AI bias testing: what it is and why it's becoming a procurement question

In-depth analyses of real-world cyber incidents and emerging threat trends, authored exclusively by our analysts.

Joanna Larson
7 min read
14 July 2026

Until recently, bias in AI systems was mostly a conversation for researchers and ethicists. That has changed quickly. In 2026, whether an AI system has been tested for bias is turning into a genuine procurement question, sitting alongside SOC 2 reports and penetration test results in the documents a serious enterprise buyer asks for. If you are building an AI product, it is worth understanding what bias testing actually involves, why buyers are starting to ask, and where it fits alongside the rest of your security and compliance work.

What AI bias testing actually is

Bias testing is the practice of checking whether an AI system produces systematically different outcomes for different groups of people in ways that are unfair or discriminatory, even when nobody intended that to happen. It typically involves statistical analysis of how a model performs across demographic segments, and checking for what is sometimes called proxy discrimination, where a factor that seems neutral, such as postcode or a particular pattern of activity, ends up standing in for a protected characteristic like race or gender.

This is a genuinely different discipline from the security testing most of this library covers. Prompt injection testing and penetration testing ask whether your AI can be attacked or manipulated. Bias testing asks whether your AI treats people fairly, using statistical and data science methods rather than adversarial security techniques. They are related, in that both are about whether your AI product can be trusted, but they require different expertise and different tools.

Why this is becoming a procurement question now

A few forces are converging at once, and together they explain why bias has moved from an academic concern to something buyers actively ask about.

  • The EU AI Act requires it directly for high risk systems. Under the Act, high risk AI systems, the category that includes most recruitment, credit, and similar tools, must be trained and tested on data that is checked for bias, and providers must document their bias testing results as part of the required technical documentation. This is not a vague expectation. It is a specific, written requirement tied to a deadline.
  • US state laws are adding specific bias audit requirements. New York City's Local Law 144 requires an independent bias audit for automated tools used in hiring decisions, and other US states have introduced similar requirements for high risk automated decision systems. If you sell into these markets, this is not optional.
  • Insurance underwriters are starting to ask. Cyber and professional liability insurers are increasingly asking whether an applicant has an AI governance policy and runs bias testing, and are pricing or excluding cover for AI systems where the answer is no. That turns bias testing into a cost of doing business, not just a compliance nicety.
  • Large enterprise buyers are simply asking earlier. Bigger organisations are starting to request evidence of bias testing or a recognised AI governance certification as part of procurement, particularly where the AI product touches hiring, lending, insurance, or anything else that affects people's access to opportunity.

Put together, this means bias testing is shifting from something only heavily regulated industries thought about to something that shows up in ordinary enterprise procurement for any AI product that makes or supports decisions about people.

When it genuinely matters for your product

Not every AI product needs a formal bias testing programme, and it is worth being honest about that rather than manufacturing urgency where none exists. The products where this matters most are the ones that score, rank, filter, or decide about individual people, particularly around employment, credit, insurance, or access to services. If your product summarises documents, assists with coding, or helps with internal analytics, bias testing in the formal sense is far less pressing, though basic fairness thinking is still good practice.

If your product does touch decisions about people in a sensitive category, the honest signal to watch for is the same one that determines your EU AI Act risk tier. If you are high risk under the Act, bias testing and documentation are not optional, they are a written requirement. If you are outside that category, it becomes a matter of good practice and buyer expectation rather than strict legal obligation, at least for now.

What bias testing practically involves

At a high level, a proper bias testing exercise looks at a handful of things.

  • Representativeness of your training and validation data, checking whether the data your model learned from actually reflects the population it will be used on, rather than skewing toward one group.
  • Performance differences across groups, measuring whether your model's accuracy or outcomes differ meaningfully across categories like gender, ethnicity, age, or other relevant characteristics.
  • Proxy discrimination, checking whether features that look neutral are quietly correlating with a protected characteristic and driving unfair outcomes through the back door.
  • Documentation of findings and mitigations, recording what was tested, what was found, and what was done about it, because for regulated use cases this record is exactly what the Act and other frameworks expect to see.

This work typically sits with data scientists and specialist fairness auditors, using statistical techniques built for exactly this purpose, and for a high risk product it is worth treating as its own workstream rather than a side task.

Where this fits alongside your security work

Here is the honest, useful way to think about this. Bias testing and AI security testing are both part of the broader case that your AI product can be trusted, but they are different disciplines answering different questions. Security testing, the kind covered throughout the rest of this library, asks whether your product can be attacked, manipulated, or made to leak data. Bias testing asks whether your product treats people fairly. A buyer's procurement process is increasingly asking about both, and increasingly treating AI governance as a whole, spanning security, compliance, and fairness together.

For a startup, the practical takeaway is not that you need to become experts in fairness statistics overnight. It is to know honestly whether your product is the kind that needs this, to say so clearly if a buyer asks, and to bring in the right expertise, whether that is a specialist bias auditor for a high risk product or simply good data practices for a lower risk one. Pretending the question does not apply to you when it does is the mistake that damages trust. Being clear about where you stand, and what you are doing about it, is what buyers actually want to see.

The honest takeaway

AI bias testing has moved from an academic conversation to a real procurement question, driven by the EU AI Act's documentation requirements, specific laws like New York's bias audit rule, insurers tightening their questions, and enterprise buyers simply becoming more aware of the risk. It matters most for products that make or support decisions about people, particularly around employment, credit, and access to services.

Know honestly where your product sits, treat bias testing as its own discipline rather than folding it into general security work, and be ready to speak to it clearly if a buyer asks. That clarity, more than a perfect answer, is what keeps a security and governance conversation moving forward rather than stalling a deal.

Not sure whether your AI product needs bias testing?

Book a free review and we'll help you understand where your product sits and what buyers will expect.

Tags
#Compliance
#Cybersecurity
#Founder
#GDPR
#ISO 27001
#ISO 42001
#Procurement
#SOC
#SOC2
#SSO
#United Kingdom

AI Security Insights

AI bias testing: what it is and why it's becoming a procurement question

Until recently, bias in AI systems was mostly a conversation for researchers and ethicists. That has changed quickly. I…

Read article

Security diligence at Series A vs seed: what actually changes

Founders raising a seed round rarely think about security diligence at all, and for good reason, because most seed inve…

Read article

The security bar Y Combinator and top accelerators expect

Founders researching this topic are usually looking for one thing, a checklist of security requirements Y Combinator ha…

Read article

Self-hosting an open source LLM: the security trade-offs nobody mentions

Self-hosting an open source model is having a real moment. Llama, Mistral, Qwen and others have closed much of the gap…

Read article

More insights, delivered monthly

Get the latest insights on AI security and compliance.