Skip to main content
Popular insights
Employee Scheduling Software HRMS For Small Business Employee Management Systems
Join Community
Join Community Join Community
HR Operations

AI Drift Is Already Inside Your Workforce Systems. Here’s What To Do About It

David Rice
By
David Rice
David Rice Senior Editor

David Rice is a long time journalist and editor who specializes in covering human resources and leadership topics. His career has seen him focus on a variety of industries for both print and digital publications in the United States and UK.

Interested in being reviewed? Find out more here.

More about David
QUICK SUMMARY

The AI tools making decisions about your people were tested once. The world has changed since then. Are your tools changing with it?

TABLE OF CONTENTS What Is AI Drift? Why AI Drift Demands Attention The Cost Why Governance Frameworks Fail How to Detect and Quantify AI Drift From Detection to Action Three Questions Every Leader Must Answer
PMP – Editorial – AI drift-37561
Key Takeaways

AI Drift: AI systems evolve over time, potentially altering decisions without new code changes or authorization.

Legal Risks: Recent legal cases highlight significant liability for AI vendors and employers using AI in hiring.

Governance Failures: Most organizations lack the monitoring needed to effectively govern AI decision-making systems.

Regulatory Challenges: New state laws require strict documentation and monitoring of AI systems to avoid penalties.

Actionable Governance: Implement continuous monitoring and documented corrective actions to prevent drift and liability.

Nobody authorized the change. Your engineering didn’t push any new code. But the AI system making hiring recommendations for your organization is not doing today what it was doing when you approved it. 

The applicant pool shifted and the labor market moved while the model kept running on assumptions that aged out months ago. This is AI drift, and it's already inside the workforce systems of companies ranging from startups to enterprise level, not as a hypothetical risk, but as a present condition.

What Is AI Drift?

AI drift is the gradual divergence between how an AI system was designed to perform and how it actually performs over time. For technical teams, this is familiar territory. They’re already familiar with data distribution shift, concept drift, and model decay.

Keep Reading—and Keep Leading Smarter

Create a free account to finish this piece and join a community of forward-thinking leaders unlocking tools, playbooks, and insights for thriving in the age of AI.

Have an account? Log In

Step 1 of 3

Name*
This field is hidden when viewing the form

For leaders running organizations, the definition needs to be broader and more blunt: AI drift is the slow, compounding process by which your AI tools stop doing what you think they're doing.

In workforce systems such as hiring platforms, performance evaluation tools, compensation engines, scheduling algorithms, drift takes forms that matter far more to a CHRO or CEO than a data scientist's distribution chart.

  • Output drift is the most visible. The system's decisions shift from baseline patterns. Hiring recommendations begin skewing toward certain candidate profiles. Performance scores start clustering differently across teams. Scheduling outcomes change in ways no one authorized. None of these shifts require a code change. The model is reacting to new data, or old data that no longer reflects the world it's operating in.
  • Fairness drift is subtler and more dangerous. Protected-class outcomes diverge over time, even when the system passed bias testing at deployment. A hiring tool that screened equitably in 2022 may not screen equitably in 2026 if the applicant pool has shifted, if job requirements have evolved, or if the underlying data reflects patterns the model was never trained to handle.
  • Decision authority drift is the form most leaders miss entirely. The AI's scope of autonomous decision-making quietly expands beyond its original mandate. A tool deployed to rank candidates begins effectively eliminating them. A performance scoring system starts influencing compensation decisions it was never designed to touch. No one authorized the expansion. It happened incrementally, through workflow integration and user behavior, and nobody flagged it because nobody was watching for it.
  • Governance drift is the gap between what your policies say the AI is doing and what it's actually doing. This is where legal exposure concentrates. Your responsible AI policy describes a system that was validated at launch. The system operating today may bear little resemblance to that description. The policy didn't drift, but the system did.

The critical thing to understand about drift is that it isn't a failure event so much as a decay process. An AI system that was compliant at deployment can become a liability without a single line of code changing, simply because the world around it changed.

By the time symptoms surface in the form of a discrimination complaint, an audit finding, or an outcome pattern that doesn't match expectations, exposure has been compounding for months.

Why AI Drift Demands Attention Now

Most organizations have deployed AI into workforce systems and then stopped paying attention. They tested at launch. They documented at launch. They haven't tested or documented since. In the meantime, enforcement caught up.

The litigation landscape

Mobley v. Workday is now the defining case. Five plaintiffs, all over 40, alleged that Workday's AI screening tools discriminated based on age. In May 2025, a federal court in the Northern District of California certified the case as a nationwide collective action under the Age Discrimination in Employment Act.

The ruling's reach potentially covers every applicant over 40 screened through Workday's platform since September 2020. Workday itself represented in filings that 1.1 billion applications were rejected using its tools during the relevant period.

The court's reasoning was direct. Judge Rita Lin held that Workday was sufficiently involved in the hiring process to be treated as an agent of the employers using its tools. 

Drawing a distinction between software decision-makers and human decision-makers, the court warned, would gut anti-discrimination law in the modern era.

In July 2025, the scope expanded further to include individuals processed through HiredScore, an AI platform Workday acquired after the original complaint was filed.

Then came Eightfold AI. In January 2026, a class action alleged that Eightfold scraped data on over a billion workers, scored applicants on a zero-to-five scale, and rejected candidates before any human ever reviewed their application, all without the disclosures required by the Fair Credit Reporting Act.

This case is different from Mobley in an important way in that it doesn't allege bias. It alleges secrecy. The algorithm existed, operated, and filtered people out of opportunities without anyone outside the company knowing it was happening. The case was filed by former EEOC Chair Jenny R. Yang, a signal of the caliber of legal attention now focused on workforce AI.

Read together, these cases form a pincer. Mobley attacks outcomes. Eightfold attacks process. Both point in the same direction: AI vendors that make or materially influence employment decisions will be held accountable for those decisions.

Lead Smarter in the Age of AI
Join the People Managing People community for access to exclusive content, practical templates, member-only events, and weekly leadership insights—it’s free to join.

Join the People Managing People community for access to exclusive content, practical templates, member-only events, and weekly leadership insights—it’s free to join.

Name*

The vendor liability squeeze

Here's where the math gets uncomfortable for employers. Research from legal tech platforms shows that 88% of AI vendors cap their own liability, often limiting damages to monthly subscription fees. Only 17% warrant regulatory compliance. Broad indemnification clauses routinely require customers to hold vendors harmless for discriminatory outcomes.

That means employers are legally responsible for results they can't control, generated by data they can't audit, processed through logic they can't examine. When a class action lands, the vendor agreement caps liability, disclaims compliance warranties, and restricts algorithmic audits. The employer holds the bag.

The "human in the loop" problem

Having a person nominally in the review chain is no longer a viable defense. 

Aaron Pease, an attorney at Highbridge Law Firm who advises on AI governance and workforce compliance, put it bluntly in a recent presentation on autonomous workforce risks.

Supervision without visibility is theater, and it collapses under legal discovery.

Pease-42374
Aaron PeaseOpens new window

Founding Member and Principal Attorney

Organizations can't demonstrate what the human actually reviewed, what they overrode, or what criteria they applied. Courts and regulators are moving toward requiring documented, demonstrable oversight, not a stated policy that someone, somewhere, looked at something before it went through.

Regulatory enforcement Is materializing

Colorado's AI Act, enacted in May 2024, is the nation's first comprehensive state law regulating AI systems used in high-stakes decisions, including employment. The law requires mandatory impact assessments, risk management programs, disclosure obligations, and carries $20,000-per-violation penalties.

Its path to enforcement has been turbulent as more than 150 lobbyists descended on a special legislative session in August 2025, and four competing bills attempted to gut or repeal it. None succeeded. The legislature agreed only to delay enforcement to June 30, 2026, leaving the law's substantive requirements intact.

As of early 2026, the Colorado legislative session has produced no agreement on further changes.

Meanwhile, California has finalized regulations governing employers' use of AI in discrimination claims, and Illinois has enacted AI disclosure requirements. The pattern is consistent across states: delay is possible, but retreat from regulation is not happening.

The Cost of Passive Governance

Zillow's $569 million write-down in November 2021 remains one of the clearest case studies in what happens when algorithmic drift goes unmonitored. The company's iBuying platform used a pricing model to value homes and make purchase offers. As post-pandemic market conditions shifted, the algorithm continued to assume the market was hot while real conditions were cooling.

Zillow was buying homes at inflated prices for months before anyone caught it. When the reckoning came, the company shut down the entire iBuying unit, laid off 25% of its workforce, and absorbed total losses exceeding $900 million. The stock lost roughly $7.8 billion in market value within days.

The write-down wasn't caused by a sudden failure. It was caused by gradual drift that compounded because no one was watching the signals. Replace "home pricing" with "hiring decisions" or "performance evaluations," and the pattern is identical. The drift is quiet. The exposure accumulates. The reckoning is not.

For executives running workforce AI, the cost categories are concrete.

  • Financial exposure comes from flawed AI decisions compounding over time in the form of bad hires, wrongful terminations, misallocated talent
  • Litigation exposure comes from the fact that months of biased screening decisions, all documented in system logs, create exactly the kind of systematic evidence class-action attorneys look for
  • Regulatory fines are no longer theoretical as enforcement frameworks mature
  • Reputational damage hits employer brand in a competitive talent market
  • Board-level disruption enters the picture as governance failures in AI decision-making reach fiduciary duty territory. Directors are asking whether the organization can demonstrate oversight, and "we have a policy" is not an answer.

Why Most Governance Frameworks Fail

Most organizations adopted the language of responsible AI. They have policies. They have principles. Some reference NIST. But they never embedded the internal monitoring to verify they're living up to any of it. They can describe their AI governance posture. They cannot measure it.

This is the instrumentation gap, and it's where the real risk lives.

Dr. Fern Halper, VP and Senior Research Director for Advanced Analytics at TDWI references a late-2025 survey the company did of several hundred organizations. Only about a third described their AI governance as mature in terms of organizational buy-in, defined processes, accountability, tools, and the ability to measure outcomes.

Monitoring capabilities were even less common. Fewer than 25% reported using any kind of AI monitoring tools that might detect drift.

In many organizations, the breakdown isn’t between policy and measurement, it occurs earlier. Many organizations are still developing basic governance structures such as policies, accountability models, and model inventories. They haven’t yet reached the stage where continuous monitoring of models in production is operationalized.

Fern Halper-73172
Dr. Fern HalperOpens new window

VP and Senior Research Director for Advanced Analytics at TDWI

That finding reframes the governance problem for many leaders. The conversation in boardrooms tends to assume that governance exists and the question is whether it's good enough. For most organizations, the infrastructure to govern AI decisions in any measurable way simply hasn't been built yet.

The NIST AI Risk Management Framework, released in January 2023, defines four core functions: Govern, Map, Measure, and Manage. Most organizations know the framework exists. Few have operationalized it past the first two.

  • Govern is the cross-cutting foundation — risk culture, accountability structures, leadership commitment, roles and responsibilities. NIST designed it to be infused throughout the other three functions, not treated as a standalone checkbox. Without Govern, Map, Measure, and Manage are exercises on paper.
  • Map identifies where AI has been delegated decision authority, what data feeds it, who's affected, and what the stakes are. This is the inventory phase, and it's where most organizations stop. They completed the landscape assessment. They documented which systems touch which decisions. Then they moved on.
  • Measure is where governance becomes real. It requires quantitative, qualitative, or mixed-method tools to analyze, benchmark, and monitor AI risk against defined baselines. NIST is explicit: AI systems should be tested before deployment and regularly while in operation. Regularly. Not once.
  • Manage is remediation — prioritizing and addressing identified risks, logging corrective actions, connecting detection signals to documented responses.

The problem is that most organizations stop at Map, or more accurately, they stop at a partial Map that lacks the Govern foundation to make it actionable. They rarely quantify drift, track exposure signals, or log corrective actions.

According to Pease, they definitely don't connect signals to documented remediation. Mapping without measuring is a catalog. Measuring without governing is just data. None of it protects you in discovery unless it connects to documented action.

Worth noting: NIST alignment is becoming more than a best practice. Colorado's AI Act explicitly cites the NIST AI RMF as a benchmark for compliance. Deployers who align to it receive a rebuttable presumption that they used "reasonable care." That means NIST is becoming the standard against which legal liability is measured, not just a voluntary guideline.

How to Detect and Quantify AI Drift

The fundamental shift organizations need to make is conceptual before it's technical. Stop treating AI oversight as an audit function with annual or quarterly review, scheduled in advance, reported after the fact, and start treating it as an operational function. Continuous signal monitoring with defined thresholds, running alongside the systems it's watching.

What to monitor

In workforce AI systems, five categories of signals matter.

  • Output patterns: are hiring recommendations, performance scores, or compensation decisions shifting from deployment baselines?
  • Fairness metrics: are outcomes for protected classes diverging, even gradually?
  • Data inputs: has the composition of the data feeding the system changed in ways the model wasn't designed for?
  • Decision scope: has the AI's effective authority expanded beyond its original mandate?
  • Regulatory alignment: are requirements evolving faster than your governance documentation?

None of these are exotic data points. They're operational metrics that should already exist in any system making consequential decisions about people. Most organizations never set up the infrastructure to track them continuously, or never defined the baselines against which to measure change.

From description to quantification

The gap most organizations need to close is the distance between qualitative governance and quantitative governance. Between "we have a responsible AI policy" and "we can show month-over-month drift metrics with documented thresholds and corrective actions."

Quantification means measuring:

  • Drift magnitude: how far outputs have moved from baseline and in which direction
  • Financial exposure scoring: translates technical metrics into business language in terms of estimated cost of uncorrected drift per month.
  • Legal exposure indexing: based on patterns in protected-class outcomes over time
  • Compliance gap measurement: the distance between current system behavior and applicable regulatory requirements.

Think of it as a risk sensitivity engine in that its a continuous tracking mechanism that converts drift signals into financial and legal exposure metrics, month over month.

This is what turns governance from a document into a dashboard. It's what gives leadership the visibility to act before exposure compounds into the kind of liability that ends up in a courtroom.

From Detection to Action: Governance Telemetry

"Governance without telemetry is litigation waiting to happen," said Pease. "Delegation needs oversight."

The framework he lays out draws a sharp line between governance as a document and governance as an operating capability. Standards describe what governance should look like. Telemetry operationalizes it. The difference is the difference between a policy manual and an operating system.

Telemetry, in this context, means continuous signal capture combined with threshold evaluation and a documented action trail. Five components make it work.

  • Signal Capture is the continuous collection of drift indicators across every AI-delegated decision point. Not sampling. Not quarterly audits. Continuous. If the system is making decisions every day, the monitoring should be running every day.
  • Threshold Logic defines pre-set boundaries that distinguish acceptable variation from actionable drift. These must be calibrated to organizational risk tolerance and regulatory requirements. A 2% shift in hiring recommendation patterns means something different in a federal contractor environment than in a startup. The thresholds need to be defined before they're needed, not reverse-engineered after a problem surfaces.
  • Escalation Routing moves flagged signals to the right decision-maker at the right level through automated pathways. Not every drift signal requires the CHRO's attention. Some do. Escalation logic is what turns drift from an unnoticed data point into managed risk. Without it, signals accumulate in dashboards that nobody checks until it's too late.
  • Audit Log provides immutable documentation of what was detected, when it was detected, what action was taken, and by whom. This is the artifact that survives legal discovery. This is what proves governance happened and that it was more than a statement of intent.
  • Corrective Action Loop closes the chain. Detection leads to evaluation. Evaluation leads to action. Action is recorded. Without this, you have monitoring. With it, you have governance.

These five components map directly to the NIST AI RMF. Govern provides the accountability structure that ensures telemetry exists, is resourced, and has leadership visibility. Map identifies where telemetry points need to exist — every AI-delegated decision point. Measure is what telemetry captures: drift magnitude, exposure signals, threshold breaches, fairness metrics. Manage is what telemetry triggers: escalation, corrective action, documented remediation, closed-loop accountability.

This mapping matters because it connects operational practice to the compliance standard that Colorado's AI Act — and likely subsequent state laws — will use to evaluate whether an organization exercised reasonable care.

Three Questions Every Leader Must Answer Now

Pease frames the minimum viable governance posture around three questions. If leadership can't answer all three, the organization's governance is reactive, managing reputation risk rather than operational risk.

  1. Where has AI been delegated decision authority inside your workforce systems? Not where AI is "used." Where it has been given the authority to make or materially influence decisions about people, such as hiring, screening, evaluation, compensation, scheduling, termination risk scoring. If you can't produce this map, you can't govern what you can't see.
  2. Can you quantify governance drift month over month? Not "do we have a policy." Can you produce a metric that shows whether your AI systems are operating within defined parameters and whether that's changed since last month? If governance can't be measured, it can't be managed.
  3. Can you demonstrate documented corrective action? When drift was detected, what happened? Who was notified? What was the decision? What changed? If you can't show the trail from detection to response, you have monitoring at best. You don't have governance.

Where to Start

For many companies, the implementation priorities are practical.

  • Start with workforce systems. These carry the highest exposure because they affect people directly and face the heaviest regulatory scrutiny.
  • Build the audit trail first. This is what regulators and courts will ask for. The ability to demonstrate that governance happened is more immediately protective than perfecting the monitoring itself.
  • Instrument before you scale. Adding telemetry after deployment is exponentially harder and more expensive than building it in. Every new AI deployment without governance instrumentation is new unmonitored exposure.

Organizations that build governance telemetry into their AI operations are building the infrastructure that allows them to deploy AI with confidence, move faster on adoption, and demonstrate to regulators, boards, and employees that the people affected by these systems are being protected. Not processed. Protected.

The enforcement window is narrowing. The question is whether you'll have the evidence to show you were paying attention.

David Rice
By David Rice

David Rice is a long time journalist and editor who specializes in covering human resources and leadership topics. His career has seen him focus on a variety of industries for both print and digital publications in the United States and UK.

Interested in being reviewed? Find out more here.

Follow the author: Opens new window
You may also like