
US State AI Laws 2026: The Multi-State Compliance Map

Updated May 18, 2026

Bottom Line Up Front

Forty-five states introduced over 700 AI bills in 2025 alone, with Colorado, Texas, California, Illinois, and New York enacting laws covering algorithmic discrimination, transparency, training data disclosure, and frontier model safety. No federal AI law exists. Organizations operating across state lines face a patchwork of overlapping and conflicting obligations where NIST AI RMF serves as the closest thing to a common compliance denominator.

Colorado Update, May 2026: Governor Polis signed SB 26-189 on May 14, 2026. The effective date moves to January 1, 2027 and the risk-based framework (six obligations, rebuttable presumption, NIST AI RMF affirmative defense) is repealed and replaced with a disclosure/transparency framework. Additionally, a federal magistrate stayed enforcement of the original Colorado AI Act on April 27, 2026. The Colorado section throughout this article has been updated. The three-archetype taxonomy has been revised; Colorado has shifted to the transparency archetype.

US state AI laws 2026 present a compliance surface that no single framework anticipated. A general counsel at a mid-market SaaS company pulled up the regulatory tracker in January 2026. Colorado’s AI Act: now effective January 1, 2027 under an amended framework. Texas TRAIGA: already in effect. California’s three AI laws: live. Illinois employment AI restrictions: live. New York’s RAISE Act: signed, effective 2027. Five states. Four different regulatory models. Zero federal coordination. The compliance team had budgeted for one state AI law. They now face a compliance surface that spans algorithmic discrimination, training data transparency, frontier model safety protocols, and sector-specific disclosure mandates across jurisdictions that do not agree on definitions, obligations, or enforcement mechanisms.

That company is not an outlier. The 2025 state legislative session produced over 1,200 AI bills across all 50 states, with more than 100 enacted into law, per the NCSL AI Legislation Database (counts updated regularly). By early February 2026, hundreds more bills had already been introduced [MultiState.ai, February 2026]. The fragmentation is accelerating. States are not waiting for Congress. They are not coordinating with each other. And the December 2025 Executive Order signaling federal preemption has no legal force until Congress acts or courts rule.

Three regulatory archetypes have emerged from the state-level activity, though Colorado’s transition is reconfiguring the landscape. Each archetype creates different obligations, different penalties, and different compliance strategies. The organizations mapping these archetypes now are building multi-state compliance architectures. The ones waiting for clarity will build under deadline pressure when the next enforcement action lands.

US state AI laws 2026 span three regulatory archetypes: standards-based (Texas, with Colorado shifting away from this model), transparency-focused (California, New York, and now Colorado under SB 26-189), and sector-specific (Illinois, Utah, Tennessee). No federal AI law exists, creating a patchwork where obligations overlap and conflict across jurisdictions. NIST AI RMF is the common denominator, serving as a safe harbor in Texas (and under the original Colorado law pending SB 26-189 confirmation) [Texas TRAIGA; Colorado SB 24-205].

The Three Regulatory Archetypes Shaping State AI Law

US state AI laws 2026 are not random. Three distinct regulatory archetypes have crystallized from the 2025 legislative activity, and each archetype reflects a fundamentally different theory of AI harm. The standards-based archetype (Texas, originally Colorado) treats AI risk as a governance problem: require risk management frameworks, create safe harbors for compliant organizations, enforce through attorney general actions. The transparency-focused archetype (California, New York, and now Colorado under SB 26-189) treats AI risk as an information problem: mandate disclosures about model capabilities, training data, and incidents. The sector-specific archetype (Illinois, Utah, Tennessee) treats AI risk as a domain problem: target specific harms in employment, consumer interactions, or creative rights.

Colorado’s passage of SB 26-189 on May 9, 2026 is the most significant taxonomy shift since the original Colorado AI Act was signed. By replacing the risk-management-and-affirmative-defense framework with a disclosure/transparency model, Colorado is migrating from the standards-based archetype toward the transparency archetype. Texas TRAIGA becomes the primary standards-based exemplar.

What defines the standards-based archetype?

Texas is the clearest remaining standards-based model. Texas TRAIGA (HB 149), effective January 1, 2026, prohibits AI systems designed to discriminate or infringe constitutional rights, requires government disclosure of AI interactions, and mandates healthcare AI disclosure [Texas TRAIGA, 2025]. Texas provides an affirmative defense tied to “substantial compliance” with the NIST AI Risk Management Framework including the GenAI Profile. The NIST AI RMF affirmative defense creates a legal protection mechanism that rewards organizations investing in governance infrastructure.

The Colorado AI Act (SB 24-205, as amended by SB 26-189), effective January 1, 2027, originally included a NIST AI RMF affirmative defense; SB 26-189 is replacing that framework with disclosure and transparency obligations. Whether any safe harbor for NIST AI RMF compliance survives in SB 26-189’s final text requires verification against the signed bill.

What defines the transparency-focused archetype?

California and New York lead the transparency archetype, targeting disclosure rather than operational requirements. California enacted three separate AI laws effective in 2025-2026. SB 53 (Transparency in Frontier AI Act) requires developers of frontier models trained on more than 10^26 FLOPs to publish safety frameworks, file transparency reports, and report incidents to the California Office of Emergency Services within 15 days of discovering a critical safety incident. For incidents posing imminent risk of death or serious physical injury, providers must additionally notify law enforcement or public safety authorities within 24 hours. Penalties reach $1 million per violation [California SB 53, September 2025]. AB 2013 requires generative AI developers to disclose training data sources, including copyrighted materials and personal information, covering systems released since January 1, 2022 [California AB 2013]. SB 942 requires providers with over 1 million monthly California users to offer free AI detection tools and embed both visible and hidden metadata disclosures, with penalties of $5,000 per violation [California SB 942].

New York’s RAISE Act, signed December 19, 2025, applies to frontier models meeting the same 10^26 FLOPs threshold and developers with over $500 million in revenue. The law requires safety protocol publication and 72-hour incident reporting. Penalties start at $1 million for first violations and reach $3 million for subsequent ones [New York RAISE Act, December 2025]. Colorado’s SB 26-189 transition toward a disclosure/transparency framework will add the state to this archetype, though the specifics of SB 26-189’s final framework require confirmation.

What defines the sector-specific archetype?

Illinois HB 3773, effective January 1, 2026, amends the Illinois Human Rights Act to prohibit employer use of AI systems that produce discriminatory effects in recruitment, hiring, promotion, discharge, discipline, or terms of employment, even if the discrimination is unintentional [Illinois HB 3773, 2025]. Employers must notify employees and applicants of AI use and cannot use zip codes as proxies for protected classes. Illinois provides broader claimant access than Colorado or Texas: AI-discrimination claims are filed through the Illinois Department of Human Rights (IDHR), and after a right-to-sue letter is issued, individuals can pursue civil claims in Illinois Circuit Court. This is the standard IHRA enforcement mechanism applied to AI claims; claimants must go through IDHR first, not directly to court.

Utah’s AI Policy Act (SB 149), effective since May 2024 and amended in March 2025, takes a lighter approach. Regulated occupations must prominently disclose AI use. All others must disclose only if asked. Utah created the first state AI regulatory sandbox (the AI Learning Lab), offering two-year mitigation periods for participating companies. Penalties run $2,500 per violation with no private right of action [Utah SB 149; Utah SB 226]. Tennessee’s ELVIS Act, effective July 2024, addresses a narrower harm: AI voice cloning and unauthorized use of likeness. It expands the right of publicity to cover AI-generated voice simulations, with both civil and criminal penalties [Tennessee ELVIS Act, 2024].

The audit fix. Classify your AI compliance obligations by archetype. (1) Standards-based: if you deploy high-risk AI systems in Texas, map your risk management program to the NIST AI RMF four-function structure. For Colorado, monitor SB 26-189 for any retained NIST AI RMF safe harbor. (2) Transparency-focused: if you develop frontier models or generative AI serving California or New York users, inventory your disclosure obligations across SB 53, AB 2013, SB 942, and the RAISE Act. (3) Sector-specific: if you use AI in employment decisions affecting Illinois employees or applicants, audit your hiring, promotion, and termination workflows for AI-driven discrimination exposure. One organization often falls under all three archetypes.

The State Law Overlap Matrix: Where Obligations Stack

Multi-state compliance gets difficult at the intersections. An organization deploying AI across Colorado, Texas, California, Illinois, and Utah faces overlapping obligations that do not align cleanly. Seven obligation categories appear across state laws: risk management programs, impact assessments, consumer notification, algorithmic discrimination protections, training data transparency, incident reporting, and NIST AI RMF safe harbors.

Where do state AI obligations overlap?

| Obligation | States Requiring | Key Details |
|---|---|---|
| Risk management program | TX, CA (SB 53) | TX requires broad AI governance programs. CA SB 53 requires safety frameworks for frontier models only. CO transitioning away from this requirement under SB 26-189. |
| Impact assessment | CO (under original SB 24-205; verify under SB 26-189) | Annual assessment required under original law; SB 26-189 framework shift may affect this. |
| Consumer notification | CO, TX, CA (SB 942), IL, UT | CO and TX require pre-decision notice. CA SB 942 requires watermarks. IL requires employment notification. UT requires disclosure on request. |
| Algorithmic discrimination | CO, TX, IL | CO and TX prohibit discriminatory AI outcomes broadly. IL targets employment decisions specifically, including zip code proxies. |
| Training data transparency | CA (AB 2013) only | Requires disclosure of training data sources including copyrighted materials. Covers systems released since January 2022. |
| Incident reporting | CO (90 days to AG), CA (SB 53, 15 days to Cal OES; 24 hours to law enforcement for imminent threats) | Build to the shortest deadline (15 days for California SB 53). File separately with each jurisdiction. |
| NIST AI RMF safe harbor | TX (substantial compliance), CO (verify under SB 26-189) | TX requires “substantial compliance” including GenAI Profile. CO’s affirmative defense status under SB 26-189 requires verification against signed text. |
| AG enforcement | CO, TX, CA (SB 53, SB 942), UT | IL enforces through IDHR process. CA AB 2013 enforcement mechanism is unclear. |
| Private right of action / broader claimant access | IL (IDHR process) | Illinois IHRA framework routes AI-discrimination claims through IDHR, with civil claims available after right-to-sue letter. AG-only in Colorado and Texas. |
| Cure period | CO, TX | Both provide 60-day cure periods. No other state offers a cure window before penalties attach. |

Where do state AI laws conflict?

Three conflict zones create compliance friction for multi-state organizations. First, incident reporting timelines. Colorado requires reporting algorithmic discrimination to the AG within 90 days. California SB 53 requires frontier model incident reporting within 15 days to Cal OES, with a separate 24-hour notification to law enforcement for incidents posing imminent risk of death or serious physical injury. An incident affecting users in both states triggers two different reporting obligations with two different timelines to two different authorities. Build to the shortest deadline and file separately with each jurisdiction.

Second, notification scope and timing. Colorado requires pre-decision consumer notification with five specific elements. Texas mandates disclosure of AI interactions for government entities and healthcare providers. Illinois requires employee notification of AI use in employment decisions. Utah requires disclosure when asked. A national employer using AI in hiring decisions must simultaneously satisfy Colorado’s pre-decision notification (for Colorado applicants), Illinois’s employment notification (for Illinois applicants), and Utah’s disclosure-on-request (for Utah applicants).

Third, enforcement asymmetry. Illinois is the only major enacted state AI law providing a pathway that reaches civil litigation at all. Claims route through IDHR first, then to Illinois Circuit Court after a right-to-sue letter. Every other state limits enforcement to the AG or a designated agency. The same AI hiring tool defect creates regulatory exposure in Colorado and Texas (AG enforcement, cure period available) and a litigation pathway in Illinois (IDHR-to-Circuit-Court, no cure period equivalent). The defect is the same, but the legal risk differs fundamentally depending on the employee’s state.

The audit fix. Build a jurisdiction-by-jurisdiction compliance map for every AI system operating across state lines. (1) For each system, identify which states’ residents it affects. (2) Map the applicable obligations from the overlap matrix. (3) Identify the strictest requirement in each category and build to that standard. (4) For incident reporting, create a unified process triggered at the shortest deadline (15 days for California SB 53) with state-specific filing templates. (5) For notification obligations, design the consumer-facing disclosure to satisfy all applicable states simultaneously.

Will Federal Preemption Override State AI Laws?

Executive Order 14365 (December 11, 2025, titled “Ensuring a National Policy Framework for Artificial Intelligence”) launched five mechanisms aimed at overriding state AI laws [White House EO 14365, December 2025]. The DOJ AI Litigation Task Force was directed to be established within 30 days of the December 11 order (targeting approximately January 10, 2026). The FCC opened a proceeding on federal AI reporting standards. The FTC issued a policy statement on preempting state laws. The Commerce Department was directed to identify burdensome state laws by March 11, 2026 (90 days from December 11). Five mechanisms. Zero binding legal authority as of May 2026.

Does the Executive Order preempt state AI laws?

No. Executive orders direct federal agencies. They do not override state law. Industry legal analysis has identified structural weaknesses in the preemption theory: executive orders lack the force of law, no federal AI regulatory scheme exists for state laws to conflict with, Congress has not authorized preemption in any AI-related legislation, and Dormant Commerce Clause challenges face a high evidentiary bar when states are regulating within traditional police powers like consumer protection and employment. State laws remain enforceable until a court issues an injunction or Congress passes preemptive legislation. Neither has happened. Neither is imminent.

How should organizations factor preemption risk into compliance planning?

The strategic error is waiting. Organizations pausing compliance programs pending federal action face two bad outcomes. If preemption fails (the most likely scenario based on current legal analysis), they have lost months of preparation time with enforcement dates unchanged. If preemption succeeds, a federal framework will almost certainly require the same governance infrastructure: risk management, documentation, transparency, and incident response. The NIST AI RMF is the federal government’s own AI risk framework. Any federal AI standard will draw from it.

Bottom Line Up Front

Federal preemption of state AI laws is a political signal, not a legal fact. No court has struck down a state AI law on preemption grounds. Colorado’s SB 26-189 demonstrates that states are refining their approaches, not abandoning AI regulation. Build now. Adapt later.

Building a Multi-State AI Compliance Architecture

A unified compliance framework beats state-by-state implementation on cost, consistency, and auditability. The architecture starts with NIST AI RMF as the structural backbone. NIST AI RMF is explicitly named as a safe harbor in Texas TRAIGA, is the federal government’s own AI risk standard, and maps to both ISO 42001 and EU AI Act Article 9 requirements [NIST AI 100-1; Texas TRAIGA]. Building on NIST AI RMF creates a single governance infrastructure that satisfies the standards-based archetype, provides documentation for the transparency archetype, and generates the audit evidence the sector-specific archetype demands.

What does the unified compliance framework look like in practice?

  • Layer 1: AI system inventory and classification. Catalog every AI system, the states whose residents it affects, and the obligations triggered in each jurisdiction. Update it quarterly and when new systems deploy or new laws take effect.
  • Layer 2: NIST AI RMF implementation. Implement all four functions with documentation mapped to Texas’s “substantial compliance” standard (the primary enacted standards-based safe harbor as of May 2026 following Colorado’s SB 26-189 transition). Include the GenAI Profile to satisfy Texas’s explicit requirement.
  • Layer 3: State-specific overlays. For each state, document the delta between your NIST AI RMF baseline and the state’s specific requirements. Texas overlay: governance framework, anti-discrimination testing. California overlay: incident reporting at 15 days to Cal OES, separate law enforcement notification for imminent-risk incidents, training data disclosure, watermark requirements. Illinois overlay: employee notification, anti-discrimination testing against Illinois protected classes. Colorado overlay: update once SB 26-189 signed text is analyzed.
  • Layer 4: Incident response and reporting. Build a unified incident response process triggered at the shortest mandatory deadline (15 days for California SB 53). Create state-specific reporting templates. The 60-day cure periods in Colorado and Texas run concurrently with reporting obligations, not sequentially.
  • Layer 5: Monitoring and adaptation. Track pending legislation across all 50 states. When a new law passes, classify it by archetype, map obligations to existing NIST AI RMF functions, build the state-specific overlay, and update the inventory.

Which States Will Enact AI Laws Next in 2026?

Several states are advancing legislation that will reshape the multi-state compliance map. The shift from 2025 to 2026 shows a pattern: states are moving away from omnibus AI regulation toward targeted, sectoral laws addressing specific harms.

Connecticut has twice failed to pass broad AI regulation, but the Connecticut AG has publicly stated that existing consumer protection laws already apply to AI-driven harms. Connecticut Public Act 25-113 (enacted June 2025) addressed AI-related provisions under Connecticut law. SB 5 is pending in the 2026 session. Connecticut illustrates the secondary enforcement vector: even without comprehensive AI-specific laws, existing consumer protection, employment, and civil rights statutes apply to AI-driven harms.

Oregon passed a chatbot transparency bill. Washington is advancing chatbot and content provenance legislation. Arizona’s Senate passed an AI content provenance bill. Florida introduced AI governance legislation in the 2026 session; status was pending as of May 2026. New Jersey introduced S 451 targeting algorithmic pricing in rental housing. Minnesota has active bills on AI-driven surveillance pricing.

The bill that matters most for compliance planning is the one nobody is watching. A state AG applying existing consumer protection law to an AI-driven harm requires no new legislation.

The audit fix. Add these five states to your legislative monitoring dashboard: Connecticut, Washington, Oregon, New Jersey, and Minnesota. For Connecticut specifically, brief your legal team on AG warnings that existing consumer protection law already applies to AI. Map your AI systems against each pending bill’s scope. When a bill passes, classify it by archetype, build the state overlay, and update your AI system inventory within 30 days.

State AI regulation is not converging. It is branching into three archetypes that create fundamentally different compliance obligations. Colorado’s SB 26-189 demonstrates that states will refine their approaches based on industry feedback and enforcement experience. Texas TRAIGA remains the standards-based safe harbor anchor. The compliance surface will get larger before it gets smaller. Build the architecture now. The states are not waiting for Congress, and neither should your compliance program.

Frequently Asked Questions

How many states have AI laws in 2026?

As of May 2026, several states have enacted significant AI-specific legislation: Texas (TRAIGA, effective January 1, 2026), California (SB 53, AB 2013, SB 942, effective 2025-2026), Illinois (HB 3773, effective January 1, 2026), Utah (SB 149, since May 2024), Tennessee (ELVIS Act, since July 2024), New York (RAISE Act, signed December 2025), and Colorado (SB 24-205 as amended by SB 26-189, signed May 14, 2026, effective January 1, 2027). Additional bills were introduced across states in early 2026 per the NCSL AI Legislation Database.

Which state AI law is the most restrictive?

California’s SB 53 imposes the heaviest compliance burden on frontier model developers with its $1 million per violation penalty and multi-path incident reporting requirements. Colorado’s AI Act (under SB 26-189’s final framework) and Texas TRAIGA impose the broadest obligations on deployers of high-risk AI systems. Illinois HB 3773 creates the clearest litigation pathway because it routes AI-discrimination claims through the IDHR process to Illinois Circuit Court [Colorado SB 24-205; Texas TRAIGA; Illinois HB 3773].

Is there a federal AI law in the United States?

No federal AI law exists as of May 2026. The December 2025 Executive Order signals federal intent to preempt state AI laws, but executive orders lack the force of law, Congress has not authorized preemption, and no court has ruled on state AI law validity [White House EO 14365, December 2025].

What is the NIST AI RMF safe harbor?

Texas TRAIGA provides an affirmative defense for organizations that demonstrate “substantial compliance” with the NIST AI Risk Management Framework including the GenAI Profile. Colorado’s original SB 24-205 named NIST AI RMF as a qualifying framework; whether any safe harbor survives under SB 26-189’s framework shift requires verification against the signed bill text. These safe harbors reward organizations investing in recognized governance frameworks [Texas TRAIGA; Colorado SB 24-205].

Do state AI laws apply to companies outside the state?

Yes. Most state AI laws apply to organizations serving residents of the state, regardless of where the organization is headquartered. Colorado’s AI Act applies to deployers of AI systems making consequential decisions affecting Colorado consumers. Texas TRAIGA applies to entities developing or deploying AI in Texas or serving Texas residents [Colorado SB 24-205; Texas TRAIGA].

What penalties do state AI laws impose?

Penalties vary by state: Colorado, up to $20,000 per violation; Texas TRAIGA, civil penalties of $10,000-$12,000 per curable violation and $80,000-$200,000 per uncurable violation, with $2,000-$40,000 per day for ongoing violations [Texas HB 149, §552.105, verified June 2025 enacted text]; California SB 53, up to $1 million per violation; California SB 942, $5,000 per violation; New York, $1-3 million per violation; Utah, $2,500 per violation. Illinois routes AI-discrimination claims through the IDHR process to Illinois Circuit Court; individual damages are available after a right-to-sue letter [Colorado SB 24-205; Texas TRAIGA; California SB 53; New York RAISE Act].

How do I comply with multiple state AI laws simultaneously?

Build a unified compliance architecture using NIST AI RMF as the structural backbone. Implement the four core functions (Govern, Map, Measure, Manage) to Texas’s “substantial compliance” standard (the primary enacted safe harbor as of May 2026). Add state-specific overlays for unique requirements like California’s 15-day incident reporting to Cal OES and separate law enforcement notification for imminent-risk incidents, or Illinois’s IDHR-process employment notification. One framework absorbs new state laws through overlay additions rather than rebuilds [NIST AI 100-1].


Josef Kamara, CPA, CISSP, CISA, Security+
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
