the results.” The textual parallel is close enough that the two regimes can be read as one evidentiary framework operating in two jurisdictions: both make anti-bias testing relevant evidence in a discrimination claim arising from an automated system, both treat the absence of testing as equally admissible, and both identify the same six factors that determine evidentiary weight (quality, efficacy, recency, scope, results, and response to results).

The analytical point I want to make is that this framework does not require an audit, but it shapes the incentive landscape for testing more directly than a mandate would. Neither statute prescribes a methodology, an audit format, or a specific bias metric, and the silence is deliberate because the technology is moving quickly enough that a state-by-state methodological lock-in would age poorly. The consequence is that the evidentiary weight assigned to a piece of testing will be determined by trial courts, by administrative agencies in enforcement contexts, and by plaintiffs’ counsel in deposition. The criteria those parties apply, when they get to apply them, are exactly the criteria a serious independent auditor uses: that the testing was performed by someone other than the party making the claim about it, that it covered the actual deployment configuration rather than a sanitized version of it, that it was current as of the relevant decision date, that the methodology was defensible against an informed challenge, and that adverse results were addressed rather than filed away.

The contrast with New York City Local Law 144 is worth a few sentences because it clarifies what kind of regime Connecticut has chosen. LL144 specifies the audit methodology in considerable detail, requires impact ratios across race and sex categories, mandates an annual independent audit, and requires public posting of the audit summary. Connecticut and California take none of those steps, and instead make the absence or weakness of testing admissible against the employer, which produces a different incentive structure. Under LL144 a vendor or employer is incentivized to meet a defined checklist; under Connecticut and California the incentive is to produce testing that will hold up under adversarial scrutiny in a discrimination case.

Colorado SB 26-189 is the third active state regime, taking a transparency-and-notice approach with no audit mandate and no anti-bias evidentiary language; it takes effect January 1, 2027. The Colorado design does not change the practitioner posture I describe in the rest of this post.

 

What Connecticut’s AEDT regime means for AI hiring tool vendors, multi-state employers, and RPO firms

 

The first implication is for vendors of AI hiring tools selling into Connecticut. Section 8 places direct disclosure obligations on the developer, and Section 8(c) contemplates contracts in which the developer takes on some of the deployer’s Section 10 duties. From October 2027 forward, a vendor selling into Connecticut needs to be ready to give deployers the information necessary for those deployers to meet their pre-decision notice requirement, which is the mechanical part of the obligation. The harder question is what the vendor’s answer looks like when a deployer’s general counsel asks for bias testing evidence in advance of a discrimination case rather than after one has been filed. A vendor whose answer is internal-only documentation is offering the customer something that is admissible against them and not for them, while a vendor who can supply an independent audit report covering a bounded claim, conducted under recognized assurance standards, is offering the customer something the customer’s legal team can actually rely on. I have written separately about how to make a claim about an AI system that holds up under procurement scrutiny, and the Connecticut amendments make the same argument from a different direction: the same kind of claim is now relevant evidence in any discrimination case touching the tool.

The second implication is for large employers that deploy AEDTs across multi-state operations. The deployer’s exposure under the Connecticut amendments is independent of any vendor audit, because a discrimination claim under amended Section 46a-60 will be filed against the employer, not the vendor, and the employer’s testing record will be evaluated against the six statutory factors as applied to the employer’s specific use of the tool. A vendor audit conducted before the employer began using the tool, on data that did not include the employer’s applicant pool, may be useful as background, but it will not be sufficient on its own to bear the employer’s evidentiary burden. I have written elsewhere about why point in time assurance has a foundational role that continuous monitoring cannot replace, and the Connecticut amendments add a complementary point: stale or scope-limited testing evidence is admissible against the employer in addition to being unhelpful to it. Recency is one of the six statutory factors, and an audit that was credible two years ago, on a model version that has since been retrained twice, will not carry the weight the employer would want it to carry.

The third implication is for recruitment process outsourcers and similar firms that operate AEDTs across multiple client portfolios. The amended definitions of employer and employment agency in Sections 46a-60 and 46a-81c reach Recruitment Process Outsourcing (RPO) operations directly, and the firm’s testing record across its deployments will be relevant evidence in any discrimination claim arising from any single client deployment. The economics of producing credible testing are different at the RPO level than at the single-deployer level, because one defensible audit of a standardized AEDT stack, scoped against the relevant subgroups and decision points, can carry compliance and litigation-evidence weight across a portfolio of clients. That is not an argument that an RPO can audit once and ignore the result, but it is an argument that the unit economics of credible testing improve when the testing covers an entire operational stack rather than a single client’s instance of one.

 

Why an independent AI bias audit is now a reasonable response under Connecticut and California law

 

Neither Connecticut nor California requires a bias audit. That is a real statutory fact and the post would be weaker if it overstated it. What both states do is make the substance of an audit relevant in any discrimination case touching an AEDT, and they identify the factors that determine evidentiary weight. Those factors (quality, efficacy, recency, scope, results, and response to results) are exactly what a credible independent audit produces and an internal first-party assessment does not.

Three observations follow from that. The first is that the work of producing audit-grade evidence is the same whether the audit is statutorily required, as under NYC Local Law 144, or evidentiary, as under California and Connecticut; the criteria for what makes testing credible are not set by the statute in the evidentiary states, which means the responsibility for producing credible testing falls on the party making the claim. The second is that the cost structure of an independent audit is more tractable than prospective buyers usually assume: engagements conducted under ISAE 3000 typically run five to eight weeks from kickoff to final report, and the same report supports procurement diligence, regulatory inquiry, and discrimination defense across multiple jurisdictions when the claim and the criteria are chosen with that in mind. The third is that the field is moving toward continuous monitoring as a complement to periodic audits rather than as a replacement for them, and the Connecticut IVO pilot in Section 33 includes ongoing monitoring and reassessment requirements in Section 33(c)(4)(B) that mirror the architecture I have argued for in earlier writing on continuous assurance.

The question for anyone selling or deploying an AEDT in a jurisdiction with an active anti-bias testing evidentiary rule is not whether to invest in defensible testing. It is who is going to do it and what claim it is going to support. The answer to that question will determine whether the testing helps or hurts when it is examined under oath.

 

Conclusion: Connecticut, California, and the emerging evidentiary standard for AEDT anti-bias testing

 

Connecticut Public Act 26-15 is the most comprehensive state AI statute passed in the United States to date, and the employment portions are an incremental but consequential extension of an evidentiary framework California established eight months earlier. The combined effect of the two regimes is to make the substance of an independent bias audit relevant in every discrimination case touching an AEDT in either state. The audit is not required. The absence of one is now admissible against the employer, and against the developer through Section 8 in the Connecticut framing. The practitioner response is the same response we have been recommending under New York Local Law 144, under the EU AI Act conformity assessment regime, and under the state-level proposals that have followed: define the claim, measure it, and engage an independent party to attest to the result against suitable criteria.

However the shape of this body of law may change over the next two or three years, the same testing will continue to support buyer diligence, regulator inquiry, and assurance disclosures, regardless of which doctrine is upheld in a given courtroom.

 

Frequently asked questions about Connecticut PA 26-15 and AI hiring tools

 

Does Connecticut Public Act 26-15 require employers to conduct bias audits of AI hiring tools?

 

No. The statute does not impose an audit mandate. It makes evidence of anti-bias testing relevant in discrimination claims arising from automated employment-related decision technologies, with the quality, efficacy, recency, scope, results, and response to results all admissible. The absence of testing is admissible on the same terms as its presence.

How does the Connecticut framework relate to California’s CRD regulations?

Connecticut’s amendments to CGS Sections 46a-60 and 46a-81c use language closely paralleling 2 CCR Section 11013(f) in California. Two states now operate the same evidentiary framework for anti-bias testing in discrimination cases involving automated systems. The same six factors apply in both jurisdictions.

Does the Connecticut law require disclosure to applicants?

Yes. Section 9 of PA 26-15 requires plain-language disclosure to an applicant or employee that the person is interacting with an automated employment-related decision technology. Section 10 requires pre-decision written notice that includes the tool name, the purpose of the tool, the categories of data used, the sources of that data, and contact information for the deployer.

Who is liable under the Connecticut AEDT provisions?

Sections 8 through 11 place obligations on both developers and deployers, with Section 8(c) permitting contractual reallocation of certain deployer duties to the developer. Enforcement under Section 12 is by the Attorney General only, with a 60-day cure period for violations occurring before December 31, 2027, and no private right of action under that section. The amended Sections 46a-60 and 46a-81c remain enforceable through the standard discrimination complaint process at the Commission on Human Rights and Opportunities.

How does Connecticut’s IVO pilot relate to independent AI assurance?

Section 33 establishes a Department of Consumer Protection program approving up to five Independent Verification Organizations to verify AI models against defined risks. The application requirements in Section 33(c) describe the operating model of an independent AI assurance firm working under recognized international standards, including alignment with the NIST AI RMF and ISO frameworks, governance and conflict-of-interest policies, and ongoing monitoring procedures. The pilot is effective July 1, 2027.

Is a vendor audit sufficient to cover an employer’s exposure under the Connecticut amendments?

Not on its own. The employer’s discrimination claim will be evaluated on the employer’s testing record as applied to the employer’s specific use of the tool. A vendor audit on data unrelated to the employer’s applicant pool can be useful background, but the employer’s evidentiary position improves when testing covers the actual deployment context, the actual applicant population, and the decisions the tool is making in production.

When do the Connecticut AEDT provisions take effect?

The act takes effect in stages beginning October 1, 2026. The core employment disclosure provisions in Sections 7 through 12 phase in through October 1, 2027, with a 60-day cure period for violations occurring before December 31, 2027. The Independent Verification Organization pilot in Section 33 begins July 1, 2027. The discrimination statute amendments in Sections 13 and 14 follow the same staged schedule.

Sources and further reading on Connecticut SB 5, California ADS regulations, and AI hiring tool compliance

Primary sources

• • Connecticut Public Act 26-15 (Substitute Senate Bill 5), Sections 2, 7 through 14, and 33.

• • California Code of Regulations, Title 2, Section 11008.1 (definition of automated-decision system), Section 11009 (anti-bias testing language), and Section 11013 (recordkeeping).

• • California Civil Rights Department announcement of June 30, 2025 approving the ADS regulations.

• • New York City Local Law 144 of 2021 and implementing rules.

• Colorado SB 26-189 (2026 session).

Secondary sources

• • Industry analyses of Connecticut SB 5 published in May 2026 by DLA Piper, Littler, Davis Wright Tremaine, and Freshfields.

• • Kelley Drye AI Regulatory Roundup coverage of Colorado, Connecticut, and California.

Related posts at BABL AI

• • “Continuous AI Assurance Still Starts With a Point in Time.” The APRA / CABCA piece referenced in the employer implication section and in the discussion of the IVO pilot.

• • “We Already Have a Framework for AI Assurance… What We Need is the Right Content.” The ISAE 3000 article referenced in the discussion of Connecticut’s IVO concept.