NYC Local Law 144 enforcement exposed a compliance gap. Most hiring-AI vendors failed the audit.
The November 2025 enforcement audit under New York City Local Law 144, the city's automated employment decision tool law, produced the first substantive public test of how prepared the hiring-AI vendor population was for the regulatory framework that has been on the books since 2023. The audit results were not flattering. Most vendors operating in scope did not pass the bias-audit requirement, with the gap concentrated in the smaller-and-mid-tier vendor population that had been operating under the assumption that the city's enforcement would be light-touch in practice.
The audit is the first major enforcement action under a U.S. AI hiring law and is operationally instructive for adjacent vertical-class operators in three specific ways.
The first is that the city's enforcement was not light-touch. The audit was substantive, the methodology was rigorous, and the compliance gap was identified at vendor specificity rather than at the broader market level. The vendor-class assumption that the law would be on the books without operational consequence was wrong. Operators in adjacent verticals (healthcare-AI, financial-services-AI, housing-AI, education-AI) running similar light-touch-enforcement assumptions about state-level legislation should recalibrate.
The second is that the bias-audit requirement is the kind of compliance work that takes substantial time to prepare for. The vendors who failed the audit had several years of advance notice that the bill had been signed, the regulatory framework was being developed, and the audit-class enforcement was approaching. The compliance work is not a sprint at the deadline; it is a multi-year preparation. Vendors planning their compliance work against the assumption that the audit-window is the deadline are planning against the wrong timeline.
The third is that the audit's compliance-gap findings will be used by regulators in adjacent jurisdictions as evidence that the broader category needs more-aggressive regulation. The compliance gap will be cited in California, Colorado, Texas, and the broader state-level regulatory environment as the operator-class failure to self-regulate, with the consequence that future legislation in adjacent verticals is likely to land with more substantial enforcement infrastructure than the current legislation includes.
For healthcare-AI vendors specifically, the read is that the procurement standards the buyer-class should be requiring (the heavier procurement discussed elsewhere with respect to the Texas AG settlement) are now substantially more politically supportable. Health systems and payers can point to the NYC compliance gap as evidence that the vendor population is not, on average, prepared for the regulatory environment, and the heavier procurement is the appropriate buyer-class response. Vendors that have done the compliance work substantively will benefit from the heavier procurement; vendors that have not will face the heavier-procurement consequences alongside the regulatory consequences.
For investors evaluating AI investments in regulated verticals, the read suggests that the compliance-readiness of the company is a substantive due-diligence dimension that should attend to the multi-year preparation timeline rather than to the bill-deadline timeline. Companies that have started the compliance work early are better-positioned than companies that have not, and the diligence framework should reflect this.
The NYC audit was the visible enforcement signal. The compliance gap is the operator-level data point. The healthcare-AI and adjacent-vertical operator class should be reading the gap as the warning the regulatory environment is sending. Build the compliance posture before the audit. The audit is coming.
—TJ