By Chanté Eliaszadeh | June 22, 2026
On July 1, 2025, the United States Senate stripped the proposed ten-year AI regulatory moratorium from the federal budget reconciliation bill in a near-unanimous 99-1 vote. The provision was not killed quietly in committee; it was struck on the Senate floor by amendment during the overnight “vote-a-rama,” leaving states free to enforce their own AI laws and accelerating a wave of state-level legislation that has reshaped the American AI regulatory landscape.
The result is a dense and fast-moving patchwork. According to the National Conference of State Legislatures, approximately 100 AI-related measures were enacted across 38 states in 2025, and every state plus the District of Columbia, Puerto Rico, and the Virgin Islands introduced AI-related legislation. For companies operating nationally, that divergence creates a genuine compliance challenge: distinct definitions, requirements, effective dates, penalties, and enforcement mechanisms across dozens of jurisdictions.
This guide maps the state AI regulatory landscape, examines the ten most active jurisdictions in detail, provides a state-by-state summary table covering all 50 states plus the District of Columbia, Puerto Rico, and the Virgin Islands, and sets out a practical compliance framework for multi-state operations. It closes with the federal picture, which changed materially in late 2025: the executive branch is now actively working to preempt the very state laws this guide describes.
Why the Federal Moratorium Failed---And What It Means for AI Companies
The proposed federal moratorium would have barred enforcement of state and local AI regulation for a decade. Much of the technology industry supported it, arguing that inconsistent state requirements would burden innovation and impose impractical compliance costs across 50 jurisdictions.
A broad and bipartisan coalition opposed the measure:
- Seventeen Republican governors urged Congress to preserve state authority over AI regulation
- Forty state attorneys general, from both parties, warned that federal preemption would leave consumers unprotected
- Civil liberties organizations opposed an industry-led deregulation of an emerging technology
- Consumer advocacy groups pressed for protections now, not after a ten-year pause
When the Senate voted 99-1 to strip the moratorium on July 1, 2025, the message was unambiguous: in the near term, states would lead AI regulation in the United States. With no comprehensive federal statute on the books, companies must navigate this multi-jurisdictional landscape as the operative reality---even as the federal executive branch has since moved to challenge it, a development addressed in the federal-preemption section below.
Strategic implications:
- State law is, for now, the operative regime - Even if federal legislation eventually passes, it may establish a floor rather than a ceiling, leaving room for states to impose additional requirements; the late-2025 federal posture (discussed below) is preemption by executive action and litigation, not a comprehensive statute
- California sets the practical standard - As the world’s fourth- or fifth-largest economy with roughly 39 million residents, California’s AI laws function as de facto national requirements, because companies rarely find it economical to maintain California-specific and non-California AI systems
- Compliance complexity compounds - Each new state law adds overlapping obligations, divergent definitions, and multiplicative compliance work
- Enterprise procurement drives adoption - Large customers often demand compliance with the most stringent state requirements regardless of strict legal necessity
- Early compliance is a competitive position - Companies that build durable compliance infrastructure early position themselves as trusted partners and attract AI-safety talent
The Ten Most Active AI Regulatory States: Deep Dive
1. California: The Comprehensive Leader
California’s AI framework spans several laws addressing different facets of AI development, deployment, and use. Governor Newsom vetoed the high-profile SB 1047 (which targeted frontier AI models) in 2024, but California has since enacted a frontier-AI safety statute and a series of other AI laws that together form the most comprehensive state-level framework in the country.
Key California AI Laws:
SB 53---Transparency in Frontier Artificial Intelligence Act (signed September 29, 2025; most requirements effective January 1, 2026) - The most significant recent development in California. SB 53 makes California the first state to impose frontier-AI safety obligations. Large frontier developers---those training models above the statute’s 10^26 floating-point-operations threshold---must publish a safety and security framework, file transparency reports, and report critical safety incidents to the California Office of Emergency Services within fifteen days. The statute includes whistleblower protections and is enforced by the Attorney General, with civil penalties up to $1 million per violation.1
AB 1008 (effective January 1, 2025) - Amended the California Consumer Privacy Act (CCPA) to confirm that “personal information” can exist in AI systems capable of outputting it. The effect is to bring such AI systems within CCPA’s requirements for notice, consumer rights, and reasonable security.2
SB 243---Companion Chatbot Safeguards (signed October 13, 2025; effective January 1, 2026, with certain provisions phasing in later) - The first U.S. law directed specifically at companion chatbots. It requires operators to disclose that users are interacting with AI, to implement protocols addressing self-harm and sexual content (with particular attention to minors), and to provide periodic reporting. This was a pending bill when earlier versions of this guide were written; it is now law.3
AB 1018---Automated Decision Systems (stalled in 2025; two-year bill) - Would have imposed disclosure and fairness requirements on AI used in consequential decisions such as hiring, housing, credit, and insurance. The bill was placed on the inactive file on September 13, 2025, did not advance, and was carried over as a two-year bill into the 2026 session. It is not current law.4
SB 420---AI “Bill of Rights” (did not advance in 2025) - Would have required impact assessments and transparency measures for certain AI systems. The measure did not advance out of committee before the 2025 session closed. It is not current law.
Bot Disclosure Law - Requires disclosure when a bot is used to sell goods or services or to influence an election. Enforcement is public (state and local prosecutors), with no private right of action; the commonly cited figure is up to $1,000 per violation.
Deepfake Laws - Several statutes address deepfakes across distinct contexts (elections, intimate images, likeness), with remedies ranging from civil penalties to criminal liability depending on the conduct.
California Compliance Costs (estimated):
- Small AI companies (under 50 employees): $75,000-$150,000 annually (compliance staff time, legal counsel, documentation systems)
- Medium AI companies (50-250 employees): $200,000-$500,000 annually (dedicated compliance officer, third-party audits, enhanced documentation)
- Large AI companies (over 250 employees): $750,000-$2,000,000 annually (full compliance team, continuous monitoring, legal representation)
Penalties: Vary by statute. CCPA violations run up to $7,500 per intentional violation; bot disclosure is commonly cited at $1,000 per violation; SB 53 authorizes civil penalties up to $1 million per violation; deepfake statutes range from civil penalties to criminal prosecution.
Strategic considerations: California law effectively sets a national floor. Companies serving California customers---which most national companies do---should plan to comply even if they are not California-based, and SB 53 now makes frontier-model developers a distinct compliance population.
2. Colorado: First Comprehensive AI Anti-Discrimination Law
On May 17, 2024, Colorado enacted SB 24-205, the Colorado Artificial Intelligence Act (official short title “Consumer Protections for Artificial Intelligence”), making Colorado the first state to impose broad obligations on private-sector use of high-risk AI. As originally enacted, the law was to take effect February 1, 2026. During the August 2025 special session, the legislature passed SB 25B-004, which moved the effective date to June 30, 2026.5
Coverage: “High-risk AI systems”---systems that make, or are a substantial factor in making, “consequential decisions” affecting consumers in areas including:
- Education, employment, financial services, and healthcare
- Housing, insurance, and legal services
- Essential government services
Key Requirements:
For developers (those who develop or substantially modify high-risk AI):
- Use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination
- Provide deployers with detailed documentation covering:
- The system’s intended uses and known limitations
- The categories of data used to train it
- The transparency measures in place
- How deployers can use the system to minimize discrimination risk
- Make periodic statements to the Attorney General documenting compliance
- Disclose known or reasonably foreseeable algorithmic-discrimination risks within 90 days of discovery
For deployers (those who deploy high-risk AI affecting Colorado consumers):
- Use reasonable care to protect consumers from algorithmic discrimination
- Conduct annual impact assessments evaluating whether the system causes algorithmic discrimination
- Provide clear notice to consumers when high-risk AI makes or substantially contributes to a consequential decision
- Implement reasonable management policies and practices governing use
- Provide an opportunity to appeal adverse decisions and obtain human review
Algorithmic discrimination defined: Use of an AI system that results in unlawful differential treatment or impact disfavoring individuals on the basis of protected classifications (including race, color, ancestry, religion, sex, national origin, disability, age, and sexual orientation).
Enforcement: Exclusive enforcement by the Colorado Attorney General; violations are treated as unfair trade practices under the Colorado Consumer Protection Act, with penalties up to $20,000 per violation. There is no private right of action.
Compliance Timeline:
- Now through June 30, 2026: Build impact-assessment procedures, transparency documentation, and notice systems
- June 30, 2026: Compliance required for all covered systems
- Ongoing: Annual impact assessments, continuous monitoring, and Attorney General statements
Colorado Compliance Costs (estimated):
- Small deployers: $50,000-$100,000 (initial impact assessment, documentation, notice implementation)
- Medium deployers: $150,000-$300,000 (dedicated resources, third-party assessments, enhanced monitoring)
- Large deployers and developers: $400,000-$800,000 (comprehensive compliance program, legal counsel, continuous auditing)
3. Texas: Responsible AI Governance Act (TRAIGA)
On June 22, 2025, Governor Greg Abbott signed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted as HB 149, with an effective date of January 1, 2026---ahead of Colorado’s law. TRAIGA is narrower than its earlier drafts, but it establishes meaningful guardrails for AI development and for government use of AI.6
Key prohibitions:
TRAIGA prohibits the intentional development or deployment of AI systems to:
- Produce or distribute child sexual abuse material
- Create unlawful sexually explicit deepfake content
- Generate explicit text-based exchanges impersonating minors
- Unlawfully discriminate against individuals
- Infringe constitutional rights
- Incite harmful or criminal acts
Notably, TRAIGA’s anti-discrimination prohibition requires intent---a deliberate narrowing from the consequential-decisions, disparate-impact model adopted in Colorado. A showing that a system produced a discriminatory outcome is not, by itself, a violation.
Transparency requirements:
For government use: State agencies must give “clear and conspicuous notice” to individuals interacting with an AI system.
For the private sector: TRAIGA does not impose an equivalent notice requirement on private companies, creating an asymmetry between public- and private-sector obligations.
Texas deepfake laws:
Senate Bill 441 (SB 441) - Addresses sexually explicit deepfakes, including the threat to create intimate deepfakes to coerce, extort, harass, or intimidate. (Confirm the precise penalty classification before relying on it externally.)
House Bill 581 (HB 581) - Assigns civil liability to operators of websites or applications used to create deepfakes of minors, and is among the first U.S. laws to hold platform operators liable for such tools.
Enforcement: Criminal prosecution for prohibited AI uses; civil liability for platform operators that enable minor deepfakes. TRAIGA itself does not specify civil penalties for every violation, but intentional development of a prohibited system can carry criminal exposure.
Compliance requirements:
- Audit AI systems for prohibited purposes (intentional discrimination, constitutional violations, criminal incitement)
- For government-facing AI, implement notice systems
- For deepfake-creation tools, implement age verification and content restrictions
Texas Compliance Costs (estimated):
- AI developers: $40,000-$80,000 (audit for prohibited purposes, documentation)
- Government contractors: $60,000-$120,000 (notice implementation, compliance verification)
- Platform operators: $100,000-$250,000 (content moderation, age verification, liability assessment)
Penalties:
- Criminal prosecution for prohibited AI development (penalties vary by violation)
- Civil liability for platform operators (damages determined by the court)
- Potential injunctive relief
4. New York: Employment AI Bias Audits and the RAISE Act
New York City’s Local Law 144, the first AI hiring-bias-audit requirement of its kind, took effect January 1, 2023, with enforcement beginning July 5, 2023. Although it is a city ordinance rather than a statewide law, the size and influence of the New York market make it effectively mandatory for companies hiring there.7
Coverage: “Automated employment decision tools” (AEDTs)---computational processes derived from machine learning, statistical modeling, data analytics, or AI that issue simplified output used to substantially assist or replace discretionary decision-making for:
- Hiring employees or independent contractors
- Promoting current employees
Key requirements:
Bias audits: Employers using AEDTs must have them audited annually by an independent auditor. The audit assesses differential impact by race/ethnicity and sex, calculating selection rates and impact ratios.
Public disclosure: Employers must post, in the employment section of their website:
- The date of the most recent bias audit
- A summary of audit results (selection rates and impact ratios)
- The distribution date of the AEDT
Candidate notice: Employers must notify candidates or employees at least 10 business days before using an AEDT in an employment decision.
Alternative process: Employers must allow individuals to request an alternative selection process or an accommodation.
Data retention: Employers must retain audit documentation and make it available on request.
Enforcement: NYC Department of Consumer and Worker Protection. Civil penalties:
- First violation: $500 per instance
- Subsequent violations: up to $1,500 per instance
- Each day of continued violation counts as a separate instance
The New York RAISE Act (signed December 19, 2025; effective January 1, 2027):
On December 19, 2025, Governor Hochul signed the Responsible AI Safety and Education (RAISE) Act, making New York the second state---after California---to enact a frontier-AI safety law. The statute requires large developers (generally those with more than $500 million in revenue) to publish safety protocols and to report safety incidents to the state within 72 hours, and it establishes an oversight office within the Department of Financial Services. Penalties reach up to $1 million for a first violation and up to $3 million for subsequent violations (negotiated down from higher figures during the legislative process). The law takes effect January 1, 2027. Chapter amendments were committed for the 2026 session, so specific provisions may be refined; confirm any granular requirement before relying on it.8
2025-2026 state-level developments:
Beyond the RAISE Act, the New York State Legislature has considered bills that would:
- Extend bias-audit requirements statewide, beyond New York City
- Increase transparency requirements (algorithm explanation, training-data disclosure)
- Create a private right of action against employers and AI vendors
- Expand coverage to promotion, performance evaluation, and termination decisions
New York Compliance Costs (estimated):
- Small employers (using a vendor AEDT): $15,000-$30,000 (audit costs, notice implementation, documentation)
- Medium employers (custom AEDT): $40,000-$75,000 (independent audit, legal review, process modifications)
- Large employers (multiple AEDTs): $100,000-$200,000 (comprehensive audit program, dedicated compliance resources)
- AI vendors selling to New York employers: $50,000-$150,000 (audit certifications, customer documentation, legal counsel)
Strategic considerations: Even absent a statewide mandate, many employers adopt the NYC standard company-wide rather than maintain different hiring systems. With the RAISE Act, frontier-model developers now face a distinct New York compliance obligation as well.
5. Illinois: Biometric Privacy and a New Employment-AI Statute
Illinois’s Biometric Information Privacy Act (BIPA), enacted in 2008, remains the most protective biometric-privacy law in the country and one of the few that confers a private right of action (in contrast to California’s CCPA, which relies on Attorney General enforcement).9
Coverage: Any entity that collects, captures, purchases, or otherwise obtains biometric identifiers or biometric information.
Biometric identifiers include:
- Retina or iris scans
- Fingerprints, voiceprints, and scans of hand or face geometry
- Other identifiers based on an individual’s biological characteristics
AI systems using biometric data: Many AI systems---particularly facial recognition, emotion detection, and identity verification---fall squarely within BIPA’s scope, and the statute’s application to AI has produced significant enforcement actions and settlements.
Key requirements:
Written policy: Maintain and publicly post a written policy establishing a retention schedule and destruction guidelines for biometric data.
Informed consent: Obtain informed written consent before collecting biometric data, including:
- Specific disclosure of what biometric data is collected
- The specific purpose and length of collection
- A written release from the individual
No sale or profit: Selling, leasing, trading, or otherwise profiting from biometric data is prohibited.
Data security: Use a reasonable standard of care---at least the standard used for other confidential information---to protect biometric data.
2024 amendment: Senate Bill 2979 (effective August 2024) amended BIPA’s damages provision to limit recovery to a single violation per method of collection, materially reducing damages exposure. Under prior law, each scan or collection could constitute a separate violation, which had enabled very large class-action damages.
Clearview AI settlement: In a class action alleging BIPA violations against Clearview AI, the court granted final approval on March 20, 2025, to a settlement valued at roughly $51.75 million. The settlement was structured in a legally novel way---rather than a fixed cash fund, the class received an approximately 23% equity stake in the company---and it barred Clearview from granting access to Illinois state and local agencies for five years.10
HB 3773---AI in employment (effective January 1, 2026): Illinois amended the Illinois Human Rights Act to address AI in the workplace. Effective January 1, 2026, employers may not use AI in a way that has a discriminatory effect in employment decisions, may not use ZIP code as a proxy for a protected class, and must provide notice to employees when AI is used for covered employment decisions.11
Enforcement (BIPA): Private right of action. Statutory damages:
- Negligent violation: $1,000 per violation
- Intentional or reckless violation: $5,000 per violation
- Attorney’s fees and costs to a prevailing plaintiff
Illinois Compliance Costs (estimated):
- AI companies using facial recognition: $80,000-$150,000 (consent systems, policy documentation, security audit, legal counsel)
- Emotion detection / biometric AI: $100,000-$200,000 (comprehensive consent infrastructure, enhanced security, risk assessment)
- Settlement / litigation risk reserve: $500,000-$5,000,000 (depending on deployment scale and user base)
Strategic considerations: Some AI companies avoid collecting biometric data from Illinois users entirely; others geofence biometric features for Illinois. With HB 3773 now in force, employers using AI in hiring and other employment decisions have a separate Illinois obligation to manage.
6. Connecticut: A Comprehensive Bill That Has Not Passed
Connecticut has been a leading proponent of comprehensive AI regulation, but its flagship bill, SB 2 (“An Act Concerning Artificial Intelligence”), has not become law. In 2025, SB 2 passed the Senate (32-4) but was never called for a vote in the House, in the face of a threatened gubernatorial veto. This was the second consecutive year the bill failed---a similar effort also failed in 2024. Sponsors have signaled an intent to return with a revised bill, so Connecticut remains a jurisdiction to watch rather than one with an operative comprehensive law.12
What SB 2 would have required (if enacted in a future session):
Developer requirements:
- Protect consumers against algorithmic discrimination in high-risk AI systems
- Conduct impact assessments before deployment
- Implement AI risk-mitigation policies
- Provide transparency disclosures covering capabilities and limitations, training-data characteristics, and known risks
Deployer requirements:
- Conduct impact assessments for high-risk systems
- Provide notice to consumers when AI makes consequential decisions
- Implement management and oversight procedures
- Maintain documentation of AI system use and impacts
High-risk AI definition (as proposed): Systems that make, or are a substantial factor in making, decisions with legal or similarly significant effects in education, employment, financial services, healthcare, housing, insurance, and access to essential services. The proposed framework closely tracked Colorado’s.
Status: Failed in 2025 (and in 2024); expected to return in a future session. Companies serving Connecticut consumers should monitor the next legislative cycle but are not presently subject to a comprehensive Connecticut AI statute.
7. Massachusetts: Attorney General Guidance
Massachusetts has not enacted AI-specific legislation, but Attorney General Andrea Joy Campbell issued guidance on April 16, 2024, explaining how existing consumer-protection law applies to AI systems.13
Key guidance provisions:
Developer obligations:
- Do not falsely advertise AI capabilities or reliability
- Ensure AI systems perform as represented
- Do not misrepresent safety or accuracy
- Disclose material limitations
Supplier and vendor obligations:
- Market AI tools and services accurately
- Disclose system limitations transparently
- Provide proper training and support to deployers
User and deployer obligations:
- Do not deploy AI in ways that violate consumer-protection law
- Remain responsible for the outcomes of AI-driven decisions
- Maintain human oversight for material decisions
Enforcement: Violations of the Massachusetts Consumer Protection Act (Chapter 93A) can result in civil penalties (commonly cited at up to $5,000 per violation), injunctive relief, actual damages in private actions, attorney’s fees to prevailing plaintiffs, and treble damages for willful violations.
Massachusetts approach: Rather than enacting new AI-specific law, Massachusetts applies its existing consumer-protection framework to AI. The approach is immediately applicable, flexible as the technology evolves, grounded in decades of case law, and broad enough to reach uses not addressed by targeted legislation.
Massachusetts Compliance Costs (estimated):
- AI developers / vendors: $30,000-$60,000 (marketing review, capability testing, disclosure development)
- AI deployers: $20,000-$40,000 (oversight procedures, documentation, vendor due diligence)
- Litigation-risk management: $50,000-$150,000 (legal counsel, compliance audit, Chapter 93A risk assessment)
8. Utah: Disclosure-Focused Framework
Utah has built a disclosure-oriented framework across several statutes, and it refined that framework in 2025.14
SB 149---Artificial Intelligence Policy Act (effective 2024):
- Requires disclosure to consumers interacting with generative AI
- The notification must be clear and conspicuous
- Applies to consumer-facing generative AI (chatbots, content generators, and similar tools)
SB 226 (effective May 7, 2025): Utah narrowed SB 149’s generative-AI disclosure trigger. As amended, the affirmative disclosure obligation arises in response to a person’s clear and unambiguous request to know whether they are interacting with AI, and in specified high-risk interactions---rather than as a blanket, always-on disclosure duty. Companies should calibrate their disclosure practices to the amended, narrower trigger.15
HB 452---AI mental-health chatbots (effective May 7, 2025):
- Advertising: Prohibits advertising products or services during user interactions
- Data privacy: Prohibits sharing users’ personal information with third parties
- Disclosure: Requires the system to clearly identify itself as AI, not a human therapist
Regulatory mitigation agreements: Utah’s Office of Artificial Intelligence Policy can negotiate regulatory mitigation agreements with companies, offering reduced fines, cure periods, a collaborative compliance posture, and greater regulatory certainty.
Enforcement: Utah Division of Consumer Protection; the commonly cited penalty is up to $2,500 per violation.
Utah Compliance Costs (estimated):
- Generative AI products: $15,000-$30,000 (disclosure implementation, interface modifications)
- Mental-health chatbots: $40,000-$80,000 (privacy controls, advertising restrictions, regulatory-agreement negotiation)
- Regulatory mitigation agreement: $10,000-$25,000 (legal counsel for negotiation)
Strategic considerations: Utah’s regulatory-mitigation mechanism offers a collaborative path to compliance certainty; companies operating in Utah should consider engaging the Office of AI Policy proactively.
9. Virginia: A Vetoed Comprehensive Bill, and Privacy-Law Coverage
Virginia’s story is as much about what did not become law as what did. In 2025, the General Assembly passed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act---a California/Colorado-style framework regulating consequential decisions and algorithmic discrimination that, had it been signed, would have made Virginia the second state with a comprehensive AI law. Governor Youngkin vetoed HB 2094 on March 24, 2025, and the veto was not overridden. Virginia therefore has no comprehensive AI statute today.16
In the meantime, Virginia regulates AI principally through its Consumer Data Protection Act (VCDPA), which reaches AI systems that process personal data.
Data protection assessments are required for:
- Processing personal data for targeted advertising
- Sale of personal data
- Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical, or reputational injury, intrusion upon seclusion, or other substantial injury
AI systems that frequently trigger assessment requirements:
- Algorithmic decision-making systems
- Automated profiling for credit, employment, or housing
- Personalization engines using sensitive data
- Predictive analytics affecting consumers
Consumer rights under the VCDPA:
- Access to personal data
- Correction of inaccurate data
- Deletion of personal data
- Opt-out of profiling and targeted advertising
Enforcement: Virginia Attorney General; civil penalties commonly cited at up to $7,500 per violation.
Virginia Compliance Costs (estimated):
- AI systems processing Virginia consumer data: $50,000-$100,000 (data-protection assessments, privacy infrastructure, consumer-rights implementation)
- Ongoing annual costs: $30,000-$60,000 (updated assessments, rights-request handling, documentation)
Strategic considerations: The HB 2094 veto means companies that anticipated a Colorado-style obligation in Virginia have, for now, only the VCDPA’s privacy-law coverage to satisfy---but a renewed comprehensive bill in a future session is plausible, and companies already compliant with comprehensive privacy laws (California, Virginia, Colorado) are partially prepared for it.
10. Washington: Active, but Not Yet Comprehensive
Washington has not enacted a comprehensive AI statute. State officials, including Senator Maria Cantwell and Attorney General Nick Brown, were prominent opponents of federal preemption, and multiple AI bills---addressing algorithmic discrimination, deepfakes, and data privacy---have been introduced in recent sessions. Whether and when a comprehensive framework passes, and on what timeline it would take effect, remain open; companies should treat Washington as an active-development jurisdiction rather than assume specific future requirements.17
Current legislative activity:
- Multiple AI bills introduced in recent sessions
- Focus areas: algorithmic discrimination, deepfakes, data privacy
Strategic considerations: Washington’s active legislative interest suggests meaningful AI regulation could emerge; the prudent course is to monitor the legislature rather than build to a predicted framework that has not been enacted.
50-State AI Regulation Summary Table
The following table summarizes AI-related laws and regulatory status for all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands as of June 2026. Penalty and effective-date figures should be confirmed against the primary source before they are relied on for a specific matter.
| State | Primary AI Law(s) | Effective Date | Key Requirements | Penalties | Status |
|---|---|---|---|---|---|
| Alabama | None enacted | - | None (monitoring federal developments) | - | No current regulation |
| Alaska | None enacted | - | None (introduced bills did not pass) | - | No current regulation |
| Arizona | Deepfake disclosure law | Jan 1, 2025 | Disclosure required for political deepfakes before an election | Civil penalties | Enacted |
| Arkansas | None enacted | - | None (bills introduced) | - | Legislation pending |
| California | SB 53, SB 243, AB 1008, Bot Disclosure, Deepfakes | Various (2025-2026) | Frontier-AI safety (SB 53), companion-chatbot safeguards (SB 243), CCPA AI coverage, bot disclosure, deepfake restrictions | $1,000-$1,000,000 per violation depending on the law | Multiple laws enacted (AB 1018 / SB 420 stalled) |
| Colorado | SB 24-205 (Colorado AI Act) | June 30, 2026 | Algorithmic-discrimination prevention, impact assessments, transparency notices | $20,000 per violation | Enacted |
| Connecticut | SB 2 | - | Comprehensive AI bill (impact assessments, anti-discrimination) | - | Failed 2025 (and 2024); expected to return |
| Delaware | None enacted | - | None (study commission created) | - | Study phase |
| Florida | Deepfake restrictions | July 1, 2025 | Political and intimate deepfake prohibitions | Criminal penalties | Enacted |
| Georgia | None enacted | - | None (proposals under consideration) | - | Legislation pending |
| Hawaii | None enacted | - | None | - | No current regulation |
| Idaho | None enacted | - | None | - | No current regulation |
| Illinois | BIPA; HB 3773 (Human Rights Act) | BIPA in effect (2008, amended 2024); HB 3773 Jan 1, 2026 | Biometric data consent and security; AI employment anti-discrimination, ZIP-code-proxy ban, employee notice | $1,000-$5,000 per violation (BIPA, private right of action) | Enacted |
| Indiana | None enacted | - | None (bills introduced) | - | Legislation pending |
| Iowa | None enacted | - | None | - | No current regulation |
| Kansas | None enacted | - | None | - | No current regulation |
| Kentucky | Limited AI disclosure | Jan 1, 2025 | Disclosure for AI-generated content in certain contexts | Civil penalties | Enacted |
| Louisiana | None enacted | - | None (study ongoing) | - | Study phase |
| Maine | None enacted | - | None (consumer-protection focus) | - | No AI-specific law |
| Maryland | None enacted | - | None (bills pending) | - | Legislation pending |
| Massachusetts | AG Guidance | April 16, 2024 | Existing consumer-protection law applies to AI | Up to $5,000 per violation (Chapter 93A) | Guidance issued |
| Michigan | None enacted | - | None (introduced bills did not pass) | - | No current regulation |
| Minnesota | Deepfake law | Aug 1, 2024 | Restrictions on deepfakes in elections and intimate imagery | Civil and criminal penalties | Enacted |
| Mississippi | None enacted | - | None | - | No current regulation |
| Missouri | None enacted | - | None | - | No current regulation |
| Montana | None enacted | - | None (bills introduced) | - | Legislation pending |
| Nebraska | LB 504 | Jan 1, 2026 (enforcement July 1, 2026) | Consumer-protection provisions for AI | $50,000 per violation (confirm) | Enacted |
| Nevada | None enacted | - | None (privacy law may extend to AI) | - | No AI-specific law |
| New Hampshire | None enacted | - | None | - | No current regulation |
| New Jersey | None enacted | - | None (multiple bills pending) | - | Legislation pending |
| New Mexico | None enacted | - | None | - | No current regulation |
| New York | NYC Local Law 144; RAISE Act | LL144 enforced July 5, 2023; RAISE Act Jan 1, 2027 | AI hiring bias audits (NYC); frontier-AI safety protocols and 72-hour incident reporting (RAISE Act) | $500-$1,500 per instance (LL144); up to $1M/$3M (RAISE Act) | NYC enacted; RAISE Act enacted Dec 19, 2025 |
| North Carolina | None enacted | - | None (study commission active) | - | Study phase |
| North Dakota | None enacted | - | None | - | No current regulation |
| Ohio | None enacted | - | None (bills introduced) | - | Legislation pending |
| Oklahoma | None enacted | - | None | - | No current regulation |
| Oregon | None enacted | - | None (bills pending) | - | Legislation pending |
| Pennsylvania | None enacted | - | None (study ongoing) | - | Study phase |
| Rhode Island | None enacted | - | None (bills introduced) | - | Legislation pending |
| South Carolina | None enacted | - | None | - | No current regulation |
| South Dakota | None enacted | - | None | - | No current regulation |
| Tennessee | ELVIS Act | July 1, 2024 | Protects voice and likeness from AI replication | Civil penalties | Enacted |
| Texas | TRAIGA (HB 149), SB 441, HB 581 | Jan 1, 2026 (TRAIGA) | Prohibited AI uses, government transparency, deepfake restrictions, platform liability | Criminal (prohibited uses); civil (platform liability) | Enacted |
| Utah | SB 149, SB 226, HB 452 | SB 149 (2024); SB 226 and HB 452 May 7, 2025 | Generative-AI disclosure (narrowed by SB 226), mental-health chatbot restrictions | Up to $2,500 per violation | Enacted |
| Vermont | None enacted | - | None (consumer-protection focus) | - | No AI-specific law |
| Virginia | VCDPA (HB 2094 comprehensive AI bill vetoed Mar 2025) | VCDPA in effect | Data-protection assessments for AI profiling; comprehensive AI framework vetoed | Up to $7,500 per violation (VCDPA) | No comprehensive AI law (VCDPA applies) |
| Washington | None enacted | - | None (active legislative interest) | - | No comprehensive law; bills active |
| West Virginia | None enacted | - | None | - | No current regulation |
| Wisconsin | None enacted | - | None (bills introduced) | - | Legislation pending |
| Wyoming | None enacted | - | None | - | No current regulation |
| District of Columbia | None enacted | - | None (bills introduced) | - | Legislation pending |
| Puerto Rico | None enacted | - | None (bills introduced) | - | Legislation pending |
| U.S. Virgin Islands | None enacted | - | None (bills introduced) | - | Legislation pending |
Key insights from the 50-state analysis:
- Geographic concentration: The most comprehensive AI regulation is concentrated in California, Colorado, Texas, New York, and Illinois---collectively a large share of the U.S. population and economy
- Common requirements emerging: Transparency and disclosure, bias testing, and impact assessments recur across multiple state frameworks
- Deepfake focus: The most common narrow regulations address deepfakes in elections and intimate imagery---a relative point of consensus across many states
- Study commissions: Several states created study commissions rather than enacting immediate legislation, which may presage more comprehensive laws in later sessions
- Privacy-law coverage: Several states (Virginia, Nevada) reach AI primarily through existing comprehensive privacy laws rather than AI-specific statutes
- Frontier-AI safety is now a category: California (SB 53) and New York (RAISE Act) have created a distinct compliance population for large frontier-model developers---a development that did not exist when many earlier surveys were written
Common Requirements Across State AI Laws
Despite their differences, several core requirements recur across state AI frameworks.
1. Transparency and Disclosure
What it requires:
- Clear notification when AI makes or substantially contributes to a consequential decision
- Disclosure of AI system capabilities and limitations
- Transparency about training-data sources and characteristics
- Publication of bias-testing results (in some jurisdictions)
Appears in: California (multiple laws), Colorado, Texas (government use), Utah, New York (employment), Nebraska
Implementation:
- User-facing notice systems (in-app notifications, website disclosures)
- Public transparency reports
- Individual decision explanations (on request or automatically)
Cost range (estimated): $20,000-$80,000 for disclosure systems; $10,000-$30,000 annually for transparency reporting
2. Bias Testing and Impact Assessments
What it requires:
- Pre-deployment testing for algorithmic discrimination
- Assessment of disparate impact by protected characteristics
- Evaluation of risks to consumer rights and safety
- Documentation of methodology and results
- Annual re-assessment of deployed systems
Appears in: Colorado, New York (employment), Virginia (data-protection assessments); proposed in Connecticut’s failed SB 2
Implementation:
- Internal testing using representative datasets
- Third-party audits by independent assessors
- Statistical analysis of selection rates and impact ratios
- Documentation systems for audit trails
Cost range (estimated):
- Internal testing: $30,000-$75,000 per system
- Third-party audits: $50,000-$150,000 per system annually
- Comprehensive program (multiple systems): $200,000-$500,000 annually
3. Human Review and Appeal Rights
What it requires:
- Opportunity for human review of AI-driven decisions
- Appeal process for adverse decisions
- Alternative selection processes (in the employment context)
- Meaningful human oversight of automated systems
Appears in: Colorado, New York (employment); proposed in Connecticut’s failed SB 2
Implementation:
- Human-in-the-loop workflows for material decisions
- Appeal submission and review processes
- Escalation procedures for overrides
- Training for human reviewers on AI limitations
Cost range (estimated): $40,000-$100,000 for appeal infrastructure; $50,000-$150,000 annually for staffing human review
4. Data Protection and Security
What it requires:
- Reasonable security measures for AI systems and training data
- Protection of personal information processed by AI
- Data minimization
- Retention limits and deletion procedures
- Breach notification
Appears in: Illinois (BIPA), Virginia (VCDPA), California (CCPA/CPRA), Massachusetts (consumer protection)
Implementation:
- Encryption of training data and model weights
- Access controls and authentication
- Regular security audits
- Incident-response procedures
- Data inventory and retention schedules
Cost range (estimated): $60,000-$150,000 for initial security infrastructure; $40,000-$100,000 annually for maintenance and audits
5. Prohibited Uses and Content Restrictions
What it requires:
- Restrictions on AI use for unlawful discrimination
- Prohibitions on deepfakes (elections, intimate imagery)
- Restrictions on biometric data collection
- Prohibitions on child-exploitation content
- Limits on AI in sensitive domains (in some states)
Appears in: Texas (prohibited AI development), Illinois (biometric restrictions), many states (deepfake laws), California (various restrictions)
Implementation:
- Use-case audits and restrictions
- Content-moderation systems (for platforms)
- Age verification and access controls
- Prohibited-use monitoring
- Legal review of deployment contexts
Cost range (estimated): $25,000-$75,000 for use-case restrictions; $100,000-$300,000 for platform content-moderation systems
6. Documentation and Recordkeeping
What it requires:
- Maintenance of impact-assessment records
- Documentation of bias-testing methodologies and results
- Records of AI system modifications and updates
- Training-data documentation
- Consumer-notice records
- Retention for regulatory inspection (often several years)
Appears in: Colorado, New York, California, Virginia
Implementation:
- Document-management systems
- Automated recordkeeping for AI decisions
- Audit-trail infrastructure
- Regular documentation reviews
Cost range (estimated): $30,000-$70,000 for documentation systems; $20,000-$50,000 annually for maintenance
Compliance Framework for Multi-State Operations
Navigating dozens of different state AI laws calls for a deliberate compliance framework that balances legal obligations, operational efficiency, and business goals. Four strategies, and a phased roadmap, follow.
Strategy 1: Adopt the Highest Common Denominator
Approach: Comply with the most stringent state requirements across all operations, creating uniform national standards.
When it works:
- Uniform products and services: When state-specific AI systems are not economical
- California operations: When serving the California market---as most national companies do---California requirements effectively become the national floor
- Enterprise customers: When major customers demand compliance with the strictest standards
- Brand positioning: When positioning as an AI-safety leader
Advantages:
- Operational simplicity: A single compliance program
- Future-proofing: Prepared for additional state laws and eventual federal action
- Positioning: A defensible “built to the strictest standard” claim
- Risk reduction: Eliminates the risk of state-specific non-compliance
Disadvantages:
- Higher costs: Paying for strict requirements even where not legally required
- Slower iteration: The most burdensome requirements may slow product development
- Overinvestment: May exceed legal requirements in many jurisdictions
Recommended for: Large AI companies, companies serving California plus many other states, enterprise-focused companies, and companies pursuing industry leadership positioning
Implementation costs (estimated):
- Initial: $300,000-$750,000 (comprehensive compliance infrastructure)
- Annual: $200,000-$500,000 (monitoring, audits, documentation, legal counsel)
Strategy 2: Tiered Compliance by State
Approach: Implement different compliance levels by jurisdiction, maintaining separate systems or processes where appropriate.
When it works:
- Distinct product lines: When different AI systems serve different markets
- Geographic targeting: When user location can be reliably identified
- Technical feasibility: When features can be geofenced or maintained in state-specific versions
- Cost sensitivity: When highest-common-denominator costs would be prohibitive
Advantages:
- Cost optimization: Pay for compliance where legally required
- Faster iteration: Deploy advanced features in less-regulated states first
- Tailored approach: Customize to specific state frameworks
Disadvantages:
- Operational complexity: Managing multiple compliance programs at once
- Technical overhead: Geofencing, state-specific features, version control
- User experience: Inconsistent features across states may confuse users
- Regulatory risk: Geolocation failures could create exposure in stricter states
Recommended for: Mid-sized AI companies, companies with distinct product lines, companies with primarily regional user bases, and cost-constrained startups
Implementation costs (estimated):
- Initial: $150,000-$400,000 (tiered infrastructure, geofencing, legal analysis)
- Annual: $100,000-$300,000 (multi-state monitoring, state-specific audits, technical maintenance)
Strategy 3: Strategic Market Selection
Approach: Limit operations to states with favorable or no AI regulation, avoiding the strictest jurisdictions.
When it works:
- Early-stage startups: Testing product-market fit with limited resources
- Niche applications: Serving specific industries with concentrated geography
- B2B focus: When customers are located in specific states
- High regulatory sensitivity: When the use case is particularly susceptible to regulation (e.g., emotion detection, biometric identification)
Advantages:
- Minimized compliance costs: Avoid the most expensive regimes
- Faster time-to-market: Launch without comprehensive compliance infrastructure
- Resource focus: Concentrate resources on product development
Disadvantages:
- Limited market access: Excluding California, New York, Texas, and Illinois forecloses a large share of the U.S. market
- Scaling challenges: Major markets must eventually be addressed
- Competitive disadvantage: National competitors gain scale advantages
- Investor concerns: Geographic limits may weigh on valuation
Recommended for: Pre-seed and seed-stage startups, companies testing novel applications, B2B companies with concentrated customer bases, and companies building toward acquisition
Implementation costs (estimated):
- Initial: $25,000-$75,000 (basic compliance for selected states, terms-of-service restrictions)
- Annual: $20,000-$60,000 (monitoring selected states, limited auditing)
Strategy 4: Compliance as Competitive Advantage
Approach: Exceed legal requirements, pursue third-party certifications, and build compliance into brand positioning.
When it works:
- Enterprise sales: When selling to highly regulated industries (healthcare, finance, government)
- Ethical-AI positioning: When targeting customers with strong AI-safety values
- Investor appeal: When raising from investors focused on responsible AI
- Talent: When recruiting researchers and engineers who prioritize safety
Advantages:
- Differentiation in a crowded market
- Customer trust through demonstrated commitment to responsible AI
- Premium pricing for certified-compliant solutions
- Risk reduction through proactive compliance
- Future-proofing for regulatory evolution
Disadvantages:
- Highest costs: Exceeding legal requirements means maximum investment
- Ongoing commitment: Certification standards must be maintained
- Competitive disclosure: Transparency requirements may reveal proprietary information
- Slower iteration: Compliance processes may slow development
Recommended for: Enterprise AI vendors, companies in regulated industries, AI-safety-focused companies, and companies pursuing premium positioning
Implementation costs (estimated):
- Initial: $500,000-$1,500,000 (comprehensive program, certifications, audit infrastructure)
- Annual: $300,000-$800,000 (continuous auditing, certification maintenance, documentation, legal counsel)
Recommended Multi-State Compliance Roadmap
Phase 1: Foundation (Months 1-3)
Objective: Establish a baseline understanding and the compliance infrastructure.
Actions:
-
Jurisdictional analysis ($15,000-$30,000 legal counsel)
- Identify all states where you deploy AI systems or serve customers
- Determine which state laws apply to your specific AI use cases
- Assess conflicting requirements and compliance gaps
-
Current-state assessment ($20,000-$50,000 internal and external audit)
- Inventory all AI systems (models, applications, uses)
- Document current compliance status by jurisdiction
- Identify high-risk systems requiring immediate attention
-
Strategy selection ($10,000-$25,000 legal and business consultation)
- Choose a compliance strategy (highest common denominator, tiered, market selection, or competitive advantage)
- Develop a multi-year roadmap
- Secure executive and board approval with budget
-
Governance structure ($15,000-$40,000 policy development)
- Designate a compliance officer or cross-functional committee
- Establish reporting lines and accountability
- Create escalation procedures
Phase 1 total (estimated): $60,000-$145,000
Phase 2: Implementation (Months 4-9)
Objective: Build compliance infrastructure and implement required systems.
Actions:
-
Transparency and disclosure systems ($30,000-$100,000)
- Develop user-facing notice systems
- Create public transparency reports
- Implement individual decision explanations
-
Bias testing and impact assessments ($75,000-$200,000)
- Design testing protocols and methodologies
- Conduct initial impact assessments for high-risk systems
- Engage third-party auditors where required
- Document results and mitigation plans
-
Human-review infrastructure ($50,000-$150,000)
- Build appeal and review processes
- Train human reviewers on AI limitations
- Implement escalation workflows
-
Data protection and security ($60,000-$150,000)
- Encrypt AI systems and training data
- Implement access controls
- Conduct security audits
- Develop incident-response procedures
-
Documentation systems ($40,000-$80,000)
- Implement document management for compliance records
- Create automated recordkeeping for AI decisions
- Establish retention schedules
Phase 2 total (estimated): $255,000-$680,000
Phase 3: Operationalization (Months 10-12)
Objective: Integrate compliance into ongoing operations.
Actions:
-
Continuous monitoring ($30,000-$80,000)
- Deploy monitoring for AI system performance
- Implement automated bias detection
- Create dashboards for compliance metrics
-
Training and awareness ($20,000-$50,000)
- Train development teams on compliance requirements
- Educate customer-facing teams on disclosure obligations
- Build a compliance culture
-
Vendor management ($15,000-$40,000)
- Audit third-party AI vendors for compliance
- Negotiate contractual compliance obligations
- Establish vendor-oversight procedures
-
Regulatory relations ($25,000-$60,000)
- Engage with state regulators proactively
- Participate in industry working groups
- Monitor emerging legislation and rulemaking
Phase 3 total (estimated): $90,000-$230,000
Year 1 total (estimated): $405,000-$1,055,000
Ongoing annual costs (Year 2 and beyond, estimated): $200,000-$600,000
- Annual impact assessments and bias testing
- Third-party audits
- Continuous monitoring and documentation
- Legal counsel and regulatory updates
- Training and awareness programs
- Vendor oversight
Federal Preemption: From a Failed Moratorium to Active Federal Pushback
When the Senate stripped the moratorium in July 2025, the open question was whether comprehensive federal legislation would eventually preempt the state patchwork. By the end of 2025, the answer had taken an unexpected form. Rather than a preemptive statute from Congress, the federal effort to displace state AI law has come from the executive branch---and it is now actively underway. This inverts the premise of the earlier debate: the federal government is, at the moment, trying to preempt the very state laws this guide maps.
The renewed---and failed---legislative moratorium push. In November 2025, supporters floated a renewed AI-preemption rider for the FY2026 National Defense Authorization Act, reviving the substance of the defeated moratorium. The rider drew bipartisan opposition---including from House Armed Services Committee leadership and several hundred state legislators---and was dropped from the NDAA text. The executive action described below followed that failure.
Executive Order 14365 (signed December 11, 2025). The order, titled in the Federal Register “Ensuring a National Policy Framework for Artificial Intelligence” and captioned by the White House “Eliminating State Law Obstruction of National Artificial Intelligence Policy,” is the centerpiece of the current federal posture. Among its directives, it:
- Directs the Attorney General to establish an AI Litigation Task Force within 30 days to challenge state AI laws on grounds including the Commerce Clause, federal preemption, and the First Amendment
- Directs the Federal Trade Commission to issue a policy statement (within 90 days) and directs Federal Communications Commission action
- Conditions certain federal funding---including BEAD broadband funding---on a state’s AI-law posture
- Tasks the development of a legislative recommendation for a preemptive federal AI framework
The order identifies carve-outs from its recommended preemption for children’s safety, AI compute and data-center infrastructure, and a state’s own procurement and use of AI. Its practical effect is to put state AI statutes---particularly the consequential-decisions and anti-discrimination frameworks---on notice that they may face federal litigation and funding pressure.18
Where federal legislation stands. Several bills remain pending in the 119th Congress, though none has advanced to a floor vote as of June 2026:
- Algorithmic Accountability Act (S. 2164) - Would require impact assessments for automated decision systems, in the same family as state frameworks
- AI Foundation Model Transparency Act (H.R. 8094) - Would impose transparency requirements on foundation-model developers
- AI Training Act - Workforce development for AI oversight
- Various sector-specific bills - Healthcare AI, law-enforcement AI, education AI
What this means for companies. The near-term federal story is attempted preemption by executive action and litigation, paired with a forthcoming federal-framework recommendation---not a comprehensive statute already in force. The practical implications:
- Do not pause state compliance in anticipation of federal relief. State obligations are live now---Texas (January 2026), Colorado (June 2026), California’s SB 53 and SB 243 (January 2026), Illinois HB 3773 (January 2026)---and the EO does not, by itself, repeal any state law. Whether and to what extent state statutes are preempted will be resolved through litigation that takes time
- Track the AG Litigation Task Force and the FTC/FCC proceedings. Which state laws are challenged first, and on what theories, will shape the risk picture for specific use cases---particularly the consequential-decisions frameworks most squarely in the order’s sights
- Watch the federal-framework recommendation. If a preemptive federal statute is proposed and advances, its scope and its carve-outs (children’s safety, infrastructure, state procurement) will determine how much of the state patchwork survives
- Constitutional litigation is now concrete, not hypothetical. Commerce Clause and First Amendment challenges to state AI laws---long discussed in the abstract---are precisely what the Litigation Task Force is directed to bring; resolution timelines will run for years
- International standards still matter. The EU AI Act entered into force on August 1, 2024; its general-purpose-AI obligations applied beginning August 2, 2025; and its high-risk obligations phase in through August 2026 and beyond. Companies building to the EU framework are partially prepared for any eventual U.S. federal standard
Practical Next Steps: What AI Companies Should Do Now
Immediate Actions (Next 30 Days)
1. Conduct a jurisdictional audit ($5,000-$15,000 internal or legal review)
Identify where you operate and which state laws apply:
- Where are your servers and infrastructure located?
- Which states do your customers reside in?
- Where do you have employees or contractors?
- Which states have laws applicable to your AI systems?
Map AI system to jurisdictions to applicable laws to compliance status.
2. Prioritize high-risk systems (internal analysis)
Focus first on the systems most likely to trigger state requirements:
- Employment decisions (hiring, promotion, termination)
- Credit, lending, and insurance underwriting
- Housing access and tenant screening
- Healthcare diagnosis or treatment recommendations
- Education admissions or student evaluation
- Law enforcement or government benefits
- Biometric identification or emotion detection
- Frontier-model development (now a distinct category under California’s SB 53 and New York’s RAISE Act)
3. Designate a compliance owner (internal resource allocation)
Assign responsibility for AI compliance to a specific person or committee:
- VP of Legal or Compliance (larger companies)
- General Counsel (mid-sized companies)
- Founder plus outside counsel (startups)
Ensure adequate budget and authority to implement compliance measures.
4. Establish legal monitoring ($2,000-$5,000 per month for updates)
Track state AI legislation---and now the federal litigation and rulemaking the executive order set in motion:
- State legislature monitoring
- Law-firm regulatory alerts
- Trade-association updates
- The AG Litigation Task Force docket and FTC/FCC proceedings
Short-Term Planning (Months 2-6)
5. Develop transparency infrastructure ($30,000-$100,000)
Build systems to provide required disclosures:
- User-facing notifications when AI makes consequential decisions
- Public transparency reports
- Individual decision explanations (on request)
- Updates as systems change
6. Implement a bias-testing program ($50,000-$150,000)
Establish testing protocols:
- Define protected characteristics and test datasets
- Conduct initial bias assessments for high-risk systems
- Document methodology and results
- Engage third-party auditors where required
- Create remediation plans for identified bias
7. Document compliance status ($15,000-$40,000)
Create comprehensive compliance documentation:
- Impact assessments for high-risk systems
- Data-protection and security measures
- Training-data sources and characteristics
- Human-oversight procedures
- Recordkeeping and retention policies
8. Update terms of service and privacy policy ($10,000-$25,000 legal drafting)
Ensure customer-facing documents address:
- AI system disclosures
- Data collection for AI training
- Consumer rights (access, deletion, opt-out)
- Biometric data handling (if applicable)
- State-specific requirements
Long-Term Positioning (Months 7-12)
9. Build compliance into product development (process integration)
Integrate compliance into the engineering workflow:
- Pre-deployment impact assessments
- Bias testing before launch
- Transparency documentation as part of release
- Security audits for new AI systems
10. Engage with regulators ($25,000-$60,000 legal counsel and participation)
Engage proactively:
- Respond to state Attorney General requests for information
- Participate in industry working groups
- Submit comments on proposed regulations
- Consider regulatory mitigation agreements (the Utah model)
11. Monitor federal developments (ongoing legal counsel)
Track both legislation and the executive-branch effort:
- Analyze pending bills and their likely path
- Assess the preemption risk created by EO 14365 and the AG Litigation Task Force
- Engage in advocacy on the shape of any federal framework
12. Consider certification ($100,000-$300,000 for third-party certification)
Pursue independent certifications if:
- Selling to enterprise customers with procurement requirements
- Seeking competitive differentiation
- Preparing for regulated-industry deployment
- Raising capital from responsible-AI-focused investors
Looking Ahead: The Future of State AI Regulation
State AI regulation is not a temporary phenomenon awaiting federal rescue---but its trajectory is now contested, because the federal executive branch has begun pushing back. The most likely near-term picture is continued state activity alongside federal litigation testing how much of that activity survives.
Trends to watch:
- Convergence on common requirements - State frameworks increasingly resemble the Colorado and California models (transparency, bias testing, impact assessments), even as some face federal challenge
- Frontier-AI safety as a distinct track - California’s SB 53 and New York’s RAISE Act have opened a category of obligation aimed specifically at large model developers; other states may follow
- Federal preemption litigation - The AG Litigation Task Force and FTC/FCC proceedings will test the constitutional limits of state AI regulation; expect multi-year resolution
- Sector-specific regulation - Targeted laws for AI in healthcare, education, law enforcement, and financial services
- Private rights of action - Continued pressure to allow private suits (the Illinois BIPA model) rather than exclusive government enforcement
- Criminal penalties - Expansion of criminal liability for prohibited AI uses (the Texas deepfake approach)
Strategic imperatives:
- Compliance is a competitive position - Companies that treat regulation as an opportunity tend to outperform those that treat it only as a burden
- Transparency builds trust - Publishing AI-safety documentation attracts customers and talent
- Federal engagement matters - With both legislation and an executive-branch preemption effort in motion, industry input on the shape of any national framework matters more, not less
- Investment in safety infrastructure pays - Durable compliance systems reduce enforcement risk and support premium positioning
The state AI regulatory patchwork is complex and operationally demanding, and it now sits atop an unsettled federal-preemption question. Companies that build durable, well-documented compliance---while tracking the federal litigation closely---will be best positioned whichever way that question resolves.
Need Multi-State AI Compliance Guidance?
Astraea Counsel advises AI companies on navigating the 50-state regulatory landscape, building efficient multi-state compliance frameworks, and positioning compliance as a competitive advantage.
Related Resources:
- California’s Frontier AI Law (SB 53) - Deep dive on the Transparency in Frontier Artificial Intelligence Act
- Federal AI Regulation Landscape - Track federal legislative and executive developments
- AI & Emerging Technology Services - Comprehensive AI legal counsel
- Regulatory Compliance Practice - Multi-jurisdictional compliance strategy
Disclaimer: This article provides general information for educational purposes only and does not constitute legal advice. AI regulation is evolving rapidly at both the state and federal levels. Consult qualified legal counsel for advice on your specific situation and compliance obligations.
Footnotes
-
California Senate Bill 53, Transparency in Frontier Artificial Intelligence Act, signed September 29, 2025; most requirements effective January 1, 2026. California Legislative Information, https://leginfo.legislature.ca.gov/; Office of Governor Gavin Newsom, https://www.gov.ca.gov/. ↩
-
California Assembly Bill 1008, amendments to the California Consumer Privacy Act, effective January 1, 2025. California Legislative Information, https://leginfo.legislature.ca.gov/. ↩
-
California Senate Bill 243, companion-chatbot safeguards, signed October 13, 2025; effective January 1, 2026 (certain provisions phasing in later). California Legislative Information, https://leginfo.legislature.ca.gov/. ↩
-
California Assembly Bill 1018 (Automated Decision Systems), placed on the inactive file September 13, 2025; carried as a two-year bill. California Legislative Information, https://leginfo.legislature.ca.gov/. ↩
-
Colorado Senate Bill 24-205, Consumer Protections for Artificial Intelligence (Colorado Artificial Intelligence Act), signed May 17, 2024; effective date moved to June 30, 2026 by Senate Bill 25B-004 (August 2025 special session). Colorado General Assembly, https://leg.colorado.gov/bills/sb24-205 and https://leg.colorado.gov/. ↩
-
Texas House Bill 149, Texas Responsible Artificial Intelligence Governance Act (TRAIGA), signed June 22, 2025; effective January 1, 2026. Texas Legislature Online, https://capitol.texas.gov/. Texas Senate Bill 441 and House Bill 581 (deepfake laws), 2025. ↩
-
New York City Local Law 144 of 2021, Automated Employment Decision Tools, effective January 1, 2023; enforcement began July 5, 2023. NYC Department of Consumer and Worker Protection, https://www.nyc.gov/. ↩
-
New York Responsible AI Safety and Education (RAISE) Act, signed December 19, 2025; effective January 1, 2027. Office of Governor Kathy Hochul, https://www.governor.ny.gov/; New York State Department of Financial Services, https://www.dfs.ny.gov/. ↩
-
Illinois Biometric Information Privacy Act, 740 ILCS 14/, enacted 2008, amended by Senate Bill 2979 (effective August 2024). Illinois General Assembly, https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004. ↩
-
In re Clearview AI, Inc. Consumer Privacy Litigation, N.D. Ill.; final approval of settlement entered March 20, 2025 (approximately $51.75 million in value, structured as an approximately 23% equity stake in the class, with a five-year bar on access by Illinois state and local agencies). ↩
-
Illinois House Bill 3773, amendments to the Illinois Human Rights Act addressing artificial intelligence in employment, effective January 1, 2026. Illinois General Assembly, https://www.ilga.gov/. ↩
-
Connecticut Senate Bill 2, “An Act Concerning Artificial Intelligence”; passed the Senate but failed in the House in 2025 (and previously failed in 2024). Connecticut General Assembly, https://www.cga.ct.gov/. ↩
-
Massachusetts Office of the Attorney General, Advisory on the application of the Massachusetts Consumer Protection Act to artificial intelligence, April 16, 2024. https://www.mass.gov/. ↩
-
Utah Senate Bill 149, Artificial Intelligence Policy Act (2024); House Bill 452, AI-supported mental-health chatbot regulations, effective May 7, 2025. Utah State Legislature, https://le.utah.gov/. ↩
-
Utah Senate Bill 226 (2025), amendments narrowing the generative-AI disclosure trigger of the Artificial Intelligence Policy Act, effective May 7, 2025. Utah State Legislature, https://le.utah.gov/. ↩
-
Virginia House Bill 2094, High-Risk Artificial Intelligence Developer and Deployer Act, vetoed by Governor Glenn Youngkin on March 24, 2025 (veto not overridden). Virginia Legislative Information System, https://lis.virginia.gov/. ↩
-
Washington State Legislature, AI-related bills introduced in recent sessions. https://leg.wa.gov/. ↩
-
Executive Order 14365, “Ensuring a National Policy Framework for Artificial Intelligence” (White House caption “Eliminating State Law Obstruction of National Artificial Intelligence Policy”), signed December 11, 2025. The White House, https://www.whitehouse.gov/; Federal Register, https://www.federalregister.gov/. ↩