State AI Laws: Colorado, Texas, California, New York, Illinois, and Utah

Table of Contents

The United States does not have one clean federal AI law that tells companies exactly what to do.

That is the problem.

Instead, companies are getting a patchwork.

Colorado is regulating automated decision-making technology used in consequential decisions.

Texas has passed a statewide AI governance law with prohibited AI uses and enforcement authority.

California is moving through privacy rules, automated decision-making technology requirements, cybersecurity audits, risk assessments, and employment discrimination rules for automated systems.

New York City has already been enforcing automated employment decision tool requirements.

Illinois is bringing artificial intelligence directly into employment discrimination law.

Utah has focused on generative AI disclosures, consumer protection, regulated occupations, and AI policy experimentation.

That is not one law.

That is a compliance map.

And for companies using AI across HR, marketing, SaaS products, healthcare, financial services, insurance, education, ecommerce, customer support, legal services, or internal operations, the risk is no longer theoretical.

AI governance in the United States is becoming state-driven.

That means companies cannot wait for Congress to create a single national rule. The state patchwork is already here, and it is going to shape how companies inventory AI systems, review vendors, run impact assessments, provide notices, test for bias, document human oversight, respond to consumer rights requests, and preserve evidence.

The companies most exposed are not necessarily the companies building the most advanced AI models.

They are the companies using AI without knowing where it is used, what data it processes, who it affects, whether it influences decisions, and which state law applies.

That is where state AI law becomes dangerous.

The state AI law problem is really an inventory problem

Before a company can comply with state AI laws, it needs to know what AI systems it uses.

That sounds basic. It is not.

Most companies have AI spread across the business:

  • HR uses AI recruiting tools.
  • Marketing uses AI lead scoring and personalization.
  • Sales uses AI call summaries.
  • Customer support uses chatbots.
  • Engineering uses AI coding assistants.
  • Product teams use AI APIs.
  • Security uses AI-powered monitoring.
  • Finance uses AI fraud or forecasting tools.
  • Legal uses AI document review.
  • Vendors add AI features into existing SaaS platforms.
  • Employees use public generative AI tools without approval.

A state AI law may apply to one of those systems and not another.

The law may care whether the system uses personal data.

It may care whether the system makes or influences a consequential decision.

It may care whether the system is used in employment.

It may care whether the user is told they are interacting with AI.

It may care whether the system creates discrimination risk.

It may care whether the company uses AI-generated outputs in a regulated occupation.

It may care whether a human actually reviews the output.

That means the first step is not writing a beautiful AI policy.

The first step is building an AI inventory.

The inventory should track system name, vendor, owner, department, purpose, data categories, personal data status, sensitive data status, decision impact, affected individuals, state exposure, risk classification, required controls, review dates, and evidence.

Without that inventory, state AI compliance becomes guesswork.

The common themes across state AI laws

Each state is taking a different approach, but the laws are starting to cluster around a few themes.

The first theme is automated decision-making. States are looking at AI systems that make, guide, assist, or materially influence decisions about people.

The second theme is employment. Hiring, promotion, worker management, performance, productivity, compensation, and termination are becoming major AI compliance risk areas.

The third theme is consumer disclosure. Some states want consumers to know when they are interacting with generative AI or when AI is used in certain regulated services.

The fourth theme is algorithmic discrimination. States are trying to prevent AI systems from producing discriminatory outcomes, even when the system does not explicitly use protected characteristics.

The fifth theme is privacy. AI often processes personal data, generates inferences, supports profiling, or affects privacy rights.

The sixth theme is evidence. Companies need records showing what AI systems were used, what risk review occurred, what notices were given, what vendor materials were reviewed, what human oversight existed, and what decision was made.

Those themes create a practical compliance rule:

If an AI system affects people, uses personal data, influences decisions, or interacts with consumers, it needs governance.

Colorado: automated decision-making and consequential decisions

Colorado has been one of the most watched states in AI regulation because it moved early toward regulating AI systems used in high-impact decisions.

The current Colorado direction is focused on automated decision-making technology, often shortened to ADMT, used to materially influence consequential decisions.

That phrase matters.

Colorado is not just looking at fully automated decisions where a machine makes the final call with no human involved. The risk area is broader. If technology generates outputs that are used to guide or assist important decisions about people, companies need to pay attention.

Consequential decisions can involve areas such as:

  • Employment
  • Education
  • Housing
  • Financial services
  • Lending
  • Insurance
  • Healthcare
  • Access to essential services

That means Colorado is directly relevant to companies using AI for applicant ranking, resume screening, employee evaluation, loan recommendations, insurance underwriting, healthcare prioritization, student assessment, tenant screening, fraud flags, eligibility determinations, or similar decision-support workflows.

The practical question is not only:

Did AI make the final decision?

The better question is:

Did AI materially influence a decision that affects a person’s access, opportunity, eligibility, price, treatment, or rights?

If the answer is yes, the system should receive deeper review.

What companies should do for Colorado

Companies should identify every AI or automated decision-making system that may affect Colorado residents in consequential decision contexts.

That review should include:

  • Employment tools
  • Recruiting tools
  • Promotion and performance systems
  • Financial eligibility systems
  • Insurance risk tools
  • Healthcare prioritization systems
  • Education assessment tools
  • Housing or tenant screening tools
  • Fraud or account restriction systems
  • Customer scoring tools

For each system, the company should document:

  • Whether the system uses personal data
  • Whether the system produces a recommendation, score, classification, ranking, or prediction
  • Whether the output is used to make, guide, or assist a consequential decision
  • Whether a human reviews the output
  • Whether the human can override it
  • Whether affected individuals can correct inaccurate personal data
  • Whether disclosures or notices are needed
  • Whether discrimination risk has been assessed
  • What records are retained

Colorado is a warning that companies need to stop treating “decision support” as harmless.

If the AI output changes the pathway for a person, the company should govern it.

Texas: TRAIGA and statewide AI governance

Texas has taken a broader statewide approach through the Texas Responsible Artificial Intelligence Governance Act, commonly referred to as TRAIGA.

Texas matters because it is not just an employment AI law or a privacy rule. It is a broader AI governance statute that gives the Texas Attorney General enforcement authority and creates prohibited-use concepts around AI deployment.

For companies, the message is clear: Texas is not waiting for federal AI regulation.

TRAIGA focuses on developers and deployers of AI systems and creates prohibitions around certain AI uses. That includes concerns around manipulation, self-harm, criminal activity, unlawful discrimination, and other uses the state views as unacceptable.

Texas also matters because it is a large commercial market. A law in Texas is not a fringe compliance issue for national companies.

Companies using AI in Texas should not assume the only relevant laws are privacy and consumer protection statutes. AI-specific obligations are now part of the risk picture.

What companies should do for Texas

Companies should identify AI systems developed, deployed, offered, or used in Texas.

They should pay special attention to systems that:

  • Interact with consumers
  • Generate recommendations
  • Influence important decisions
  • Use sensitive data
  • May affect protected classes
  • Could manipulate consumer behavior
  • Operate in healthcare, finance, insurance, employment, education, or housing
  • Could produce harmful or deceptive outputs
  • Could be used by employees or customers outside intended purposes

Texas compliance should include:

  • AI inventory review
  • Prohibited-use screening
  • Risk classification
  • Vendor review
  • Consumer disclosure review
  • Discrimination risk review
  • Human oversight review
  • Incident response planning
  • Evidence retention

The practical concern is not only whether the AI system is powerful.

The concern is whether the system could be used in a way Texas law prohibits or regulators view as harmful.

California: privacy, ADMT, risk assessments, and employment AI

California is not moving through one single AI law. It is building AI obligations through multiple channels.

That is what makes California complicated.

California companies may need to think about:

  • CCPA and CPRA privacy obligations
  • Automated decision-making technology rules
  • Risk assessments
  • Cybersecurity audits for certain businesses
  • Consumer access and opt-out rights related to ADMT
  • Employment discrimination rules for automated-decision systems
  • Data broker obligations
  • Sector-specific rules
  • Consumer protection law

For AI governance, California is one of the most important states because it connects AI to privacy and discrimination.

That connection is exactly where companies often fail.

They treat AI governance as a technology issue.

California treats parts of it as a privacy and civil rights issue.

California ADMT and significant decisions

California’s automated decision-making technology requirements focus on ADMT used for significant decisions.

Companies need to look at whether technology processes personal information and replaces or substantially replaces human decision-making for decisions that matter to consumers.

That includes reviewing whether consumers need notice, access rights, opt-out rights, or other rights related to ADMT use.

Companies should ask:

  • Do we use automated decision-making technology?
  • Does the system process California consumers’ personal information?
  • Does it replace or substantially replace human decision-making?
  • Does it affect a significant decision?
  • Do consumers need notice?
  • Do consumers have opt-out rights?
  • Do consumers have access rights related to the ADMT process?
  • Does the use require a risk assessment?
  • Does the privacy notice need to be updated?
  • Can we produce records showing how the system works?

This is not something companies can solve after the system is live.

They need to map ADMT use before a California consumer asks about it.

California employment AI

California’s employment AI rules clarify how automated-decision systems can create discrimination risk under existing civil rights law.

That matters for employers using AI in:

  • Recruiting
  • Resume screening
  • Interview analysis
  • Candidate ranking
  • Promotion decisions
  • Performance reviews
  • Compensation decisions
  • Productivity monitoring
  • Discipline
  • Termination

Employers should not assume an AI vendor’s tool is safe just because it does not explicitly use protected characteristics.

The system may still use proxy variables. It may still produce disparate impact. It may still facilitate discrimination. It may still create recordkeeping obligations.

California employment AI review should include:

  • Protected-class impact
  • Proxy-variable review
  • Disability-related issues
  • Job-relatedness
  • Business necessity
  • Vendor documentation
  • Human review
  • Record retention
  • Applicant and employee notices
  • Bias testing

For employers, California’s message is simple: using software does not make discrimination risk disappear.

What companies should do for California

Companies with California exposure should identify AI systems that:

  • Process California consumer data
  • Use automated decision-making technology
  • Support significant decisions
  • Use profiling
  • Use sensitive personal information
  • Trigger privacy risk assessments
  • Use AI in employment
  • Use AI in marketing, targeted advertising, or personalization
  • Use AI with data broker or third-party data

California compliance should be built into privacy operations. That means AI governance should connect to:

  • Privacy notices
  • Data maps
  • DSAR workflows
  • Opt-out workflows
  • Consent management
  • Vendor contracts
  • Risk assessments
  • Record retention
  • Security review

A company should not have one AI file and a separate privacy file that never talk to each other.

In California, those worlds overlap.

New York City: Local Law 144 and automated employment decision tools

New York City’s Local Law 144 is one of the most visible AI employment laws in the United States.

It focuses on automated employment decision tools, known as AEDTs, used in hiring and promotion.

At a practical level, covered employers and employment agencies need to think about:

  • Whether the tool is an AEDT
  • Whether the tool is used for hiring or promotion
  • Whether candidates or employees in New York City are affected
  • Whether a bias audit has been completed within the required timeframe
  • Whether the audit information is publicly available
  • Whether required notices have been provided

Local Law 144 matters beyond New York City because it has become a model for AI employment compliance conversations around the country.

It also shows a hard truth: employment AI is going to be one of the first places regulators look.

What employers should review under Local Law 144

Employers should identify any tool used to substantially assist or replace discretionary decision-making in hiring or promotion.

That may include tools that:

  • Screen resumes
  • Rank candidates
  • Score applicants
  • Recommend candidates
  • Classify applicants
  • Analyze interviews
  • Analyze video responses
  • Support promotion decisions

Employers should not assume the law does not apply because a human makes the final decision.

If the tool substantially assists the decision, it needs review.

Employers should ask:

  • Is the tool used for hiring or promotion?
  • Does it produce a score, classification, recommendation, or ranking?
  • Is it used for candidates or employees in New York City?
  • Has an independent bias audit been completed?
  • Is the audit current?
  • Is a summary publicly posted?
  • Have candidates or employees received required notice?
  • Does the vendor provide enough information to support compliance?
  • Does the employer retain records showing compliance?

A vendor saying “we are compliant with Local Law 144” is not enough.

The employer should maintain its own evidence file.

Illinois: AI in employment and protected-class discrimination

Illinois is important because it brings artificial intelligence into employment discrimination law in a direct way.

Illinois Public Act 103-0804 amends the Illinois Human Rights Act to address employer use of artificial intelligence in employment contexts.

The law focuses on AI used in areas such as:

  • Recruitment
  • Hiring
  • Promotion
  • Renewal of employment
  • Selection for training or apprenticeship
  • Discharge
  • Discipline
  • Tenure
  • Terms, privileges, or conditions of employment

The law also specifically addresses the risk of using zip codes as proxies for protected classes.

That is important because it highlights a broader AI problem: a system can discriminate without explicitly asking for protected-class data.

Zip code, school, employment gaps, commute distance, language, prior employer, device type, schedule availability, and salary history can all act as proxies in certain contexts.

The employer may think the system is neutral.

The output may not be.

What employers should do for Illinois

Employers with Illinois applicants or employees should identify AI used in any employment-related process.

That includes not only obvious hiring tools but also:

  • Performance management systems
  • Productivity monitoring tools
  • Workforce analytics platforms
  • Promotion recommendation tools
  • Compensation tools
  • Training-selection tools
  • Discipline support tools
  • Termination risk tools

For each system, employers should ask:

  • Does the AI system affect an employment decision?
  • Does it process applicant or employee data?
  • Does it use zip code or similar proxy variables?
  • Could it create discrimination based on protected classes?
  • Has notice been provided where required?
  • Has the vendor provided documentation?
  • Has the system been tested for disparate impact?
  • Is human review meaningful?
  • Are records retained?

Illinois should push employers toward a simple internal rule: no AI employment tool goes live without legal, HR, privacy, vendor, and bias review.

Utah: generative AI disclosure and regulated occupations

Utah’s Artificial Intelligence Policy Act takes a different approach from Colorado or New York City.

Utah focuses heavily on generative AI disclosure, consumer protection, regulated occupations, and AI policy experimentation through the state’s AI office and learning laboratory framework.

For companies, the most practical issue is disclosure.

Utah requires disclosure in certain generative AI interactions. In general consumer interactions, a person using generative AI must clearly and conspicuously disclose that the person is interacting with generative AI and not a human if asked or prompted. For regulated occupations, disclosure requirements can be more direct, including prominent disclosure when generative AI is used in providing regulated services.

This matters for companies using AI in:

  • Customer support
  • Chatbots
  • Sales interactions
  • Professional services
  • Healthcare-related services
  • Financial services
  • Legal or compliance services
  • Licensed or regulated occupations
  • Consumer advice tools
  • AI assistants that communicate with the public

The Utah model is not mainly about bias audits or consequential decision assessments.

It is about not hiding the AI interaction.

What companies should do for Utah

Companies should identify generative AI tools that interact with Utah consumers or are used in regulated services.

They should ask:

  • Is the user interacting with generative AI?
  • Would the user reasonably think they are interacting with a human?
  • Is the AI interaction connected to a consumer transaction?
  • Is the AI used in a regulated occupation?
  • Is disclosure required at the start of the exchange?
  • Is disclosure required when the user asks?
  • Is the disclosure clear and conspicuous?
  • Is the AI system generating advice, recommendations, or statements that could create consumer protection risk?
  • Are employees trained on when to disclose AI use?
  • Are chatbot scripts and interfaces configured properly?

Utah is especially relevant for companies using generative AI in customer communications.

A hidden AI chatbot is no longer just a product-design choice.

It can be a compliance problem.

How state AI laws overlap with privacy laws

State AI laws do not sit separate from privacy compliance.

They overlap constantly.

AI systems often process personal data. They may generate inferences. They may support profiling. They may use sensitive data. They may affect consumer rights. They may rely on cookies, pixels, behavioral data, device data, CRM data, employee records, applicant records, health data, financial data, or data broker information.

That means companies should connect state AI compliance to:

For example, a marketing AI tool that uses website tracking data may create privacy notice, cookie consent, targeted advertising, profiling, and AI governance issues at the same time.

A recruiting AI tool may create applicant privacy, employment discrimination, bias audit, notice, and human review issues at the same time.

A healthcare chatbot may create patient privacy, disclosure, safety, and vendor risk issues at the same time.

A fintech scoring model may create consumer privacy, automated decision-making, fair lending, explainability, and audit issues at the same time.

The company should not split these into separate compliance silos.

The same AI system can trigger multiple obligations.

How state AI laws overlap with vendor management

Most companies will use AI through vendors.

That is why state AI law compliance depends heavily on AI vendor due diligence.

Companies should ask AI vendors:

  • Does the product use AI?
  • What kind of AI does it use?
  • Does it process personal data?
  • Does it process sensitive data?
  • Does it rank, score, classify, recommend, or predict outcomes about people?
  • Does it materially influence employment, credit, insurance, healthcare, education, housing, or access decisions?
  • Does the vendor train on customer data?
  • Are prompts and outputs retained?
  • Does the vendor provide bias testing?
  • Does the vendor provide accuracy testing?
  • Does the vendor support notices?
  • Does the vendor support opt-outs or human review?
  • Does the vendor provide audit logs?
  • Does the vendor notify customers of model changes?
  • Does the contract prohibit unauthorized training?
  • Does the vendor cooperate with regulatory inquiries?

State AI laws make vague vendor answers more dangerous.

“We use AI responsibly” is not a vendor diligence response.

The company needs specifics.

How to build one program for multiple state AI laws

Companies should not build a separate AI governance program for every state.

That will become unmanageable.

The better approach is to build one state-aware AI governance program that can map requirements based on use case, data, affected individuals, and geography.

The program should include:

  • AI inventory
  • AI intake workflow
  • Risk classification
  • State-law mapping
  • AI impact assessments
  • Employment AI review
  • Vendor due diligence
  • Privacy review
  • Security review
  • Disclosure management
  • Human oversight documentation
  • Bias testing
  • Consumer rights workflows
  • Monitoring
  • Incident response
  • Audit evidence

The trick is to build the program around triggers.

If the system is used in employment, trigger employment AI review.

If the system processes California consumer data and supports significant decisions, trigger ADMT review.

If the system materially influences a Colorado consequential decision, trigger Colorado ADMT review.

If the system deploys AI in Texas, trigger prohibited-use and Texas compliance screening.

If the system is used for hiring or promotion in New York City, trigger AEDT review.

If the system affects Illinois employees or applicants, trigger Illinois employment AI review.

If the system uses generative AI to interact with Utah consumers or regulated-service users, trigger disclosure review.

This is how software should make state AI compliance manageable.

The state AI law questions every company should ask

Companies should be able to answer these questions for every AI system in use.

Basic system questions

  • What AI system is being used?
  • Who owns it internally?
  • Which department uses it?
  • Is it internally built or vendor-provided?
  • What is the business purpose?
  • Is it already live?
  • Is it a pilot?
  • Is it customer-facing?
  • Is it employee-facing?

Data questions

  • Does the system process personal data?
  • Does it process sensitive data?
  • Does it process employee or applicant data?
  • Does it process consumer data?
  • Does it process patient, student, financial, insurance, or children’s data?
  • Does it use cookie, tracking, behavioral, or data broker data?
  • Does the vendor train on company or customer data?
  • Are prompts and outputs retained?

Decision questions

  • Does the system make decisions?
  • Does it recommend decisions?
  • Does it rank, score, classify, or prioritize people?
  • Does it materially influence a consequential or significant decision?
  • Does it affect employment, credit, insurance, housing, healthcare, education, pricing, access, or eligibility?
  • Does a human review the output?
  • Can the human override the output?
  • Is review documented?

State-law questions

  • Are Colorado residents affected?
  • Are Texas residents affected?
  • Are California consumers, applicants, or employees affected?
  • Are New York City applicants or employees affected?
  • Are Illinois applicants or employees affected?
  • Are Utah consumers or regulated-service users affected?
  • Does the system trigger disclosure?
  • Does the system trigger bias audit review?
  • Does the system trigger opt-out, access, correction, appeal, or human review rights?
  • Does the system trigger an impact assessment?

Evidence questions

  • Can we produce the AI inventory entry?
  • Can we produce the vendor review?
  • Can we produce the risk classification?
  • Can we produce the impact assessment?
  • Can we produce the disclosure language?
  • Can we produce the human oversight record?
  • Can we produce bias or accuracy testing?
  • Can we produce approval records?
  • Can we produce monitoring records?
  • Can we show what version of the system was used?

If the company cannot answer these questions, it should not assume its state AI law risk is under control.

The industries most exposed to state AI laws

State AI laws are not equally relevant to every company, but some industries should move faster than others.

Employers and HR technology

Employment AI is the most obvious risk area. Companies using AI to screen, rank, score, evaluate, monitor, promote, compensate, discipline, or terminate workers need strong governance.

SaaS companies

SaaS companies need to know whether their AI features create obligations for themselves or their customers. Enterprise buyers will increasingly ask for AI governance evidence.

Healthcare

Healthcare AI can involve sensitive data, patient safety, triage, scheduling, clinical support, claims, and patient communications. State AI law may overlap with health privacy and professional rules.

Financial services, lending, and insurance

AI used for eligibility, underwriting, credit, pricing, claims, fraud, or account restrictions can create high-impact decision risk.

Marketing, ecommerce, and adtech

Marketing AI may involve profiling, targeted advertising, tracking data, personalization, lead scoring, sensitive inferences, and consumer disclosures.

Education

AI used in admissions, assessment, proctoring, student support, tutoring, risk alerts, or discipline can create student privacy and opportunity risks.

Professional services

Law, accounting, financial advice, healthcare-adjacent services, and regulated occupations should be careful with generative AI tools that interact with consumers or clients.

Why AI governance software matters for state-law compliance

State AI laws are too dynamic to manage with scattered spreadsheets and emails.

Companies need a system that can track:

  • AI systems
  • Use cases
  • Vendors
  • Data categories
  • Decision impact
  • Affected individuals
  • Jurisdictions
  • Risk classifications
  • State-law triggers
  • Impact assessments
  • Bias audits
  • Disclosures
  • Opt-out workflows
  • Human oversight
  • Vendor documentation
  • Approvals
  • Monitoring
  • Incidents
  • Evidence

That is the real compliance burden.

It is not enough to know that Colorado, Texas, California, New York City, Illinois, and Utah have AI rules.

The company needs to know which of its systems are affected.

That is where AI compliance software becomes useful.

It should take the inventory, route the reviews, map the laws, track the controls, and preserve the records.

Otherwise, the company is left trying to manage a fast-moving state-law patchwork with static documents.

What not to do

Companies are going to make predictable mistakes.

Do not wait for a federal law

The state patchwork is already active. Waiting for Congress is not a compliance strategy.

Do not assume AI laws only apply to AI companies

Many obligations apply to deployers and users of AI, not just developers.

Do not treat employment AI as low-risk

Employment AI is one of the most regulated and litigated AI categories.

Do not rely blindly on vendors

Vendors may provide the tool, but the company controls how it is used.

Do not ignore embedded AI

Existing SaaS tools may add AI features that change the risk profile.

Do not bury AI disclosures

For consumer-facing AI, disclosure should be visible and tied to the interaction.

Do not treat human review as a checkbox

Human review must be meaningful, trained, empowered, and documented.

Do not forget privacy

If the AI system uses personal data, state privacy laws may matter even when there is no AI-specific statute.

Do not skip evidence

If the company cannot prove what it did, the governance program will be hard to defend.

The practical state-by-state cheat sheet

Here is the simple version for compliance teams.

Colorado

Focus on automated decision-making technology used to materially influence consequential decisions. Review employment, education, housing, financial services, insurance, healthcare, and access-related systems. Build records around personal data, decision impact, correction rights, disclosures, human review, and discrimination risk.

Texas

Focus on AI deployment, prohibited uses, consumer harm, manipulation, discrimination, and enforcement risk. Screen AI systems used in Texas for prohibited use cases, sensitive data, high-impact decisions, and consumer-facing outputs.

California

Focus on ADMT, significant decisions, consumer rights, risk assessments, privacy notices, cybersecurity audits, and employment automated-decision systems. Connect AI governance directly to privacy operations and employment compliance.

New York City

Focus on automated employment decision tools used in hiring and promotion. Review bias audit requirements, public audit summaries, candidate or employee notices, vendor documentation, and employer records.

Illinois

Focus on AI in employment and protected-class discrimination. Review recruitment, hiring, promotion, discipline, discharge, compensation, training, and working-condition systems. Watch proxy variables like zip code.

Utah

Focus on generative AI disclosure, consumer interactions, regulated occupations, and consumer protection risk. Make sure users know when they are interacting with AI where required.

The work companies should start now

The state AI law map is not going to get simpler.

More states will pass rules. Existing laws will be amended. Regulators will issue guidance. Plaintiffs will test theories in court. Customers will ask tougher AI governance questions. Vendors will keep adding AI features. Employees will keep using new tools.

The companies that handle this well will not be the ones trying to memorize every state law in isolation.

They will be the ones with a working AI governance system.

That means:

    • Inventory every AI system.
    • Classify risk by use case.
    • Map states based on affected individuals.
    • Review AI vendors before approval.
    • Run impact assessments for high-risk systems.
    • Document human oversight.
    • Provide disclosures where required.
  • Connect AI to privacy rights workflows.
  • Monitor systems after launch.
  • Keep evidence in one place.

The state AI law patchwork is not a future issue anymore.

It is already shaping what companies need to know about their own AI systems.

The companies with clean records, live inventories, documented vendor reviews, real human oversight, and state-aware workflows will be able to move faster.

The companies still relying on “we need to check with the team” are going to have a much harder time.

AI is already inside the business.

The state laws are catching up.

The compliance file needs to catch up before someone asks for it.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.