In Colorado, lawmakers initially proposed a sweeping artificial intelligence bill with mandatory risk assessments and a broad 'duty of care' for AI developers. This ambitious framework aimed to establish comprehensive safeguards for AI technology regulation. However, the legislation was significantly scaled back before its enactment in 2026, shifting towards a more limited, transparency-focused regime, a clear retreat from earlier, more robust consumer protection measures.
U.S. states are rapidly enacting AI legislation, but their approaches are highly divergent and often retreat from comprehensive risk-based frameworks, creating a fragmented regulatory environment. This tension between the urgent need for AI governance and the varied state-level responses complicates the future of data protection and legislative trends.
The current trend suggests a complex, state-by-state regulatory maze for AI, where specific, narrow harms are addressed. A unified, robust framework for broader AI risks remains elusive, likely leading to compliance challenges for businesses and inconsistent protections for citizens.
The Evolving Landscape of State AI Laws
The Colorado AI Act underwent substantial revisions, moving from its initial broad risk-based framework to a more limited, transparency-focused regime, according to Wiley Rein. This revised approach notably removed mandatory risk management programs, annual impact assessments, and broad 'duty of care' obligations from the original 2024 proposal, according to Wiley Rein. The scaling back of the Colorado AI Act reveals a systemic reluctance among states to impose broad accountability on AI developers or empower individuals with extensive redress mechanisms.
Similarly, Texas's TRAIGA 2.0 legislation introduces specific carve-outs in areas typically subject to stringent privacy protections. TRAIGA 2.0 exempts the training and development of AI models processing biometric data from Texas's existing consent-and-retention requirements, albeit with certain limits, as reported by Duane Morris LLP. TRAIGA 2.0's exemption for training and development of AI models processing biometric data effectively creates a loophole for AI where privacy is paramount, potentially weakening overall data protection under the guise of AI regulation.
Meanwhile, other states adopt a 'whack-a-mole' approach, focusing on specific, already-identified harms. Arizona's HB 2133, for instance, aims to expand the state's statute on unlawful disclosure of images to include 'synthetic depiction,' according to the Transparency Coalition. The piecemeal approach of states like Arizona, without establishing broad, preventative risk management frameworks like those initially considered in Colorado, leaves significant gaps in consumer protection against emerging AI threats.
A Patchwork of New State Regulations
- Illinois lawmakers passed Senate Bill 315 — a bill to regulate artificial intelligence models, according to Capitol News Illinois.
- Connecticut's AI law requires subscription-based AI providers — to give written notice and obtain consumer consent before collecting fees, as detailed by Wiley Rein.
- Colorado is expected to see Gov. Polis sign HB 1263 — a chatbot safety bill, and HB 1195, restricting AI in psychotherapy, according to the Transparency Coalition.
- Connecticut Gov. Lamont signed SB 5 into law — on May 27, according to the Transparency Coalition.
- Illinois Gov. Pritzker will sign SB 315 — the frontier model AI safety act, according to the Transparency Coalition.
The sheer volume and variety of state-level bills underscore a growing urgency to address AI, yet they also reveal a critical lack of a unified national strategy. The sheer volume and variety of state-level bills, coupled with a critical lack of a unified national strategy, forces businesses operating across state lines to navigate a complex and unpredictable compliance burden, hindering scalable AI deployment.
Varying Enforcement and Accountability
| Legislation | Enforcement Authority | Individual Recourse | Scope of Accountability |
|---|---|---|---|
| Colorado Revised AI Act | State Attorney General | Limited | Transparency-focused, specific harm prohibitions |
| TRAIGA 2.0 (Texas) | Texas Attorney General (Exclusive) | None (No individual lawsuits) | Unlawful to develop/deploy AI with intent to discriminate; unequal outcomes alone do not establish violation |
Sources: Wiley Rein, Duane Morris LLP
TRAIGA 2.0 explicitly states that unequal outcomes alone do not establish a violation, even if it makes it unlawful to develop or deploy AI with the intent to discriminate against a protected class, as reported by Duane Morris LLP. Furthermore, the Texas attorney general holds exclusive enforcement authority for TRAIGA 2.0, and the statute does not allow individuals to file their own lawsuits. The Texas attorney general's exclusive enforcement authority for TRAIGA 2.0, and the statute's prohibition on individual lawsuits, clearly centralizes control over AI governance, potentially limiting the public's ability to seek redress for AI-related harms and slowing the evolution of case law.
Who Benefits and Who Bears the Brunt?
The current regulatory environment appears to favor AI developers and companies. By retreating from comprehensive 'duty of care' obligations, as seen in states like Colorado, lawmakers prioritize the perceived ease of compliance over robust consumer protection, according to Wiley Rein. The retreat from comprehensive 'duty of care' obligations, as seen in states like Colorado, significantly reduces broad compliance burdens for developers, granting them greater flexibility in the design and deployment of AI models.
Conversely, consumers seeking comprehensive protection from AI risks are disadvantaged. They remain vulnerable to AI harms that fall outside narrow, predefined categories. The focus on specific, often reactive, harms, rather than broad preventative frameworks, creates a fragmented and weaker safety net for individuals. Businesses operating nationally also face a complex and inconsistent regulatory environment, where compliance requirements vary significantly by state, stifling innovation through unpredictable burdens and hindering market entry for new AI solutions.
Global Ambitions vs. Local Realities
Despite global calls for addressing 'frontier-AI risk,' U.S. state legislation largely ignores or actively scales back comprehensive, forward-looking risk management in favor of immediate, tangible consumer interactions or specific, already-identified harms.
- The 2023 Bletchley Declaration established AI safety as a matter for coordinated global action and generated a shared international vocabulary around frontier-AI risk, according to the Council on Foreign Relations.
While global leaders align on a shared vocabulary for frontier AI risks, U.S. states largely focus on narrower, consumer-facing applications. The alignment of global leaders on a shared vocabulary for frontier AI risks, while U.S. states largely focus on narrower, consumer-facing applications, reveals a strategic disconnect between high-level policy discussions and on-the-ground legislative action. The stark contrast between the global call for 'frontier-AI risk' management and the U.S. state-level focus on specific, often reactive, harms, such as Arizona's synthetic depiction bill, suggests a dangerous gap where systemic AI risks are being overlooked in favor of addressing symptoms rather than root causes.
By Q3 2026, national AI developers like OpenAI will likely face an increasingly complex, state-specific patchwork of data protection and transparency mandates, necessitating a granular approach to compliance that accounts for each state's unique legislative trends.
