Hiring & recruitment AI

Screening decisions, on the record.

New York City requires an annual bias audit. Colorado adds transparency duties for consequential decisions in 2027. The EU AI Act treats employment AI as high‑risk. All three ask what a screening model did at decision time. Glacis puts the answer on the record: a signed receipt for every screening decision, control execution and escalation included, witnessed and verifiable by the auditor.

Book the Sprint Verify a receipt

Forcing functions

Three regimes, one question.

Each one asks the same thing: not whether the model was tested once, but what it did when it screened a candidate.

NYC Local Law 144

Independent bias audits for automated employment decision tools, enforced since July 5, 2023. Penalties run $500–$1,500 per violation, and each day of non‑compliance counts as a separate violation. The DCWP has signaled a shift toward proactive investigations beginning in 2026.

Read the New York AI guide

Colorado SB 26-189

Transparency duties for consequential decisions, employment among them. Signed May 14, 2026, replacing the 2024 Colorado AI Act, with substantive compliance from January 1, 2027. Disclosure only works when there is a record of what the system did.

Read the Colorado guide

EU AI Act

Employment is an Annex III high‑risk category: recruitment, application screening, and candidate evaluation all qualify. Article 12 requires automatic logging of events over the system’s lifetime, an obligation that lives at runtime, not in a binder.

Read the EU AI Act guide

The gap

A bias audit is annual. Screening runs daily.

Local Law 144 requires one independent audit per year. Between audits, the screening model keeps deciding, thousands of times, and the only record of what it actually did is the vendor’s own logs. When a candidate complains, a regulator inquires, or the next audit begins, that record is an assertion, not evidence.

Signed runtime receipts close that gap. Every screening decision generates a receipt recording which controls executed and whether the decision was escalated for human review, operator‑signed and countersigned by an independent witness. The auditor verifies the receipts directly instead of taking anyone’s word for it. The same record serves Colorado’s transparency duties and the EU AI Act’s Article 12 logging obligations.

Control execution

Which adverse‑impact and policy rules ran on each decision, and what they found.

Escalation record

When a decision was routed to human review, captured at the moment it happened.

Independent witness

Every receipt is countersigned by a witness outside the operator’s control, so the log can’t be quietly rewritten.

Runtime artifact

One escalated screening decision, signed.

A résumé‑screening decision trips an adverse‑impact rule. The arbiter escalates it for human review and signs a receipt recording exactly that: the rule that fired, the action taken, and two Ed25519 signatures, the operator’s and an independent witness’s.

The receipt carries hashes of the inputs and outputs, never the candidate’s data itself. Proof travels; the résumé doesn’t.

Screening receipt · OVERT 1.1
Escalated

Illustrative scenario, real cryptography: both signatures verify. Paste it into the verifier and check it yourself.

{
  "receipt_version": "2.0",
  "overt_version": "1.1.0",
  "id": "glc_receipt_019765f2-8b4e-7a91-bd3c-e7f1a2c40588",
  "timestamp": "2026-06-11T14:27:45.102Z",
  "methodology_version": "1.0.0",
  "demonstration_note": "Illustrative receipt for a resume-screening workflow. The scenario is simulated; the cryptography is real and verifies at glacis.io/verify.",
  "subject": {
    "organization_id": "org_example_talent",
    "deployment_id": "dep_resume_screening_prod",
    "workflow": "resume-screening-decision",
    "model": "claude-sonnet-4-6",
    "provider": "anthropic"
  },
  "evidence": {
    "input_hash": "a34af39b11cbd901af59679f74fff99fd79d1d0e677e9ce949e8a37107ff0567",
    "output_hash": "5308cf98f703af73a7f5f85a070373b207cd5ee8f63753d70b0f49dd95956cef"
  },
  "signals": {
    "binary_hash": "8445ef214d71984f41f6fad9199b2dc41d036804df5fe75bbc1e94e0fb32913f",
    "network_state_hash": "02d0770849f806acc045ab5ce99c81938c3ca276c779bed0f2977416f4a5be42",
    "epoch_token": "1781101665204",
    "context_window_hash": "0f9f7dcf0848b42b146a040291bed18792359f4a52cb669d837cd01623713eb8",
    "composite_hash": "277d7239fc7232dbef9718f745aa7e2abc35b76aac880997ab0da256d28b38a3"
  },
  "controls": {
    "guardrail_action": "escalate",
    "nonconformity_score": 0.31,
    "rules_evaluated": 16,
    "rules_triggered": 1,
    "policy_mode": "enforce",
    "adverse_impact_check": "escalated"
  },
  "attestation": {
    "operator_signature": "e14de590ceab8dd7644cce3c836c2e2bc69cf47a9522d07ed538270c251531927820df32a04f621ba4cae15bb98dee20650287fa5dd97d7399d1b75a732ace00",
    "operator_public_key": "9c8eb1b83a59662ff76b84075dcb7f8c6b391e2e018666675211d93fc94723d8",
    "witness_signature": "203dc615ed599bfcaf0e11278866918eed84860469d5e0c9ae47b1f774b8bd9ee6308fb9c2756e01e202eebde360c3e8789840851023f5484fd8a20b5c645900",
    "witness_public_key": "7c038b40b8c6183c749c92079709a32e19b0d4572befcc23e0a348e7e4df39a5",
    "previous_receipt_hash": "genesis",
    "chain_position": 1
  }
}

Start with one screening workflow.

The Agent Runtime Security & Evidence Sprint runs 30 days on one named screening workflow. A live arbiter applies runtime controls to every decision and signs receipts for each control execution and escalation. The deliverable is a verifiable evidence pack the bias auditor can check themselves at /verify.

Book the Sprint