Algorithmic bias is the employer's problem, not the vendor's

When a hiring or lending algorithm produces discriminatory outcomes, the legal exposure runs to the business that deployed it. The software contract almost never changes that.

Anti-discrimination law is structured around outcomes, not intent. Title VII does not require an employer to have meant to discriminate; it requires the employer to be responsible for the discrimination. The same is true under the Equal Credit Opportunity Act, the Fair Housing Act, and most state anti-discrimination statutes. That structure made sense in a world where the decision-maker was a human being whose reasoning could be examined. It produces a particular kind of legal exposure in a world where the decision-maker is a model the employer licensed from a third party and does not fully understand.

The pattern I see most often is a company that deploys an off-the-shelf hiring algorithm, lending model, or tenant-screening tool, runs it for twelve to eighteen months, and then learns from a class-action complaint or an EEOC charge that the system has been producing materially different outcomes for protected groups. The company’s first response is usually to point at the vendor, on the theory that the vendor built the model and the vendor should answer for its behavior. The software license, when actually read, almost always says the opposite. Vendor liability is capped at fees paid, vendor representations about model behavior are narrow and qualified, and the indemnification runs in the wrong direction. The employer is on the hook for the outcome; the vendor is not.

The Workday hiring-algorithm litigation, which has been moving through the federal courts since 2023, is the clearest example. The plaintiffs there alleged that Workday’s screening system produced discriminatory outcomes against older applicants, Black applicants, and applicants with disabilities, and the litigation has tested whether the vendor itself can be held directly liable as an “agent” of the employers using its product. The case has survived several rounds of dispositive motions and was certified as a collective action in 2025. Even if that theory eventually succeeds against Workday, it does not absolve the employers, who face their own direct claims for the same outcomes. The risk is concurrent, not transferred.

The legal exposure breaks into three patterns worth recognizing.

The first is the historical-training-data pattern. Models built on hiring decisions, lending decisions, or tenant decisions made in earlier decades absorb the discriminatory patterns embedded in those decisions and treat them as targets to optimize against. A model trained on a company’s past “successful” hires will reproduce the demographic composition of those hires, because that is what the model was rewarded for predicting. The discrimination is not introduced by the algorithm; it is encoded in the data and amplified at scale.

The second is the proxy-variable pattern. Even when training data has been cleaned of explicit demographic information, models routinely identify proxies (zip codes, school names, extracurricular activities) that correlate strongly with protected characteristics. The model is not “trying” to discriminate by race or sex; it is optimizing against a target, and the proxies are mathematically useful. The outcome is the same. Courts have not been receptive to the defense that the model did not “know” it was discriminating.

The third is the black-box pattern, where the deployer has no insight into which features the model relied on or how decisions were reached. The opacity is sometimes a feature of the model architecture (deep neural networks resist post-hoc explanation) and sometimes a feature of the contract (the vendor will not share model internals). Either way, the deployer cannot mount the defense that depends on showing the model relied on legitimate, job-related criteria, because the deployer does not know what the model relied on.

The operational work to reduce exposure has three pieces, and none of them requires deep technical expertise. Run regular adverse-impact testing on the model’s outputs, comparing outcomes across protected groups using the four-fifths rule or comparable statistical measures, and document the testing. The mere fact of testing matters to courts and regulators evaluating whether the employer acted in good faith. Build human oversight into the workflow at the decision point, so that the model’s recommendation is not the final word and a human review step exists that is meaningful rather than rubber-stamped. And renegotiate the vendor contract at renewal to include representations about training-data composition, support for adverse-impact testing, indemnification for discrimination claims arising from the model’s design, and access to enough model documentation to actually understand what the model is doing.
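The adverse-impact test named above, as an added example (not code from the author or from any vendor): it takes a log of model decisions, computes each group's selection rate and its ratio to the highest-rate group for the four-fifths comparison, and adds a pooled two-proportion z-test as one comparable statistical measure. The group labels and counts are constructed sample data, and the function names are illustrative.

```python
import math
from collections import Counter

# Constructed sample: (group label, 1 if the model advanced the applicant else 0).
SAMPLE = ([("A", 1)] * 48 + [("A", 0)] * 32 +
          [("B", 1)] * 12 + [("B", 0)] * 28 +
          [("C", 1)] * 27 + [("C", 0)] * 23)

def selection_rates(records):
    """Return {group: (selected, total, rate)} from (group, selected) pairs."""
    total, chosen = Counter(), Counter()
    for group, selected in records:
        total[group] += 1
        chosen[group] += 1 if selected else 0
    return {g: (chosen[g], total[g], chosen[g] / total[g]) for g in total}

def two_proportion_p(x1, n1, x2, n2):
    """Two-sided p-value of a pooled two-proportion z-test."""
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # both groups all-selected or all-rejected: no difference to test
        return 1.0
    z = (x1 / n1 - x2 / n2) / se
    return math.erfc(abs(z) / math.sqrt(2))

def adverse_impact(records, threshold=0.8):
    """Compare each group's rate with the highest-rate group (four-fifths rule)."""
    rates = selection_rates(records)
    ref = max(rates, key=lambda g: rates[g][2])
    rx, rn, rrate = rates[ref]
    if rrate == 0:
        raise ValueError("no group has any selections; impact ratio is undefined")
    report = {}
    for g, (x, n, rate) in sorted(rates.items()):
        ratio = rate / rrate
        report[g] = {"rate": round(rate, 3), "impact_ratio": round(ratio, 3),
                     "below_four_fifths": ratio < threshold,
                     "p_value": round(two_proportion_p(x, n, rx, rn), 4)}
    return ref, report

if __name__ == "__main__":
    ref, report = adverse_impact(SAMPLE)
    print("reference group:", ref)
    for g, row in report.items():
        print(g, row)
```

Keeping each run's report alongside the date and the model version it was run against gives the documented testing record the paragraph describes.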

The insurance piece is worth flagging separately. Standard EPLI policies often exclude or sub-limit algorithmic discrimination claims, and standard tech E&O policies typically do not cover the employer at all. The renewal cycle is the right time to ask the broker whether the existing policies respond to a class action alleging algorithmic discrimination, because the answer is often no, and the gap is worth closing before the claim arrives.

The headline shift is that “we did not know” is no longer a defense. Regulators and courts treat the choice to deploy an algorithm in a consequential decision-making domain as the choice to be responsible for the algorithm’s outcomes. The companies that get this right are the ones that build a governance posture around their AI deployments that looks like the governance posture they already have around their human decision-makers: testing, documentation, oversight, and a clear chain of accountability. The companies that get caught are the ones that treated the vendor as the responsible party and discovered, too late, that the law disagreed.