For the past three years, the dominant narrative around AI hiring risk has focused on disparate impact, adverse selection rates, and the audit obligations imposed by laws like NYC Local Law 144 and Illinois' Artificial Intelligence Video Interview Act. The recent class action filed against Eightfold AI shifts that narrative in an important direction. The complaint alleges that the vendor aggregated candidate information, including inferred attributes and data scraped from third-party sources, without adequate consent or notice, and then made that enriched profile available to employer customers across its platform. Whether or not the plaintiffs prevail, the case forces a question most talent acquisition leaders have not seriously confronted: do you actually know where your candidate data comes from?
From Output Bias to Input Provenance
Most AI hiring audits to date have been output-focused. The four-fifths rule from the Uniform Guidelines on Employee Selection Procedures, the bias audit requirements in NYC Local Law 144, and the impact assessment obligations in Colorado SB 21-169 and the EU AI Act all ultimately ask the same question: are the model's decisions distributed fairly across protected groups? The Eightfold complaint is different. It targets the inputs, specifically the lawfulness of how candidate profiles are assembled in the first place. That is a claim rooted less in Title VII and more in consumer privacy law, wiretap statutes, and common-law theories of intrusion and unjust enrichment. Even a model that passes every bias audit can expose its customers to liability if the training data or the candidate records it operates on were collected improperly.
Why Every Customer Is Implicated
The uncomfortable structural feature of enterprise AI hiring platforms is shared infrastructure. When a vendor enriches candidate profiles using scraped web data, inferred skills, or cross-customer behavioral signals, every employer using that platform inherits the provenance risk, regardless of whether that specific employer ever touched the questionable data source. Plaintiffs' attorneys understand this. A single vendor-level defect produces a ready-made list of co-defendants or, at minimum, a list of companies facing discovery subpoenas, regulator inquiries, and reputational exposure. Under the FTC's evolving posture on unfair data practices, and under state privacy laws like the CCPA and Illinois BIPA, the employer-as-controller is rarely insulated by pointing at the vendor.
The Five-Pillar Response
AIVL's framework treats data provenance as a first-class compliance concern sitting at the intersection of Data Privacy and Security, Transparency and Accountability, and Audit and Compliance Frameworks. Practically, that translates into a short list of questions procurement and legal teams should be asking every AI hiring vendor right now. Where does candidate data originate: resumes submitted directly, ATS integrations, public profiles, purchased datasets, or scraped sources? What consent and notice were obtained at the point of collection, and do those notices cover the downstream uses the vendor actually performs, including model training? What inferred or derived attributes does the vendor generate, and are any of them proxies for protected characteristics under Title VII, the ADA, or the ADEA? What contractual flow-downs exist between the vendor and its own data suppliers, and can the vendor produce them on request?
Updating Vendor Due Diligence
The due diligence questionnaires most enterprises use were written for a pre-generative-AI world and tend to stop at SOC 2 reports and a bias audit summary. That is no longer sufficient. Contracts should require vendors to maintain a data lineage record for every candidate profile, to notify customers of any material change in data sources, and to indemnify for claims arising from improperly sourced training or inference data. Data processing agreements should explicitly prohibit the use of one customer's candidate data to enrich profiles served to another customer without clear legal basis. Annual vendor reviews should include a provenance attestation, not just a bias audit, and procurement should treat the absence of that attestation as a material deficiency.
The Takeaway
The Eightfold litigation is a signal, not an anomaly. As AI hiring tools become more sophisticated at enrichment and inference, the legal surface area expands from how models decide to what models know and how they came to know it. Employers who continue to audit only outputs will find themselves defending collection practices they never examined and, in many cases, never knew existed. Don't trust. Validate the data, not just the decision.




