{"id":34434,"date":"2026-05-21T13:53:00","date_gmt":"2026-05-21T11:53:00","guid":{"rendered":"https:\/\/askme.it\/insights\/ai-act-us-state-laws-and-compliance-the-2026-map\/"},"modified":"2026-03-26T12:22:50","modified_gmt":"2026-03-26T11:22:50","slug":"ai-act-us-state-laws-and-compliance-the-2026-map","status":"publish","type":"insights","link":"https:\/\/askme.it\/en\/insights\/ai-act-us-state-laws-and-compliance-the-2026-map\/","title":{"rendered":"AI Act, US state laws, and compliance: the 2026 map"},"content":{"rendered":"
\n

In 2026, anyone using or developing AI systems must deal with a regulatory landscape that has grown complex rapidly. The United States still lacks a federal AI law: the administration’s AI Action Plan, published in July 2025, aims to foster innovation by removing governance constraints, but this deregulatory approach does not simplify life for organizations. Without a federal standard, each state can legislate independently, creating a patchwork of obligations that companies operating across multiple jurisdictions must monitor and comply with individually.<\/p>\n

In 2025, legislators in all 50 states introduced AI-related bills. Concrete measures were passed in 38 states.<\/p>\n

Laws already in effect in the US<\/h2>\n

Four US jurisdictions already have operational rules that impact the use of AI in business contexts.<\/p>\n

The Colorado AI Act applies to developers and deployers of high-risk AI systems in areas such as employment, credit, and housing. It requires consumer notification when AI makes “consequential” decisions, annual impact assessments on algorithmic discrimination risk, and a risk management program aligned with recognized frameworks such as NIST. Violations are classified as unfair business practices, with fines up to $20,000 per violation. The effective date, initially set for February 2026, was postponed to June 2026.<\/p>\n

The Illinois Human Rights Act applies to employers in the state that use AI in HR processes. It requires informing candidates and employees when AI is used in hiring, promotion, or evaluation decisions. There is a 30-day window to correct violations before formal penalties apply.<\/p>\n

NYC Local Law 144 has been in effect since January 2023 and applies to employers and employment agencies in New York City that use automated tools for employment decisions. It requires an annual bias audit, the results of which must be published on the company’s website. Six months after the law took effect, a joint study by Cornell University and Consumer Reports found that the majority of in-scope companies had not published audits, claiming they did not fall within the law’s scope.<\/p>\n

The Utah AI Policy Act, in effect since May 2024, requires regulated professions \u2014 accounting, dentistry, podiatry, and others \u2014 to inform consumers when they are interacting with generative AI. In June 2025, Texas passed a similar measure extended to government agencies and healthcare providers.<\/p>\n

The EU AI Act: the broadest standard and the highest penalties<\/h2>\n

The EU AI Act applies to public and private organizations based in the EU, and to those operating in the EU even if not headquartered there. It is structured around a risk-based approach: prohibited uses, high-risk uses with stringent obligations, and low-risk uses with lighter obligations.<\/p>\n

Among the absolute prohibitions: AI systems that manipulate users’ free will, “social scoring” systems, and \u2014 with some exceptions for law enforcement \u2014 emotion recognition in workplace and educational settings.<\/p>\n

For high-risk uses \u2014 which include most AI applications with impact on people \u2014 the law requires conformity assessments, Fundamental Rights Impact Assessments, human oversight, and documentation of testing and monitoring processes.<\/p>\n

Penalties follow a progressive scale: up to 7% of annual global revenue for the most serious violations. The Act builds on the foundations of the GDPR, meaning that organizations already compliant with European privacy regulations have a head start: many of the required risk assessment processes overlap.<\/p>\n

Three common principles to simplify compliance<\/h2>\n

Despite the differences among various laws, a comparative analysis identifies three recurring principles that guide the regulatory approach in both the US and the EU: transparency, risk management, and fairness.<\/p>\n

On transparency, nearly all regulations require that consumers be informed when they interact with AI systems or when decisions affecting them involve automated processes. The form and context vary, but the principle is shared.<\/p>\n

On risk management, Colorado and the EU AI Act go further than other US laws, requiring formal risk assessments and structured management programs. Other US states do not yet have specific obligations in this area, but proposals under discussion in California, Virginia, and Washington follow a similar approach.<\/p>\n

On fairness, NYC, Colorado, and the EU AI Act require measures against algorithmic discrimination, with different approaches: mandatory audits in NYC, documentation for high-risk systems in Colorado, and bias risk assessment in the EU AI Act.<\/p>\n

How to move forward in 2026<\/h2>\n

Those who must manage compliance across multiple jurisdictions have two options: differentiated policies for each jurisdiction, or a global policy aligned with the most stringent standards. The second option is often more efficient, even though it entails more extensive obligations in jurisdictions with lesser requirements.<\/p>\n

Organizations already compliant with the EU AI Act find themselves at an advantage in the US as well: state legislators have explicitly drawn from the European risk-based approach, and the processes already in place for European compliance largely cover American state requirements.<\/p>\n

Legislative monitoring has become a structured activity. 47% of legal executives plan to strengthen their regulatory tracking processes over the next 12 to 18 months. The states to watch most closely are California, Connecticut, Maryland, and New York. More than 60 US state legislators have been collaborating since 2022 to coordinate their regulatory initiatives: in an open letter in December 2024, they reiterated the need to address AI risks and build consumer trust.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"

Without a US federal AI law, states are legislating on their own. Colorado, Illinois, New York, and Utah already have rules in effect. The EU AI Act sets the highest standard. How to navigate 2026.<\/p>\n","protected":false},"featured_media":34436,"menu_order":0,"template":"","insights_category":[563],"insights_tags":[587,617,671,733,863],"class_list":["post-34434","insights","type-insights","status-publish","has-post-thumbnail","hentry","insights_category-ai-and-regulation","insights_tags-ai-act-en","insights_tags-ai-regulation","insights_tags-compliance-en","insights_tags-governance-en","insights_tags-us-state-laws"],"acf":[],"_links":{"self":[{"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/insights\/34434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/insights"}],"about":[{"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/types\/insights"}],"version-history":[{"count":1,"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/insights\/34434\/revisions"}],"predecessor-version":[{"id":34435,"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/insights\/34434\/revisions\/34435"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/media\/34436"}],"wp:attachment":[{"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/media?parent=34434"}],"wp:term":[{"taxonomy":"insights_category","embeddable":true,"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/insights_category?post=34434"},{"taxonomy":"insights_tags","embeddable":true,"href":"https:\/\/askme.it\/en\/wp-json\/wp\/v2\/insights_tags?post=34434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}