US AI Laws 2026: 25 State Acts, Zero Federal Law

Published April 29, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

In the last two weeks of March 2026, governors in seven states signed 19 new AI laws, bringing Q1 2026’s total to 25 state AI laws enacted. With no comprehensive federal AI statute enacted and the Trump administration’s preemption push facing bipartisan resistance, enterprises deploying AI across multiple US states now navigate a compliance burden spanning at least six distinct obligation categories across 25+ laws.

Bottom Line: Enterprise compliance teams should build a jurisdiction-agnostic AI risk registry, adopt Colorado’s AI Act as their compliance baseline (the most substantive state framework, effective June 30, 2026), and pre-build a 72-hour incident reporting workflow to meet New York’s RAISE Act requirements — waiting for federal preemption is not a viable compliance strategy.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
Medium
▾

Algerian companies selling AI products to US enterprise customers need to understand the compliance requirements their customers face — Colorado’s AI Act and New York’s RAISE Act affect procurement decisions and vendor due diligence in ways that directly impact Algerian B2B software exports.

Infrastructure Ready?
Partial
▾

Technical compliance capabilities (NIST AI RMF alignment, impact assessments, incident logging) are not standard practice in Algerian software development but can be adopted given the right frameworks and client contracts requiring it.

Skills Available?
Partial
▾

US regulatory legal expertise is scarce in Algeria; however, the NIST AI RMF framework is publicly documented and widely applicable — Algerian developers building for US enterprise clients can adopt its practices with training rather than full legal specialization.

Action Timeline
12-24 months
▾

Colorado’s AI Act is effective June 30, 2026; New York’s RAISE Act amendments are effective now. Algerian companies with US enterprise clients should understand which obligations fall on their clients and design their products to support client compliance.

Key Stakeholders
Enterprise compliance officers, US-market Algerian SaaS exporters, B2B AI product teams

Decision Type
Educational
▾

This article provides a structured overview of the US AI compliance landscape that Algerian companies with US customers or US-market ambitions need to understand when designing their compliance posture and client contracts.

Quick Take: Algerian B2B software companies serving US enterprise customers should ask their clients which state AI laws apply to their use of the vendor’s product, understand whether Colorado’s impact assessment requirements or New York’s incident reporting obligations will affect the contract terms, and begin building NIST AI RMF-aligned documentation as a standard deliverable for enterprise deals.

The Count: 25 Laws, Seven States, Two Weeks

The acceleration of US state AI legislation in Q1 2026 was not a gradual trend — it was an event. In the final two weeks of March 2026, governors in seven states — including Utah, Washington, and New York — signed 19 new AI laws in 14 days, according to analysis by Swept AI. Combined with earlier Q1 enactments, the quarter closed with 25 state AI laws signed, representing more AI-specific legislation than the entire prior year.

Utah’s Governor Spencer Cox signed nine bills in that two-week window alone — covering AI disclosure requirements, consumer protection rules for AI-generated content, and sector-specific restrictions in healthcare and insurance. Washington’s Governor Bob Ferguson signed HB 1170 and HB 2225, with HB 1170 introducing mandatory “latent disclosure” requirements for AI-generated content distributed by providers serving more than one million monthly users. New York’s Governor Hochul signed amendments to the RAISE Act (which itself was originally signed in December 2025), with the amended version requiring platforms to report critical AI safety incidents to the state within 72 hours of determination.

The legislative surge is the product of a specific political dynamic: the Trump administration’s December 2025 executive order directed the federal government to preempt state AI regulations that “unduly burden” lawful AI development, and the White House’s March 2026 National Policy Framework for Artificial Intelligence formally recommended that Congress enact federal preemption of conflicting state laws. Rather than deterring state action, the preemption signals appear to have accelerated it — state legislatures are racing to establish frameworks before any federal preemption law could be enacted.

What the Laws Actually Require

The 25 state laws enacted in Q1 2026 are not uniform. They span at least six distinct compliance categories, and the obligations in each category vary significantly by state. Understanding the substantive landscape requires looking beyond the headline count.

Transparency and disclosure obligations are the most common category. Washington’s HB 1170 requires providers of AI-generated or AI-modified content who serve more than one million monthly users to embed “latent disclosures” — machine-readable metadata that identifies AI origin — in distributed content. California’s AI transparency measures require disclosure when AI systems are used in consequential consumer interactions. New York’s chatbot disclosure requirements mandate that operators disclose when a user is interacting with an AI system.

Automated decision-making restrictions represent the most substantive compliance burden. Colorado’s AI Act (SB 24-205, effective June 30, 2026) requires developers and deployers of “high-risk AI systems” — defined as systems used in consequential decisions about employment, education, housing, credit, healthcare, and legal proceedings — to implement risk management programs aligned with the NIST AI Risk Management Framework, conduct annual impact assessments, and maintain three-year record retention. A March 2026 working group draft proposed narrowing the definition to “covered automated decision-making technology,” which could reduce scope, but the current statutory text remains in force.

Sector-specific restrictions in healthcare and insurance are proliferating rapidly. Texas’s healthcare AI restrictions and California’s AB 853 introduce phased compliance timelines for AI systems used in clinical decision support and insurance underwriting. New York’s 72-hour incident reporting requirement for the RAISE Act’s covered AI systems creates an operational monitoring obligation that has no federal equivalent.

Criminal liability for AI-generated harmful content has been established in multiple states, covering non-consensual AI-generated intimate imagery (deepfakes), election interference through AI-generated political content, and AI-assisted fraud. These provisions are largely beyond the scope of enterprise AI compliance programs but affect any platform that hosts user-generated or AI-generated content.

The Federal Preemption Question

The Trump administration’s position on federal preemption is formally stated in the March 2026 National Policy Framework for Artificial Intelligence: Congress should preempt state laws relating to AI development that “unduly burden” lawful activity. The administration has also indicated willingness to pursue “executive and enforcement channels” — including potential Department of Justice challenges to state laws — in the absence of congressional action.

The challenge for the preemption strategy is that it requires legislative action, and the legislative path is narrow. As Morgan Lewis noted in their April 2026 analysis, no comprehensive federal AI statute has been enacted, and the bipartisan composition of state AI law supporters complicates any federal preemption bill. Republican-led states including Utah, Texas, and Georgia have enacted their own AI regulations — states whose senators and representatives would be voting against preemption legislation that would nullify their own governors’ actions.

The result is a structural stalemate. The federal government does not want states regulating AI but cannot pass legislation to preempt them. States believe federal regulation will be too permissive and are legislating proactively. Enterprises cannot legally ignore state laws pending a preemption outcome that may be years away — or may never come.

Morgan Lewis’s analysis notes that federal enforcement through existing authorities — FTC Act Section 5 for unfair or deceptive AI practices, SEC disclosure rules for material AI risks, False Claims Act liability for government contractors, and antitrust enforcement for AI market concentration — continues regardless of the preemption debate. This means enterprises face both a proliferating state compliance burden and an active federal enforcement environment, not a trade-off between the two.

What Enterprise Compliance Teams Should Do About It

The compliance challenge created by 25+ state laws with heterogeneous requirements is not a problem of understanding each law individually. It is a problem of building an AI governance architecture that can accommodate variation across jurisdictions without requiring a custom compliance program per state.

1. Build a Jurisdiction-Agnostic AI Risk Registry

The foundational step is an internal registry of every AI system deployed by the organization, catalogued by: intended use case, decision categories it affects (employment, credit, healthcare, housing, etc.), US states where users or affected persons are located, and the law-specific classification in each applicable jurisdiction.

Colorado’s high-risk definition, New York’s RAISE Act covered systems, and California’s transparency requirements each use different classification criteria. A registry that captures use case, affected decision category, and user geography enables a single mapping exercise to determine which laws apply to which systems, rather than re-analyzing the full system portfolio for each new state law.

2. Adopt Colorado-Plus as Your Compliance Baseline

Colorado’s AI Act is currently the most substantive state AI law in the country — it requires NIST AI RMF alignment, annual impact assessments, and three-year records retention. Designing a compliance program that meets Colorado’s requirements and then layering state-specific additions (New York’s 72-hour incident reporting, Washington’s latent disclosure) on top creates a defensible baseline that covers most scenarios.

The “Colorado-plus” approach mirrors the GDPR-as-baseline strategy that enterprises adopted for US state privacy law compliance after 2018: meet the most demanding framework, add state-specific variations as modules. It is the most cost-efficient architecture for an enterprise facing 25+ heterogeneous frameworks.

3. Wire Incident Detection to a 72-Hour Reporting Workflow

New York’s RAISE Act amendment requires reporting of critical AI safety incidents within 72 hours of the organization determining that an incident has occurred. This is stricter than most data breach notification laws (which typically allow 30-72 hours from discovery, not determination) and requires a pre-built workflow — not an ad-hoc process improvised after an incident.

Compliance teams should define: what constitutes a “critical AI safety incident” under the applicable definitions, who in the organization has authority to make the determination, what the notification process to the New York state authority looks like, and whether the same incident would trigger notification obligations in other jurisdictions (EU, California). The 72-hour clock rewards organizations with pre-built playbooks and penalizes those without them.

The Correction Scenario

The obvious question for enterprise compliance teams is whether to build the Colorado-plus program now, knowing that federal preemption could retroactively simplify the landscape within 1-3 years. The correction scenario — where Congress passes preemption legislation and 20+ state laws are nullified — is possible but not plannable.

The cost of building a compliance program that turns out to be over-engineered (because preemption passed) is manageable: documented AI governance, risk registries, and impact assessment processes are operationally useful even in the absence of legal obligations. The cost of not building a compliance program and having preemption fail is asymmetric: enforcement actions, state attorney general investigations, and reputational risk from being publicly identified as non-compliant with minors-protection or employment-AI laws.

The 25-law Q1 2026 count is not the ceiling. Across 45 states, legislators have introduced 1,561 AI-related bills as of early 2026. The legislative pipeline will continue to generate new obligations faster than any preemption effort can proceed through Congress. For enterprise compliance, the working assumption must be: the fragmentation is permanent, and the governance architecture must be built to manage it.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

What is the difference between Colorado’s AI Act and New York’s RAISE Act?

Colorado’s AI Act (SB 24-205, effective June 30, 2026) is a comprehensive framework covering all high-risk AI systems used in consequential decisions — employment, education, credit, housing, healthcare — and requires risk management aligned with NIST AI RMF, annual impact assessments, and three-year record retention. New York’s RAISE Act (signed December 2025, amended March 2026) focuses on AI safety incidents and requires organizations to report critical incidents to state authorities within 72 hours of determining an incident has occurred. The two laws have different triggers, scope definitions, and compliance obligations — enterprises in both states need separate analyses.

Can enterprises legally wait for federal preemption before building state compliance programs?

No. State AI laws are valid and enforceable from their effective dates. Federal preemption legislation would need to pass Congress, be signed by the President, and survive potential constitutional challenges before it could override state laws — a process that could take years or may never complete. State attorneys general and regulators can enforce their state laws today. The White House’s March 2026 Policy Framework recommending preemption is not law; it is a legislative recommendation. Enterprises that rely on preemption as a compliance strategy face enforcement exposure during any gap.

How does the NIST AI Risk Management Framework relate to state AI compliance requirements?

The NIST AI Risk Management Framework (AI RMF), published in January 2023, is a voluntary guidance document that provides a structured approach to identifying, assessing, and managing AI risks. Colorado’s AI Act is the first US state law to explicitly align its compliance requirements with the NIST AI RMF, requiring developers of high-risk AI systems to implement risk management practices “conforming with generally accepted industry standards,” with the NIST AI RMF cited as the reference standard. Enterprises that implement the NIST AI RMF as their internal AI governance baseline are well-positioned to meet Colorado’s requirements and have a defensible compliance argument in other jurisdictions that assess AI governance practices.