← Back to Blog

The AI Regulatory Patchwork: What Every Business Needs to Know in 2026

· Don Ho

Last updated: February 10, 2026

Last updated: April 2026

There is no federal AI law in the United States, but at least 45 states introduced AI-related legislation in 2025, at least 15 enacted regulations, and the pace is accelerating in 2026, creating a fragmented compliance landscape where businesses operating across state lines face overlapping and sometimes conflicting AI obligations with no unifying federal standard.

Congress introduced over 120 AI-related bills in the 118th Congress. None passed. The 119th Congress is no closer to consensus. Meanwhile, states aren’t waiting. If your business operates in more than one state, you’re already navigating a compliance maze with no map.

The Active Laws

Colorado AI Act (SB 24-205). Targets high-risk AI in consequential decisions (employment, insurance, lending, housing). Enforcement delayed from February 2026 to a later date. Still on the books. Requires risk management policies, impact assessments, consumer notice, and algorithmic discrimination reporting.

Illinois AI Video Interview Act. In effect since January 2020. Requires employers to notify candidates that AI is analyzing their video interviews, explain how the AI works, and obtain consent. Applies to any employer using AI-analyzed video interviews for candidates in Illinois.

New York City Local Law 144. Effective since July 2023. Requires annual bias audits by independent auditors for automated employment decision tools used in hiring or promotion in New York City. Applies to employers and employment agencies.

Maryland HB 1202. Prohibits employers from using facial recognition technology during job interviews without applicant consent.

Tennessee ELVIS Act. Effective 2024. Protects against unauthorized AI-generated replicas of a person’s voice. Includes both criminal and civil penalties.

Texas AI Advisory Council. Established in 2023 to study AI regulation. Published recommendations in late 2025 that may lead to legislation in 2026.

Utah AI Policy Act (SB 149). Effective May 2024. Requires disclosure when a person is interacting with generative AI (not a human). Applies broadly, not just to employment.

The Incoming Bills

Beyond the three workplace AI bills from California, New York, and Rhode Island (covered in a separate article), several other significant bills are advancing:

California SB 942 (AI Transparency Act). Would require clear labeling of AI-generated content and mandate watermarking of AI-generated images and video.

New York AI Disclosure Act. Requires disclosure when AI-generated performers appear in advertisements (covered separately).

Washington State. Multiple bills addressing AI in government decision-making and AI bias in insurance underwriting.

Virginia. Considering comprehensive AI legislation modeled on parts of the EU AI Act, with a risk-based classification system.

Massachusetts. A bill requiring impact assessments for AI used in “significant decisions” affecting individuals, with a broad definition of “significant.”

The EU Factor

U.S. companies selling into or operating in Europe must also comply with the EU AI Act, which entered into force in August 2024 with staged implementation through 2027. The Act’s risk-based classification system (unacceptable, high-risk, limited, minimal) and its requirements for high-risk AI systems (conformity assessments, technical documentation, human oversight) represent the most detailed AI regulatory framework in the world.

Several state legislatures are explicitly borrowing concepts from the EU AI Act. Virginia’s proposed legislation uses similar risk tiers. Colorado’s impact assessment requirements echo the EU’s conformity assessment process. The EU framework is becoming a template that state legislators reference even when they adapt it for local context.

Why the Federal Government Can’t Get It Together

Congressional inaction on AI has several causes. Partisan disagreement on whether regulation should focus on safety (Democratic priority) or innovation protection (Republican priority). Intense industry lobbying from companies that benefit from regulatory ambiguity. A general lack of technical expertise among legislators. And a jurisdictional turf war between committees.

In the Senate, AI legislation touches the jurisdiction of the Commerce Committee, the Judiciary Committee, the Armed Services Committee, and the Intelligence Committee. Each wants ownership. The result is competing proposals, duplicated hearings, and no consensus bill.

The closest the federal government has come to binding AI regulation is sector-specific. The EEOC’s guidance on AI and employment discrimination. The FTC’s case-by-case enforcement approach against deceptive AI claims. The SEC’s AI washing cases. The OCC’s guidance on AI in banking. These are enforcement actions and guidance documents, not legislation. They establish precedent but don’t create the comprehensive framework that businesses need.

What to Do Now

Build a state-by-state compliance matrix. List every state where you have employees, customers, or operations. Map the applicable AI laws and pending bills for each state. Update quarterly, because new bills are introduced every legislative session.

Need to map your exposure across this patchwork? Take the ACRA to see which state laws apply to your AI operations.

Adopt a single internal standard that exceeds the strictest state requirement. Trying to comply with each state’s specific requirements independently is operationally impossible for most companies. Pick the strictest requirement in each category (notice, audit, impact assessment, consumer rights) and apply it everywhere. This is the CCPA/GDPR lesson: comply to the strictest standard and you’re covered everywhere.

Track five jurisdictions. You can’t monitor all 50 states. Focus on California, New York, Colorado, Illinois, and the EU. These five jurisdictions drive the regulatory conversation. When they act, other states follow.

Engage with the rulemaking process. Many of these laws include rulemaking periods where businesses can submit comments on implementing regulations. This is where the actual compliance requirements get defined. If you’re not commenting, you’re letting your competitors write the rules.

Start documenting now. A structured approach like the 5-Layer AI Compliance Stack can help you organize these requirements into a manageable governance program. Every AI regulation being proposed includes documentation requirements. What AI systems do you use? What data do they process? What decisions do they influence? What testing have you done? If you start documenting today, you’ll be ready when the obligations become enforceable. If you wait until enforcement begins, you’ll be playing catch-up while the regulators are already at your door.

The patchwork is messy. It’s expensive. It’s confusing. And it’s what happens when Congress leaves a vacuum that states are happy to fill. The companies that are getting ahead aren’t waiting for clarity — they’re building governance frameworks now, because the AI safety incidents that drive new legislation aren’t slowing down. Plan for it, because nobody’s coming to simplify it for you.

Book a diagnostic to navigate the regulatory maze with expert guidance.

50 states. Zero federal framework. That’s not a policy gap — it’s a liability multiplier. Kaizen AI Lab builds compliance programs that work across jurisdictions so you’re not scrambling every time a new state law drops. Talk to us.

DH

Don Ho, Esq.

Founder & CEO of Kaizen AI Lab. A practicing attorney for 19 years and former General Counsel, he builds compliance-first AI systems for mid-market companies operating in regulated industries.

Kaizen AI Labs

Ready to Deploy AI in Your Business?

Schedule a discovery call with our AI consulting team. We'll map your operations, identify leverage points, and show you exactly where AI moves the needle.

Book a Consulting Call
AI

Adjacent Media by Kaizen Labs

Is Your Brand Visible to the Bots?

Get a free GEO audit and find out if your brand is being cited, found, or completely invisible in AI-generated answers. Then let's fix it.

Get a Free GEO Audit
GEO