US State Level AI Regulations

How State-by-State Compliance is Reshaping Enterprise Strategy

U.S. AI regulation is here and fragmented. By 2030, 50% of the U.S. population will be covered under state-level AI regulations—up from 18% today. With Congress's Big Beautiful Bill passing and the Senate rejecting a 10-year moratorium on state regulations, enterprises face a complex compliance landscape that demands immediate strategic action.

The business implications are clear: what's lawful in Austin may be banned in Sacramento. What's required in Denver may be irrelevant in Boston. Organizations unprepared for this regulatory patchwork risk operational disruption, legal exposure, and competitive disadvantage.

The Strategic Challenge: Three States, Three Approaches

Quick Summary Table

‍

Key Features

Three states exemplify the regulatory divergence enterprises must navigate:

Colorado's Consumer AI Act (CAIA)

• Targets "high-risk" systems affecting hiring, housing, education, and healthcare
• Imposes "duty of reasonable care" on developers and deployers
• Requires impact assessments, transparency notices, and consumer appeal rights
• First U.S. law of its kind focusing on algorithmic discrimination prevention
• Effective February 1, 2026
• https://leg.colorado.gov/bills/sb24-205

Texas Responsible AI Governance Act (TRAIGA)

• Focuses on government agency AI systems with specific prohibited uses
• Bans manipulation, "social scoring," and biomarker discrimination
• Requires healthcare AI disclosure to patients
• Includes unique "AI Sandbox" for safe innovation testing
• Signed June 23, 2025
• https://capitol.texas.gov/tlodocs/89R/analysis/html/HB00149S.htm

California Generative AI: Training Data Transparency (AB 2013)

• Mandates transparency for generative AI training datasets
• Requires developers to post data information on websites
• Accompanied by additional AI laws (AB 3030, SB 942, SB 1120)
• Addresses deepfakes, AI watermarking, and misinformation
• Enacted September 2024
• https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240AB2013

Arkansas Generative AI Ownership Act (H 1876)

This Arkansas legislation establishes ownership rules for content and models created using generative artificial intelligence tools:

‍Individual Use: A person who inputs prompts or data into a generative AI tool:

• Owns the generated content, if it does not infringe on existing IP.
• Owns the trained model, if the training data is lawfully obtained and no contract transfers ownership.

Employment Use: If an employee uses generative AI as part of their job:

• The employer owns the generated content and model outputs.
• This applies only if the work is within the employee’s job duties and under the employer’s control.

Intellectual Property Limits: No ownership is granted for content that infringes on existing copyrights or IP rights.

• https://custom.statenet.com/public/resources.cgi?mode=show_text&id=ID:bill:AR2025000H1876

Montana Right to Compute Act (SB 212)

This act establishes the Right to Compute as a protected right under Montana law, affirming individuals' and organizations’ ability to own and use computational resources. It also sets governance requirements for artificial intelligence (AI) systems used in critical infrastructure.

Right to Compute:

• The act affirms that using computational resources (e.g., software, algorithms, hardware, machine learning) is protected under Montana’s constitutional rights to property and free expression.
• Government restrictions on this right must be narrowly tailored to serve a compelling interest.

AI Risk Management for Critical Infrastructure:

Entities deploying critical AI systems in critical infrastructure must create a risk management policy using standards such as:

• NIST AI Risk Management Framework
• ISO/IEC 4200
• Federal compliance plans are accepted as valid.

Definitions:

• Computational resources include tools and infrastructure for data use, from machine learning to cryptography.
• Critical AI refers to systems involved in making consequential decisions, excluding narrow-use or procedural technologies.
• Deployer is the person or entity operating an AI system.
• Government actions refer to laws or rules that restrict the use of computational tools.
• Compelling interest examples include fraud prevention, protection from deepfakes, and cybersecurity.
• https://bills.legmt.gov/#/laws/bill/2/LC0292?open_tab=sum

Utah Artificial Intelligence Consumer Protection Amendments (SB 226)

This law regulates the use of generative artificial intelligence (GenAI) in consumer transactions and licensed professional services. It introduces disclosure rules, defines liability, and grants enforcement authority to the Division of Consumer Protection.

Definitions and Scope:

• Generative AI is defined as AI that produces non-scripted, human-like responses via text, audio, or visuals with limited oversight.
• Applies to consumer transactions and regulated occupations (e.g., law, finance, healthcare).

Disclosure Requirements:

• Suppliers must disclose GenAI use if directly asked by a consumer.
• Professionals in licensed occupations must disclose GenAI use at the start of verbal or written interactions if the use qualifies as a high-risk AI interaction, such as handling health, financial, or legal data.

Safe Harbor Provision:

• Businesses that proactively and clearly disclose GenAI use at the start and throughout interactions may qualify for legal protection from enforcement under certain conditions.

Liability and Enforcement:

• GenAI use does not excuse violations of consumer protection lawsThe Division of Consumer Protection may impose fines up to $2,500 per violation and take legal action, including seeking injunctive relief and restitution.
• Civil penalties up to $5,000 per violation may apply for court or administrative order violations.
• Courts may award attorney fees, costs, and investigative fees to the state.

Administration:

• The Division of Consumer Protection administers and enforces the law.
• The Attorney General provides legal support and may impose civil penalties.
• The act does not preempt other state or federal remedies.
• https://le.utah.gov/~2025/bills/static/SB0226.html

Business Impact Analysis

Financial Exposure

The EU AI Act, already in force, demonstrates the financial stakes with penalties scaling to company size and revenue. U.S. state regulations, while varied in enforcement mechanisms, create similar exposure through consumer lawsuits and regulatory penalties.

Operational Complexity

Multi-state compliance requires:

• AI system inventorying across all jurisdictions
• Risk assessment frameworks adapted to each state's definitions
• Documentation systems for impact assessments and audit trails
• Governance structures defining accountability and oversight

Competitive Positioning

Organizations implementing comprehensive AI governance now gain competitive advantages:

• Faster market entry with pre-built compliance frameworks
• Enhanced consumer trust through transparency
• Reduced legal and operational risks
• Scalable innovation within regulatory guardrails

What Regulation Means for Enterprise AI Strategy

Immediate Requirements

1. Visibility: Inventory AI models in production, their decisions, usage locations, and user bases
2. Control: Establish governance frameworks defining system accountability and standards
3. Assurance: Document impact assessments, lineage tracking, and audit logs

Compliance Framework Alignment

Organizations must align with established standards—NIST's AI Risk Management Framework, ISO 42001, or internal frameworks—while adapting to state-specific requirements.

The ModelOp Advantage

ModelOp's AI lifecycle automation and governance software addresses these challenges by enabling organizations to:

• Bring all AI initiatives (GenAI, ML, regression models) to market faster
• Scale AI operations with end-to-end control and oversight
• Ensure compliance across multiple regulatory frameworks
• Realize value from AI investments while maintaining governance

EU AI Act Comparison: Global Context

The EU AI Act provides a regulatory benchmark with its multi-tiered, risk-based approach categorizing AI systems into four levels: unacceptable risk, high risk, limited risk, and minimal risk. While U.S. state laws draw inspiration from this model, they lack the EU's regulatory depth and extraterritorial reach.

However, global corporations operating in both regions must navigate overlapping requirements, making comprehensive governance platforms essential for consistent compliance.

Strategic Recommendations for Leadership

For C-Suite Executives

1. Immediate Action: Assess current AI portfolio and regulatory exposure
2. Resource Allocation: Budget for compliance infrastructure and governance platforms
3. Strategic Positioning: Leverage early compliance as competitive advantage
4. Board Communication: Prepare regulatory risk assessments and mitigation strategies

For Compliance Teams

1. Jurisdiction Mapping: Identify applicable regulations by operational geography
2. Gap Analysis: Compare current practices against state requirements
3. Implementation Planning: Develop compliance roadmaps with clear timelines
4. Tool Evaluation: Assess governance platforms supporting multi-state compliance

The Path Forward: Governance as Innovation Enabler

AI governance isn't about slowing innovation—it's about protecting and accelerating it. Organizations with robust governance frameworks can:

• Navigate regulatory changes with confidence
• Scale AI initiatives faster through standardized processes
• Build consumer trust through transparency
• Maintain competitive advantage through compliant innovation

Conclusion

Red, blue, or purple state doesn't matter. AI regulation in the U.S. is real, enforceable, and expanding. Organizations that embed AI governance into operations now will accelerate their AI innovation while staying ahead of regulatory requirements and competitors.

The regulatory tide won't turn back. The question isn't whether to prepare—it's whether your organization will lead or follow in this new era of regulated AI innovation.

Pete Foley is CEO of ModelOp, the leading AI lifecycle automation and governance software purpose-built for enterprises. ModelOp enables organizations to bring all their AI initiatives—from GenAI and ML to regression models—to market faster, at scale, and with the confidence of end-to-end control, oversight, and value realization.