Somewhere in 2022 and 2023, Derek Mobley was doing what a lot of people do when they’re job hunting: applying. A lot. Over 100 applications, by his account, sent to companies that all had one thing in common — they used Workday to manage hiring.
He didn’t get the jobs. What he alleges is that he didn’t get them in part because an AI system was evaluating his applications and filtering him out — based, he claims, on his race, age, and disability status.
What happened next is where it gets interesting for anyone in IT or Security.
He didn’t just sue the companies that rejected him. He sued Workday.
A New Kind of Defendant
This is the part of the story that should make every technology leader sit up a little straighter. The legal theory at the center of Mobley v. Workday isn’t just “this AI was biased.” It’s “Workday, as a vendor, functioned as an agent of the employers — and therefore shares their legal obligations under federal anti-discrimination law.”
That’s new territory. Historically, if a company used a bad tool and it caused harm, the company was liable. The tool vendor was just… the tool vendor. This case is testing whether that’s still true when the tool is making consequential decisions about people.
As of early 2026, the court has certified the case as a collective action — meaning it’s not just Mobley anymore. It’s a class. And the court ordered Workday to disclose which of its customers had specific AI features enabled.
Which brings us to HiredScore.
The Acquisition Nobody Talked About at the All-Hands
In 2023, Workday acquired a company called HiredScore. If you’ve never heard of HiredScore, you’re not alone — it wasn’t exactly front-page news outside of HR tech circles. What HiredScore does is score, rank, and filter job candidates using AI. Feed it applications, get back a prioritized list. Efficient, fast, and — as we’re now discovering — legally complicated.
When Workday completed the acquisition, HiredScore’s capabilities became part of the Workday platform. And at some point, inside organizations using Workday, that capability became available to enable.
So someone did.
Maybe it was an HR admin. Maybe it was an IT admin helping with a platform upgrade. Maybe it was someone following a vendor’s setup guide at 4:45 on a Friday. The point is: a feature with significant legal and ethical implications went live in production environments, and in many cases, the people who should have been consulted — Legal, Security, Compliance — probably weren’t in the room.
The court agrees this matters. It ordered Workday to produce a list of every customer that had HiredScore AI features turned on. Not because those customers are necessarily in trouble. Because it needs to know who was affected.
That’s the kind of discovery request that makes General Counsels age in real time.
“But We’re Not Workday.”
No, you’re not. But here’s the thing — this story isn’t really about Workday. Workday is just the one that ended up in federal court.
The behavior — AI capabilities appearing inside trusted platforms, enabled by someone who may not have fully understood what they were turning on — is happening everywhere, right now, in tools you already use and trust.
Your CRM probably has an AI lead scoring feature. Your ITSM platform may be auto-routing and prioritizing tickets using a model you’ve never reviewed. Your productivity suite almost certainly has generative AI features that touch your documents, your email, your calendar. Each of those came with a button, or a toggle, or a checkbox buried in an upgrade screen.
And somebody, somewhere in your organization, clicked it.
Here’s what that click can mean that most people don’t think about in the moment:
What data does this feature have access to? AI features don’t work in a vacuum. They need data. Is it using data you’re comfortable with it using? Is that covered by your Data Processing Agreement with the vendor? Did that DPA even exist before the feature was added?
What decisions is it influencing? Some AI features are informational — they surface insights, suggest options. Others are decisional — they filter, rank, route, approve, or reject. The legal and ethical risk profile of those two categories is very different. Do you know which one you have?
Who’s accountable when it goes wrong? The Mobley case is stress-testing the assumption that accountability sits entirely with the end customer. Increasingly, that assumption may not hold. “The vendor is also liable” is cold comfort if your organization is named alongside them.
Where did the model actually come from? Acquisitions are now one of the primary ways AI capabilities get added to established platforms. When a vendor acquires an AI company, their model, their training data, their design choices, and their biases come with it. You didn’t evaluate that model. You didn’t agree to it. It just arrived, quietly bundled in an update.
So What Do You Actually Do?
Here’s where I’m going to talk to you like a friend and not a compliance framework.
Start with a simple question: What AI features are currently active in the software we pay for?
Not “what AI did we buy.” What’s on. Because those are increasingly different answers.
Go through your major platforms — HR, CRM, ITSM, finance, productivity — and find out what AI capabilities exist and which ones are enabled. Your vendor’s admin console is usually the right place to look, and if it isn’t obvious, ask your account rep directly. Make them tell you. That’s what they’re paid for.
For each one that’s active, ask: who approved this, what data does it touch, and does Legal know about it?
You don’t need a 60-page AI governance policy to start. You need a spreadsheet and a few uncomfortable conversations. The policy can come later. The conversations need to happen now.
None of this is an argument against AI in your business. AI is a legitimate accelerator — for sales, operations, hiring, support. The goal isn’t to avoid the button. It’s to make sure the right person is reading the label before anyone pushes it.
The companies getting into trouble aren’t usually the ones that thought carefully about AI and made a deliberate choice. They’re the ones where AI showed up quietly, nobody asked questions, and everyone assumed someone else had checked.
Don’t be that company.
These buttons are everywhere. They’re going to keep appearing. The teams clicking them are often moving fast, trying to solve real problems, and trusting that if the feature is in the platform, it must be fine.
It might be. But “it must be fine” isn’t a risk assessment. Neither is “the vendor said it was compliant” — we’ve all learned that one the hard way.
Know what’s running in your stack. All of it.
