A Country Without a Rulebook

The United States does not have a comprehensive federal AI law. No single statute governs how artificial intelligence can be developed, deployed, or monitored across the country. Congress has introduced bills. Hearings have been held. White papers have been published. But as of early 2026, there is no federal legislation on the books that tells companies what they can and cannot do with AI.

The states got tired of waiting.

What’s emerged is exactly what you’d expect when 50 different legislatures tackle the same problem independently: a patchwork of overlapping, sometimes contradictory laws with different definitions, different thresholds, different enforcement mechanisms, and different effective dates.

If your company operates in more than one state — and in 2026, whose doesn’t — this is your problem now.

The Laws on the Board

Here’s what’s already live or going live this year.

Colorado SB 24-205 is the most comprehensive state AI law in the country. Originally set to take effect in February 2026, its operational requirements were delayed to June 30, 2026. It takes a risk-based approach focused on “high-risk AI systems” — defined as systems that make or substantially contribute to consequential decisions about consumers in areas like employment, education, financial services, healthcare, housing, insurance, and legal services. Developers and deployers of these systems must exercise a “duty of reasonable care” to protect consumers from algorithmic discrimination. That means impact assessments, risk management policies, public disclosures, and notification obligations when discrimination is detected.

Texas HB 1709, the Responsible AI Governance Act (RAIGA), applies to developers and deployers conducting business in Texas or serving Texas residents. It prohibits intentional creation or use of AI systems for restricted purposes — encouraging self-harm, infringing constitutional rights, unlawful discrimination, generating child exploitation material, or creating deepfakes. The Texas Attorney General can issue investigative demands and enforce civil penalties. Notably, the law provides affirmative defenses for companies that adhere to recognized frameworks like NIST or that self-detect and remediate issues. It also creates a regulatory sandbox concept allowing 36-month testing periods for innovative AI applications.

California, as usual, didn’t pass one law — it passed several.

• SB 942, the AI Transparency Act, requires providers to offer free AI-content detection tools and implement watermarking for AI-generated content. Its effective date was pushed to August 2, 2026.
• AB 2013, the Generative AI Training Data Transparency Act, requires developers of public-use generative AI systems to publish high-level information about their training data.
• AB 489 prohibits AI from falsely claiming healthcare licenses and requires disclosures when AI communicates with patients.
• SB 243 mandates chatbot disclosures, safety protocols against harmful content, and specific protections for minors interacting with companion chatbots.
• AB 325 updates California’s antitrust law to bar shared or common pricing algorithms used by competitors — algorithmic price-fixing, in plain English.
• The Transparency in Frontier AI Act (TFAIA) applies to developers of “frontier models” trained using more than 10^26 computing operations. Large frontier developers with combined revenue over $500 million must create and publish a “Frontier AI Framework” addressing catastrophic risks, including third-party assessments, cybersecurity measures, and governance protocols.

Illinois HB 3773 amends the state’s Human Rights Act to explicitly prohibit employers from using AI systems that discriminate against protected classes.

And that’s just the first wave. More states have bills in committee. More will pass before the year is out.

The Definitional Nightmare

Here’s where it gets operationally painful.

Every state defines its key terms differently. Colorado’s “high-risk AI system” is scoped to consequential decisions in specific consumer-facing domains. Texas defines restricted AI use around prohibited purposes — self-harm, discrimination, deepfakes. California’s frontier AI threshold is a raw compute number (10^26 operations). Illinois focuses specifically on employment discrimination.

There is no common vocabulary. A system that qualifies as “high-risk” in Colorado might not trigger any obligations in Texas. A transparency requirement under California’s SB 942 has no equivalent in Illinois. A chatbot that’s compliant in Texas might violate California’s SB 243 if it interacts with minors without the right safety protocols.

For a company deploying AI nationally, the compliance question isn’t “what does the law require?” It’s “which law, in which state, for which system, under which definition?”

Multiply that by every AI-enabled product or internal tool your organization operates, and the matrix gets large fast.

The Federal Preemption Mirage

The Trump administration recognized the problem. On December 11, 2025, Executive Order “Ensuring a National Policy Framework for Artificial Intelligence” was signed, proposing a uniform federal policy framework that would preempt inconsistent state laws.

On paper, it sounds like relief. In practice, it’s complicated.

The EO directed the Attorney General to create an AI litigation task force to challenge conflicting state laws on interstate commerce and federal preemption grounds. The Secretary of Commerce was tasked with evaluating burdensome state laws by March 11, 2026, flagging those requiring altered outputs or disclosures that raise constitutional concerns. The FTC was directed to issue a policy statement on how the FTC Act applies to AI and how it preempts state laws requiring truthful output alteration. Federal agencies were told to condition grants on states refraining from conflicting AI legislation.

But an executive order is not legislation. It can be reversed by the next administration. It doesn’t create statutory preemption — it creates policy direction that agencies may or may not follow, that courts may or may not defer to, and that states may or may not respect. The EO itself carved out child safety, AI infrastructure (except permitting), and state procurement regulations from its preemption efforts.

Colorado’s law was specifically called out as an evaluation target. But Colorado’s law is still on the books. Texas’s law is still enforceable. California’s laws are still going into effect.

Companies that plan their compliance strategy around the assumption that federal preemption will save them are making a bet, not following a rule.

What Multi-State Compliance Actually Looks Like

Let’s be concrete about what this means for an engineering organization.

Disclosure and transparency requirements vary by state. California requires watermarking and detection tools for AI-generated content. Colorado requires public disclosures about high-risk system capabilities and limitations. Texas requires notice of restricted-use prohibitions. If your product generates content, assists decision-making, and serves users in all three states, you need three different disclosure mechanisms — and you need to know which users are in which state.

Risk assessment obligations don’t align. Colorado mandates impact assessments for algorithmic discrimination in high-risk systems. California’s frontier AI framework requires catastrophic risk assessments with third-party review. Texas provides affirmative defenses for following NIST frameworks but doesn’t mandate specific assessments. Your risk assessment program needs to satisfy the strictest standard in every state where you operate — but the strictest standard depends on what kind of AI system you’re evaluating.

Enforcement mechanisms are different. Texas gives enforcement power to the Attorney General with civil penalties. Colorado creates a duty of care that implies private litigation risk. California’s various laws have different enforcement provisions across different agencies. A single compliance failure could expose you to enforcement actions from multiple states simultaneously, each with different procedural rules and penalty structures.

Definitions of harm don’t match. Colorado focuses on algorithmic discrimination against consumers. Illinois focuses on employment discrimination against protected classes. Texas focuses on prohibited purposes like deepfakes and self-harm encouragement. California targets both catastrophic risk (frontier models) and consumer-facing transparency (content detection). Your harm prevention program needs to cover all of these categories, and the categories don’t map neatly onto each other.

The Infrastructure Response

Building state-by-state compliance tooling is a losing game. The laws will keep changing. New states will pass new laws. Existing laws will be amended. Federal preemption may or may not materialize. Any compliance architecture that’s hard-coded to a specific state’s requirements will need to be rewritten every legislative session.

The practical response is to build on infrastructure that generates compliance as a byproduct of how it works — not as an afterthought bolted on top.

That means:

Comprehensive audit trails. Every state law that’s been passed or proposed includes some form of documentation, logging, or record-keeping requirement. If your AI development platform already captures who did what, when, with which model, on which data, and what the output was — you have the raw material for compliance reporting regardless of which state’s format you need to fill out.

Transparency by default. Rather than building separate disclosure mechanisms for California, Colorado, and Texas, build a platform where model provenance, training data lineage, and system capabilities are documented as part of the development workflow. When a new state requires a new disclosure, you’re pulling from existing metadata — not reverse-engineering it from production systems.

Governance built into the workflow. Access controls, policy enforcement, content scanning, and approval workflows shouldn’t be separate compliance tools. They should be part of how your team builds and deploys AI. Platforms like Calliope are designed around this principle — governance is embedded in the development environment, not layered on after the fact.

Portability and control. When you control your infrastructure — your models, your data, your deployment — you control your compliance posture. You’re not dependent on a third-party provider’s interpretation of Colorado’s duty of care or California’s transparency requirements. You define the policies, you enforce them, and you have the records to prove it.

The Only Constant Is More Laws

The patchwork is not going to simplify itself. Even if federal legislation eventually passes, it will likely set a floor, not a ceiling — states will retain the ability to impose stricter requirements, just as they do with data privacy laws today.

The companies that navigate this well won’t be the ones that hire the biggest compliance teams or build the most elaborate state-by-state rule engines. They’ll be the ones whose AI development infrastructure produces compliance artifacts naturally: audit logs, provenance records, impact assessments, access controls, and transparency documentation — all generated as part of normal operations.

The patchwork is the reality. Build your platform accordingly.

Sources

• King & Spalding, “New State AI Laws Are Effective on January 1, 2026, but a New Executive Order Signals Disruption,” kslaw.com
• Drata, “Artificial Intelligence Regulations: State and Federal AI Laws 2026,” drata.com
• Colorado General Assembly, SB 24-205, “Concerning Consumer Protections for Artificial Intelligence”
• Texas Legislature, HB 1709, “Responsible AI Governance Act”
• California Legislature, SB 942 (AI Transparency Act), AB 2013 (Generative AI Training Data Transparency Act)
• Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence,” December 11, 2025