US State AI Laws 2026: The Multi-State Compliance Map

US state AI laws 2026 present a compliance surface that no single framework anticipated. A general counsel at a mid-market SaaS company pulled up the regulatory tracker in January 2026. Colorado’s AI Act: effective June 30, 2026. Texas TRAIGA: already in effect. California’s three AI laws: live. Illinois employment AI restrictions: live. New York’s RAISE Act: signed, effective 2027. Five states. Four different regulatory models. Zero federal coordination. The compliance team had budgeted for one state AI law. They now face a compliance surface that spans algorithmic discrimination, training data transparency, frontier model safety protocols, and sector-specific disclosure mandates across jurisdictions that do not agree on definitions, obligations, or enforcement mechanisms.

That company is not an outlier. The 2025 state legislative session produced 1,208 AI bills across all 50 states, with 145 enacted into law [NCSL AI Legislation Database, 2025]. By early February 2026, another 240 bills were already introduced, on pace to exceed 2025 [MultiState.ai, February 2026]. The fragmentation is accelerating. States are not waiting for Congress. They are not coordinating with each other. And the December 2025 Executive Order signaling federal preemption has no legal force until Congress acts or courts rule.

Three regulatory archetypes have emerged from the state-level activity. Each archetype creates different obligations, different penalties, and different compliance strategies. The organizations mapping these archetypes now are building multi-state compliance architectures. The ones waiting for clarity will build under deadline pressure when the next enforcement action lands.

The Three Regulatory Archetypes Shaping State AI Law

US state AI laws 2026 are not random. Three distinct regulatory archetypes have crystallized from the 1,208 bills introduced in 2025, and each archetype reflects a fundamentally different theory of AI harm [NCSL AI Legislation Database, 2025]. The standards-based archetype (Colorado, Texas) treats AI risk as a governance problem: require risk management frameworks, create safe harbors for compliant organizations, enforce through attorney general actions. The transparency-focused archetype (California, New York) treats AI risk as an information problem: mandate disclosures about model capabilities, training data, and incidents. The sector-specific archetype (Illinois, Utah, Tennessee) treats AI risk as a domain problem: target specific harms in employment, consumer interactions, or creative rights. Understanding which archetype governs which obligation determines how you build a multi-state compliance architecture.

What defines the standards-based archetype?

Colorado and Texas represent the standards-based model. Both laws create broad obligations for organizations deploying high-risk AI systems, and both offer NIST AI RMF as a safe harbor. Colorado’s AI Act (SB 24-205), effective June 30, 2026, requires deployers to implement risk management policies, conduct annual impact assessments, notify consumers before consequential decisions, and provide human appeal processes [Colorado SB 24-205]. Texas TRAIGA, effective January 1, 2026, prohibits AI systems designed to discriminate or infringe constitutional rights, requires government disclosure of AI interactions, and mandates healthcare AI disclosure [Texas TRAIGA, 2025].

The critical feature: both statutes provide affirmative defenses tied to recognized frameworks. Colorado names NIST AI RMF and ISO 42001. Texas references NIST AI RMF including the GenAI Profile. The NIST AI RMF affirmative defense creates a legal protection mechanism that rewards organizations investing in governance infrastructure. This is the archetype most likely to replicate in future state legislation because it balances regulatory intent with compliance feasibility.

What defines the transparency-focused archetype?

California and New York lead the transparency archetype, targeting disclosure rather than operational requirements. California enacted three separate AI laws effective in 2025-2026. SB 53 (Transparency in Frontier AI Act) requires developers of frontier models trained on more than 10^26 FLOPs to publish safety frameworks, file transparency reports, and report incidents to the California Office of Emergency Services within 15 days, or 24 hours for imminent threats. Penalties reach $1 million per violation [California SB 53, September 2025]. AB 2013 requires generative AI developers to disclose training data sources, including copyrighted materials and personal information, covering systems released since January 1, 2022 [California AB 2013]. SB 942 requires providers with over 1 million monthly California users to offer free AI detection tools and embed both visible and hidden metadata disclosures, with penalties of $5,000 per violation [California SB 942].

New York’s RAISE Act, signed December 19, 2025, applies to frontier models meeting the same 10^26 FLOPs threshold and developers with over $500 million in revenue. The law requires safety protocol publication and 72-hour incident reporting. Penalties start at $1 million for first violations and reach $3 million for subsequent ones [New York RAISE Act, December 2025]. The transparency archetype creates fewer operational obligations than the standards-based model but imposes significant disclosure burdens on the largest AI developers.

What defines the sector-specific archetype?

Illinois HB 3773, effective January 1, 2026, amends the Illinois Human Rights Act to prohibit employer use of AI systems that produce discriminatory effects in recruitment, hiring, promotion, discharge, discipline, or terms of employment, even if the discrimination is unintentional [Illinois HB 3773, 2025]. Employers must notify employees and applicants of AI use and cannot use zip codes as proxies for protected classes. Illinois is the only major state AI law that provides a private right of action, allowing individual employees and applicants to bring claims for actual damages, civil penalties, and attorneys’ fees through the Illinois Department of Human Rights [Seyfarth Shaw, 2025].

Utah’s AI Policy Act (SB 149), effective since May 2024 and amended in March 2025, takes a lighter approach. Regulated occupations must prominently disclose AI use. All others must disclose only if asked. Utah created the first state AI regulatory sandbox (the AI Learning Lab), offering two-year mitigation periods for participating companies. Penalties run $2,500 per violation with no private right of action [Utah SB 149; Utah SB 226]. Tennessee’s ELVIS Act, effective July 2024, addresses a narrower harm: AI voice cloning and unauthorized use of likeness. It expands the right of publicity to cover AI-generated voice simulations, with both civil and criminal penalties [Tennessee ELVIS Act, 2024].

The State Law Overlap Matrix: Where Obligations Stack

Multi-state compliance gets difficult at the intersections. An organization deploying AI across Colorado, Texas, California, Illinois, and Utah faces overlapping obligations that do not align cleanly. Seven obligation categories appear across state laws: risk management programs, impact assessments, consumer notification, algorithmic discrimination protections, training data transparency, incident reporting, and NIST AI RMF safe harbors. Only two states require risk management programs (Colorado, Texas). Only one requires impact assessments (Colorado). Consumer notification takes different forms in five states. Incident reporting timelines range from 15 days (California SB 53) to 90 days (Colorado).

Where do state AI obligations overlap?

Where do state AI laws conflict?

Three conflict zones create compliance friction for multi-state organizations. First, incident reporting timelines. Colorado requires reporting algorithmic discrimination to the AG within 90 days. California SB 53 requires frontier model incident reporting within 15 days (or 24 hours for imminent threats). An incident affecting users in both states triggers two different reporting obligations with two different timelines to two different authorities. Organizations must build to the shortest deadline and file separately with each jurisdiction.

Second, notification scope and timing. Colorado requires pre-decision consumer notification with five specific elements. Texas mandates disclosure of AI interactions for government entities and healthcare providers. Illinois requires employee notification of AI use in employment decisions. Utah requires disclosure when asked. The triggers, content requirements, and timing differ across all four. A national employer using AI in hiring decisions must simultaneously satisfy Colorado’s pre-decision notification (if applicants are in Colorado), Illinois’s employment notification (for Illinois applicants), and Utah’s disclosure-on-request (for Utah applicants).

Third, enforcement asymmetry. Illinois is the only enacted state AI law providing a private right of action. Every other state limits enforcement to the AG or a designated agency. An AI hiring tool that produces discriminatory outcomes creates regulatory exposure in Colorado and Texas (AG enforcement, cure period available) and litigation exposure in Illinois (private claims, no cure period). The same tool, the same defect, but fundamentally different legal risks depending on the employee’s state.

Will Federal Preemption Override State AI Laws?

The December 11, 2025 Executive Order titled “Ensuring a National Policy Framework for Artificial Intelligence” launched five mechanisms aimed at overriding state AI laws [White House EO, December 2025]. The DOJ AI Litigation Task Force, created January 9, 2026, is charged with challenging state laws on interstate commerce and preemption grounds. The FCC opened a proceeding on federal AI reporting standards. The FTC issued a policy statement on preempting state laws that require alteration of “truthful outputs.” The Commerce Department was directed to identify burdensome state laws by March 11, 2026 for Task Force referral. Colorado is expected high on that list. A legislative proposal for a federal AI framework was ordered. Five mechanisms. Zero binding legal authority as of March 2026.

Does the Executive Order preempt state AI laws?

No. Executive orders direct federal agencies. They do not override state law. The legal analysis from Ropes & Gray (March 2026) identifies four structural weaknesses in the preemption theory: executive orders lack the force of law, no federal AI regulatory scheme exists for state laws to conflict with, Congress has not authorized preemption in any AI-related legislation, and Dormant Commerce Clause challenges face a high evidentiary bar when states are regulating within traditional police powers like consumer protection and employment [Ropes & Gray, March 2026]. The FTC’s own posture confirms the gap. The agency set aside the Rytr consent order on December 22, 2025, and its Consumer Protection Director stated there is “no appetite for anything AI-related” in rulemaking as of January 27, 2026 [Baker Botts, January 2026].

State laws remain enforceable until a court issues an injunction or Congress passes preemptive legislation. Neither has happened. Neither is imminent.

How should organizations factor preemption risk into compliance planning?

The strategic error is waiting. Organizations pausing compliance programs pending federal action face two bad outcomes. If preemption fails (the most likely scenario based on current legal analysis), they have lost months of preparation time with enforcement dates unchanged. If preemption succeeds, a federal framework will almost certainly require the same governance infrastructure: risk management, documentation, transparency, and incident response. The NIST AI RMF is the federal government’s own AI risk framework. Any federal AI standard will draw from it.

The practical approach: build your compliance architecture as if state laws will stand. If federal preemption eventually applies, your risk management infrastructure retains value for federal procurement, EU AI Act preparation, insurance positioning, and governance maturity. The organizations with the strongest position in either scenario are the ones already implementing.

Building a Multi-State AI Compliance Architecture

A unified compliance framework beats state-by-state implementation on cost, consistency, and auditability. The architecture starts with NIST AI RMF as the structural backbone. NIST AI RMF is the only framework explicitly named as a safe harbor in enacted state AI laws (Colorado and Texas), the federal government’s own AI risk standard, and a framework that maps to both ISO 42001 and the EU AI Act Article 9 requirements [NIST AI 100-1; Colorado SB 24-205; Texas TRAIGA]. Building on NIST AI RMF creates a single governance infrastructure that satisfies the standards-based archetype, provides documentation for the transparency archetype, and generates the audit evidence the sector-specific archetype demands. Three archetypes. One framework. The efficiencies compound with every new state law.

How does NIST AI RMF serve as the multi-state compliance backbone?

The four core functions of NIST AI RMF (Govern, Map, Measure, Manage) map to obligations across every enacted state AI law. Govern produces the risk management policies Colorado and Texas require and the safety frameworks California SB 53 mandates. Map generates the risk identification and classification documentation that supports Colorado’s impact assessment and the demographic analysis Illinois’s anti-discrimination provisions demand. Measure creates the bias testing, fairness metrics, and monitoring evidence that proves compliance with algorithmic discrimination requirements in Colorado, Texas, and Illinois. Manage builds the incident response, remediation, and cure documentation that satisfies reporting obligations in Colorado and California while building the cure-period evidence Colorado and Texas require.

An organization implementing all four functions with documentation mapped to specific state requirements maintains one governance program instead of seven. When the next state enacts an AI law, the compliance team maps new obligations to existing functions rather than building from scratch. This is the difference between a compliance architecture and a compliance project.

What does the unified compliance framework look like in practice?

• Layer 1: AI system inventory and classification. Catalog every AI system, the states whose residents it affects, and the obligations triggered in each jurisdiction. This inventory drives everything else. Update it quarterly and when new systems deploy or new laws take effect.
• Layer 2: NIST AI RMF implementation. Implement all four functions with documentation mapped to Colorado’s affirmative defense standard (the strictest enacted requirement). Produce applicability statements for excluded subcategories. Include the GenAI Profile to satisfy Texas’s explicit requirement. Map to the NIST-published ISO 42001 crosswalk for additional evidentiary strength.
• Layer 3: State-specific overlays. For each state, document the delta between your NIST AI RMF baseline and the state’s specific requirements. Colorado overlay: annual impact assessment, consumer notification workflow, public statement. California overlay: incident reporting at 15 days, training data disclosure, watermark and metadata requirements. Illinois overlay: employee notification, anti-discrimination testing against Illinois protected classes.
• Layer 4: Incident response and reporting. Build a unified incident response process triggered at the shortest mandatory deadline (15 days for California SB 53). Create state-specific reporting templates. Assign jurisdiction-specific response leads. The 60-day cure periods in Colorado and Texas run concurrently with reporting obligations, not sequentially.
• Layer 5: Monitoring and adaptation. Track pending legislation across all 50 states using the IAPP tracker or equivalent. When a new law passes, classify it by archetype, map obligations to existing NIST AI RMF functions, build the state-specific overlay, and update the inventory. The architecture absorbs new laws. It does not rebuild for them.

Which States Will Enact AI Laws Next in 2026?

The 240 AI bills introduced in the first six weeks of 2026 signal that state legislative activity is accelerating, not stabilizing [MultiState.ai, February 2026]. Several states are advancing legislation that will reshape the multi-state compliance map by year-end. The shift from 2025 to 2026 shows a pattern: states are moving away from omnibus AI regulation toward targeted, sectoral laws addressing specific harms. This makes the compliance surface broader but the individual obligations narrower.

Which states are most likely to enact new AI laws in 2026?

Connecticut has twice failed to pass broad AI regulation, but the AG warned on February 25, 2026 that existing consumer protection laws already apply to AI [CT AG, February 2026]. Public Act 25-113 (June 2025) quietly amended the Connecticut Data Privacy Act to add AI training data disclosure requirements [BCLP, 2025]. SB 5 is pending in the 2026 session. Connecticut illustrates the secondary enforcement vector: even without AI-specific laws, existing consumer protection, employment, and civil rights statutes apply to AI-driven harms.

Oregon passed a chatbot transparency bill. Washington is advancing chatbot and content provenance legislation. Arizona’s Senate passed an AI content provenance bill. Florida’s AI Bill of Rights passed the Senate but reportedly died in the House. New Jersey introduced S 451 targeting algorithmic pricing in rental housing. Minnesota has active bills on AI-driven surveillance pricing. None of these are enacted as of March 2026, but the pipeline is full and the pattern is clear: states will continue legislating AI in the absence of federal action.

The bill that matters most for compliance planning is the one nobody is watching. A state AG applying existing consumer protection law to an AI-driven harm requires no new legislation. The December 2025 FTC retreat from AI enforcement shifts the enforcement center of gravity to state AGs with existing statutory tools.

Frequently Asked Questions

How many states have AI laws in 2026?

As of March 2026, seven states have enacted significant AI-specific legislation: Colorado (SB 205), Texas (TRAIGA), California (SB 53, AB 2013, SB 942), Illinois (HB 3773), Utah (SB 149), Tennessee (ELVIS Act), and New York (RAISE Act). Over 240 additional AI bills were introduced across states in early 2026 [NCSL 2025; MultiState.ai 2026].

Which state AI law is the most restrictive?

Colorado’s AI Act (SB 24-205) imposes the broadest obligations on deployers of high-risk AI systems: risk management policy, annual impact assessment, pre-decision consumer notification, public disclosure, data correction rights, and human appeal processes. Illinois HB 3773 creates the highest litigation exposure because it is the only major state AI law with a private right of action [Colorado SB 24-205; Illinois HB 3773].

Is there a federal AI law in the United States?

No federal AI law exists as of March 2026. The December 2025 Executive Order signals federal intent to preempt state AI laws, but executive orders lack the force of law, Congress has not authorized preemption, and no court has ruled on state AI law validity [White House EO December 2025; Ropes & Gray March 2026].

What is the NIST AI RMF safe harbor?

Colorado and Texas both provide affirmative defenses for organizations that demonstrate compliance with the NIST AI Risk Management Framework. Colorado requires “compliance” with NIST AI RMF or ISO 42001. Texas requires “substantial compliance” with NIST AI RMF including the GenAI Profile. These safe harbors reward organizations investing in recognized governance frameworks [Colorado SB 24-205; Texas TRAIGA].

Do state AI laws apply to companies outside the state?

Yes. Most state AI laws apply to organizations serving residents of the state, regardless of where the organization is headquartered. Colorado’s AI Act applies to deployers of AI systems making consequential decisions affecting Colorado consumers. Texas TRAIGA applies to entities developing or deploying AI in Texas or serving Texas residents [Colorado SB 24-205; Texas TRAIGA].

What penalties do state AI laws impose?

Penalties vary by state: Colorado up to $20,000 per violation, Texas $10,000-$200,000 depending on curability, California SB 53 up to $1 million per violation, California SB 942 $5,000 per violation, New York $1-3 million per violation, Utah $2,500 per violation. Illinois allows private claims for actual damages and civil penalties [Colorado SB 24-205; Texas TRAIGA; California SB 53; New York RAISE Act].

How do I comply with multiple state AI laws simultaneously?

Build a unified compliance architecture using NIST AI RMF as the structural backbone. Implement the four core functions (Govern, Map, Measure, Manage) to Colorado’s stricter “compliance” standard. Add state-specific overlays for unique requirements like California’s 15-day incident reporting or Illinois’s employment notification. One framework absorbs new state laws through overlay additions rather than rebuilds [NIST AI 100-1].