AI Risk Assessment

Bias, privacy, and fairness evaluation across LL144, GDPR Article 22, and EU AI Act high-risk requirements. One assessment methodology, multiple regulatory frameworks.

Why AI risk assessment is no longer optional

Every AI system that makes or influences decisions about individuals carries risk: risk of bias, risk of privacy violation, risk of non-compliance. In New York City, Local Law 144 mandates annual bias audits for employment AI. In the EU, the AI Act requires continuous risk management for high-risk systems. GDPR Article 22 adds protections against purely automated decisions. These are not separate problems — they are layers of the same obligation.

What we assess

Algorithmic bias and fairness. We evaluate whether your AI system produces differential outcomes across protected categories. For employment AI subject to LL144, this includes disparate impact analysis across race/ethnicity, sex, and their intersections (e.g., Hispanic women, Asian men). For EU-facing systems, we extend this to cover all characteristics protected under the EU Charter of Fundamental Rights. Our analysis goes beyond statistical parity to examine whether differential outcomes are justified by legitimate, documented criteria.

Data governance and privacy. AI systems are only as fair as the data that trains them. We assess data provenance, representativeness, completeness, and potential sources of bias. For systems processing EU personal data, we evaluate compliance with GDPR principles including data minimization, purpose limitation, and lawfulness of processing — and the additional data governance requirements of EU AI Act Article 10.

Transparency and explainability. The EU AI Act (Article 13) requires high-risk systems to be transparent enough for deployers to understand and supervise their output. GDPR Articles 13-14 require individuals to be informed about automated decision-making. LL144 requires candidate notification about AEDT use. We assess whether your system meets all applicable transparency obligations and recommend improvements where gaps exist.

Human oversight adequacy. Article 14 of the EU AI Act requires that high-risk AI systems be designed to enable effective human oversight. We evaluate whether your human-in-the-loop processes are substantive or merely procedural — because rubber-stamping AI outputs does not satisfy the requirement. We assess for automation complacency risk and recommend oversight structures that provide genuine control.

Regulatory coverage

A single Lexara risk assessment is designed to address obligations across multiple frameworks simultaneously. The following regulations are evaluated within a unified methodology:

NYC Local Law 144 — annual independent bias audit, publication of results, candidate notification, intersectional demographic analysis. Enforcement intensified following the NYS Comptroller's December 2025 audit findings.

EU AI Act (Annex III high-risk) — risk management system (Art. 9), data governance (Art. 10), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15). Conformity assessment required by 2 August 2026 under the regulation as currently in force; the Digital Omnibus on AI provisionally agreed on 7 May 2026 proposes to defer this deadline to 2 December 2027 (Annex III stand-alone) and 2 August 2028 (Annex I embedded). Until the Omnibus is formally adopted and published in the Official Journal, the original deadline applies.

GDPR Article 22 — rights related to automated decision-making, right to explanation, right to human intervention. Applies in parallel with the AI Act for systems affecting EU individuals.

EEOC/Title VII — federal anti-discrimination framework applicable to employment decisions. Four-fifths rule for adverse impact analysis.
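As an added worked illustration of the impact-ratio arithmetic behind the disparate impact analysis and four-fifths rule referred to above (example code written for this page, not Lexara's methodology or tooling): the block computes selection rates and impact ratios for sex, race/ethnicity, and their intersections over a constructed set of hiring counts. The 0.8 threshold is the EEOC four-fifths heuristic; the category labels and counts are made up for the example.

```python
"""Impact-ratio calculation in the style of an LL144-type bias audit.

Added example; not Lexara's methodology. Category labels and counts
below are constructed and do not describe any real employer.
"""
from collections import defaultdict

# Constructed sample: (race/ethnicity, sex, applicants, selected).
SAMPLE_OUTCOMES = [
    ("White", "Male", 400, 120),
    ("White", "Female", 380, 110),
    ("Hispanic or Latino", "Male", 150, 40),
    ("Hispanic or Latino", "Female", 140, 28),
    ("Asian", "Male", 120, 38),
    ("Asian", "Female", 110, 33),
    ("Black or African American", "Male", 160, 38),
    ("Black or African American", "Female", 170, 36),
]

# EEOC Uniform Guidelines heuristic: a ratio below 0.8 signals possible adverse impact.
FOUR_FIFTHS = 0.8


def selection_rates(rows, key):
    """Aggregate applicant/selected counts by `key(race, sex)` and return rate per category."""
    applicants = defaultdict(int)
    selected = defaultdict(int)
    for race, sex, n_applicants, n_selected in rows:
        category = key(race, sex)
        applicants[category] += n_applicants
        selected[category] += n_selected
    return {c: selected[c] / applicants[c] for c in applicants}


def impact_ratios(rates):
    """Impact ratio = category selection rate / highest category selection rate."""
    top = max(rates.values())
    return {c: rate / top for c, rate in rates.items()}


def audit(rows):
    """Run the three breakdowns LL144-style audits report: sex, race/ethnicity, intersectional."""
    views = {
        "sex": lambda race, sex: sex,
        "race_ethnicity": lambda race, sex: race,
        "intersectional": lambda race, sex: f"{race} / {sex}",
    }
    report = {}
    for name, key in views.items():
        rates = selection_rates(rows, key)
        ratios = impact_ratios(rates)
        report[name] = {
            c: {
                "selection_rate": round(rates[c], 4),
                "impact_ratio": round(ratios[c], 4),
                "below_four_fifths": ratios[c] < FOUR_FIFTHS,
            }
            for c in rates
        }
    return report


def flagged(report):
    """List (view, category) pairs whose impact ratio falls below the four-fifths threshold."""
    return [
        (view, category)
        for view, rows in report.items()
        for category, stats in rows.items()
        if stats["below_four_fifths"]
    ]


if __name__ == "__main__":
    result = audit(SAMPLE_OUTCOMES)
    for view, rows in result.items():
        print(view)
        for category, stats in rows.items():
            print(f"  {category:40s} rate={stats['selection_rate']:.4f} "
                  f"ratio={stats['impact_ratio']:.4f} flag={stats['below_four_fifths']}")
    print("flagged:", flagged(result))
```

On the constructed counts the sex-only breakdown flags nothing (female ratio about 0.91), while the intersectional breakdown flags Hispanic women and Black men and women; that gap between the aggregate and the intersectional view is the reason the intersectional analysis is required rather than optional.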

Note — Digital Omnibus on AI (7 May 2026)

The Digital Omnibus, provisionally agreed on 7 May 2026, proposes to defer the EU AI Act high-risk deadlines but does not change the substantive risk-management, data-governance, transparency, or human-oversight requirements that this assessment addresses. The substance of the assessment is unchanged under either timeline.

A separate new obligation under the proposed regime takes effect on 2 December 2026: Article 50 transparency for synthetic content, plus a new Article 5 prohibition on AI-generated CSAM and nudifier applications. If your AI generates synthetic media, this obligation is the nearest binding milestone.

Deliverables

A comprehensive risk assessment report documenting: algorithmic fairness analysis with statistical methodology and results, data governance evaluation, transparency gap assessment, human oversight adequacy review, multi-regulatory compliance matrix showing which obligations are met and which require remediation, and a prioritized remediation plan.

LL144 enforcement is intensifying

The NYS Comptroller's December 2025 audit found that DCWP identified only 1 violation where auditors found 17. Stricter enforcement is expected throughout 2026. Penalties: $500–$1,500 per violation.

Common questions

How does LL144 differ from the EU AI Act?

LL144 requires a narrow, annual bias audit focused on disparate impact across race/ethnicity and sex in employment decisions. The EU AI Act requires a broader risk management system covering the entire AI lifecycle — data governance, accuracy, robustness, cybersecurity, human oversight, and transparency — across all high-risk sectors, not just employment.

Does GDPR Article 22 still apply when the EU AI Act applies?

Yes. GDPR Article 22 protects individuals from purely automated decisions with legal or significant effects. The EU AI Act adds requirements on top: risk management logs, user transparency, conformity assessments, and 10-year documentation retention for high-risk systems. Both apply simultaneously when your AI makes automated decisions about EU individuals.

Can one assessment satisfy several frameworks at once?

Yes, with proper planning. A comprehensive bias assessment methodology can satisfy LL144 annual audit requirements while contributing to EU AI Act technical documentation. A unified risk management framework can address NIST AI RMF, EU AI Act Articles 9-15, and ISO 42001 simultaneously. We design assessments to maximize cross-regulatory coverage.

Does the Digital Omnibus change what the assessment covers?

No, not substantively. The Omnibus, provisionally agreed on 7 May 2026, proposes to defer the EU AI Act high-risk deadlines but does not change the underlying risk-management, fairness, transparency, or human-oversight requirements. The same assessment methodology applies under either timeline. LL144 obligations are unaffected. GDPR Article 22 obligations are unaffected. Only the EU AI Act high-risk deadline shifts — and only if the Omnibus is formally adopted.

Last updated 8 May 2026 to reflect the Digital Omnibus provisional agreement reached on 7 May 2026. Lexara Advisory LLC — AI governance consulting. Not legal advice under U.S. law.