U.S. State AI Laws

The Patchwork Problem

The United States has no federal law that comprehensively regulates artificial intelligence. Congress has held hearings and introduced bills, but nothing has passed. In the absence of federal action, states have stepped in, each with their own approach, definitions, and enforcement mechanisms.

This creates a patchwork. A company operating in multiple states may face different disclosure requirements, different definitions of automated decision-making, and different penalties depending on where its customers or employees are located. For organizations deploying AI at scale, this is one of the most challenging compliance environments in the world.

The pace is accelerating rapidly. According to the National Conference of State Legislatures, all 50 states, Puerto Rico, the Virgin Islands, and Washington, D.C. introduced AI-related legislation in the 2025 legislative session, and 38 states adopted or enacted around 100 measures. Some of these bills target narrow use cases like deepfakes or AI in elections. Others, like Colorado's original SB 24-205 and its 2026 replacement SB 26-189, regulate automated decision tools used in high-stakes decisions about people. Understanding which laws apply to your organization requires tracking legislation across every state where you do business.

This guide covers the most significant state-level AI laws that are enacted or in effect, the common themes across them, and practical steps for building a multi-state compliance strategy.

State-by-State Quick Reference

The table below summarizes the major state and local AI laws covered in detail on this page. It focuses on enacted laws and the most significant pending proposals — it is a starting point, not an exhaustive list. For day-to-day tracking across all 50 states, the NCSL AI Legislation Tracker (opens in new tab) is the most current public resource.

Colorado SB 26-189: ADMT Rules for Consequential Decisions

Colorado remains one of the most important state AI law jurisdictions, but the compliance target changed materially in May 2026. Colorado originally passed SB 24-205, the Colorado Artificial Intelligence Act, in 2024. That law would have created a broad high-risk AI framework with risk management, impact assessment, public statement, and algorithmic-discrimination obligations. Before that framework took effect, Colorado passed and signed SB 26-189, Automated Decision-Making Technology, on May 14, 2026.

SB 26-189 repeals and reenacts the prior Colorado AI Act framework. The new law is narrower and more operational. It focuses on automated decision-making technology, or ADMT, that processes personal data and materially influences consequential decisions about people. The effective date for the new framework is January 1, 2027.

The practical question is now: are you using computation over personal data to generate a prediction, recommendation, classification, ranking, score, or similar output that materially influences access to employment, housing, financial or lending services, insurance, healthcare, education, or essential government services? If yes, Colorado may expect notices, records, data access and correction, adverse-outcome explanations, and meaningful human review.

Covered ADMT

The new law focuses on automated decision-making technology that processes personal data and generates outputs used to make, guide, or assist consequential decisions. It is not limited to generative AI; scoring models, ranking systems, screening tools, and recommendation systems can all be covered.

Materially Influences

Coverage turns on whether the ADMT output meaningfully affects the outcome. A tool used only for drafting, formatting, analytics, or quality control is lower risk. A tool that affects who gets a job interview, loan offer, insurance outcome, healthcare access, education opportunity, or public benefit needs review.

Covered Domains

The law targets consequential decisions in education, employment, housing, financial or lending services, insurance, healthcare services, and essential government services. The original SB 24-205 framing around broad high-risk AI systems is no longer the right starting point.

Developer Documentation

Developers of covered ADMT must provide deployers with information about intended uses, training-data categories, known limitations, appropriate use, human review, and material updates or modifications.

Deployer Duties

Deployers must give clear notices, provide plain-language descriptions after adverse outcomes, support access and correction of personal data used by covered ADMT, offer meaningful human review and reconsideration, and retain compliance records.

Enforcement

Enforcement remains with the Colorado Attorney General through the Colorado Consumer Protection Act. The law does not create a new private right of action, and the Attorney General generally must provide notice and an opportunity to cure if cure is possible.

Texas TRAIGA: In Effect Since January 1, 2026

Governor Greg Abbott signed HB 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), on June 22, 2025. It took effect on January 1, 2026, making Texas one of the first states with a broad AI governance statute in force.

TRAIGA is different in character from Colorado's law. Colorado regulates automated decision-making technology used in consequential decisions. TRAIGA is narrower and more intent-based — it targets purposeful misuse of AI rather than high-risk categories. Most of its prohibitions only bite if a developer or deployer acts with intent.

Applicability is broad in scope: TRAIGA applies to anyone who promotes or conducts business in Texas, produces a product or service used by Texas residents, or develops or deploys an AI system in Texas. Enforcement is exclusively by the Texas Attorney General — there is no private right of action, and the AG must give notice and an opportunity to cure before bringing an action.

Prohibited Uses

Categorical bans on AI systems developed or deployed with intent to manipulate behavior to encourage self-harm or criminal activity, unlawfully discriminate against protected classes, generate child sexual abuse material or unlawful deepfakes, or infringe constitutional rights. Most prohibitions include an intent requirement.

Government Use Disclosure

Government agencies that use AI to interact with consumers must disclose that fact before or at the time of the interaction — even if the AI is obvious. Government social scoring and biometric identification (fingerprint, iris, voiceprint) are banned outright, except for routine photos and audio.

Healthcare Disclosure

Healthcare providers must disclose AI use to patients. Private employers are not subject to the same disclosure requirement under TRAIGA (a notable contrast with Colorado and Illinois).

Penalties

Civil penalties range from $10,000 to $200,000 per violation depending on curability, or $2,000 to $40,000 per day for continued violations. The AG must provide notice and a cure period before bringing an action.

NIST AI RMF Defense

TRAIGA rewards organizations that substantially comply with NIST's Generative AI Profile or another recognized AI risk management framework through its enforcement defenses and reasonable-care structure. This is one of the most concrete examples of a state law giving practical value to NIST adoption.

Regulatory Sandbox (First in the Nation)

TRAIGA establishes a first-in-the-nation state AI regulatory sandbox, administered by the Texas Department of Information Resources. Approved participants can test AI systems for up to 36 months without obtaining standard state licenses, and the AG cannot pursue enforcement actions for violations of waived state laws during that window. Core prohibitions still apply. Participants must submit a detailed application, a benefit assessment, a mitigation plan, and file quarterly and annual reports.

Texas AI Advisory Council

TRAIGA establishes a seven-member Texas AI Advisory Council that advises on AI governance, the sandbox program, ethics, and public safety. The Council runs training programs for state agencies but cannot promulgate binding rules.

California TFAIA: Frontier AI Transparency Rules

California Governor Gavin Newsom signed SB 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA), on September 29, 2025. It took effect on January 1, 2026. TFAIA is the first U.S. state law targeting the largest AI model developers specifically, rather than deployers of AI across sectors.

The scope is narrow but the impact is high. TFAIA applies to a small number of frontier developers — companies training foundation models using more than 10^26 FLOPs of compute — and imposes additional obligations on large frontier developers whose group annual revenue exceeds $500 million. In practice this captures roughly five to eight companies (OpenAI, Anthropic, Google DeepMind, Meta, Microsoft, and a handful of others).

TFAIA is not limited to California-based developers. California applies the law to any frontier developer whose products are sold into or used within the state, on the same "sufficient contacts" theory the state uses for its other consumer protection laws. Enforcement is exclusively by the California Attorney General, with civil penalties up to $1 million per violation.

TFAIA sits alongside two other California AI laws that took effect the same day: AB 2013 (GAI Training Data Transparency Act) and SB 942 (AI Transparency Act). Together they form California's most comprehensive AI regulatory package to date.

Transparency Reports (All Frontier Developers)

Before or at the time of launching a new or substantially modified frontier model, developers must publish a transparency report covering the model release date, supported languages, and intended use. A sufficient model card counts. Redactions are permitted for trade secrets, cybersecurity, public safety, and national security — but must be described, justified, and the unredacted version retained for five years.

Frontier AI Framework (Large Developers Only)

Large frontier developers must publish a Frontier AI Framework on their website detailing the technical and organizational measures in place to assess, manage, and mitigate catastrophic risks. The framework must be reviewed and updated at least annually, cover alignment with national and international standards, include third-party risk assessments, and describe cybersecurity measures protecting unreleased model weights. Material changes require public justification within 30 days.

Critical Safety Incident Reporting

Frontier developers must report critical safety incidents to the California Office of Emergency Services (Cal OES) within 15 days of discovery. If the incident poses imminent risk of death or serious physical injury, notification to law enforcement or public safety agencies is required within 24 hours. "Critical safety incident" includes unauthorized access to model weights, catastrophic risk materialization, loss of control causing death or injury, and models using deceptive techniques to subvert developer controls.

Catastrophic Risk Assessment

TFAIA defines "catastrophic risk" as a foreseeable material risk that a frontier model could contribute to the death or serious injury of 50+ people or cause $1 billion+ in damages — from weapons of mass destruction assistance, autonomous criminal conduct or cyberattacks, or a model evading developer/user control. Large frontier developers must confidentially submit catastrophic risk assessments to Cal OES.

Whistleblower Protections

Employers cannot retaliate against employees or contractors who report catastrophic risks. Notices must be posted in the workplace and provided annually to employees responsible for risk assessment. Anonymous reporting channels are required.

Annual Scope Review

The California Department of Technology must annually assess the 10^26 FLOPs threshold and the $500 million large-developer definition, and recommend updates to the legislature. The scope is expected to evolve as compute and revenue thresholds shift with industry growth.

New York RAISE Act: Frontier AI Safety, Aligned With California

On March 27, 2026, Governor Kathy Hochul signed the final, amended version of the Responsible AI Safety and Education Act (RAISE Act) — New York's frontier AI law — after 2026 chapter amendments reshaped the bill she first signed in December 2025. It takes effect January 1, 2027, making New York the second state, after California, to regulate the developers of the largest AI models specifically.

The amendments deliberately aligned the RAISE Act's scope with California's TFAIA: it covers frontier developers training foundation models above 10^26 operations, with the heaviest duties on large frontier developers whose annual revenue exceeds $500 million — roughly the same five to eight companies. Like California, it reaches any covered developer whose models operate in whole or in part in the state. Enforcement is led by the New York Attorney General (civil penalties up to $1 million for a first violation and $3 million for subsequent ones), with a dedicated office in the Department of Financial Services (DFS) handling disclosure filings. There is no private right of action.

Where New York goes further than California is in speed and substance: a 72-hour critical-incident reporting clock (versus California's 15 days) and an explicit duty not to deploy a frontier model that creates an unreasonable risk of critical harm.

Frontier AI Framework (Large Developers)

Large frontier developers must write, follow, and publicly publish a frontier AI framework describing how they assess and mitigate catastrophic risk — including risk thresholds and mitigations, third-party assessments, cybersecurity protecting unreleased model weights, internal governance, and incident response. The framework must be reviewed and updated at least annually, with unredacted copies and version history retained for the deployment period plus five years.

Transparency Reports

Before deploying a new frontier model, developers must publish a transparency report — which may live in a model or system card — covering contact information, release date, supported languages and output modalities, intended uses, usage restrictions, and (for large developers) a summary of the catastrophic-risk assessment. A redacted framework is also transmitted to the Attorney General and the Division of Homeland Security and Emergency Services.

Critical Safety Incident Reporting (72 Hours)

Developers must report critical safety incidents to state authorities within 72 hours of determining one has occurred, or within 24 hours when an incident poses an imminent risk of death or serious physical injury. Large developers also file quarterly summaries of catastrophic risk arising from their own internal use of frontier models.

No Unreasonable Critical-Harm Deployment

A large frontier developer may not deploy a frontier model if doing so would create an unreasonable risk of critical harm. This turns the published framework into a deployment condition, not just a disclosure — a step beyond California's transparency-focused approach.

Critical Harm Definition

A foreseeable, material risk that a single frontier-model incident causes the death of or serious injury to more than 50 people, or more than $1 billion in property damage — through expert-level chemical, biological, radiological, or nuclear weapons assistance, autonomous criminal conduct without meaningful human intervention, or a model evading developer or user control. The 2026 amendments aligned this definition with California's.

What Deployers Should Take From It

The RAISE Act does not regulate businesses that merely use AI. But it covers the largest model vendors, so the frameworks, transparency reports, and incident practices it brings into the open are useful inputs for vendor due diligence and a free reference for building your own AI governance documentation.

Illinois: AI in Hiring and Biometric Data

Illinois was one of the earliest states to regulate AI, and it remains one of the most active. Two laws are particularly important for organizations using AI: the Artificial Intelligence Video Interview Act (AIVIA) and the Biometric Information Privacy Act (BIPA).

AIVIA (effective January 1, 2020) applies to employers that use AI to analyze video interviews of job applicants. It was one of the first laws anywhere to directly regulate AI in employment. The law requires employers to notify applicants before the interview that AI will be used to analyze their video, explain how the AI works and what characteristics it evaluates, and obtain the applicant's written consent. Applicants have the right to request deletion of their video within 30 days, and employers must comply. If the applicant does not consent, the employer cannot use AI analysis on that interview.

BIPA (2008, but increasingly relevant to AI) is not an AI law per se, but it has major implications for AI systems that use biometric data — particularly facial recognition, voiceprint analysis, and fingerprint scanning. BIPA requires informed written consent before collecting biometric identifiers, a publicly available data retention and destruction policy, and restrictions on selling or disclosing biometric data.

BIPA is notable for its private right of action. Individuals can sue for $1,000 per negligent violation and $5,000 per intentional or reckless violation. Class action lawsuits under BIPA have resulted in settlements exceeding $600 million. Any AI system that processes biometric data on Illinois residents must comply with BIPA, regardless of where the company is based.

Illinois took another significant step in August 2024 when Governor Pritzker signed HB 3773 (Public Act 103-0804), which amends the Illinois Human Rights Act to address AI in employment. The law makes it a civil rights violation to use AI for employment decisions without providing notice to employees, or to use AI in a manner that results in discrimination against members of protected classes. This extends Illinois's AI regulation beyond video interviews to cover AI-assisted employment decisions more broadly.

Illinois continues to consider additional automated decision-making legislation. Proposed bills would extend AI transparency and impact assessment requirements beyond hiring to other high-stakes domains, signaling that Illinois will remain at the forefront of state AI regulation.

NYC Local Law 144: Bias Audits for Hiring AI

New York City's Local Law 144 took effect on July 5, 2023, making it one of the first enforceable AI-specific laws in the United States. The law targets Automated Employment Decision Tools (AEDTs) — any computational process derived from machine learning, statistical modeling, data analytics, or AI that substantially assists or replaces discretionary decision-making in hiring or promotion.

The law applies to employers and employment agencies that use AEDTs for candidates or employees in New York City. It does not matter where the employer is headquartered — if the tool is used on NYC candidates, the law applies.

Annual Bias Audit

Employers must commission an independent bias audit of the AEDT at least once per year. The audit must be conducted by an independent auditor who is not involved in developing or deploying the tool. The audit must assess the tool's impact across race/ethnicity and sex categories, calculating selection rates and impact ratios.

Public Disclosure

A summary of the most recent bias audit results must be made publicly available on the employer's website. The summary must include the date of the audit, the selection rates and impact ratios for each category, and the source and explanation of the data used.

Candidate Notification

Employers must notify candidates at least 10 business days before using an AEDT. The notice must specify that an AEDT will be used, the job qualifications and characteristics the tool assesses, and information about the data sources. Candidates in NYC can request an alternative selection process or accommodation.

Enforcement

The NYC Department of Consumer and Worker Protection (DCWP) enforces the law. Penalties range from $500 for a first violation to $1,500 for subsequent violations per instance. Each failure to provide required notice to a candidate constitutes a separate violation.

Impact and Criticism

Local Law 144 has been both praised and criticized. Supporters say it brings transparency to a process that affects millions of job seekers. Critics argue the law is too narrow — it only covers hiring and promotion, not other consequential AI decisions — and that the bias audit methodology is not rigorous enough. Regardless, it established a precedent that other cities and states are now following.

Other State and Local AI Laws

Beyond Colorado, Illinois, and New York City, a growing number of states have enacted or are actively considering AI legislation. Below is an overview of the most significant developments. This is not exhaustive — the legislative landscape changes monthly.

Several other states — including Massachusetts, Minnesota, Oregon, and Georgia — have introduced or are developing AI-related legislation. The pace is such that any static list becomes outdated within months. Organizations operating in multiple states should monitor the NCSL AI Legislation Tracker (opens in new tab) for current developments.

Common Themes Across State AI Laws

Despite the patchwork, clear patterns are emerging across state AI legislation. Understanding these themes helps organizations build compliance programs that will hold up as more states act.

• ●Transparency and disclosure. Nearly every state AI law requires organizations to tell people when AI is being used in decisions that affect them. The specifics vary — some require disclosure before the interaction, others after — but the principle is universal.
• ●Impact assessments and decision records. Connecticut and several proposals require formal impact assessments for high-risk AI systems. Colorado's 2026 ADMT law moved away from mandatory impact assessments, but still expects records, notices, data-correction processes, and human-review workflows for covered consequential decisions.
• ●Focus on high-risk decisions. States are not trying to regulate all AI. The consistent focus is on AI used in decisions with significant consequences: employment, lending, insurance, housing, healthcare, education, and legal services. Low-risk uses like spam filters or autocomplete are generally unaffected.
• ●Bias auditing. NYC's bias audit requirement for hiring tools is being studied by other jurisdictions. The expectation that AI systems should be independently tested for discriminatory outcomes is becoming mainstream.
• ●Consumer rights. Multiple laws give individuals the right to know when AI is used in decisions about them, to access information about how the system works, to correct inaccurate data, and in some cases to opt out of automated decision-making entirely.
• ●Shared responsibility between developers and deployers. State AI laws increasingly split obligations between the companies that build AI systems and the companies that use them. Developers provide documentation and update notices; deployers implement the consumer-facing notices, review processes, and records.
• ●Reference to federal standards. Texas TRAIGA points to NIST's Generative AI Profile and other recognized AI risk frameworks in its enforcement defenses, and state proposals continue to reference recognized AI risk frameworks. Tying state compliance to existing federal frameworks simplifies implementation for organizations that have already adopted NIST.
• ●No private right of action (mostly). With the notable exception of Illinois BIPA, most state AI laws are enforced by state attorneys general rather than through private lawsuits. This may limit individual enforcement but concentrates regulatory action.

Multi-State Compliance Challenges and Federal Preemption Risk

For organizations that operate across state lines — which includes most businesses with an online presence — the current state of AI regulation creates real practical problems. And a complication has been unfolding since late 2025: federal preemption pressure.

Federal preemption pressure. On December 11, 2025, President Trump signed an executive order titled "Ensuring a National Policy Framework for AI" that directly targets the state AI regulatory patchwork. The order established a DOJ AI Litigation Task Force (stood up by AG Bondi on January 9, 2026) tasked with challenging state AI laws on interstate commerce, preemption, and other grounds. By early June 2026, the Justice Department had intervened in xAI's challenge to Colorado's original SB 24-205 rather than filing a standalone task-force lawsuit. On March 20, 2026, the White House released its National Policy Framework for AI, a set of legislative recommendations covering seven areas (child safety, communities, IP, censorship, innovation, workforce, and state preemption). The Framework is non-binding but is shaping the federal legislative agenda. Constitutional scholars have noted that Congress — not the executive branch — has the exclusive power to preempt state law, so an executive order alone has limited strength. This creates major uncertainty for organizations investing in state-level compliance; laws they are preparing for may face federal challenges before they are fully enforced.

Conflicting definitions. States define key terms differently. What counts as an "automated decision tool" in New York City is not the same as what qualifies as covered ADMT in Colorado or prohibited AI under Texas TRAIGA. An AI system might trigger obligations in one state but not another, even though it does the same thing.

Overlapping requirements with different timelines. Some states require impact assessments. Others, like Colorado after SB 26-189, focus more on notice, records, data correction, and human review. If a company deploys the same AI system in both states, it may need separate assessments or a combined approach that satisfies both. Timing requirements for consumer notifications also differ.

Monitoring the legislative landscape. With over 1,200 AI bills introduced across all 50 states in 2025 alone, keeping track of what has passed, what is pending, and what has been signed is a significant operational burden. Laws can move quickly — a bill introduced in January can be signed by June.

Enforcement uncertainty. Many of these laws are new, and enforcement patterns have not yet been established. Organizations face the challenge of interpreting vague statutory language without the benefit of regulatory guidance or case law. The federal preemption threat adds another layer — organizations may invest in compliance with state laws that are subsequently struck down or preempted.

Resource constraints. Compliance requires legal analysis, technical assessment, documentation, and ongoing monitoring. For smaller organizations that lack dedicated compliance teams, meeting the requirements of even one state law can be demanding. Meeting the requirements of several simultaneously is a significant undertaking.

What Organizations Should Do

The patchwork is not going away soon, though federal preemption pressure continues to create uncertainty. Even if federal action eventually preempts some state laws, organizations that have built compliance programs around frameworks like NIST AI RMF will be well-positioned regardless of how the federal-state dynamic resolves. Building a compliance strategy now is both a legal necessity and a competitive advantage.

• ●Map your AI footprint. Inventory every AI system your organization develops or uses. For each one, document what it does, what data it processes, what decisions it influences, and where those decisions affect people geographically.
• ●Identify your highest-risk systems first. Focus initial compliance efforts on AI systems used in consequential decisions — hiring, lending, insurance, housing, healthcare, education, and legal services. These are the domains every state law targets.
• ●Adopt NIST AI RMF as your baseline. The NIST AI Risk Management Framework is voluntary at the federal level, but Texas TRAIGA gives practical enforcement value to substantial compliance with NIST's Generative AI Profile or another recognized AI risk framework, and other state laws or proposals continue to use NIST as a recognized baseline. Building your governance program around NIST gives you a defensible foundation that aligns with where regulation is heading.
• ●Build bias auditing into your process. Whether or not your state requires it yet, establishing regular independent audits of your AI systems for discriminatory outcomes is becoming a standard expectation. Start before you are required to.
• ●Implement consumer disclosure now. Transparency is the single most consistent requirement across all state AI laws. If your AI system affects decisions about people, build notification and disclosure mechanisms into the product. It is cheaper to build these in from the start than to retrofit them later.
• ●Create a legislative monitoring process. Assign someone — or subscribe to a service — to track AI legislation in every state where you operate. The NCSL tracker is a good starting point. Review new developments at least quarterly.
• ●Document everything. Impact assessments, risk management policies, audit results, consumer notices, and internal decisions about AI deployment should all be documented. Documentation is both a compliance requirement under most laws and your best defense in an enforcement action.
• ●Engage your vendors. If you use third-party AI tools, you need documentation from those vendors about how their systems work, what data they use, what limitations they have, and what risks they present. Colorado's ADMT law and the EU AI Act both make vendor documentation a practical requirement. Start requesting it now.
• ●Plan for the strictest standard. When requirements conflict across states, consider building your compliance program to the most demanding standard. This is more work upfront but avoids the complexity of maintaining different compliance postures for different jurisdictions.

Timeline

Source Documents