Building an ADMT-Compliant Hiring Workflow: A 2026 Playbook


The California ADMT regulations are not a privacy policy update. They are a redesign of how significant hiring decisions get made — across people, process, and systems — so that the regulator’s seven-factor risk assessment can be honestly completed, the candidate-facing notice can be honestly published, the opt-out can operate in practice, and the access and appeal rights can be honoured with infrastructure that actually works.

That is the work that has to happen between now and 1 January 2027 — the date by which businesses already using ADMT for significant employment decisions must be in compliance. The work cannot be done in three months. The companies that have started in early 2026 are still iterating. The companies that wait until late 2026 to begin will not complete the build in time. The companies that wait until 2027 will be operating outside the law from the date enforcement begins.

This is an eight-step operational playbook, sequenced the way the work has to be done. Each step covers the obligation, where the typical HR programme breaks down, and what compliant operational practice looks like. It is written from the experience of supporting US clients through their first year of ADMT readiness work.

Step One: Inventory Every Automated Step in the Hiring Workflow

The foundation of every ADMT compliance programme is a complete inventory of the automated technologies operating in the organisation’s hiring workflow. The inventory has to be wider than the obvious AI tools. The CPPA’s functional definition captures any technology that uses computation to replace or substantially replace human decision-making for significant employment decisions, regardless of whether the technology is AI, machine learning, statistical scoring, or a simple deterministic rule.

For most organisations, the complete inventory includes the AI tools that the HR team already thinks of as AI — resume screening platforms, assessment tools, video interview analytics, AI-driven sourcing. But it also includes:

Automated rules embedded in the applicant tracking system — keyword filters that auto-reject resumes missing certain terms, conviction-based auto-reject logic linked to BGV outputs, education or experience thresholds that route candidates without human review.

Algorithmic scoring inside the BGV workflow — pass/fail logic in the vendor system, automated routing of “fail” outcomes to rejection workflows, scoring layers in adverse action processes.

Compensation algorithms — automated offer calculation tools, equity allocation systems, bonus calibration models.

Scheduling and work assignment algorithms — shift optimisation systems, project allocation tools, schedule changes that affect compensation or work hours.

Performance and promotion algorithms — automated performance scoring, succession recommendation systems, automated promotion eligibility logic.

Each of these is a candidate for ADMT classification. Whether it actually qualifies as ADMT for a significant decision is the analysis of Step Two. But the inventory has to surface every candidate first. Organisations that scope only the obvious AI tools typically miss between two and ten covered systems in their first pass, and discover them later in the compliance work — usually after a regulatory inquiry surfaces them.

Step Two: Apply the Functional Definition

Once the inventory exists, each item has to be tested against the regulatory definition. The questions are:

Does the technology process personal information? For hiring tools, the answer is almost always yes. The candidate supplies personal information, and the system uses it.

Does it use computation to replace or substantially replace human decision-making? The “substantially replace” test turns on whether meaningful human review exists. Meaningful review requires the human to understand how to interpret the output, to consider the output alongside other relevant information, and to have authority to change the decision.

If a recruiter reviews an AI screening tool’s output, but the tool has already filtered out 90% of applicants who never reach the recruiter’s desk, the screening tool has substantially replaced human decision-making for the filtered candidates regardless of what the recruiter does with the surfaced 10%. The compliance perimeter follows the actual functional impact.

Is the decision a significant decision? For employment, the categories are hiring, compensation, work allocation/assignment, promotion, demotion, suspension, and termination. Most candidate-facing automation in the hiring workflow leads to one of these. Some workplace automation that does not — for example, internal performance dashboards that surface information to managers without automated decisioning — falls outside the ADMT framework, though it may still trigger the risk assessment requirement under a different provision.

Each system that meets all three tests is in scope. The output of Step Two is a confirmed list of in-scope ADMT systems against which the rest of the compliance work is structured.

Step Three: Make the Meaningful-Human-Involvement Decision

For each in-scope system, the next decision is whether to keep it in scope and build full ADMT compliance, or to redesign the workflow to insert meaningful human involvement that takes the system out of scope.

The cost-benefit analysis is significant. Full ADMT compliance requires risk assessment, pre-use notice, opt-out infrastructure (with the narrow employment exception), access mechanisms, and appeal processes. Meaningful human involvement requires reorganising the workflow so that a qualified human is reviewing the output, considering it alongside other information, and has authority to change the decision. The right answer depends on the volume of decisions, the operational cost of human review, the regulatory exposure of the ADMT capabilities, and the litigation defence value of human involvement.

For low-volume, high-stakes decisions — executive hiring, sensitive role assignments, terminations — meaningful human involvement is often the cleaner path. The volume is manageable, the human review adds genuine value, and the workflow can be designed to keep the system out of ADMT scope.

For high-volume decisions — applicant screening, mass hiring, schedule optimisation — full ADMT compliance is often the more practical path because inserting meaningful human review at scale is prohibitively expensive. The compliance overhead is real, but the capabilities can be built once and operated at scale.

This decision frames the rest of the build. It has to be made early, because the downstream work — risk assessment scope, capability design, vendor management — depends on it.

Step Four: Build the Four Capabilities (For In-Scope Systems)

For systems that remain in scope, the four capabilities have to be built:

Pre-use notice. The notice has to appear at or before the point where the candidate’s data enters the ADMT workflow. For most hiring use cases, this means the notice is presented at application — either in the career site flow, in the application form itself, or in the application confirmation. The notice has to state the specific purpose for using the ADMT and explain how the candidate can exercise their rights. Generic language (“we may use automated tools”) will not satisfy the requirement. The notice has to be specific to the use case.

Opt-out mechanism. Unless the employment hiring exception applies, the candidate must be able to opt out of ADMT use. The opt-out has to operate in practice — meaning the technical mechanism works, the workflow actually routes opted-out candidates around the ADMT, and a defined alternative process exists for those candidates. The alternative process has to be defined before opt-out is offered. If opt-out is offered but no real alternative exists, the regulation is not satisfied.

Access mechanism. The candidate must be able to request and receive information about the ADMT’s logic, the specific output for them, and how the output was used in the decision. The response has to be substantive — generic descriptions will not satisfy the regulator’s expectation under the access right. Trade secret and security carve-outs apply but are narrower than businesses often assume.

Appeal process. For significant decisions made via ADMT, an appeal mechanism with qualified human review must exist. The reviewer has to be a human with the authority to change the decision. The process has to be operationally distinct from the original decision — meaning the same person who applied the ADMT cannot be the appeal reviewer. Defined timelines for response have to be established and met.

Each of these capabilities is a build project of meaningful scale. Technical infrastructure, workflow redesign, documentation, training, and operational support all have to be in place by the deadline.

Step Five: Conduct the Risk Assessment

For each in-scope use case, a risk assessment has to be conducted before the ADMT is used. The assessment covers seven factors:

The purposes for using the ADMT — what is the business reason for deploying this technology in this workflow, and what benefits are expected.

The logic of the ADMT — how does the technology work, what are the inputs, how does it process them, what are the outputs.

The foreseeable negative impacts — what could go wrong, who could be harmed, what biases could be introduced.

The planned safeguards — what controls, monitoring, testing, and accountability mechanisms are in place.

The policies and procedures to limit negative impacts — how does the organisation handle the risks identified.

The categories of personal information processed.

The specific processing operations.

The assessment must evaluate whether the privacy risks outweigh the benefits. If they do, the business may not proceed unless the risks can be sufficiently mitigated. An executive responsible for the processing activity has to approve the assessment. The assessment must be reviewed at least every three years, or within 45 calendar days of any material change. It must be retained for five years.

For employers using the hiring opt-out exception, the risk assessment is also where the documentation of “works properly” and “does not unlawfully discriminate” sits. Bias testing results, accuracy evaluations, ongoing monitoring data, and disparate impact analysis are all part of the assessment package. The depth of this documentation directly affects whether the exception is sustainable under regulator review or in litigation.

Step Six: Manage the Vendor Relationships

Most ADMT in hiring workflows is supplied by vendors. The vendor relationship has to support the employer’s compliance obligations:

Vendor due diligence has to extend beyond capability and pricing to ADMT compliance. Does the vendor have bias testing documentation? Accuracy evaluation? A risk assessment template the employer can build on? Audit support capability? Documentation that survives regulator review and litigation discovery?

Vendor contracts have to include ADMT-specific provisions. Cooperation with the employer’s risk assessment process. Support for access requests. Indemnification for vendor-side bias or accuracy failures. Audit rights. Data usage and retention limitations. Termination rights if the vendor’s tool produces results that cannot be defended under the regulation.

Vendor monitoring has to be ongoing. The ADMT regulations require that the technology continues to work properly and not discriminate — not just that it did so at deployment. Ongoing monitoring of vendor performance, bias metrics, and accuracy is part of the employer’s compliance posture, regardless of where the vendor is technically responsible.

For employers with multiple ADMT vendors across the hiring workflow, the vendor management work multiplies. The right sequencing is usually to start with the highest-volume, highest-stakes vendors and work outward.

Step Seven: Build the Executive Certification and Reporting Infrastructure

The ADMT regulations create several executive-level certification and reporting obligations:

Risk assessment approval by an executive responsible for the processing.

Annual risk assessment summary report to the CPPA, signed by an executive (first report due 1 April 2028).

Cybersecurity audit certification, for businesses subject to that layer, with annual certification to the CPPA.

Designated points of contact for regulator engagement, candidate access requests, and appeals.

The infrastructure to support these obligations has to exist independently of the underlying compliance work. The executive who signs the risk assessment needs the documentation supporting the signature. The annual report requires the systems to track the count and scope of assessments conducted. The audit certification requires the relationship with the qualified independent auditor.

Most organisations build this infrastructure too late. The certification deadlines are the visible artefacts of compliance, but the infrastructure that supports them takes months to build. Starting in mid-2026 to support the April 2028 first annual report is the workable timeline. Starting in early 2027 is not.

Step Eight: Establish Ongoing Programme Management

The ADMT regulations are not a one-time compliance event. The ongoing programme has to handle:

Inventory updates. New ADMT systems get added to the workflow. Existing systems get updated or replaced. The inventory has to be reviewed continuously, not just at programme launch.

Risk assessment reviews. The three-year review cycle starts running from the date of each assessment. Material changes trigger 45-day reassessment requirements. The cadence has to be tracked.

Capability operations. Pre-use notices need updating as ADMT use cases change. Opt-out alternatives need to be maintained. Access requests need to be handled with defined turnaround times. Appeals need qualified human reviewers available and trained.

Regulatory monitoring. The CPPA continues to issue guidance, refine interpretations, and develop enforcement positions. The Mobley and Eightfold litigation will produce rulings that shape best practice. The programme has to incorporate these developments into operations.

Vendor renewal. Vendor contracts need ADMT-aligned terms at renewal. Vendor performance needs ongoing monitoring. Vendor exits need ADMT-conscious offboarding.

The programme office that owns this work cross-functionally — privacy, legal, HR, IT, procurement — is the difference between a compliance posture that operates and one that exists only on paper.

What the Right Posture Looks Like

The companies that finish 2026 in defensible ADMT posture are doing several things:

They have completed the full inventory and scoping analysis, with an in-scope ADMT list that surprised them with its size.

They have made the meaningful-human-involvement decision use case by use case, with documented rationale.

They have started the capability build for in-scope systems, with the four capabilities targeted for completion by Q4 2026.

They have started the risk assessment work, with assessments for the highest-volume use cases substantially complete and the rest in progress.

They have begun vendor renegotiations, with ADMT-aligned terms targeted for completion before the January 2027 deadline.

They have established the executive certification and ongoing programme management infrastructure.

The companies that look like this in mid-2026 will be in good shape for the January 2027 deadline, the April 2028 first annual report, and the enforcement environment beyond. The companies that have not yet started this work need to begin now. The eighteen months that fit comfortably for the build do not fit at all in nine.

California’s ADMT regulations are the first real US state compliance test for automated employment decisions. The framework they establish is going to be the structural baseline for how this category of compliance is built across the country. The work to do it well, once, defends across multiple jurisdictions and against parallel litigation. The work to do it poorly produces paper that will not survive the first enforcement action.

The right time to do this work was January 2026. The next-best time is now.


AMS Inform provides background verification and workforce screening services across 160+ countries, with structured support for clients building their ADMT compliance posture — particularly where the BGV workflow itself contains automated decisioning elements that fall within the regulation’s functional definition. To assess your current state and build a plan to the January 2027 deadline, visit AMSinform.com.