Here's the situation: Congress has been debating federal AI regulation for three years and hasn't passed anything comprehensive. In the meantime, states got tired of waiting.
California, Colorado, Illinois, and Texas have all moved forward with their own AI laws. More states are in the pipeline. And every one of these laws puts some version of a compliance obligation on businesses - not just on the AI companies building the tools, but on the businesses deploying and using them.
If you're a small or mid-sized business that uses AI tools - ChatGPT, Copilot, Gemini, any of them - this affects you. Here's what you actually need to know.
Why There's No Federal Law Yet (and Why That Makes State Laws More Dangerous)
The federal AI regulation debate has been stuck for reasons that aren't going away soon: industry lobbying, election cycles, and genuine disagreement about what the right framework looks like. The Biden administration's Executive Order on AI got rescinded. The AI Safety Institute has seen funding pressure. Congress has held dozens of hearings and produced very little law.
So states filled the vacuum.
The problem with patchwork state laws is that you can't comply with one and call it done. If you have employees in multiple states, you may be subject to multiple overlapping frameworks - each with its own definitions, thresholds, and timelines. And unlike federal law, there's no single enforcement body you can build a relationship with.
The other wrinkle: the EU AI Act is actively influencing how US states are drafting their laws. Legislators are borrowing concepts like "high-risk AI," "AI literacy," and "algorithmic impact assessments" directly from Brussels. If you've been following EU compliance thinking, you're ahead of the curve - but you still need to map those principles to your specific state exposure.
The Four Laws Businesses Should Know Right Now
California - AB 2013 (AI Transparency in Training Data)
What it is: California's AB 2013, signed in 2024, requires businesses that deploy generative AI systems to publicly disclose information about the training data behind those systems. If you're building or fine-tuning AI tools using California resident data - or deploying AI to California users - you have disclosure obligations.
What it requires: A publicly accessible summary of training datasets used in the AI system, including whether the data included personal information, how data was sourced, and what safeguards were applied. The disclosure has to live somewhere accessible on your website.
Who it hits: Primarily developers and deployers of generative AI. But if you're using AI tools that process your customers' or employees' data, you need to understand what your vendor's disclosure looks like - and whether that puts obligations on you.
The practical implication for SMBs: If you've built internal AI tools or customized AI workflows using employee or customer data, talk to legal about your disclosure obligations. If you're just using commercial AI tools off the shelf, the obligation largely falls on the vendor - but document that you checked.
Colorado - SB 205 (Colorado Artificial Intelligence Act)
What it is: Colorado's SB 205 was signed by Governor Polis in 2024 and took effect February 1, 2026. It's the most comprehensive US state AI law currently in force. Colorado drew heavily from the EU AI Act in drafting it.
What it requires: The Colorado AI Act focuses on "high-risk AI systems" - AI used to make or substantially assist in consequential decisions about individuals in areas like employment, education, lending, insurance, and healthcare. Businesses that deploy these systems must:
- Conduct a risk assessment before deployment
- Notify consumers when a high-risk AI system is used in a decision affecting them
- Provide a way for consumers to appeal or request human review of AI-assisted decisions
- Implement an AI governance program
Who it hits: If you use AI tools to screen job applicants, evaluate loan applications, assess insurance risk, or make decisions about education - and you operate in Colorado - you're likely covered. The thresholds matter: not every AI tool qualifies as "high-risk," but the definition is broad enough to catch more businesses than you'd expect.
The practical implication for SMBs: If you're using AI for hiring decisions in Colorado (including tools like AI-assisted resume screening), you need a risk assessment on file, a consumer disclosure process, and an appeal mechanism. If you're not sure whether your AI tools qualify as high-risk under the Colorado definition, that's a conversation for your legal team - but the answer is likely yes if the AI output influences a decision about a person.
Illinois - Artificial Intelligence Act (HB 3773)
What it is: Illinois enacted the Illinois Artificial Intelligence Act, building on its earlier AI Video Interview Act. The Illinois law focuses specifically on AI use in employment contexts.
What it requires: Illinois employers that use AI to evaluate candidates or make employment decisions must:
- Notify applicants and employees that AI is being used in the evaluation
- Explain what AI-related characteristics are being assessed
- Report demographic data on candidates and employees evaluated by AI tools to the Illinois Department of Human Rights
The notification requirements apply before an AI evaluation takes place, not after the decision is made.
Who it hits: Any Illinois employer using AI tools in the hiring, promotion, or performance review process. This includes third-party tools - if your ATS has AI scoring built in, you're covered.
The practical implication for SMBs: If you use AI in hiring and have Illinois employees, you need a disclosure process. You also need to be able to report on the demographic distribution of who your AI tools are evaluating. If your HR software uses AI scoring and you can't get a demographic breakdown from the vendor, that's a gap.
Texas - HB 149 (Responsible AI Governance Act)
What it is: Texas HB 149 establishes baseline AI governance requirements for businesses operating in Texas. It requires businesses that deploy AI systems to adopt a written AI governance policy and conduct periodic risk assessments.
What it requires: Businesses must:
- Maintain a written AI governance policy that covers acceptable use, data handling, and employee responsibilities
- Train employees who use AI tools on that policy
- Conduct a risk assessment when deploying new AI systems in high-stakes contexts
- Designate an internal responsible party for AI governance
Who it hits: Businesses that deploy AI tools in Texas - which, practically speaking, means any Texas-based business using commercial AI tools in its operations.
The practical implication for SMBs: This is the law most directly relevant to everyday AI use. If your employees are using ChatGPT, Copilot, or any AI tool and you don't have a written AI policy and documented training, you're not compliant. A verbal "be careful with AI" conversation in an all-hands doesn't meet the written documentation requirement.
The EU AI Act Factor
Even if you're a US-only business, you need to understand how the EU AI Act is influencing state-level thinking - because what starts in Brussels often becomes the template that states adopt.
EU AI Act Article 4, which takes effect August 2, 2026, requires that employees who use AI tools have demonstrable AI literacy. Not just awareness - literacy. Companies must provide training and be able to prove their employees completed it.
Colorado's law uses near-identical language around AI literacy and risk assessments. Texas borrowed the concept of written governance policies. Illinois's approach to high-stakes AI decisions mirrors the EU Act's high-risk AI framework.
The pattern is clear: state legislators are using the EU AI Act as a checklist. If you build a compliance program aligned with EU AI Act Article 4, you're building toward compliance with the direction most state laws are heading.
What All of These Laws Have in Common
Strip away the jurisdictional specifics and you'll see the same three requirements showing up in every framework:
- A written AI use policy - You need to have documented rules for how employees can and can't use AI tools. Not in someone's head. On paper, in your handbook, signed by employees.
- Documented employee training - You need to be able to prove that employees received training on AI use, not just that you sent them a link. Completion records, certificates, timestamps.
- Risk assessment documentation - For anything beyond basic consumer AI tools, you need a record that you evaluated the risks before deploying the tool.
If you have those three things, you're in a defensible position across most of these frameworks. If you have none of them, you're exposed everywhere.
The Federal Gap Is Getting Filled - Just From the Wrong Direction
Here's the risk that businesses aren't fully accounting for: federal AI law won't arrive as one clean bill. It's going to arrive as enforcement actions under existing frameworks - FTC authority, SEC disclosure requirements, state AG enforcement of state laws - while Congress debates comprehensive legislation.
The businesses that get caught in that transition are the ones that waited for clarity before building a compliance program. The businesses that come out clean are the ones that built defensible documentation before the enforcement wave hit.
The state laws above are already in force. The EU AI Act deadline is August 2, 2026. The question isn't whether compliance matters - it's whether you'd rather build the paper trail now or explain its absence later.
How AISafeIQ Covers All of It
AISafeIQ was built specifically to give businesses the documentation stack that every one of these frameworks requires:
- Written AI Use Policy - Company-branded, handbook-ready, covers acceptable use, prohibited inputs, and employee responsibilities. Satisfies the written policy requirement in Texas HB 149, Colorado SB 205, and the Illinois AI Act.
- Documented employee training - 8-module curriculum with a 20-question assessment. Completion certificates are UUID-verified and timestamped. Satisfies EU AI Act Article 4's AI literacy requirement and the training documentation requirements in every state law covered above.
- Insurance Proof Pack - All documentation compiled for your cyber insurance broker, satisfying the 81% of insurers now requiring documented AI governance.
The entire stack takes under 10 minutes per employee to complete. It doesn't require a compliance attorney or an IT project.
State laws are moving fast. Federal law is catching up. You don't need to map every law to your specific situation today - you need a compliance program that builds a documentation stack covering all of them.