The Framework That Triggered the Battle
On 20 March 2026, the White House released a National Policy Framework for Artificial Intelligence, outlining nonbinding legislative recommendations across seven priority areas — including a specific recommendation for targeted state preemption. The framework argues that a patchwork of incompatible state AI laws creates “undue burdens” that harm innovation competitiveness, and it calls for federal law to establish a unified national standard.
The preemption proposal did not emerge in isolation. President Trump had signed an executive order on 11 December 2025 directing federal agencies to identify and challenge state AI laws deemed inconsistent with national policy. The Commerce Department was due to publish an evaluation of “onerous” state laws by 11 March 2026 — a deadline that passed without the report being released, leaving the enforcement timeline undefined.
The framework’s seven priority areas include child safety, community protections for AI data center energy costs, intellectual property, free speech, innovation sandboxes, workforce development, and federal governance. The preemption recommendation sits within the innovation priority, framed as necessary to prevent regulatory fragmentation from driving AI development offshore.
The States That Are Not Waiting
Four states have maintained active forward momentum on AI legislation despite the federal preemption push:
Colorado — The Colorado AI Act (SB 24-205) enters enforcement June 30, 2026, following a postponement from its original February 1 date. It requires documented impact assessments, risk management programs, and consumer disclosure for high-risk AI systems making consequential decisions in employment, housing, financial services, healthcare, and education. Violations carry penalties of up to $20,000 per incident, with enforcement by the Colorado Attorney General.
California — Multiple laws are already in effect as of January 1, 2026, including the California AI Transparency Act (SB 942, requiring labelling of AI-generated content) and the Training Data Transparency Act (AB 2013, requiring developers to publish training data summaries). The California Frontier AI Act is also advancing through the legislature.
Texas — The Responsible Artificial Intelligence Governance Act (TRAIGA) took effect January 1, 2026, applying requirements to high-impact AI systems with similarities to Colorado’s framework.
Utah — Advanced its own AI disclosure and transparency framework, joining the cluster of states that are building compliance infrastructure independently of federal guidance.
In direct legislative response to the White House framework, Representative Beyer introduced the GUARDRAILS Act on 20 March 2026 — the same day the framework was released — to repeal the administration’s executive order and explicitly block state preemption efforts. Senator Schatz announced companion Senate legislation. The congressional opposition makes federal preemption through legislation uncertain even with administration support.
Advertisement
What Enterprises Are Actually Facing
The compliance paradox enterprises face is this: the federal framework recommends preemption but has not enacted it, while state laws are already operative and carrying enforcement penalties. The Vorys analysis of the governance battle is explicit: “state privacy statutes remain operative and businesses must continue to comply with existing state requirements unless and until federal preemption issue is clarified.”
What Enterprises Should Do
1. Build Compliance to the Highest Active State Standard — Don’t Assume Federal Relief
The most operationally stable path is to build AI governance infrastructure that satisfies the requirements of the strictest currently-operative state law — Colorado’s SB 24-205, with its documented impact assessments and risk management programs. A compliance program built to Colorado’s standard will satisfy the requirements of Texas TRAIGA, California’s transparency laws, and any other state framework currently in force. It also positions the company for any eventual federal standard, which is unlikely to be more demanding than Colorado’s existing requirements.
Companies that pause compliance investment waiting for federal preemption are not neutrally positioned — they are accumulating enforcement exposure in states where the law is already in force. Colorado’s Attorney General has exclusive enforcement authority and can pursue penalties of up to $20,000 per violation beginning June 30, 2026.
2. Build a Multi-Jurisdiction AI System Inventory Now
The foundational compliance action that every enterprise needs — regardless of which state laws apply — is a comprehensive inventory of all AI systems in use, classified by risk level and geographic deployment. The secureprivacy.ai analysis found that approximately 65% of enterprise AI tools operate without IT oversight, increasing average data breach costs by $670,000. Shadow AI is not a compliance curiosity — it is the primary compliance exposure for most enterprises.
Build the inventory, classify each system against the high-risk categories defined in Colorado SB 24-205 and Texas TRAIGA (employment, housing, financial services, healthcare, education, insurance, legal services), and assign compliance ownership. This inventory is the prerequisite for every other compliance action: impact assessments, risk management programs, consumer disclosures, and opt-out mechanisms all require knowing which systems are in scope.
3. Engage Legal Counsel on the Constitutional Battle — and Hedge for Both Outcomes
The White House framework acknowledges that states retain police powers and zoning authority even under the proposed preemption regime. The constitutional question of whether Congress can preempt comprehensive state AI regulation under the Commerce Clause is genuinely unsettled, and the GUARDRAILS Act opposition demonstrates this is a multi-year legal and legislative fight. The Justice Department’s AI Litigation Task Force is building the legal strategy for the federal side — enterprises should engage outside counsel to track which state laws are being contested and how that affects their specific compliance obligations.
The hedging strategy: build impact assessment and disclosure infrastructure that satisfies current state requirements (immediate), while designing governance architecture that can scale to accommodate a future federal standard (medium-term). The governance investments are not wasted regardless of preemption outcome — they are table stakes for deploying AI systems in consequential decision contexts.
The Regulatory Question That Frames It All
The fundamental tension in the AI preemption battle is not innovation versus regulation — it is uniformity versus responsiveness. Federal preemption delivers a single national standard that reduces enterprise compliance costs. State-level regulation delivers faster response to locally-identified harms, but at the cost of fragmented compliance obligations.
The EU resolved this with the EU AI Act’s tiered risk framework, achieving uniformity across 27 member states without preempting national authorities on risk classification decisions. The U.S. dynamic is moving toward a similar tiered outcome, but through a messier constitutional process: federal floors with state ceilings, contested in federal court, with enforcement timelines that shift as political priorities change.
Enterprises that build governance infrastructure now — rather than waiting for legal certainty — are making the operationally correct bet. The companies facing the most acute exposure in 2026 are not those that built prematurely rigorous compliance programs. They are the ones deploying consequential AI systems in Colorado, Texas, or California without documented impact assessments, operating on the assumption that federal preemption will arrive before enforcement does.
Frequently Asked Questions
What is the White House AI preemption proposal and does it have legal force yet?
The March 2026 White House framework is a nonbinding set of legislative recommendations — it has no current legal force. Preemption would require an act of Congress. The framework recommends that Congress preempt state AI laws imposing “undue burdens,” but Democratic opposition (including the GUARDRAILS Act introduced March 20, 2026) makes passage uncertain. State AI laws like Colorado SB 24-205 and Texas TRAIGA are legally operative today regardless of the federal proposal.
Which companies are at most risk from the current state AI law landscape?
Companies deploying AI systems that make consequential decisions in employment, housing, financial services, healthcare, insurance, education, or legal services in Colorado or Texas face the most immediate exposure. Colorado SB 24-205 enforcement begins June 30, 2026 with penalties of up to $20,000 per violation. California’s transparency and training data disclosure requirements are already in effect as of January 1, 2026 and apply to AI developers distributing systems in California.
What is the single most important compliance action enterprises should take in 2026?
Building a comprehensive AI system inventory — documenting every AI tool in use, including shadow AI not managed by IT — is the prerequisite compliance action. Without knowing which systems exist and which decisions they influence, companies cannot conduct impact assessments, assign compliance ownership, or demonstrate the “reasonable care” standard that Colorado’s SB 24-205 requires of high-risk AI deployers.
Sources & Further Reading
🔗 Related Intelligence
The White House AI Framework: Preemption, States, and the Fight for a Single US Rulebook
US AI Regulation Patchwork: How Federal Preemption Battles Are Reshaping Enterprise Compliance
US AI Regulation 2026: 25 State Laws in Q1 as Federal Preemption Stalls
US State AI Laws 2026: Navigating the Compliance Patchwork Before It Fragments Further
