State AI Laws: What Every U.S. State Has Passed, Proposed, or Pending (2026)

Last Updated: May 28, 2026

By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity

U.S. legislatures have moved decisively to fill the regulatory void left by limited federal action on artificial intelligence (AI). In 2025 alone, 1,208 AI-related bills were introduced across all 50 states, with 145 enacted into law. According to the National Conference of State Legislatures (NCSL), 38 states adopted or enacted around 100 AI-related measures in 2025. The pace has only accelerated: as of March 2026, lawmakers in 45 states had introduced 1,561 AI-related bills, already surpassing the total volume from all of 2024.

These state-level initiatives reveal several distinct approaches to AI governance, with regulations ranging from comprehensive to narrowly targeted.

Update History

May 28, 2026: Added Illinois SB 315 frontier AI safety bill sent to Gov. Pritzker; updated Colorado SB 26-189 signed status; added Georgia SB 540 and SB 444 signed by Gov. Kemp; launched dedicated chatbot laws page.

May 27, 2026: Added New York preemption pushback and updated federal trends.

May 9, 2026: Added Connecticut AIRT Act, Colorado litigation and replacement bill, Washington 2026 laws, Michigan SB 760, Iowa and other state developments; separated federal and international content into a dedicated page.

Feb. 23, 2026: Updated compliance dates, TAKE IT DOWN Act platform deadline, New York RAISE Act chapter amendment, 2026 trends.

AI Compliance Dates

Note: Dates are subject to change. Several states have delayed implementation to refine requirements. Colorado's SB 26-189 was signed May 14, 2026, but enforcement awaits attorney general rulemaking. Check individual state resources for the most current information.

Quick Navigation

Risks Driving Regulatory Urgency

The regulatory landscape has been influenced by growing concerns about AI's potential long-term risks. In May 2023, over 350 AI executives, researchers, and engineers signed a statement warning that "mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war." Signers included leaders from OpenAI, Google DeepMind, and Anthropic. This unprecedented warning from the very architects of advanced AI systems has added urgency to regulatory discussions.

A 2024 report commissioned by the U.S. State Department concluded advanced AI systems could, in a worst-case scenario, "pose an extinction-level threat to the human species," based on interviews with executives from leading AI companies, cybersecurity researchers, and national security officials. These high-profile warnings have accelerated debate about appropriate governance frameworks to address both near-term harm and long-term safety concerns.

California: Leading with Comprehensive Regulation

California remains the most active state in AI regulation, enacting 24 AI-related laws across the 2024 and 2025 legislative sessions. While Gov. Gavin Newsom vetoed several high-profile bills, including SB 1047 (Safe and Secure Innovation for Frontier Artificial Intelligence Models Act) and SB 7 (No Robo Bosses Act), the state has pursued targeted regulations across multiple domains.

Check out a comprehensive list of California AI regulations.

Transparency Requirements

The California AI Transparency Act (SB 942) mandates AI systems publicly accessible within California with more than 1 million monthly visitors implement comprehensive measures to disclose when content has been generated or modified by AI. This Act establishes requirements for AI detection tools and content disclosures, with penalties of $5,000 per violation per day for noncompliance. The effective date has been delayed from Jan. 1, 2026, to Aug. 2, 2026, following passage of AB 853. AB 853 also expands SB 942 to add requirements applicable to large online platforms and capture device manufacturers, with those obligations taking effect Jan. 1, 2027, and Jan. 1, 2028, respectively.

The Generative Artificial Intelligence Training Data Transparency Act (AB 2013), effective Jan. 1, 2026, requires developers of generative AI systems intended for public use in California to publish high-level information about the training data used, including dataset summaries, intellectual property and privacy flags, and processing history. Industry stakeholders have noted that the law took effect without enforcement guidance from the California attorney general, and that clear compliance patterns have not yet emerged around the format and level of detail required.

California enacted SB 53 (Transparency in Frontier Artificial Intelligence Act) in September 2025, targeting large frontier developers with annual revenue exceeding $500 million. The law requires disclosure of risk management protocols and transparency reports about frontier models, with reporting requirements for critical safety incidents and whistleblower protections for employees who report safety concerns. The law took effect Jan. 1, 2026.

Also effective Jan. 1, 2026, AB 489 (Health Care Professions: Deceptive Terms or Letters: Artificial Intelligence Act) prohibits AI systems from falsely claiming health care licenses or credentials and requires disclosures when AI communicates directly with patients in a health care context.

The California Privacy Protection Agency's automated decision-making technology (ADMT) regulations, effective Jan. 1, 2026, require businesses using automated decision-making for significant decisions to conduct and document risk assessments. The broader consumer opt-out rights and pre-use notice obligations under those regulations phase in April 1, 2027. Companies subject to California's CPRA obligations should review whether their AI-driven decision tools trigger these requirements now.

Companion Chatbot Regulation

The state also passed SB 243 regulating companion chatbots, requiring operators to disclose when users are interacting with AI rather than humans and maintain protocols to prevent production of self-harm content. The law applies to AI systems "capable of meeting a user's social needs" and requires that reasonable persons would not be misled into believing they're interacting with a human. California provides an exception for chatbots used only for customer service. For a full breakdown of every enacted state chatbot law, see our State AI Chatbot Laws guide.

Deepfakes and Explicit Content

California has approved numerous regulations addressing deepfakes and explicit content. SB 926 criminalizes the creation or distribution of AI-generated sexually explicit images with intent to cause serious emotional distress. SB 981 requires social media platforms to establish reporting mechanisms for deepfake nudes, with requirements to temporarily block such content during investigation and permanently remove it if confirmed. AB 1831 expands child pornography laws to include AI-generated content. AB 1836 protects digital replicas of deceased performers from unauthorized AI reproduction.

Election Integrity

For election integrity, AB 2655 (Defending Democracy from Deepfake Deception Act) requires large online platforms to block or label deceptive AI-generated content related to elections, while AB 2839 prohibits distribution of materially deceptive election content. However, a federal judge blocked AB 2839 in 2024 on First Amendment grounds, leading most other states to adopt disclosure requirements rather than outright prohibitions. AB 2355 mandates that political advertisements using AI-generated content include clear disclosures.

Colorado: New Law Signed, Litigation Continues

Colorado was at the forefront of AI regulation with its landmark Colorado Anti-Discrimination in AI Law (SB 24-205), enacted May 17, 2024. This comprehensive framework focused on protecting consumers from algorithmic discrimination in high-risk AI systems making consequential decisions affecting employment, housing, education, health care, financial services, government services, insurance, and legal services.

Check out our Colorado AI Act Compliance Guide for information on developer and deployer requirements, impact assessments, consumer notices, exemptions, and compliance preparation steps.

The law imposed a duty of reasonable care on both developers and deployers, requiring steps to protect against discrimination based on protected characteristics. Developers were required to provide documentation about data sources, limitations, and risk mitigation strategies, while deployers were required to conduct impact assessments, provide consumer notice, and establish appeal processes for adverse decisions. Colorado also made a strong push for use of the NIST AI Risk Management Framework. A violation constitutes a violation of Colorado's Unfair and Deceptive Trade Practices Act, with civil penalties up to $20,000 per violation.

The law faced sustained opposition from the tech industry since its passage, and the path to enforcement grew complicated with each development. After the original February 2026 effective date was pushed to June 30, 2026 following a special legislative session in August 2025, the law faced a federal lawsuit, a DOJ intervention, and ultimately a legislative replacement before it ever took effect.

The xAI Lawsuit and Enforcement Stay

On April 9, 2026, Elon Musk's xAI filed suit in the U.S. District Court for the District of Colorado seeking to block enforcement of SB 24-205 before its June 30 effective date. The company argues the law violates the First Amendment by compelling AI developers to adopt the state's preferred viewpoints and that key terms in the statute are unconstitutionally vague. On April 24, the U.S. Department of Justice joined the lawsuit, alleging the Colorado AI Act violates the Equal Protection Clause of the U.S. Constitution and jeopardizes the country's position as a global AI leader.

On April 27, 2026, a federal judge granted a joint motion in xAI v. Weiser, staying enforcement of the Colorado AI Act pending the court's ruling on xAI's preliminary injunction motion. The stay also extends to any replacement legislation enacted during the current session. Separately, Colorado Attorney General Phil Weiser has indicated he does not intend to promulgate rules until the legislative session concludes, further extending the practical timeline before enforcement could begin.

SB 26-189: Signed Into Law

On May 14, 2026, Gov. Jared Polis signed SB 26-189, repealing and replacing SB 24-205 entirely. The replacement was the product of a governor-appointed AI policy work group and passed both chambers of the legislature before the May 13 adjournment deadline. Senate Majority Leader Robert Rodriguez, who authored the original law, described the new bill as "more of a notice bill" that retains the core principle of disclosure when AI is used in consequential decisions.

The new law represents a significant scaling-back of Colorado's original ambitions. Rather than requiring companies to proactively prevent algorithmic discrimination through risk management programs and impact assessments, SB 26-189 focuses on transparency and consumer rights around automated decision-making technology (ADMT) used to materially influence consequential decisions. The duty-of-care standard, mandatory NIST alignment, annual impact assessments, and algorithmic discrimination self-reporting requirements of the original law are all gone. The new law takes effect Jan. 1, 2027, though enforcement remains contingent on the attorney general completing rulemaking, and the federal court stay on SB 24-205 technically extends to successor legislation as well.

For businesses preparing for compliance, the situation is now clearer: the original law will not take effect, and SB 26-189 is the governing framework. Monitor the attorney general's rulemaking timeline for the final compliance picture.

Tennessee: The ELVIS Act Protects Voice and Likeness

Tennessee made history on March 21, 2024, becoming the first state to enact comprehensive legislation protecting musicians and individuals from unauthorized AI voice cloning. The Ensuring Likeness Voice and Image Security (ELVIS) Act, effective July 1, 2024, expands the state's existing right of publicity law to explicitly include voice protection against AI-generated replicas.

The law defines "voice" broadly as "a sound in a medium that is readily identifiable and attributable to a particular individual, regardless of whether the sound contains the actual voice or a simulation of the voice." The ELVIS Act creates both civil and criminal penalties, with violations constituting a Class A misdemeanor punishable by up to one year in jail and fines up to $2,500.

Notably, the Act targets not only those who create unauthorized voice replicas but also technology providers, creating liability for anyone who "distributes, transmits, or otherwise makes available an algorithm, software, tool, or other technology" whose primary purpose is creating unauthorized voice or likeness replicas. This provision potentially subjects AI platform providers to liability, marking a significant expansion in accountability for technology companies.

Utah: First Comprehensive Consumer Protection AI Law

Utah became the first U.S. state to enact major AI consumer protection legislation when Gov. Spencer Cox signed SB 149 (the AI Policy Act) on March 13, 2024, taking effect May 1, 2024. The law requires entities using generative AI to interact with consumers in commercial activities to provide clear and conspicuous disclosure.

In 2025, Utah significantly narrowed the law's scope through SB 226, which amended requirements to apply only when directly asked by consumers or during high-risk interactions involving health, financial, or biometric data collection. This represents a safe harbor for entities that disclose AI use at the outset and throughout interactions. For regulated occupations, individuals providing services must disclose generative AI use only in high-risk interactions.

SB 332 extended the law's effectiveness until July 1, 2027 (originally set to expire in 2025). Additionally, HB 452 introduced specific regulations for AI-supported mental health chatbots, including bans on advertising products during user interactions and prohibitions on sharing users' personal information. The law requires providers to make clear and conspicuous disclosures to users at several points in time, including prior to initially accessing the chatbot, when a user revisits the chatbot after not using it for more than seven days, and when asked by the user.

Texas: Responsible AI Governance

Texas enacted the Responsible Artificial Intelligence Governance Act (TRAIGA) through HB 149, which took effect Jan. 1, 2026. The law prohibits intentionally developing or deploying AI systems to incite or encourage harm to self or others, engage in criminal activity, infringe on constitutional rights, engage in unlawful discrimination against protected classes in violation of state or federal law, or produce deepfakes or child pornography.

The enacted version of TRAIGA replaced an earlier proposal that was similar to Colorado's AI Act. Texas also established an AI advisory council through SB 1893 and enacted HB 2060, requiring impact assessments for AI systems used in public services.

Michigan's Comprehensive Approach

Michigan has taken comprehensive action on AI regulation, particularly focusing on election integrity and protection from deepfakes. The state enacted a four-bill package (HB 5141, HB 5143, HB 5144, and HB 5145) in November 2023, effective Feb. 13, 2024, requiring disclaimers on AI-generated political ads and prohibiting deepfake political content within 90 days of an election unless clearly disclosed. The Michigan Campaign Finance Act (Section 169.259) now requires that any qualified political advertisement created using AI include a clear statement about its AI-generated nature.

Michigan also passed HB 4047 and HB 4048, signed by Gov. Whitmer in August 2025, which criminalize the creation and distribution of nonconsensual intimate AI deepfakes, with enhanced penalties for cases involving extortion, harassment, or profit motives. The laws allow victims to take civil action and establish both criminal penalties and court-ordered restraining orders to prevent further harm.

In October 2024, the Michigan Civil Rights Commission passed a resolution establishing guiding principles for AI use in the state, calling for legislation to prevent algorithmic discrimination, protect privacy, and create a task force to monitor data collection practices.

In 2026, Michigan joined a national wave of chatbot legislation. Senate Bill 760 passed the Michigan Senate 20-17 in May 2026 and has been transmitted to the House. The bill is moving through a split legislature, with Democrats controlling the Senate and Republicans controlling the House. Chatbot bills advanced in at least a dozen states during the same period.

New York: RAISE Act and Frontier AI Governance

At the state level, New York expanded its AI governance framework with the Responsible AI Safety and Education (RAISE) Act (A.6453 / S.6953). The RAISE Act passed the New York State Legislature in June 2025 and was signed into law by Gov. Kathy Hochul on Dec. 19, 2025. A chapter amendment aligning the law more closely with California's TFAIA was signed March 27, 2026. The law takes effect Jan. 1, 2027. Covered developers include those with annual revenues exceeding $500 million who develop frontier models trained using greater than 10²⁶ computational operations. The RAISE Act requires large developers to publish and follow a safety plan, report critical AI safety incidents to state authorities within 72 hours of determining an incident occurred, and refrain from releasing models that fail their own safety testing. Civil penalties will be up to $1 million for first violations and up to $3 million for subsequent violations, enforced by the attorney general. New York also enacted S 3008 in 2025, establishing disclosure requirements for "personalized algorithmic pricing."

As the federal preemption debate intensifies, New York lawmakers are pushing back directly. State Sen. Andrew Gounardes, who sponsored the RAISE Act, and a second state lawmaker sent a letter in May 2026 to all New York House Democrats urging them to oppose congressional legislation that would override state AI protections. Reporting by Politico indicated some members of Congress are pursuing a bipartisan bill that would supersede state-level AI laws, including the RAISE Act. Gounardes has publicly framed the stakes as a choice between federal deregulation and the consumer guardrails New York built through the legislative process. The letter represents one of the first direct interventions by a state AI lawmaker into federal legislative proceedings.

Washington: Three AI Laws in 2026

Washington's SSB 5886 creates digital-likeness rights protecting individuals from unauthorized AI reproduction of their likenesses and takes effect June 10, 2026 -- one of the nearest upcoming compliance deadlines in any state. HB 2225 regulates companion chatbots with disclosure requirements and safety protections for minors and takes effect Jan. 1, 2027. HB 1170 requires AI-generated content disclosure and takes effect Feb. 1, 2027. Washington's SB 5827, enacted in 2023, also prohibits covered entities from discriminating against individuals through automated decision systems based on protected characteristics.

Additional State Initiatives

Arkansas

Arkansas enacted multiple AI regulations in 2025. HB 1071 amends the state's Publicity Rights Protection Act to explicitly include AI-generated images and voice, originally created to strengthen publicity rights for student athletes. HB 1876 establishes ownership rights over content created by generative AI, clarifying that users who provide input to AI tools own the resulting content, provided it doesn't infringe on existing copyrights. HB 1958 requires public entities to develop comprehensive policies regarding the authorized use of AI and automated decision-making technology.

Connecticut

Connecticut passed one of the nation's most comprehensive AI laws when its legislature approved Senate Bill 5, the Connecticut Artificial Intelligence Responsibility and Transparency (AIRT) Act, on May 1, 2026. The Senate voted 32-4 and the House voted 131-17 in favor, sending the bill to Gov. Ned Lamont, whose office has confirmed he plans to sign it. Lamont, who had opposed earlier AI regulation attempts, was brought on board after the bill was amended to incorporate his priorities on youth social media protections.

SB 5 is an omnibus bill spanning more than 67 pages and addressing several distinct areas of AI governance. On employment, the law regulates automated employment-related decision technology, requiring developers to provide compliance information to deployers and requiring deployers to notify affected employees and applicants of the technology's use. The law also amends Connecticut's anti-discrimination statutes to clarify that using automated tools is not a defense to discrimination claims, while allowing courts to consider evidence of anti-bias testing as a mitigating factor. Developer obligations take effect Oct. 1, 2026, while the deployer pre-decision notice requirements don't kick in until Oct. 1, 2027.

The companion chatbot provisions, effective Jan. 1, 2027, are among the strictest in the country. The law requires chatbot operators to notify users they are interacting with AI and include recurring reminders every three hours. Requirements specific to minors include prohibitions on romantic or sexual interactions, encouraging self-harm or substance use, offering unsupervised mental health services, and using manipulative techniques to foster emotional dependence. Legal analysts have noted that the minor-specific rules may function as a practical bar on offering consumer chatbots to users under 18 in Connecticut.

Additional provisions address synthetic digital content provenance (effective Oct. 1, 2026), whistleblower protections for employees at large frontier model developers who report concerns about catastrophic risk (effective Oct. 1, 2026), a state AI regulatory sandbox program, expanded AI workforce training, and a requirement that employers disclose in WARN Act filings whether AI contributed to layoffs. Enforcement runs through the attorney general as unfair or deceptive trade practices, with a cure-notice provision available through the end of 2027. Connecticut joins New York, California, Washington, Oregon, Idaho, Iowa, Nebraska, and Georgia as states with enacted laws addressing potentially harmful chatbot interactions.

Georgia

Georgia Gov. Brian Kemp signed two AI bills into law in May 2026, making the state the first Republican-led state to enact both a chatbot safety law and an AI health insurance restriction in the same session. The signings were closely watched as signals of how GOP governors would respond to White House pressure to stand down on state AI regulation.

SB 540, signed May 15, 2026, and effective July 1, 2027, requires chatbot operators to notify users they are interacting with AI, implement restrictions on interactions with minors, and follow crisis response protocols when users express suicidal ideation or intent to self-harm. The law stands out nationally because it contains no carve-out for chatbots embedded within larger platforms, meaning major tech companies including Meta and Google must comply.

SB 444, effective Jan. 1, 2027, prohibits health insurance coverage decisions from being based solely on AI systems or software tools, requiring a qualified human reviewer to be part of every coverage determination. The law addresses growing concern that automated denial systems are replacing clinical judgment without appropriate oversight.

Illinois

Illinois passed one of the most significant frontier AI safety bills in the country when the House approved SB 315, the Artificial Intelligence Safety Measures Act, 110-0 on May 27, 2026. The Senate had approved the bill 52-5 on May 21. The bill heads to Gov. JB Pritzker, whose office has signaled support for the measure. If signed, Illinois would become the third state to set frontier model standards, following California's SB 53 and New York's RAISE Act.

The law targets large frontier developers with annual revenues exceeding $500 million and requires them to create, publish, and annually update a safety framework addressing catastrophic-risk assessment, governance, cybersecurity, and third-party evaluations. It also mandates annual independent third-party audits of safety protocols, the first such requirement in any state AI law, administered by the Illinois Emergency Management Agency and Office of Homeland Security in consultation with the attorney general. Companies must report critical safety incidents within 72 hours of discovery, or within 24 hours if the incident poses imminent risk of death or physical harm. Civil penalties run up to $3 million per violation, enforced exclusively by the attorney general with no private right of action. Whistleblower protections are included for covered employees. The law takes effect Jan. 1, 2028. The Illinois legislature is scheduled to adjourn May 31, 2026, with nine additional AI-related bills still active.

Montana

Montana passed SB 212 in 2025, establishing a "right to compute" that limits government restrictions on private ownership or use of computational resources. The law requires that any restrictions be narrowly tailored to fulfill a compelling government interest. It also mandates that critical infrastructure facilities controlled by AI systems develop risk management policies based on national or international AI risk management frameworks. Montana is one of four states (alongside Arkansas, Pennsylvania, and Utah) that passed digital replica laws in 2025 to protect digital identity and consent.

Pennsylvania enacted digital replica protections in 2025, joining Arkansas, Montana, and Utah in safeguarding individuals' digital likenesses from unauthorized AI reproduction. Kentucky enacted SB 4, directing the Commonwealth Office of Technology to create policy standards governing AI use.

Maryland passed HB 956 to study private sector AI and provide legislative recommendations. In 2026, Maryland became the first state to ban certain AI-driven price-setting practices when Gov. Wes Moore signed HB 895 into law. The law targets algorithmic pricing tools, making Maryland the first state to act on that emerging concern. West Virginia passed HB 3187 to create a task force identifying AI opportunities and best practices for public sector use.

Missouri passed SB 1019, an omnibus health care bill that includes a prohibition on offering AI therapy chatbots, before adjourning May 15, 2026. The bill now awaits the governor's signature.

Oregon, Idaho, Nebraska, Iowa, Maine, and Georgia have all enacted chatbot disclosure and safety laws in 2025-2026, ranging from basic disclosure requirements to crisis response protocols and minor protections. For full detail on each law, compliance dates, and what they mean for businesses with users in those states, see our State AI Chatbot Laws guide.

Kansas has prohibited the use of foreign-owned AI systems (including DeepSeek) on state computers.

Vermont's S.197 created an AI commission for policy development, and Act 89 addresses AI in insurance underwriting. Vermont also elected to sign an AI election media bill into law in March 2026.

Virginia established an AI advisory council through HB 2360, incorporated AI protections into its Consumer Data Protection Act, and created a "regulatory reduction pilot" for AI governance.

Delaware established an agentic AI sandbox for governance experiments, positioning the state to address emerging questions around autonomous AI systems capable of planning and independent action.

Massachusetts passed H.5163 requiring hiring AI disclosures. Health care-related AI bills continued advancing in the legislature in early 2026.

Florida Gov. Ron DeSantis called a special session beginning April 28, 2026, in part to take up an AI Bill of Rights that had passed the Senate during the regular session but was not acted on in the House. The special session closed without the legislature passing the bill, as it died in the House a second time.

Oklahoma advanced HB 3546 through the Senate in April 2026, with the bill poised for passage. Hawaii's SB 3001 advanced through a second House committee and headed toward a final vote.

AI-Generated Child Sexual Abuse Material

One of the most widespread areas of AI regulation across states involves AI-generated or computer-edited child sexual abuse material (CSAM). As of 2025, 45 states have enacted laws criminalizing AI-generated CSAM, with many of these laws passed in 2024-2025 alone. The National Center for Missing and Exploited Children reported receiving 67,000 reports of AI-generated CSAM in 2024, and 440,000 in just the first half of 2025.

Only five states and Washington, D.C., have not yet criminalized AI-generated CSAM: Alaska, Colorado, Massachusetts, Ohio, Vermont, and the District of Columbia.

Political Deepfakes and Election Integrity

As of 2025, 28 states enacted laws specifically addressing deepfakes used in political communications. These laws generally fall into two categories: disclosure requirements and outright prohibitions. Most states have opted for disclosure requirements due to First Amendment concerns, after a federal judge blocked California's prohibition law (AB 2839) in 2024 on constitutional grounds.

In 2025 alone, 301 deepfake-related bills were introduced across states, with 68 enacted, primarily addressing sexual deepfakes through criminal or civil penalties. This represents one of the most active areas of AI legislation at the state level.

Trends for 2026

States are revisiting unfinished debates from 2025 while addressing new and fast-evolving issues. Several topics are dominating policy discussions.

Chatbot Regulation: The surge in chatbot legislation has been the single most active trend of 2026. At least a dozen states have enacted chatbot laws, with nearly 100 bills tracked across 34 states. Most focus on disclosure requirements, minor protections, and crisis response protocols. Georgia's SB 540 stands out for covering embedded platform chatbots without exemption; Oregon's SB 1546 is the first with a private right of action creating direct litigation exposure. Michigan's SB 760 passed the Senate and awaits House action. Missouri's SB 1019 includes an AI therapy chatbot ban and awaits the governor's signature. For a full breakdown of every enacted law, compliance dates, and what they mean for businesses, see our State AI Chatbot Laws guide.

Frontier AI Safety: Illinois SB 315, sent to Gov. Pritzker on May 27, 2026, would become the first state law to mandate annual third-party safety audits of frontier AI developers. If signed, Illinois joins California and New York as the three states with enacted frontier model safety frameworks. The bills share core elements: safety plans, 72-hour incident reporting, and whistleblower protections. Illinois goes further with the independent audit requirement, a provision that drew both industry opposition and national attention.

Agentic AI: Legislators are beginning to explore AI agents capable of autonomous planning and action, systems that move beyond generative AI's content creation toward more complex functionality. Early governance experiments include Virginia's regulatory reduction pilot and Delaware's agentic AI sandbox, but few bills directly address these agents. Existing risk frameworks may prove ill-suited for agentic AI, as harms are harder to trace across agents' multiple decision nodes.

Algorithmic Pricing: States are testing ways to regulate AI-driven pricing tools, with bills targeting discrimination, transparency, and competition. Maryland became the first state to ban certain algorithmic price-setting practices with HB 895. New York enacted disclosure requirements for personalized algorithmic pricing, while California, Colorado, and Minnesota have floated their own frameworks. In 2026, lawmakers are focusing on more precise definitions and stronger disclosure measures, with new bills introduced in North Carolina and Illinois.

Definitional Uncertainty: States continue to diverge in how they define artificial intelligence itself, as well as categories like frontier models, generative AI, and chatbots. Connecticut's SB 5 uses definitions that differ in meaningful ways from California's and New York's frameworks. These differences will become more consequential as more laws take effect, expanding the compliance burden for multi-state operations.

Federal Litigation: The DOJ's intervention in the Colorado xAI lawsuit signals the federal government is willing to use the courts to check state AI regulation. If the court issues a broad ruling, it could affect other state laws with similar anti-discrimination or disclosure requirements. Businesses operating in multiple states should monitor this case closely, as it may resolve some of the compliance uncertainty created by the current patchwork.

The New York preemption fight adds another front to that tension: state lawmakers are now lobbying their federal counterparts directly, a dynamic that signals the federalism debate has moved beyond the courts and into congressional offices.

International Approaches to AI Regulation

The EU has established the most comprehensive regulatory framework globally through its AI Act, which became legally binding on Aug. 1, 2024. The Act's Aug. 2, 2026 effective date for high-risk system requirements is now approaching. Its extraterritorial reach means U.S. companies serving European customers must comply regardless of where they are headquartered, a particularly relevant consideration for Michigan defense contractors with NATO partners and health care providers with international patients. The UK, Canada, China, and Japan have each taken distinct approaches ranging from sector-specific voluntary guidelines to mandatory algorithm registration.

For detailed coverage of the EU AI Act, other international frameworks, and what they mean for U.S. businesses, see our Federal and International AI Policy page and our EU AI Act Compliance Guide for U.S. Businesses.

Common Regulatory Themes

All state laws emphasize transparency requirements, whether focused on customer interactions in Utah, comprehensive documentation in Colorado, or content labeling in California. Risk-based frameworks are emerging as the dominant approach, with states like Colorado and Connecticut imposing stricter requirements for high-risk systems while allowing lighter regulation for lower-risk applications. Consumer protection drives most legislation, reflecting concerns about algorithmic discrimination, privacy violations, and deceptive practices.

State Leadership

California continued its AI regulatory leadership in the 2025 session, enacting seven new AI laws including landmark frontier AI transparency and companion chatbot legislation. Other active states included Texas (8 AI measures), Montana (6), Utah (5), and Arkansas (5). Across the year, more than 70 AI-related laws passed in at least 27 states, illustrating the rapid evolution of state-level AI governance. States such as Nevada, Montana, North Dakota, and Texas that were less active on AI legislation in 2024 became key players in 2025-2026 AI policy debates. In the early months of 2026, Connecticut, Washington, Oregon, Idaho, Nebraska, Maryland, Vermont, Georgia, and Illinois all enacted or advanced significant AI laws, and the pace shows no sign of slowing.

What This Means for Michigan Businesses

The fragmented regulatory environment creates significant challenges for firms operating across multiple states. Varying definitions of high-risk systems, different disclosure requirements, and inconsistent enforcement mechanisms complicate compliance. Companies developing or deploying AI systems need adaptable frameworks that can accommodate different state standards while anticipating potential federal preemption.

For Michigan-based companies, particularly those in defense contracting and healthcare sectors, several immediate concerns warrant attention:

Colorado's framework has been replaced. Gov. Polis signed SB 26-189 on May 14, 2026, repealing the original AI Act and substituting a narrower transparency-focused law. The new law takes effect Jan. 1, 2027, but enforcement awaits attorney general rulemaking, and the federal court stay on the original law technically extends to successor legislation. If you operate in Colorado or serve Colorado customers, monitor the AG's rulemaking timeline.

California's transparency mandates apply if you do business in California or have AI systems accessible to California residents with significant user bases. AB 2013's training data transparency requirements took effect Jan. 1, 2026, while SB 942's detection tool requirements take effect Aug. 2, 2026. Separately, California's CPPA ADMT regulations require risk assessments for significant automated decisions as of Jan. 1, 2026, with broader consumer opt-out rights phasing in April 1, 2027.

Chatbot compliance is now active in multiple states. California's SB 243 has been in effect since Jan. 1, 2026. Iowa's SF 2417 takes effect July 1, 2026. Washington, Oregon, Idaho, Nebraska, Connecticut, and Georgia all have laws taking effect Jan. 1 or July 1, 2027. Any Michigan company with users in those states should assess whether its AI-facing products trigger coverage. See our State AI Chatbot Laws guide for a full breakdown.

Michigan's own regulations focus primarily on election integrity and deepfake protections through HB 5141, HB 5143, HB 5144, and HB 5145 (political deepfakes) and HB 4047 and HB 4048 (intimate deepfakes). A chatbot bill, SB 760, passed the Senate in May 2026 and is pending in the House. The state's Civil Rights Commission has signaled interest in broader algorithmic discrimination protections.

CMMC compliance intersections exist with AI governance. Defense contractors already familiar with NIST frameworks will find the NIST AI Risk Management Framework provides natural integration with existing cybersecurity and compliance programs.

Federal funding implications are an emerging concern. America's AI Action Plan directs OMB to factor states' AI regulatory environments into federal funding decisions, which could affect grant and contract eligibility for defense contractors and other federally funded businesses.

EU AI Act considerations apply if you serve European customers, have EU operations, or partner with NATO allies. The Aug. 2, 2026, effective date for high-risk system requirements is approaching. See our EU AI Act Compliance Guide for detailed requirements.

A separate bill addresses AI use within state government itself. House Bill 5899 of 2026, introduced by state Rep. Jaime Greene (R-Richmond), would create a three-member AI Governing Board within the Michigan Department of Technology, Management and Budget and require a pilot program to evaluate generative AI use across state agencies. The board would advise on proposed uses, maintain oversight guidelines, and submit a public report within 180 days of the program's completion. The bill passed unanimously out of the House Communications and Technology Committee on May 19, 2026, and awaits further House action.

For deeper coverage of federal policy, the DOJ litigation strategy, NIST standards, and international frameworks, see our Federal and International AI Policy page.

Governance Requires Balance

As the debate continues, effective AI governance requires balancing innovation with accountability, providing appropriate protections without stifling technological progress. With state legislatures actively in session and hundreds more bills advancing, the AI regulatory landscape will continue to evolve rapidly in the coming months.

Companies should monitor developments in states where they operate, assess their AI systems against emerging risk frameworks, implement transparency and disclosure practices that meet or exceed current requirements, and prepare for potential federal action that could either preempt state laws or establish baseline national standards.

The tension between state innovation in regulation and federal interest in uniformity will likely define AI governance debates throughout 2026. Until comprehensive federal legislation emerges, states will continue serving as laboratories of democracy, testing different approaches to managing AI's risks while fostering its benefits.