It's a Tuesday afternoon in late April. A federal judge in Denver signs an order. By Wednesday morning, half the AI governance teams in the country are Slack-ing the same question: do we still have to do this?
The order paused enforcement of the Colorado Artificial Intelligence Act — the country's first comprehensive state AI law — while xAI's lawsuit against the state plays out and the Department of Justice argues the law is preempted by federal policy. The Colorado Attorney General said the same week that her office wouldn't write rules or chase enforcement until the legislative session ended.
It's a strange moment. The headline reads "Colorado AI Act paused." But Texas's Responsible AI Governance Act has been live since January 1. California's training-data transparency rule turned on the same day. A White House executive order signed in December is now actively pulling state AI laws into court on commerce-clause grounds. Forty-eight states aren't Colorado. The patchwork didn't go away — one square just got quieter.
If you run an AI governance program — or if you're the IT director who got handed one — this is the kind of week where you have to make a call. Halt? Keep building? Pivot? And if you keep building, against what?
So what do you actually have to comply with right now, this quarter, while every regulator in the country is mid-sentence?
That's what I want to answer here. Plainly. Without wishful thinking about a federal AI law landing this year and without doom-scrolling. The patchwork is real. The pause didn't unwind it. The work you do this month is what makes the rest of 2026 either painful or quiet.
What actually happened in the last six months
Three things happened in plain sight, and a fourth happened behind the curtain. Let's take them in order.
The Texas law turned on — January 1, 2026
The Texas Responsible Artificial Intelligence Governance Act — TRAIGA, which is what every Texas lawyer now calls it — was signed by Governor Abbott on June 22, 2025 and took effect on the first day of this year. It applies to any business that uses an AI system in Texas or whose products are used by Texas residents. If your hiring platform shows a recommendation to a candidate in Austin, you're in scope. If your customer-service chatbot answers a ticket from a Dallas user, you're in scope.
Think of TRAIGA as a building code. It tells you what you can't build (AI systems designed to manipulate behavior, discriminate, generate child sexual abuse material, infringe constitutional rights) and what to do if you build something close to the line (document it, test it, follow a recognized AI risk-management framework). The law calls out the National Institute of Standards and Technology's AI Risk Management Framework — a free, government-published framework you can think of as the housekeeping checklist for AI projects — as a safe harbor. Show you followed it, and you have an affirmative defense.
Penalties are real. Ten thousand to two hundred thousand dollars per violation depending on whether it's "curable," and two thousand to forty thousand per day for continuing violations. The Texas Attorney General has exclusive enforcement authority and must give a 60-day cure period before pursuing penalties. That window is the practical gift in the law — companies that respond within 60 days with a documented remediation plan generally avoid the penalty floor.
The California rule turned on — same day
California has been busier than any other state on AI legislation, and the most consequential of its rules — Assembly Bill 2013, the Generative AI Training Data Transparency Act — also took effect January 1, 2026. AB 2013 has a small ask and a big surface area. The ask: any developer that releases a generative AI system or substantially modifies one, and makes it available to Californians, has to publish on its public website a documentation page describing the training data — the sources, the intended purpose, the volume (ranges are allowed), and the kinds of data points the system was trained on.
The surface area is what matters. Unlike most California tech laws, AB 2013 has no minimum-user threshold. There's no "more than one million monthly users" line. If you fine-tune a model on customer data and ship it to a Californian, you may have just become a "developer" under the law and you may owe California a public-facing disclosure page. Most small companies that have stood up a fine-tuned model haven't realized that.
The other California law you may have heard of — SB 942, the AI Transparency Act, which requires AI-generated content to carry visible labels and embedded metadata — was amended last October. Its operative date moved to August 2, 2026. So California's content-labeling rule is on the calendar, not on your desk yet. Training-data transparency, though, is on your desk now.
The Colorado law got frozen — April 27, 2026
Colorado was supposed to be the headline. SB 24-205 was the first state-level comprehensive AI law in the country, originally scheduled to take effect February 1, 2026. The date had already slipped to June 30, 2026 amid heated debate over what the law actually required. Then, on April 24, the Department of Justice filed a notice intervening in xAI's lawsuit against the state. Three days later, the U.S. District Court for the District of Colorado approved a joint motion to stay both the litigation and the law's enforcement.
The stay is not a repeal. The law is still on the books. But the state has agreed not to start investigations or enforcement while the case is paused, and the AG won't promulgate the implementing rules either. The legislative session ends May 13, and there's an active proposal — supported by the governor's office — to repeal and replace much of the existing statute. The most likely outcome is the Colorado AI Act comes back narrower, later, or as something different.
For now: in Colorado specifically, you can stop scrambling on a deadline. You cannot stop building. Whatever replaces SB 24-205 will look enough like it that the work you've already done is reusable.
The federal preemption push — running underneath all three
Behind those three events is a fourth one. On December 11, 2025, the President signed Executive Order 14365, "Eliminating State Law Obstruction of National Artificial Intelligence Policy." It directs the Attorney General to stand up an "AI Litigation Task Force" to challenge state AI laws on commerce-clause and preemption grounds, tells the Federal Trade Commission to publish a policy statement on when state AI laws conflict with the FTC Act, and directs preparation of a federal legislative framework — published March 20, 2026 as the "National Policy Framework for Artificial Intelligence."
The order itself doesn't preempt anything. Preemption is a court call or a Congress call. But it gave DOJ a mandate, and DOJ used it three months later in the Colorado xAI suit. It's the first time the federal government has actively intervened to invalidate a state AI law, and it almost certainly won't be the last.
The pattern tying them together
The state AI law landscape is moving faster than any single program can absorb. Texas is live. California is half-live. Colorado is paused. The federal government is in court trying to make the Colorado situation a template. Forty-six other states have something pending. These laws don't replace each other — they stack. A SaaS company with customers in all 50 states isn't "complying with TRAIGA." It's complying with the union of every state law that touches its product. The pause in Colorado doesn't simplify that. It changes which subset of the union is enforceable this quarter.
When the Backup and the Primary Share the Same Failure Mode
Here's the structural problem most companies haven't named out loud: state AI laws aren't a "backup and primary" system. They're not a "well, the federal version will preempt this so we'll just wait" system. They're a stack of different rulebooks, written by different staffs, with different definitions of "AI," "high-risk," and "consequential decision," all live at the same time on the same product.
Look at who got pulled in by January 1: a regional bank running a credit-decisioning model. A retail company running a recommendation engine. A staffing firm running a resume-screening tool. A healthcare network running a triage chatbot. None of these companies set out to become AI vendors. They bought a tool, plugged it into their workflow, and now it's regulated in Texas and California simultaneously, with Colorado on hold and a dozen other states pending. Their lawyers are reading three statutes that each define "AI system" in subtly different language.
The standard advice — "build a single AI governance program and document it" — is right, and it's also incomplete. A single program doesn't save you from the patchwork; it gives you a defensible posture against any one piece of it. If a Texas AG inquiry shows up, you point at the NIST AI RMF safe harbor and you have your 60-day cure period. If the California AG knocks for a missing AB 2013 disclosure page, the program doesn't write the page for you. You still have to know which laws are enforceable, in which states, this week, and stand up specific deliverables for the ones that are.
"The court order doesn't repeal the law. It just stops the meter on enforcement while everybody argues. Your AI governance program still has to work — because the patchwork didn't go away. One state of fifty just got quieter."
The companies that will have a clean 2026 are not the ones with the most sophisticated AI governance program. They're the ones whose program is auditable. Whose program produces documents. Whose program can show, on demand, what frameworks were followed, what use cases were assessed, what risks were considered, and what controls were applied. Showing your work is the new compliance posture. The patchwork has too many edges to win on substance alone.
What this means for your company — and it depends on your size
The thing I've learned managing AI governance work for organizations across very different scales is that the same statute looks like a different problem from the seat of a 10,000-person enterprise versus a 300-person mid-market versus a 25-person early-stage company. The advice has to bend to who's reading it.
Large enterprises (1,000+ employees)
If you're running a multi-thousand-employee organization with a real GRC function, multiple business units that touch AI, and a CISO who reports to the board on AI risk quarterly, the patchwork is a state-by-state mapping problem and a documentation problem in roughly equal measure. The pause in Colorado actually makes the next 90 days harder, not easier — the conversation in your boardroom is now whether to keep funding the Colorado-specific work, pause it, or pivot it to a generic baseline that survives any replacement statute. All three positions are defensible.
What I'd push for is the middle option with a twist. Pause the state-specific deliverables (the Colorado-only impact assessment templates, the Colorado-only consumer notices). Keep building the underlying program — NIST AI RMF alignment, use-case inventory, risk assessment cadence, vendor due-diligence — because the underlying program is what carries you through whatever replaces SB 24-205, through TRAIGA, through California, and through New York's and Illinois's pending bills. The state-specific work is downstream of that. Don't kill it; don't accelerate it.
The other large-enterprise watch item is the FTC's pending policy statement. EO 14365 directed the FTC to publish a position on when state AI laws conflict with the FTC Act's prohibition on deceptive acts or practices. When that lands — practitioners expect it within 60 to 90 days — your legal team needs a position on whether it changes your customer disclosures. That's a separate workstream and it should be on someone's plate now.
Mid-size organizations (100–999 employees)
If you're running a mid-market organization, the patchwork problem looks different. You probably don't have a dedicated AI governance team — you have a VP of Engineering or Director of IT who got the AI-governance hat dropped on their head in late 2025 and is trying to figure out what they're supposed to deliver. You have budget; you don't have headcount.
The mid-market move is to commit to a single demanding framework and treat every state law as a localization of it. NIST AI RMF and ISO 42001 are the two reasonable choices. Pick one. Document your AI use cases against it — every system, every vendor, every model, every workflow that involves AI. Don't try to satisfy every state law on its own terms. Aim for "we follow NIST AI RMF" and let the state-specific deliverables fall out of that posture. TRAIGA gives you safe harbor for that approach, and Colorado's eventual replacement will almost certainly do the same.
The 60-day cure period in TRAIGA is a feature you should explicitly use. Set up an inbox monitoring rule for AG correspondence — Texas, California, and your home state at minimum. Sixty days is plenty if you start when the letter arrives; not enough if it sits in someone's other inbox for two weeks.
The other mid-market trap is procurement-driven over-compliance. A large customer's questionnaire arrives with thirty AI-governance questions. The temptation is to say yes to all of them. Don't. Say yes to what you actually do, document a remediation plan for what you don't. Customers can tell when an answer is theatre, and so can a regulator if it ever comes up.
Small & growing organizations (under 100 employees)
If you're running a small company — a 25-person SaaS startup, a 50-person services firm, a 60-person e-commerce business — you don't have an AI governance program because you don't have a GRC team. You have a founder who reads about AI laws on weekends and worries. The honest answer is that the patchwork is mostly going to enforce itself through your largest customer's procurement questionnaire and your biggest vendor's terms of service. That's the actual enforcement layer at this scale.
What you can do this month is small but valuable. Pick the AI tools you actually use and write down, in a single document, what each one does, what data goes into it, what comes out, and who in your company is responsible. That document is your AI inventory — the thing every customer questionnaire will ask for and every regulator will want to see if there's ever a question.
If you're shipping a product that uses AI — fine-tuning a model, embedding a third-party model, generating content for users — read California's AB 2013 carefully. The training-data transparency requirement may apply to you with no size threshold. A one-page disclosure summarizing your training data sources is cheap to write and saves you from a problem you don't want.
Don't overpay for AI governance tools at this stage. Most are priced for companies five times your size. A spreadsheet, a half-page policy document, and a quarterly check-in is a defensible posture for a 50-person company. The work you do here is preparation for the day a customer asks, not the day a regulator asks.
What to do Monday morning
The point of this post is to leave you with things you can do this week. Not "engage outside counsel." Not "stand up a workstream." Real, specific, near-term moves that will hold up regardless of which way the federal preemption fight breaks.
- Write your AI inventory in one document this week. List every AI system, model, tool, or workflow your company uses or ships. For each: what it does, what data it consumes, what it produces, who owns it, and what vendor or model is behind it. If the list runs past 25 items, you have a portfolio rather than a list and you need to chunk it. This document is the foundation for every other AI compliance conversation you will have this year. Build it once. Update it quarterly.
- Pick one framework and commit. NIST AI RMF (free, U.S.-centric, cited by name in TRAIGA) or ISO 42001 (international, cleaner audit trail, costs money to certify). Don't pick both. Don't invent your own. Document the alignment — even informally — for each item in your AI inventory. TRAIGA's safe harbor requires "compliance with a nationally recognized AI risk management framework." That's the language you need to point to.
- Find out this week whether AB 2013 applies to you. If your company releases a generative AI system, substantially modifies one, or ships a fine-tuned model to Californians, you may owe California a public training-data documentation page as of January 1. No user-count threshold. If the answer is "we might be," draft the page. It's a few hundred words; the cost of being wrong is more.
- Pull a list of your AI vendors and ask for their AB 2013 pages. Even if you're not a developer, you're a deployer, and procurement and customer-assurance teams will start asking you for the lineage of the models you embed. Vendors that have the page will share it. The ones that don't will give you a polite delay — useful information regardless of what California enforces.
- Set up an AG-mail watch. An inbox rule that flags any incoming correspondence from a state Attorney General office and routes it to your General Counsel — or your senior-most legal contact if you don't have one. The 60-day cure period only works if someone notices the letter the day it arrives. Free, and most companies don't do it.
- Have the board conversation now, not in October. Whoever owns AI risk — CISO, VP of IT, COO, or the founder — puts fifteen minutes on the next leadership agenda and walks through the patchwork: Texas live, California half-live, Colorado paused, federal in court, twelve states pending. The deliverable is one sentence: "Our position is X." That sentence becomes the brief for legal, for engineering, and for any large customer that asks. Not having that sentence in May is what makes October expensive.
- Read the room on procurement. If you're a vendor, your largest customers' questionnaires are the de facto enforcement layer of all this. Pull the last three you received. The answers you gave six months ago may not match the program you have today. Update them now, before a renewal forces you to do it under pressure.
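The inventory, framework and AB 2013 items in the list above, as an added example that is not from the original post: a small Python check over a constructed AI inventory. It verifies that every entry carries the fields the post asks for, that each entry is documented against the one framework you committed to, flags entries that look like AB 2013 "developer" candidates for legal review, and lists third-party generative tools whose vendors you should ask for their AB 2013 page. The field names, the yes/no flags, and the sample systems are my assumptions for illustration; the AB 2013 flag is a prompt for counsel, not a legal determination.

```python
"""AI inventory review: an added example, not code from the original post.

Models the one-document inventory the post describes (what each system does,
what data goes in, what comes out, who owns it, which vendor or model is
behind it) and runs the checks the Monday-morning list implies. Field names
and flags below are assumptions made for this example.
"""
from typing import Dict, List

# Fields the post says every inventory entry should carry.
REQUIRED_FIELDS = ("name", "purpose", "data_in", "data_out", "owner", "vendor_or_model")
# The post's two reasonable framework choices; commit to one, not both.
ACCEPTED_FRAMEWORKS = {"NIST AI RMF", "ISO 42001"}
# Past this many entries the post calls it a portfolio and says to chunk it.
PORTFOLIO_THRESHOLD = 25


def entry(name, purpose, data_in, data_out, owner, vendor_or_model,
          generative=False, released_or_substantially_modified=False,
          available_to_californians=True, framework=None) -> Dict:
    """Build one inventory row; keyword defaults keep the sample readable."""
    return dict(name=name, purpose=purpose, data_in=data_in, data_out=data_out,
                owner=owner, vendor_or_model=vendor_or_model, generative=generative,
                released_or_substantially_modified=released_or_substantially_modified,
                available_to_californians=available_to_californians, framework=framework)


# Constructed sample inventory: illustrative systems, not real ones.
SAMPLE_INVENTORY: List[Dict] = [
    entry("Resume screener", "Ranks applicants for recruiter review", "Resumes, job text",
          "Ranked shortlist", "Head of Talent", "Screening SaaS (constructed)",
          framework="NIST AI RMF"),
    entry("Support chatbot", "Answers customer tickets", "Ticket history, product docs",
          "Draft replies", "VP Engineering", "Open-weights LLM fine-tuned in-house (constructed)",
          generative=True, released_or_substantially_modified=True),
    entry("Recommendation engine", "Suggests products on the storefront", "Browsing, orders",
          "Ranked product list", "", "In-house model (constructed)", framework="NIST AI RMF"),
    entry("Meeting summarizer", "Summarizes internal calls", "Call transcripts", "Summaries",
          "Director of IT", "Fine-tuned hosted model (constructed)", generative=True,
          released_or_substantially_modified=True, available_to_californians=False,
          framework="NIST AI RMF"),
    entry("Marketing copy assistant", "Drafts campaign copy", "Briefs", "Draft copy",
          "Head of Marketing", "Third-party generative SaaS (constructed)",
          generative=True, framework="NIST AI RMF"),
]


def missing_fields(row: Dict) -> List[str]:
    """Required fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not row.get(f)]


def framework_gap(row: Dict) -> bool:
    """True when the row is not documented against one accepted framework."""
    return row.get("framework") not in ACCEPTED_FRAMEWORKS


def ab2013_candidate(row: Dict) -> bool:
    """Flag for legal review, not a determination: the post's AB 2013 test is
    releasing or substantially modifying a generative system and making it
    available to Californians, with no user-count threshold."""
    return bool(row.get("generative") and row.get("released_or_substantially_modified")
                and row.get("available_to_californians"))


def vendor_page_request(row: Dict) -> bool:
    """Generative tools you only deploy: ask the vendor for its AB 2013 page."""
    return bool(row.get("generative") and not row.get("released_or_substantially_modified"))


def review(inventory: List[Dict]) -> Dict:
    """Run every check over the inventory and collect findings by system name."""
    findings = {"missing": {}, "no_framework": [], "ab2013_candidates": [],
                "vendor_page_requests": [],
                "chunk_recommended": len(inventory) > PORTFOLIO_THRESHOLD}
    for row in inventory:
        name = row.get("name", "<unnamed>")
        gaps = missing_fields(row)
        if gaps:
            findings["missing"][name] = gaps
        if framework_gap(row):
            findings["no_framework"].append(name)
        if ab2013_candidate(row):
            findings["ab2013_candidates"].append(name)
        if vendor_page_request(row):
            findings["vendor_page_requests"].append(name)
    return findings


if __name__ == "__main__":
    for key, value in review(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Run it and the constructed inventory surfaces one entry with no owner, one fine-tuned chatbot that is both undocumented against a framework and an AB 2013 candidate, and one third-party generative tool whose vendor page you should request. Swap the sample rows for your own spreadsheet export and the same checks become the quarterly update the post recommends.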
If you want a place to start
If your team is staring at the patchwork and looking for a starting point that doesn't require buying anything, NIST publishes the AI Risk Management Framework for free — the safe-harbor anchor in TRAIGA and the closest thing the U.S. has to a default standard for AI governance. NIST also publishes the Cybersecurity Framework; if you're already running a NIST CSF program, extending it to cover AI use is the cheapest way to get most of the benefit.
For companies that want a second set of eyes on their AI program before committing to a framework or policy, that's the kind of work I do through DLegendDigital — but the actions in this post stand on their own. The work has to happen regardless of which way the courts go this summer.
The uncomfortable truth
So what do you actually have to comply with this quarter? Here's the answer, in plain English: you have to comply with TRAIGA in Texas, with AB 2013 in California, with whatever law applies to your industry in your home state, and with the realistic expectation that your largest customer's procurement team is going to ask harder AI-governance questions in your next renewal than they did in your last one. You do not have to comply with the Colorado AI Act this quarter, but you almost certainly will have to comply with whatever Colorado replaces it with — and the work that prepares you for that is the same work that prepares you for the rest.
What I expect over the next six to twelve months is more of what we just saw in April: more state laws, more federal lawsuits trying to pull them down, more executive orders, more confusion at the boardroom level, and more documentation requests at the procurement level. The companies that will have a quiet 2027 are the ones that build the boring layer now — the inventory, the framework alignment, the safe-harbor evidence. The companies that wait for a federal AI law to settle this will still be waiting at the end of the year.
I've spent enough time inside compliance programs to be honest about this: the patchwork is genuinely hard, and nobody in your industry has it figured out yet. That's fine. The work you do this month is a hedge, not a solution. Hedges don't have to be perfect. They have to be on.
— Charles Redding, Founder, DLegendDigital
About the author
Charles Redding
Founder of DLegendDigital. 35+ years of enterprise technology leadership across audit, risk management, cybersecurity, and AI. Former CIO, VP of Technology, and Director at organizations ranging from high-growth startups to $4.3B global enterprises.