Rawpixel.com - stock.adobe.com

Businesses face growing patchwork of state AI laws

As U.S. states like Colorado pass their own AI laws, businesses will need to prepare compliance measures if they do business in those states.

Listen to this article. This audio was generated by AI.

Businesses adopting new AI tools within their operations will face an added regulatory challenge. While Congress has been slow to act on AI, U.S. states are passing their own AI laws governing the technology's use that businesses will need to comply with.

Colorado recently became the first U.S. state to pass comprehensive AI legislation applicable to both AI system developers and deployers. California is advancing a state AI law, while the Connecticut State Senate in April approved a comprehensive bill regulating private sector deployment of AI systems. And those states are not the first governments to target the technology. New York City passed an antibias law that took effect in 2023, requiring employers to audit any hiring tools using AI. New York State Governor Kathy Hochul also proposed new AI regulatory measures this year.

In the last five years, 17 states have adopted 29 bills focusing on regulating AI, said Ayanna Howard, dean of the Ohio State University College of Engineering. Howard spoke during an AI hearing held by the Joint Economic Committee this week.

Howard said if AI regulation isn't addressed at the federal level, states will continue to create their own rules.

"That is a problem," she said.

Indeed, Forrester Research analyst Alla Valente said a comprehensive federal AI law rather than a multitude of state AI laws would ease compliance burdens for businesses. While the initial compliance process with state laws is challenging, Valente said the real issue stems from change management.

When businesses operate regionally or nationwide, without a federal mandate, they must monitor each state's regulations.

States move on comprehensive AI laws absent a federal standard

The Colorado AI Act applies to tech companies creating AI systems, as well as the AI systems' users who do business in Colorado. The state AI law primarily targets high-risk AI systems, or AI used to make consequential decisions in situations involving education, finance, employment and healthcare.

The law requires businesses deploying such systems to complete an impact assessment and adopt an AI risk management policy and program. The requirements won't take effect until February 2026.

According to Gartner analyst Avivah Litan, the Colorado AI Act reflects many of the requirements in the European Union's AI Act. The EU AI Act classifies AI systems into risk categories and lays out different requirements for each category.

"I think it's really going to shake companies up when they realize they have to comply with it," she said of the Colorado AI law.

Meanwhile, California's SB 1047 would establish safety standards for AI system development. It would also create an enforcement agency called the Frontier Model Division within California's Department of Technology to hold companies accountable. In Connecticut, SB 2 would establish requirements for both the development and deployment of AI systems and prohibit dissemination of certain AI-generated media.

"When businesses operate in states that have specific regulations, they're going to be held accountable to those particular state regulations, especially when there's a void or absence of something at the federal level," Valente said.

Should Congress pass federal legislation, Valente said it would supersede state AI laws to a certain extent, and states would have to harmonize their laws with federal requirements.

However, Litan said she's not holding her breath for federal AI law. Indeed, though congressional leaders like Sen. Chuck Schumer (D-N.Y.) have spent months discussing AI, comprehensive AI legislation has yet to be introduced.

AI systems are full of risk, and regulation is necessary, Litan said. While individual state AI laws will be "a nightmare for compliance," in the end it will provide some controls over AI systems, she said.

"Even if you only have California, New York and Colorado, you probably cover 90% of large enterprises doing business in the U.S.," Litan said. "You just need a few key states to make this by default a federal statute."

Businesses need to prepare for state AI laws

Forrester's Valente said businesses can take steps to prepare for new AI laws by meeting existing best practices. The National Institute of Standards and Technology, for example, released a risk management framework specifically for AI.

"As these additional laws come out of the individual states, hopefully, what you're doing is already up to that particular law's standard," she said. "What you're trying to do is minimize that change management."

Build the foundational building blocks before you deploy high-risk AI applications.
Avivah LitanAnalyst, Gartner

Valente said it's crucial for businesses to build teams and deploy technologies to assess all state bills targeting AI so that they're not caught unprepared when something passes into law. In addition, she said business leaders need to stay aware of existing laws governing issues like consumer privacy and security. Agencies including the Federal Trade Commission and Department of Justice have made strong statements about their ability to enforce existing laws against companies' use of AI.

"Many organizations have run afoul of those existing regulations through the use of AI," Valente said.

Gartner's Litan said companies will need to establish a budget and create a team to handle compliance with state AI laws. Preparing acceptable use policies, data classification and policy enforcement systems also come into play when preparing for compliance, she said.

"Build the foundational building blocks before you deploy high-risk AI applications," Litan said.

Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG