Govern — Bias, Compliance, Vendor Risk
The governance work is what makes the rest of the program sustainable. Skip it and the next compliance incident — or the next regulator inquiry — ends the whole program.
Bob Pulver delivered the line that should be on the wall of every AI COEE conference room:
"Governance is not a phase you complete. It's a discipline you sustain."
Phase 7 establishes the operating cadence — vendor vetting, bias audits, policy maintenance, candidate transparency, regulatory monitoring — that the AI COEE will run continuously from here forward.
The AI policy — principle-based, not tool-specific
Maren Hogan and Bob Pulver both make the same point: the policy must be principle-based. Tool-specific rules go obsolete every quarter. Principles survive the next vendor cycle.
A workable AI policy covers six areas:
- Data privacy & residency. What candidate data can be processed by AI, where, by which vendors, and under what data processing agreements.
- Bias monitoring. The audit cadence, the disparate impact thresholds, the remediation protocol.
- Candidate transparency. What candidates are told about AI use in their process — and when. (Disclosure language belongs in the application flow, not buried in the privacy policy.)
- Explainability. Which decisions require explainable outputs vs. probabilistic scoring with human review.
- Human review thresholds. Which AI outputs require human review before action. (Almost all consequential ones.)
- Incident response. What happens when something goes wrong — who's notified, what's paused, how candidates are made whole.
Vendor due diligence — Jeff Pole's four-question framework
Jeff Pole runs Warden AI, which audits AI hiring systems for fairness and compliance. His four-question framework is the cleanest vendor evaluation I've found:
1. Effectiveness & usefulness. Does the tool actually improve outcomes over your existing process? Get the data. Run a pilot on real cases.
2. Data privacy & security. How is candidate data stored, encrypted, retained, and deleted? What's the data processing agreement?
3. Compliance with civil rights & AI laws. Third-party bias audits? NYC Local Law 144 compliance? Colorado AI Act? EU AI Act high-risk classification readiness?
4. Bias mitigation protocols. Does the tool de-identify before scoring? Are statistical fairness reports published? What's the remediation process when bias is detected?
Bob Pulver's three vendor questions are the companion set — ask them in every initial call:
- What AI model are you using? (And which version?)
- Are you training on my data? (If yes, walk away.)
- Have you been audited for bias? (And can you share the report?)
"If it's free, it probably means your data is the product."
Bob Pulver's warning applies to most free or freemium AI tools. Public ChatGPT, free Claude, free Gemini — if you're not paying, your inputs may be training data. Check the privacy settings. Turn off model training. For HR work touching PII or HIPAA-adjacent data, use only enterprise licenses with explicit data processing agreements.
The bias audit cadence
Every AI tool that touches candidate decisions gets audited. Annually at minimum. After every model update from the vendor. After every material change in the candidate pool or job requirements. The audit is performed by a third party where the regulatory environment requires it (NYC Local Law 144 mandates this) and by the AI COEE's analytics partner for everything else.
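As an added illustration (not code from the article, from Warden AI, or from any vendor), here is the impact-ratio arithmetic a bias audit summarises, run over constructed screening outcomes; the 0.8 threshold is an assumed policy value borrowed from the EEOC four-fifths rule of thumb, and the category labels are placeholders.

```python
"""Impact-ratio check for one AI screening tool's outcomes.

Selection rate  = candidates the tool advanced / candidates screened, per category.
Impact ratio    = a category's selection rate / the highest category's selection rate.
Categories below the threshold are the ones the remediation protocol has to act on.
"""
from collections import defaultdict

FOUR_FIFTHS = 0.8  # assumed threshold; replace with the value your AI policy sets

# Constructed sample: (category, advanced_by_tool). Category can be any hashable
# value, so a (sex, race) tuple works for intersectional reporting.
SAMPLE_OUTCOMES = [
    ("A", True), ("A", True), ("A", False), ("A", True), ("A", True),
    ("B", True), ("B", False), ("B", False), ("B", True), ("B", False),
    ("C", True), ("C", True), ("C", False), ("C", True), ("C", False),
]


def selection_rates(outcomes):
    """Return {category: (advanced, screened, rate)}."""
    counts = defaultdict(lambda: [0, 0])
    for category, advanced in outcomes:
        counts[category][1] += 1
        if advanced:
            counts[category][0] += 1
    return {c: (a, n, a / n) for c, (a, n) in counts.items()}


def impact_ratios(outcomes):
    """Return {category: impact ratio}; raise if the tool advanced nobody."""
    rates = selection_rates(outcomes)
    top = max(rate for _, _, rate in rates.values())
    if top == 0:
        raise ValueError("no candidate was advanced; impact ratio is undefined")
    return {c: rate / top for c, (_, _, rate) in rates.items()}


def flag_disparate_impact(outcomes, threshold=FOUR_FIFTHS):
    """Sorted list of categories whose impact ratio falls below the threshold."""
    return sorted(c for c, ratio in impact_ratios(outcomes).items() if ratio < threshold)


if __name__ == "__main__":
    for category, (advanced, screened, rate) in selection_rates(SAMPLE_OUTCOMES).items():
        print(f"{category}: {advanced}/{screened} advanced, rate {rate:.2f}, "
              f"impact ratio {impact_ratios(SAMPLE_OUTCOMES)[category]:.2f}")
    print("below threshold:", flag_disparate_impact(SAMPLE_OUTCOMES))
```

Run it after every vendor model update with that period's real outcomes; a category that trips the threshold is the trigger for the pause and remediation steps the incident-response section of the policy defines.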
The data Keirsten Greggs surfaced applies to every screening tool you'll evaluate:
Keirsten's bottom line is the AI COEE's bottom line: "I'm not against AI. I'm against using it to make human decisions." AI collects information. Humans make consequential decisions about candidates. That's the line. Every governance decision flows from it.
The regulatory map
Three jurisdictions matter most for U.S.-based recruiting orgs in 2026:
- NYC Local Law 144. Bias audit requirement for any AEDT (automated employment decision tool) used on NYC candidates. Public summary required.
- Colorado AI Act. First U.S. state-level comprehensive AI hiring law. Notice, impact assessment, and risk management requirements.
- EU AI Act. Recruitment is high-risk. Conformity assessment, technical documentation, human oversight, and post-market monitoring requirements. Penalties up to 4x GDPR.
Even if your hiring is U.S.-only, the global trend matters: jurisdictions are converging on the same posture. Bias audits, candidate disclosure, human-in-the-loop. Build for that posture now — retrofitting is more expensive than building it in.
The candidate transparency standard
Maren Hogan's framing is the right standard: candidates are not data points. The disclosure they deserve goes into the application flow — visible, plain-language, and specific. A workable template:
"As part of our hiring process, we use AI-based tools to [specific use cases — for example, summarize your application, suggest interview times, and assist our recruiters in reviewing your skills against the role]. A human always reviews every candidate decision. You can request more information about our AI use, or opt out of specific AI-assisted steps, by contacting [contact]."
The quarterly governance review
Every quarter, the AI COEE produces a one-page governance report for the CEO:
- Bias audit status for every candidate-facing AI tool
- Any incidents (errors, candidate complaints, vendor outages)
- Regulatory updates affecting the program
- Vendor portfolio changes (added, removed, under review)
- Policy changes recommended for the next cycle
Why I bake governance into the rollout, not after
The enterprise rollouts that survived audits and regulatory scrutiny were the ones where governance ran in parallel with deployment — not after. We weren't bolting on bias monitoring six months in. We were architecting around it from Week 1. That posture is now the standard for any AI program touching consumers or employees. Build the governance loop into Phase 1, and every subsequent phase is easier.
With governance running on a sustainable cadence, the program is durable. Now the AI COEE can focus on what scaling actually looks like.