Colorado's AI Act Died May 14. Mobley v. Workday Is the Real Regime.

If your compliance calendar still had a red circle around June 30, 2026, erase it. Governor Polis signed SB 189 on May 14, 2026, which gutted the original Colorado AI Act and pushed what remains to January 1, 2027. The deadline most talent leaders were bracing for is gone, but the legal exposure isn't. It just moved to a federal docket in Northern California, and it now reaches into the contracts you signed with your sourcing and screening vendors.

The Colorado deadline you prepped for no longer exists

The original Colorado AI Act (SB 24-205) would have imposed a "duty of reasonable care to prevent algorithmic discrimination" on both developers and deployers of high-risk AI systems used in employment. That language is what made HR counsel nervous. It's also what got killed.

The revised statute drops the term "artificial intelligence" entirely. It regulates "automated decision-making technology" instead, defined as tech that processes personal data to generate recommendations, rankings, or scores used in "consequential decisions" like hiring. The duty of care is gone. So is the requirement for deployers to maintain risk management programs, conduct impact assessments, or report to the Colorado Attorney General.

What's left for employers is narrow: pre-use notice to candidates, an adverse action process that includes a right to correct and a right to meaningful human review, and three-year record retention. That's it. And none of it kicks in until January 1, 2027.

Before SB 189 even passed, the original law was already on ice. xAI sued Colorado on constitutional grounds on April 9, 2026. The DOJ moved to intervene on April 24. A federal magistrate stayed enforcement on April 27. By the time Polis signed the replacement bill, the original framework was a dead letter.

So why are talent leaders still in more trouble, not less?

Because the binding constraint on AI hiring tools was never going to be a Colorado statute. It's a 23-cv-00770 docket in N.D. Cal. titled Mobley v. Workday. And it applies to every employer in the country.

What Mobley v. Workday actually held

Derek Mobley is an African American man over 40 with a disability who applied to more than 100 positions through employers running Workday. He kept getting rejected, sometimes within an hour of submitting. The opinion notes one rejection arrived at 1:50 a.m., less than an hour after he applied. The court treated that timing as evidence of automation.

Mobley sued Workday directly, not the employers. Workday argued it was just a tool. Judge Rita Lin disagreed. She held that Workday's software "is not simply implementing in a rote way the criteria that employers set forth, but is instead participating in the decision-making process by recommending some candidates to move forward and rejecting others." Under agency theory, that participation makes Workday a covered "agent" of the employer for purposes of federal anti-discrimination law.

On May 16, 2025, Judge Lin granted conditional certification as a nationwide ADEA collective action. The class potentially covers millions of applicants aged 40 and over screened since September 2020. Workday was ordered to turn over a list of customers using its AI screening features.

1.1B

Then on June 16, 2026, a California federal judge ruled Workday can face liability under state civil rights law (FEHA) for AI-driven hiring discrimination, even for employers operating outside California. That's the part talent leaders keep missing. A California vendor with California-resident data can drag your Texas or Florida hiring process into California court.

Sourcing tools are more exposed than ATS screeners, not less

Most coverage of Mobley frames it as a screening case. The screen is where the rejection happens. But the court's logic, that the vendor "participates in the decision-making process by recommending some candidates," applies even more cleanly upstream.

A sourcing tool decides who gets considered in the first place. Workday's 2024 acquisition of HiredScore brought Spotlight (candidate review) and Fetch (a sourcing tool that suggests individuals for open jobs) into the same product surface. Eightfold, HireVue, Pymetrics, and HireEZ sit in the same agency-liability zone under the Mobley framing. The funnel they shape is the funnel the employer never sees.

This is the part of the procurement conversation that matters most for founders and engineering leaders. If your sourcing vendor's ranking model has disparate impact on the slate it returns, you are not insulated by the fact that a recruiter clicked "outreach" on the names. The recruiter clicked on the names the model surfaced. That's the agency theory.

It's also why we built Refolk around plain-English search rather than a black-box ranker trained on past hire outcomes. You describe the person you want ("staff-level Rust engineers who've shipped a database, ideally from a fintech, open to remote"), and you get a ranked shortlist you can interrogate. The signals are explicit. The criteria are yours. You can audit why a name made the list because the prompt is right there.

A 12-month fee cap against a class action covering 1.1 billion applications is not risk transfer. It's theater.

The vendor privilege trap

Here's the procurement detail most teams haven't priced in. In May 2026, Magistrate Judge Laurel Beeler denied plaintiffs' motion to compel Workday's bias-testing data. She found attorney-client privilege protected it, because Workday's attorneys had curated the data and used the results in providing legal advice.

Read that again. The bias tests your vendor points to in the sales cycle ("we audit for fairness, here's our SOC 2") are likely structured to sit behind the vendor's own privilege. You can't see them in procurement. You can't validate them. And critically, you can't use them in your own defense if you get sued.

"Trust us, we tested" is now an actively dangerous procurement signal. If the vendor won't share methodology and results under NDA, what they're really telling you is that their testing exists to protect them, not you.

Three contract terms to demand before your next renewal

Standard SaaS templates do not survive Mobley. Across AI vendor contracts, Stanford Law found 92% claim broad data usage rights, only 17% commit to full regulatory compliance, and just 33% provide indemnification for third-party IP claims. Discrimination claim indemnification is even rarer. Fix this at renewal.

1. Mutual indemnification with a discrimination super-cap

Most vendor contracts still cap total liability at twelve months of fees, or some modest multiplier. Against a nationwide ADEA collective with a billion-applicant class, that cap is decorative. Demand a carve-out from the general cap for discrimination claims arising from vendor outputs, the same way IP indemnification, data breaches, gross negligence, and willful misconduct are typically excluded or super-capped. If the vendor's model recommends a slate that produces disparate impact, the vendor should sit at the defense table and pay alongside you.

2. Customer-side audit rights covering bias-test methodology

Not a SOC 2 letter. Not a one-page "fairness statement." Actual access, under NDA, to the methodology, the protected-class testing approach, the result thresholds, and the remediation log. If the vendor's bias testing is privileged, negotiate a separate non-privileged testing track that you can rely on. Without this, your AI screening bias audit story in litigation is "the vendor told us it was fine."

3. Model-change notification and human-review thresholds

You should know when the model that scored your candidates last quarter is not the model scoring them this quarter. Require contractual notice of material model changes, with a defined window to re-validate before the new version goes live in your tenant. Pair it with a contractual right to require human-review thresholds at specific funnel stages, so the vendor cannot quietly raise the auto-reject confidence and route more decisions to the model without your sign-off.

What this means for your sourcing stack this quarter

Three practical moves.

First, inventory every tool in the funnel that ranks, scores, or recommends candidates, not just the ATS. That includes sourcing assistants, outbound personalization tools, resume parsers, and anything that decides which inbound applications a human sees first. Each of these is a potential co-defendant under the Mobley framing.

Second, ask each vendor for its position on the agency-liability question in writing. The answer tells you whether they understand the regime they're operating in. Vendors that say "we're just a tool, the employer makes the final call" are quoting a legal theory Judge Lin already rejected.

Third, prefer tools where the sourcing logic is legible. The reason plain-English search matters here isn't aesthetic. It's evidentiary. When you can show that the criteria for a slate were "senior Go engineers in Berlin with infra experience," and that the criteria were applied uniformly, you have a defense. When the vendor says "our model surfaced these candidates based on 400 signals," you have a discovery problem. Tools like Refolk give you the prompt as the audit trail, which is exactly the kind of artifact you want if a plaintiff's lawyer ever asks how a slate was built.

The Colorado AI Act being delayed to 2027, and stripped of its duty of care, will read in many trade publications as a win for employers. It isn't. It's a head fake. The federal pullback on EEOC disparate-impact enforcement (the May 2023 AI guidance was removed from the EEOC's website, and EO 14281 from April 2025 told agencies to scale back disparate-impact theories) creates the same false comfort. Private plaintiffs don't need the EEOC. They have Title VII, ADEA, ADA, FEHA, and now a published agent-theory opinion that names vendors directly.

Algorithmic discrimination recruiting risk did not get easier this summer. It got narrower and sharper. The compliance question is no longer "what does my state require." It's "what does my vendor contract say when the class action names us together."

FAQ

Does the delay of the Colorado AI Act mean I can deprioritize AI hiring compliance?

No. The Colorado AI Act hiring framework that was scheduled for June 30, 2026 was repealed and replaced by a narrower January 2027 regime that requires pre-use notice, an adverse action process with human review, and three-year records. The bigger exposure now is federal and California civil rights law through Mobley v. Workday, which applies regardless of where you're based and reaches your vendors directly. Treat Mobley as the operative threat, not Colorado.

Are sourcing tools really covered by Mobley v. Workday vendor liability, or just ATS screeners?

The court's reasoning covers any vendor that "participates in the decision-making process by recommending some candidates." Sourcing and ranking tools that decide who a recruiter sees first fit that description as cleanly as screeners that decide who gets rejected. Products in Workday's own HiredScore line (Spotlight, Fetch) blur the line, and competitors like Eightfold, HireVue, and HireEZ sit in the same zone.

What's the single most important contract term to fix at renewal?

A carve-out from the general liability cap for discrimination claims arising from vendor outputs. A 12-months-of-fees cap is not meaningful protection against a class action involving millions of applicants. Pair that super-cap with mutual indemnification so the vendor has skin in the defense.

How do I run an AI screening bias audit if the vendor's own testing is privileged?

Negotiate a separate, non-privileged testing track in the contract, with defined access to methodology, protected-class testing approach, thresholds, and remediation logs under NDA. If the vendor refuses, that's a signal their bias testing exists to defend the vendor, not the customer. Tools that expose their sourcing logic in plain English give you an auditable record without needing to pierce vendor privilege.