The US AI Regulatory Landscape
Unlike the European Union, which enacted a comprehensive AI Act covering all member states, the United States has taken a fragmented approach to AI regulation. In the absence of federal legislation, individual states have begun enacting their own AI laws—creating a complex compliance landscape for organizations operating across state lines.
Why States Are Acting
Several factors are driving state-level AI regulation:
- Federal inaction: Despite multiple proposed bills, Congress has not passed comprehensive AI legislation, leaving a regulatory vacuum
- Consumer protection concerns: High-profile cases of algorithmic discrimination in hiring, lending, and insurance have prompted state responses
- Privacy law extension: States with existing privacy laws (California, Virginia, Connecticut, Colorado) are extending those frameworks to address AI
- Economic competition: States like California and Colorado are positioning themselves as leaders in responsible AI governance
Types of State AI Laws
State AI legislation generally falls into several categories:
Categories of State AI Legislation
| Category | Focus | Example States |
|---|---|---|
| Comprehensive AI Laws | Broad regulation of high-risk AI systems across multiple domains | Colorado (enacted), Texas (enacted, HB 149), California (pending) |
| Employment AI | AI in hiring, promotion, termination decisions | Illinois (AIVIA), New York (Local Law 144), Maryland |
| Biometric AI | Facial recognition, voice recognition, biometric data | Illinois (BIPA), Texas, Washington |
| Privacy + AI | Automated decision-making provisions in privacy laws | California (CCPA/CPRA), Virginia (VCDPA), Connecticut (CTDPA) |
| Healthcare AI | AI in clinical decisions, insurance, care management | California (pending), New York (proposed) |
| Government AI | AI use by state and local government agencies | California, Washington, multiple states |
Colorado: From the 2024 AI Act to the SB 26-189 ADMT Regime
Colorado was the first state to enact a comprehensive AI law — and the first to walk it back. The 2024 Colorado AI Act (SB 24-205) was repealed and replaced before it ever took effect by SB 26-189, titled “Automated Decision-Making Technology,” which Governor Polis signed on May 14, 2026. The new law trades the old reasonable-care-and-impact-assessment model for a narrower transparency and disclosure regime built around “covered automated decision-making technology (ADMT).” Substantive obligations commence January 1, 2027, by which date the Attorney General must also adopt clarifying rules.
Colorado SB 26-189 Key Points
- Scope: Covered ADMT used to materially influence a consequential decision in education, employment, housing, financial or lending services, insurance, health-care services, and essential government services
- Trigger: “Materially influence” — a non-de-minimis factor in the outcome; incidental or clerical uses are excluded
- Model: Transparency and disclosure — the reasonable-care duty, impact assessments, and the NIST/ISO safe harbor are not part of the new law
- Penalties: Up to $20,000 per violation under the Colorado Consumer Protection Act; a 60-day cure right that sunsets January 1, 2030
- Enforcement: Colorado Attorney General only (no private right of action); not yet operative — obligations begin January 1, 2027
Developer Requirements
Under SB 26-189, developers of covered ADMT must provide each deployer documentation that includes:
- Intended uses and known harmful or inappropriate uses
- The categories of training data, to the extent known
- Known limitations and risks, and circumstances where the ADMT should not be used
- Instructions for appropriate use, monitoring, and meaningful human review
- The information a deployer needs to meet its own obligations
Records are retained for at least three years. No disclosure of proprietary source code, model weights, or trade secrets is required.
Deployer Requirements
Deployers of covered ADMT owe four operational duties, with at least three-year recordkeeping:
- Pre-use notice — clear-and-conspicuous notice before covered ADMT is used to materially influence a consequential decision
- Post-adverse-outcome disclosure within 30 days — a plain-language description of the ADMT’s role plus the consumer’s rights and how to exercise them
- Data correction — on request, access to and correction of factually inaccurate personal data used by the ADMT
- Meaningful human review or reconsideration — on request, to the extent commercially reasonable
The earlier risk-management-program requirement, annual impact assessments, the 90-day Attorney General notification on discovering discrimination, and the standalone “you are interacting with an AI” chatbot disclosure did not survive the rewrite. Discrimination is now addressed under existing Colorado anti-discrimination law, and there is no longer a size-based small-business exemption.
California: The Privacy Leader Expands to AI
California leads US states in data privacy regulation, and its frameworks increasingly address AI. While California hasn’t enacted a comprehensive AI law equivalent to Colorado’s, multiple overlapping regulations affect AI deployment:
California Consumer Privacy Act (CCPA/CPRA)
CCPA/CPRA AI Provisions
- Profiling opt-out: Consumers can opt out of automated decision-making
- Access rights: Consumers can access information about automated decisions
- Risk assessments: Required for processing posing significant risk (including profiling)
- Penalties: $2,500-$7,500 per intentional violation
California Automated Decision-Making Technology (ADMT) Regulations
The California Privacy Protection Agency (CPPA) finalized its ADMT, risk assessment, and cybersecurity audit regulations, which took effect January 1, 2026. The rules phase in over the following 24 months, with the most consequential obligations for AI systems used in "significant decisions" beginning January 1, 2027. Key provisions:
- Pre-use notice: Detailed disclosure before ADMT is used in significant decisions
- Opt-out rights: Consumers may request human review or alternative processes
- Access to logic: Businesses must explain how automated decisions are made
- Risk assessments: Required for ADMT used in significant decisions and other high-risk processing
- Cybersecurity audits: Annual independent audits for businesses whose processing presents significant risk
The regulations are now in force. Businesses already had to begin complying on January 1, 2026 for baseline obligations; significant-decision ADMT requirements, risk assessments, and the first cybersecurity audit cycle phase in through 2027 and 2028 depending on business size.
California Pending AI Legislation
California’s legislature has considered multiple AI bills, including proposals modeled on the EU AI Act:
- SB 1047 (2024): "Safe and Secure Innovation for Frontier Artificial Intelligence Models Act"; originally imposed significant requirements on large AI models; later amended significantly before passing
- AB 2013 (2024): AI training data transparency for generative AI
- AB 2885 (2024): AI watermarking for synthetic content
- Healthcare AI bills: Multiple proposals addressing AI in clinical settings
Illinois: Biometrics and Employment AI Pioneer
Illinois has been at the forefront of regulating specific AI applications, particularly biometric data and employment decisions:
Illinois Biometric Information Privacy Act (BIPA)
BIPA Requirements
- Scope: Fingerprints, face geometry, iris scans, voice prints, hand geometry
- Notice & consent: Written consent required before collection
- Private right of action: Individuals can sue directly
- Penalties: $1,000 per negligent violation; $5,000 per intentional violation
BIPA has generated significant litigation against AI companies using facial recognition technology, with settlements reaching hundreds of millions of dollars. The law effectively prohibits most commercial facial recognition uses without explicit consent.
Illinois Artificial Intelligence Video Interview Act (AIVIA)
AIVIA Requirements
Employers using AI to analyze video interviews must: (1) notify applicants that AI will be used; (2) explain how the AI works and what characteristics it evaluates; (3) obtain applicant consent before the interview; (4) limit who can view the video; (5) delete videos upon applicant request.
Illinois Employment AI Legislation
Illinois continues to expand employment AI regulation:
- HB 3773 (2024): Broader employment AI transparency and discrimination prevention requirements
- Amendments to AIVIA: Expanded disclosure and consent requirements
- Human Rights Act integration: AI discrimination treated as a civil rights violation
Texas: TRAIGA Now in Force
Texas, with its large technology sector and business-friendly reputation, has moved from a measured stance to enacting one of the most consequential state AI laws. Texas HB 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), took effect January 1, 2026 and is now live. It prohibits certain AI uses (including intentional discrimination and unlawful manipulation), establishes disclosure obligations for consumer-facing AI, and creates Attorney General enforcement with civil penalties up to $200,000 per violation.
Texas HB 149 (TRAIGA)
Texas Responsible AI Governance Act
- Scope: Developers and deployers of AI systems doing business in Texas, producing AI products or services used by Texas residents, or whose AI affects Texas residents
- Prohibited uses: AI intentionally developed or deployed for unlawful discrimination, unlawful behavioral manipulation, social scoring by government, or generation of unlawful visual content
- Government disclosure: State agencies interacting with consumers via AI must disclose the interaction
- Enforcement: Attorney General exclusive; civil penalties up to $200,000 per prohibited use and $40,000 per day for continuing violations; 60-day cure period
- Regulatory sandbox: Establishes a sandbox program administered by the Texas Department of Information Resources for testing innovative AI systems
Texas Capture or Use of Biometric Identifier Act (CUBI)
Texas CUBI
Requires notice and consent before capturing biometric identifiers for commercial purposes. Unlike Illinois BIPA, Texas does not provide a private right of action—enforcement is through the Attorney General. Penalties up to $25,000 per violation.
Texas Data Privacy and Security Act (TDPSA)
Effective July 1, 2024, the TDPSA includes provisions affecting AI:
- Profiling opt-out: Consumers can opt out of profiling for decisions with legal or significant effects
- Data protection assessments: Required for processing that presents heightened risk, including profiling
- No private right of action: Attorney General enforcement only
Texas AI Advisory Council
Texas established an AI Advisory Council to study AI issues and recommend legislation. Areas under consideration include:
- AI in government decision-making
- AI in healthcare and insurance
- AI workforce implications
- AI safety and security standards
New York: Local and State AI Regulation
New York presents a complex regulatory landscape with both city-level and state-level AI requirements:
New York City Local Law 144 (Automated Employment Decision Tools)
NYC Local Law 144
- Scope: Automated employment decision tools (AEDTs) used in NYC hiring/promotion
- Bias audit: Annual independent audit for disparate impact by race, ethnicity, sex
- Publication: Audit summary must be publicly posted
- Notice: Candidates must be notified at least 10 days before AEDT use
- Penalties: $500 first violation; $500-$1,500 subsequent violations per day
April 2026 enforcement update. The New York State Comptroller’s December 2, 2025 audit found NYC DCWP enforcement of Local Law 144 “ineffective” — 75% of 311 calls about AEDTs were misrouted. DCWP committed to proactive investigations starting in 2026, increasing the likelihood of enforcement actions for employers and AEDT vendors operating in NYC.
New York RAISE Act (frontier AI)
The Responsible AI Safety and Education Act (S6953B / A6453B) was originally signed by Governor Hochul on December 19, 2025; the final chapter amendment was signed on March 27, 2026. It is the second US state frontier-model law (after California SB 53) and takes effect January 1, 2027.
- Scope: Large frontier developers (training-compute and revenue thresholds aligned to SB 53).
- Obligations: Publish safety protocols; report critical incidents to the Department of Financial Services within 72 hours.
- Oversight: A new oversight office within DFS will assess large frontier developers.
- Enforcement: Attorney General may bring civil actions; penalties up to $1 million for first violation, $3 million for subsequent.
Other New York AI legislation
- NY SHIELD Act: data security requirements applicable to AI systems processing personal information.
- NYDFS Insurance Circular Letter No. 7 (2024): AI underwriting and pricing guidance for licensed insurers.
- Healthcare AI bills: requirements for AI in clinical decision-making (pending).
Other State AI Laws and Pending Legislation
Beyond the major states covered above, AI regulation is advancing across the country:
States with Privacy Laws Including AI Provisions
Virginia (VCDPA)
Enacted. Effective January 1, 2023
- Profiling opt-out rights
- Data protection assessments for profiling
- No private right of action
Connecticut (CTDPA)
Enacted. Effective July 1, 2023
- Profiling opt-out for legal/significant decisions
- Data protection assessments required
- 60-day cure period
Utah (UCPA)
Enacted. Effective December 31, 2023
- Consumer access to profiling information
- More limited than other state laws
- AG enforcement only
Montana (MCDPA)
Enacted. Effective October 1, 2024
- Profiling opt-out rights
- Data protection assessments
- 60-day cure period
Oregon (OCPA)
Enacted. Effective July 1, 2024
- Profiling opt-out for automated decisions
- Data protection assessments
- Cure period through 2026
Delaware (DPDPA)
Enacted. Effective January 1, 2025
- Profiling opt-out rights
- No revenue threshold
- Broad applicability
States with Biometric/Facial Recognition Laws
| State | Law | Private Action | Key Requirements |
|---|---|---|---|
| Illinois | BIPA | Yes | Most stringent; written consent required |
| Texas | CUBI | No | Notice and consent; AG enforcement |
| Washington | HB 1493 | No | Notice required; enrollment consent |
| Arkansas | PIPA | No | Notice and consent requirements |
| Maryland | SB 169 | No | Facial recognition restrictions in employment |
States with Government AI Restrictions
Several states have enacted or proposed restrictions on government use of AI:
- California: Restrictions on law enforcement facial recognition
- Massachusetts: Proposed moratorium on government facial recognition
- Maine: Limits on law enforcement use of facial recognition
- Vermont: Restrictions on government AI without human oversight
- Washington: State agency AI accountability requirements
State AI Law Comparison Matrix
This matrix provides a high-level comparison of key AI regulatory requirements across major states:
| Requirement | Colorado | California | Illinois | New York | Texas |
|---|---|---|---|---|---|
| Comprehensive AI Law | ✓ Enacted | Partial | Partial | Pending | ✓ HB 149 |
| Employment AI | ✓ | CPRA | ✓ AIVIA | ✓ LL144 | — |
| Biometric AI | — | CCPA | ✓ BIPA | Pending | ✓ CUBI |
| Impact Assessments | — (repealed) | ✓ CPRA | — | ✓ LL144 | ✓ TDPSA |
| Consumer Opt-Out | Correction / human review | ✓ | Limited | — | ✓ |
| Private Right of Action | No | Limited | Yes (BIPA) | No | No |
| Safe Harbor (Frameworks) | — (repealed) | — | — | — | — |
Federal context and the preemption push
The federal landscape changed materially in late 2025 and now actively shapes how state AI law plays out.
The December 2025 executive order
On December 11, 2025, President Trump signed “Eliminating State Law Obstruction of National Artificial Intelligence Policy.” The order:
- Establishes an AI Litigation Task Force within the Department of Justice to challenge state AI laws on commerce-clause and preemption grounds. (Colorado’s 2024 SB 24-205 had drawn early scrutiny, but the state has since repealed and replaced it with SB 26-189 — a state legislative change, not a federal preemption.)
- Directs the FTC to articulate when state laws “requiring alterations to truthful AI outputs” are preempted by Section 5 of the FTC Act.
- Conditions roughly $42 billion of BEAD broadband funding on state repeal of “burdensome” AI regulation.
- Carves out child-safety, AI-compute and data-centre infrastructure, and state procurement from preemption.
A bipartisan coalition of 36 state attorneys general publicly opposed broad federal preemption in March 2026; the Senate previously voted 99–1 to strip a similar preemption provision from the budget reconciliation bill, and a rumored FY2026 NDAA moratorium was omitted from the final bill text. No federal statute or court has preempted or paused state AI law; the political contest remains unresolved as of June 2026.
Senate AI Working Group and proposed federal bills
Senator Marsha Blackburn’s TRUMP AMERICA AI Act would codify the executive order into statute and create comprehensive federal AI governance, but remains in committee. The Bipartisan Senate AI Working Group reports continue to be a roadmap document rather than enacted law.
NAAG state AG AI Task Force
In early 2026 Utah Attorney General Derek Brown (R) and North Carolina Attorney General Jeff Jackson (D) launched a bipartisan AI Task Force in partnership with OpenAI, Microsoft, and the Attorneys General Alliance. The task force coordinates state AG investigations and monitors emerging AI risks — especially child-safety and chatbot harms.
Why no comprehensive federal AI law yet
Despite bipartisan interest, federal AI legislation has stalled due to:
- Partisan disagreement on the regulation-versus-innovation balance.
- Preemption disagreement — many governors of both parties (CA, FL, CO) oppose stripping state authority.
- Definitional challenges in scoping “AI” and “high-risk” applications.
- Jurisdictional complexity across Senate and House committees.
Existing Federal AI-Related Laws
While no comprehensive AI law exists, several federal laws affect AI deployment:
- Civil Rights Act (Title VII): Prohibits employment discrimination, including via AI
- Fair Credit Reporting Act (FCRA): Governs AI used in credit and background checks
- Equal Credit Opportunity Act (ECOA): Prohibits lending discrimination
- Fair Housing Act: Applies to AI in housing decisions
- Americans with Disabilities Act: AI accessibility requirements
- HIPAA: Governs AI processing protected health information
Federal Agency Guidance
Federal agencies have issued AI guidance within their regulatory domains:
- EEOC: Guidance on AI in employment decisions (May 2023)
- FTC: Enforcement actions against deceptive AI practices
- CFPB: Statements on AI in consumer financial services
- FDA: Guidance on AI/ML medical devices
- HHS OCR: AI guidance for HIPAA covered entities
NIST AI Risk Management Framework
The NIST AI RMF, released January 2023, provides a voluntary framework that multiple state laws reference. Colorado’s 2024 AI Act once offered a rebuttable-presumption safe harbor for following NIST AI RMF or ISO/IEC 42001, but SB 26-189 removed it and provided no replacement; the frameworks remain sound governance practice rather than a codified legal defense in Colorado. NIST AI RMF 1.1 has not yet been released; through 2026 NIST is publishing addenda and profiles, including the Generative AI Profile (NIST AI 600-1, July 2024) and an AI RMF Profile on Trustworthy AI in Critical Infrastructure (concept note released April 7, 2026).
Multi-State Compliance Strategy
Organizations operating across multiple states need a strategic approach to managing divergent requirements:
Highest Common Denominator Approach
Rather than maintaining separate compliance programs for each state, implement controls satisfying the strictest applicable requirements:
Multi-State AI Compliance
Adopt NIST AI RMF
Implement NIST AI Risk Management Framework as baseline. It maps to most state requirements and remains sound governance practice — though, following SB 26-189, it is no longer a codified safe harbor in Colorado. Document implementation across all four functions: Govern, Map, Measure, Manage.
Implement Comprehensive Impact Assessments
Create impact assessment templates that satisfy California CPRA, NYC LL144, and pending state requirements. (Colorado’s SB 26-189 no longer mandates impact assessments, but the same artifacts still support its disclosure duties.) Include bias testing, discrimination risk analysis, and consumer rights documentation.
Build Unified Consumer Rights Infrastructure
Implement consumer-facing capabilities: opt-out mechanisms, explanation rights, data correction, appeal processes with human review. Design once, deploy across all states.
Document for Multiple Regulators
Maintain documentation that can be adapted for any state regulator: risk management policies, bias testing results, training records, incident response procedures. Use standardized formats (model cards, dataset cards).
Monitor Regulatory Evolution
Establish processes to track new state legislation, regulatory guidance, and enforcement actions. Update compliance programs proactively rather than reactively. Subscribe to AG office updates and industry associations.
Sector-Specific Considerations
Certain industries face additional state-specific requirements:
Healthcare AI
- HIPAA compliance remains the primary federal requirement
- State health privacy laws may impose additional AI restrictions
- Insurance AI regulations vary significantly by state
- Telehealth AI may trigger multiple state licensing requirements
Employment AI
- NYC LL144 sets a high bar for bias auditing
- Illinois AIVIA requires video interview AI disclosure
- Colorado SB 26-189 treats employment as a consequential-decision domain for covered ADMT
- EEOC guidance applies nationally to Title VII compliance
Financial Services AI
- FCRA and ECOA provide the federal baseline
- State fair lending laws may be more restrictive
- Insurance AI regulations are state-by-state
- Model risk management (SR 11-7) applies to banks
Frequently asked questions
Which state has the strictest AI law?
Texas HB 149 is among the broadest enacted state AI laws. Colorado’s new SB 26-189 (which repealed and replaced the 2024 AI Act) is comparatively light — a transparency and disclosure regime for covered ADMT rather than a reasonable-care duty. Illinois BIPA remains the strictest for biometric AI due to its private right of action and significant damages. For employment AI, NYC Local Law 144 sets rigorous bias audit requirements. California’s ADMT regulations, now in force since January 1, 2026, add a substantial automated decision-making layer on top of CCPA/CPRA.
Do state AI laws apply to companies headquartered elsewhere?
Yes. State AI laws typically apply based on where consumers are located, not where companies are headquartered. If you serve Colorado residents, make decisions affecting Illinois employees, or deploy AI impacting NYC job candidates, you must comply with those jurisdictions’ laws regardless of your company’s location.
Will federal AI law preempt state laws?
Uncertain. If comprehensive federal AI legislation passes, it may or may not preempt state laws depending on the law’s language. Historically, federal privacy laws (like HIPAA and FCRA) have included limited preemption, allowing states to enact more protective requirements. Current state AI laws generally don’t conflict with federal requirements—they fill gaps in federal coverage.
How do I know which state laws apply to my AI system?
Consider: (1) Where are the people affected by your AI decisions located? (2) What type of AI application is it (employment, healthcare, credit, etc.)? (3) What data does it process (biometric, personal information)? (4) Who deploys the system (government, private sector)? Most organizations operating nationally should assume the strictest applicable requirements apply.
What’s the difference between a developer and deployer under state AI laws?
Developers create or substantially modify AI systems (model providers, algorithm developers). Deployers use AI systems to make decisions affecting consumers (employers using hiring AI, lenders using credit scoring). An organization can be both if it builds and uses its own AI. Each role has distinct compliance obligations under laws like Colorado’s SB 26-189 ADMT regime, which assigns developers documentation duties and deployers notice, disclosure, correction, and human-review duties.
Do small businesses need to comply with state AI laws?
It depends on the law. Some states (like California and Virginia) have revenue or data volume thresholds. Colorado’s SB 26-189 applies to any developer or deployer of covered ADMT doing business in the state, with no size-based exemption (the old "fewer than 50 employees" carve-out is gone). NYC LL144 applies to any employer using AEDTs in NYC hiring. Illinois BIPA has no size exemption. Check specific law thresholds, but assume requirements apply if you’re using covered automated decision-making technology.
Key takeaways
- Colorado reset: The 2024 AI Act was repealed and replaced by SB 26-189, an ADMT transparency regime with compliance from January 1, 2027 — no more reasonable-care duty
- Patchwork is growing: 30+ states have AI bills; major states have enacted targeted laws
- NIST AI RMF stays a strong baseline: still sound governance practice, though Colorado’s SB 26-189 no longer codifies it as a safe harbor
- Illinois BIPA is highest risk: Private right of action creates significant litigation exposure
- National companies need unified approach: Implement highest common denominator controls
- More regulation coming: California ADMT significant-decision phase in January 2027, healthcare AI bills, and new state laws through 2026 and 2027