Workday AI hiring lawsuit illustration showing algorithmic bias in job applicant screening, 2026 legal risk concept.Workday's AI hiring tools are now at the center of a landmark bias lawsuit reshaping how companies screen job applicants in 2026.
Mobley v. Workday: Why HR’s AI Hiring Tools Are a Legal Time Bomb
AI & Employment Law

Mobley v. Workday: The AI Hiring Lawsuit HR Can’t Ignore

Derek Mobley applied to more than 150 jobs on Workday’s platform. He got rejected from almost all of them, some in minutes, some at 2 a.m., all by software he never spoke to. Three years later, that rejection pile has turned into the case reshaping how every company in America is allowed to use AI to hire people, and most HR departments still haven’t read the ruling.

If your company uses an applicant tracking system, a resume screener, or a “candidate scoring” tool built by a vendor, Mobley v. Workday is not background noise. It’s the reason your legal exposure just changed, whether or not anyone told you.

What Mobley v. Workday Actually Decided

Filed in February 2023, Mobley v. Workday started as a straightforward discrimination complaint. Derek Mobley, an African American man over 40 with a disclosed disability, alleged Workday’s applicant screening tools rejected him on the basis of race, age, and disability, not the humans who happened to be using the software.

The legal theory is what made this case different. Mobley didn’t just sue the employers who rejected him. He sued Workday itself, arguing the vendor acted as an “agent” of every employer using its screening tools, and could therefore be held directly liable under federal anti-discrimination law.

In July 2024, Judge Rita Lin of the Northern District of California let that theory proceed. By May 2025, she certified a collective action under the Age Discrimination in Employment Act, keeping the disparate impact claim alive even after dismissing the intentional discrimination claim. Then, in early 2026, Workday tried a new angle: it argued that a 2024 Supreme Court ruling, Loper Bright Enterprises v. Raimondo, which ended Chevron deference, should invalidate decades of precedent applying age discrimination protections to job applicants, not just existing employees.

Judge Lin didn’t buy it. She found the EEOC’s longstanding interpretation “persuasive” under a lower legal standard called Skidmore deference, and let the applicant claims move forward.

Why this matters if you’re not being sued: the “agent” theory means your AI vendor’s exposure and your company’s exposure are no longer separate questions. If the vendor gets sued and loses, the precedent lands on your desk too, whether your contract says the vendor is liable or not.

There’s a second wrinkle most compliance guides skip. In May 2026, a magistrate judge denied a motion to force Workday to hand over its internal bias-testing data, ruling that because Workday’s lawyers curated the data for legal advice, it was protected by attorney-client privilege. That’s a genuinely uncomfortable fact for anyone selling “just audit everything and publish it” as the safe path. Routing bias testing through counsel can shield results from discovery. It can also sit awkwardly next to public disclosure laws that assume the opposite. More on that tension below.

The Lawsuits Stacking Up Behind Mobley

Mobley isn’t an outlier anymore. It’s a template. Three other cases filed in 2026 use variations of the same argument, and each one targets a different weak point in how companies deploy AI screening.

  • Kistler & Bhaumik v. Eightfold AI (filed January 2026): plaintiffs allege Eightfold, used by companies including Microsoft and PayPal, secretly generated “likelihood of success” scores on a 0 to 5 scale without disclosing it, a claim built on the Fair Credit Reporting Act and California’s investigative consumer reporting law rather than discrimination statutes.
  • Swanson v. IBM (filed May 2026): a 24-year IBM employee alleges age discrimination tied to an AI-generated rejection following a 2024 layoff, applying Mobley’s logic to a company’s own internal tool rather than a third-party vendor.
  • Harper v. SiriusXM (filed 2025): alleges screening software used education and home address, essentially race proxies, across roughly 150 applications.

Notice what’s happening here. These aren’t four versions of the same lawsuit. They’re four different legal theories converging on the same conclusion: courts are willing to treat algorithmic hiring decisions the same way they’d treat a human recruiter’s decisions, and sometimes with less patience.

The Stanford Study That Broke the “We Passed Our Audit” Defense

If Mobley is the legal story, a Stanford study published in May 2026 is the data story, and it’s the more damaging one for HR teams who thought a vendor’s compliance certificate meant they were covered.

Researchers led by Rishi Bommasani at Stanford HAI, alongside Sarah Bana, Kathleen Creel, Dan Jurafsky, and Percy Liang, analyzed more than 4 million job applications from roughly 3 million applicants across 156 large employers, all screened through the same vendor’s algorithm, Pymetrics (now owned by Harver). The paper, “Algorithmic Monocultures in Hiring,” is headed to ACM FAccT in Montreal.

Here’s the finding that should worry every HR leader relying on a vendor’s own bias report: when the researchers examined outcomes position by position, the legally correct method under the “four-fifths rule” used in U.S. employment law, they found 10.62% of the 1,746 job positions studied showed adverse impact against Black applicants. The vendor’s own published, aggregated audits showed no measurable bias at all.

“I think the most significant result of our study is how much bias we find in this algorithmic hiring system. The vendor has published aggregated audits that demonstrate that their tools do not demonstrate measurable bias. I was surprised because I thought that their algorithms would be an example of best practice.” Sarah Bana, Digital Fellow, Stanford Digital Economy Lab, via Stanford Digital Economy Lab Q&A

The study also surfaced something new to the compliance conversation: “systemic rejection.” Among applicants who applied to four positions through the same vendor, 10% were rejected from every single one, a rate the researchers show is statistically inconsistent with independent decisions (a chi-squared value of 18,481, for the statistically inclined). One vendor’s algorithm, used across hundreds of employers, can create a single point of failure that no individual company’s internal audit would ever catch.

“I don’t think we want to discourage the application of AI in this domain, but recognize the stakes are high and be judicious in the approach.” Rishi Bommasani, Senior Research Scholar, Stanford HAI

Bommasani’s framing matters. This isn’t an argument to rip out AI screening tools. It’s an argument that the industry’s go-to proof of fairness, a vendor’s own aggregated audit, isn’t proof of anything at the level that actually matters legally: the individual job position.

The State Law Patchwork HR Teams Are Missing

While the federal government has pulled back on AI hiring enforcement (the EEOC’s 2023 guidance on AI screening was quietly removed from its website, and an April 2025 executive order directs agencies to deprioritize disparate impact claims generally), states and cities are moving in the opposite direction. If your governance plan is built around federal rules alone, it’s already out of date.

JurisdictionRuleStatus in 2026
New York CityLocal Law 144: annual bias audits for Automated Employment Decision ToolsIn force since 2023; enforcement was found weak by state auditors, tighter enforcement promised for 2026
ColoradoSB 26-189 (replaced the original SB 24-205)Delayed to January 1, 2027; scaled back from a broad duty of care to a narrower notice-and-review regime
IllinoisAI employment decision disclosure statuteIn effect since January 1, 2026
CaliforniaCivil Rights Council ADS rules and CPPA ADMT rulesEffective October 2025 and January 2026; make bias testing (or its absence) explicit evidence in discrimination claims

New York City’s law is the one worth paying closest attention to, and not for the reason most compliance memos suggest. A December 2025 audit by the New York State Comptroller found the city’s own enforcement agency had reviewed 32 companies and identified just one non-compliance issue. Independent auditors reviewing the exact same 32 companies found at least 17. Roughly three-quarters of test calls to the city’s complaint hotline never even reached the right department.

That’s the “toothless law” era. It’s ending. The Comptroller’s findings came with a public commitment from the city’s consumer affairs department to tighten enforcement in 2026, which means the penalty structure, $500 to $1,500 per violation per day, with each day of non-compliant use counted separately, is about to start getting used the way it was written. A single non-compliant screening tool left unaudited for a month can generate $15,000 to $45,000 in exposure before any per-candidate multiplier even applies.

Companies covered by NYC’s rule, even if they’re not based there: Local Law 144 applies to any employer or agency using an AEDT to evaluate NYC-based candidates, including remote roles. If you hire remote employees who happen to live in the five boroughs, this law already applies to you.

For context on how the parallel financial-sector and healthcare rules are moving, including the EU AI Act’s shifting high-risk deadlines and the Fed’s model risk guidance, NeuralWired covered the sector-by-sector explainability requirements in detail in our EU AI Act 2026 explainer. This piece deliberately doesn’t retread that ground; the hiring track runs on its own, older set of laws (Title VII, the ADEA, the ADA) that are largely immune to the federal deregulatory pressure hitting newer AI-specific state statutes.

What an Actual Governance Framework Looks Like

Most companies deploying AI hiring tools in 2026 don’t have a governance gap because nobody’s heard of NIST or ISO. They have a gap because the frameworks that exist are voluntary, self-attested, and easy to satisfy on paper while missing the exact problem the Stanford study exposed.

A framework that actually reduces risk, rather than just producing a policy binder, needs a few specific things:

  • Position-by-position bias testing, not aggregated audits. The Stanford study proves aggregated numbers can hide double-digit adverse impact rates at the individual job level.
  • A documented vendor liability allocation. Mobley shows vendors can be directly liable, and that employers can’t assume the vendor absorbs all the risk just because the contract says so.
  • An inventory of every AEDT actually in use, including tools embedded inside applicant tracking systems that HR may not realize qualify as automated decision tools under NYC or California rules.
  • A deliberate, documented choice about whether bias testing runs through counsel (for privilege protection) or is conducted for public disclosure (as LL144 requires). Doing both without a plan creates contradictions a plaintiff’s attorney will find.
  • Human review checkpoints that are real, not rubber-stamp, since Colorado’s revised law and California’s ADMT rules both lean on documented human oversight as a compliance anchor.

Roughly 12% of enterprises currently have what researchers classify as “mature” AI governance processes, according to HFS Research and Infosys data cited in industry analysis published in 2026, despite how widely these tools are already deployed. That gap is the story. The tools showed up years before the governance did.

Why “We Have a Framework” Isn’t the Same as “We’re Safe”

Here’s the uncomfortable part of this story that vendors selling governance platforms don’t lead with: adopting NIST’s AI Risk Management Framework or getting ISO 42001 certified demonstrates that you have a process. It doesn’t independently verify that anyone actually ran the specific test that matters, position-level adverse impact analysis, on your specific tool, on your specific job postings.

Our read: the industry has spent three years selling “governance” as a checkbox exercise, and the Stanford study is the first large, methodologically serious dataset to show what happens when the checkbox gets checked but the underlying test never runs. A vendor’s aggregated audit passed. Real candidates still lost out because of their race, at the position level, in over one in ten jobs studied.

The regulatory landscape isn’t converging around a clean answer either. The EU is delaying high-risk AI obligations, currently expected to shift from August 2026 to December 2027, pending formal adoption of the “Digital Omnibus” package. Colorado gutted its own comprehensive AI law and pushed it back eighteen months. The EEOC pulled its guidance. Meanwhile New York City, Illinois, and California are all tightening in the same window. A framework calibrated to satisfy one jurisdiction won’t satisfy the others, and right now those jurisdictions are moving in opposite directions inside the same country.

Is a rushed governance rollout actually going to hold up? Probably not, if it’s built to today’s rules rather than to the underlying civil rights statutes (Title VII, the ADEA, the ADA) that Mobley and its sibling cases are actually built on. Those laws aren’t going anywhere, regardless of what happens to any single state’s AI-specific statute.

FAQ

Can a company be sued for AI hiring bias?

Yes. Mobley v. Workday established that an AI vendor can be directly liable for employment discrimination under an “agent” theory, not just the employer using the tool. The case allows disparate impact claims to proceed under the ADEA, ADA, and Title VII based on algorithmic outcomes alone, without proof of intentional bias.

What is NYC Local Law 144?

It requires any employer or agency using an Automated Employment Decision Tool on NYC-based candidates to commission an independent bias audit within the prior 12 months, publicly post a summary, and give candidates 10 business days’ notice before use. Penalties run $500 to $1,500 per violation per day.

Does a vendor’s bias audit guarantee an AI hiring tool is fair?

Not necessarily. A 2026 Stanford-led study of 4 million job applications found a vendor’s own published, aggregated audit showed no measurable bias, while independent position-by-position analysis, the method U.S. employment law actually applies, found adverse impact against Black applicants in over 10% of individual job positions.

Is the EEOC still enforcing AI hiring rules in 2026?

The EEOC’s 2023 guidance on AI hiring discrimination was removed from its website, and a 2025 executive order directs federal agencies to deprioritize disparate impact theories generally. Private litigants can still pursue these claims independently, and state and local laws in New York City, Illinois, and California have separately tightened requirements.


Where This Goes Next

Three things are now true that weren’t true two years ago. AI hiring vendors can be sued directly, not just the employers who use their tools. A vendor’s own bias audit is no longer credible proof of fairness on its own. And the regulatory map is fragmenting rather than converging, with federal enforcement receding just as city and state rules tighten.

Watch three things over the next 6 to 18 months: how NYC’s promised 2026 enforcement crackdown actually plays out once the Comptroller’s findings force DCWP’s hand, whether the Mobley discovery ruling on attorney-client privilege gets tested again as more plaintiffs demand vendor bias data, and whether the EU’s Digital Omnibus delay to December 2027 actually gets formally adopted or falls apart before the original August 2026 deadline.

If your company runs any AI screening tool and hasn’t run a position-level bias check on it, independent of whatever your vendor handed you, that’s the gap to close first, not the last one.

Subscribe to The Neural Loop for the stories HR, legal, and compliance teams need before they hit the docket.

Leave a Reply

Your email address will not be published. Required fields are marked *