Building AI Products? Here's What the Law Says You Can't Do
Part 2 of 3: The United States - No Federal Law. No Single Answer
After writing Part 1 on the EU AI Act, I expected the United States to be the simpler story.
One country. One government. Surely a more straightforward picture than navigating the legislation of 27 member states.
I was wrong.
If Part 1 was about understanding one very strict room, Part 2 is about navigating a building where every floor has different rules, the rules keep changing, and nobody can agree on who gets to set them.
Let’s get into it.
No Federal Law. No Single Answer.
Here is the one thing you need to understand before anything else about AI regulation in the United States.
There is no comprehensive federal AI law. No single framework that sits above everything else. Instead, regulation is coming from individual states, each writing its own rules, covering different use cases, with different obligations and different penalties.
Over 1,200 AI-related bills were introduced across all 50 states in 2025 alone, with 145 enacted into law.
That is not a regulatory environment. That is a compliance maze. And if your product has users anywhere in the US, you are already in it.
🏛️ Is There Federal Guidance?
Yes, but it is not what most businesses expect.
At the federal level, what exists is a set of voluntary guidelines and agency-specific enforcement under existing laws. There is no comprehensive federal AI law in force and no single body overseeing AI compliance the way the EU AI Office does.
Voluntary is the word to pay attention to. Federal guidelines do not override state laws. They do not create enforceable obligations on their own.
What that means practically is simple: state laws are the real compliance story in the US right now. The state regulations covered in this article are either already in force or have fixed effective dates on the calendar, and that is where your product team's attention needs to be.
The State Patchwork: What Is Actually In Force
This is where it gets genuinely complex for product teams. Rather than one deadline to track, you have multiple laws in multiple states, each with its own scope, obligations, effective date and penalties.
Here are the ones that matter most right now:
🏔️ Colorado: Core is Transparency and Disclosure.
Colorado's AI law now operates under a replacement bill signed in May 2026 that takes effect January 1, 2027. It applies to any automated decision-making technology used to make or materially influence consequential decisions, covering employment, education, healthcare, housing, insurance, and legal services.
And like the EU AI Act, the reach is extraterritorial. Organisations headquartered outside Colorado must comply if they serve Colorado residents or make AI-driven decisions affecting them. Being based outside the state is not a get-out-of-jail-free card.
If this applies to you, here is what you are required to do:
The law draws a distinction between two types of regulated parties. Knowing which one you are determines your obligations.
If you are a Developer (you build, sell, license, or substantially modify the AI system), you must provide deployers with technical documentation that includes:
Intended uses and known harmful or inappropriate uses of the system.
Categories of training data used, to the extent known.
Known limitations and risks.
Instructions for appropriate use and for the meaningful human review the law requires.
Any information deployers need to meet their own disclosure obligations.
You must also notify deployers of material updates and retain all records for a minimum of three years.
If you are a Deployer (you use the AI system to make decisions about consumers), you must:
Provide consumers with clear notice before a covered AI system is used to influence a consequential decision.
If an adverse outcome occurs, provide the consumer within 30 days with a plain-language explanation of the decision, the AI system's role, and how to appeal.
Give consumers the right to access, correct, and request human review of decisions that affected them.
Retain compliance records for a minimum of three years.
Not sure which category you fall into? Most businesses are deployers. If you have also built or customised the AI system your product runs on, you may be both.
Penalties: violations are enforced by the Colorado Attorney General as deceptive trade practices. There is no private right of action. A 60-day cure period applies before enforcement for first-time violations.
What this means for your business: The core obligations here are disclosure and documentation. If your product makes consequential decisions affecting Colorado consumers, you need consumer-facing notices built into your product, a clear paper trail, and if you are a developer, your deployers need documentation from you before they can comply themselves.
☀️ California: Multiple Laws, Multiple Deadlines
California is not one law. It is a stack of them, each targeting a different slice of AI use.
The California Transparency in Frontier AI Act (SB 53), signed in September 2025, requires frontier developers of large AI models to publish risk frameworks, report critical safety incidents, and implement whistleblower protections. Large frontier developers face enhanced obligations, with penalties up to $1 million per violation.
The California AI Transparency Act (SB 942) requires large AI platforms to provide free AI content detection tools and include manifest and latent watermarks, effective August 2, 2026.
California has also enacted targeted laws covering specific AI use cases:
Healthcare AI must not falsely claim to hold a healthcare licence or misrepresent itself as a human clinician when communicating with patients
Companion chatbots must disclose their AI nature, include safety protocols against harmful content, and apply specific protections when the user is a minor
AI systems used for pricing must not coordinate pricing with competitors; the same antitrust rules that apply to humans now explicitly apply to algorithms.
What this means for your business: If you are building any consumer-facing AI product in California, you need to map your product against each of these laws separately. They cover different things and have different effective dates. The watermarking and disclosure requirements, in particular, will require technical changes to how your product surfaces AI-generated content.
🏙️ Illinois: Focus on AI in the Workplace
Illinois has taken a targeted approach, focusing specifically on how AI is used in employment decisions.
Employers in Illinois must notify candidates when AI is used to analyse video interviews, obtain consent before any AI evaluation occurs, and comply with data retention and destruction requirements for AI-analysed video content.
What this means for your business: If your HR platform, talent acquisition tool, or any hiring-adjacent product uses AI to evaluate candidates, Illinois has already drawn a clear line: consent and disclosure are not optional. The requirements described above are written around video interviews, so if your product evaluates candidates through audio, text, or other means, check how far that scope reaches before assuming you are outside it.
🤠 Texas: Prohibitions Over Risk Categories
Texas took a fundamentally different approach from both the EU and Colorado. Rather than categorising AI systems by risk level and imposing governance requirements, Texas focused on prohibiting specific harmful uses of AI outright.
The Texas Responsible AI Governance Act (TRAIGA) has been in effect since January 1, 2026. It applies to any business operating in Texas, advertising to Texas residents, or offering products and services used by Texas consumers, which in practice means most businesses deploying AI nationally.
What does it prohibit?
TRAIGA makes it illegal to develop or deploy an AI system with the intent to:
Manipulate human behaviour to encourage self-harm, harm to others, or criminal activity
Discriminate against individuals based on protected characteristics
Create or distribute unlawful deepfakes or AI-generated child sexual abuse material
Infringe constitutional rights
The word intent is doing a lot of work here, and it is what makes Texas different from every other law covered in this series. Under TRAIGA, a discriminatory outcome alone is not enough to establish a violation. You have to be found to have intended the harm. That is a higher bar than the EU AI Act or Colorado’s framework, both of which focus on outcomes and risk management regardless of intent.
What this means for your business: Even though the intent standard is higher, the documentation burden is very real. Rebutting an allegation that you intended harm requires evidence: internal governance records, testing results, audit trails, and documentation of known limitations. Texas effectively rewards businesses that have already built proper AI governance into their processes.
Enforcement sits with the Texas Attorney General, with a 60-day cure period before formal enforcement action.
💭 My Take
The EU AI Act is strict, but it is at least legible. The US picture is hard in a different way: the rules are fragmented, and the landscape keeps shifting. For a product team trying to build with confidence, that uncertainty is its own kind of compliance burden.
But here is what I keep coming back to: underneath every one of these state laws, the same principles show up. Transparency. Fairness. Human oversight. Documentation. Accountability.
So, regardless of which jurisdiction applies to you, start here:
→ Map your AI systems against use case categories. Employment, healthcare, housing, education, and financial services are the highest-risk categories in virtually every active state law. If your product operates in any of these verticals, you are in scope somewhere.
→ Identify your highest-exposure states. California, Colorado, Illinois, and Texas are the priority jurisdictions right now. If you have significant user bases in any of these states, those laws apply to you.
→ Build for the strictest requirement. Colorado’s law is the most comprehensive at the state level. Using it as your compliance baseline will put you in a defensible position across most other state frameworks, too.
→ Do not let regulatory uncertainty slow you down. Several of these state laws are already enforceable, and the rest have fixed effective dates. Treat compliance as your default and build governance into your process now rather than retrofitting it later.
→ Document everything. Impact assessments, risk management policies, consumer disclosure processes — the businesses that weather regulatory scrutiny best are the ones that can show their work.
A product team that builds those things into how they work, not because a specific law requires it, but because it is the right way to build AI, will find that compliance follows naturally.
The question is not which law to comply with.
The question is what kind of AI product you are trying to build.
Next week in Part 3, we move beyond the EU and the US to look at how China, the UK, and the rest of the world are approaching AI regulation and what it means when you are building for a truly global audience.
See you then 😉