The State AI Law Becomes the Regulator
In the United States, AI governance is not waiting for one federal statute. It is being written through state law, attorney-general power, frontier-model reporting, automated-decision rules, federal discussion drafts, and the fight over preemption.
For this essay, a state AI law is a visibility-and-remedy instrument: it defines which AI systems must be named, which records must exist, who can demand them, and what affected people or regulators can do with the evidence.
The regulator is not only the agency named in the statute. It is the chain from scope trigger to responsible role, from role to evidence duty, from evidence duty to complaint path, and from complaint path to remedy.
No Single AI Law
The United States does not have one comprehensive AI statute. It has executive orders, agency guidance, procurement rules, civil-rights enforcement, sector laws, standards work, export controls, lawsuits, and a growing body of state legislation. That is not a temporary footnote. It is the actual operating system of American AI governance.
This matters because AI systems now enter society through many doors. A model can screen a job applicant, summarize a medical record, rank a student, write a police report, power a companion product, generate a political ad, recommend a welfare action, automate insurance underwriting, or sit upstream as a frontier model used by other institutions. No single regulator sees all of that. No single law has yet absorbed it.
A state AI law, in practice, is not one thing. It may be an automated-decision statute, a consumer-protection rule, a civil-rights enforcement hook, a privacy amendment, a public-procurement rule, a child-safety or deepfake law, a regulatory sandbox, or a frontier-model reporting duty. The shared feature is institutional: the law tries to make a model, vendor, deployer, incident, or affected person visible to someone with authority.
That makes the state layer a routing system for accountability. It asks where obligation attaches: at model development, product release, public procurement, deployment in a consequential workflow, consumer notice, adverse decision, incident report, attorney-general investigation, or court action. The answer determines what evidence exists when something goes wrong.
The sharpest definition is procedural. A state AI law becomes the regulator when it creates a durable chain from system use to record, from record to explanation, from explanation to complaint, and from complaint to enforcement or remedy. Without that chain, the law may be only an announcement about AI rather than a working institution around it.
The minimum unit is therefore a compliance record. It should name the covered system, legal trigger, developer, deployer, affected domain, evidence artifact, review owner, complaint route, enforcement authority, and public or confidential status. A law that cannot produce that record may still express values, but it will struggle to govern a deployed system.
So the states are moving. NCSL's AI legislation database, updated June 1, 2026 and updated monthly, tracks introduced, enacted, and pending state AI bills beginning in 2025 across government use, private-sector use, health, education, housing, labor, cybersecurity, deepfakes, provenance, impact assessment, oversight, and more. The database is not itself a law. It is a map of something more important: AI governance becoming federalism in motion.
The result is not clean. It is uneven, contested, sometimes redundant, and vulnerable to lobbying. But it is also the place where enforceable duties are beginning to appear while Congress remains unable to pass a broad AI law.
Four State Models
As of June 23, 2026, several state approaches show the shape of the emerging regime.
Colorado is regulating consequential automated decisions. Colorado's 2024 AI law was heavily debated, then repealed and reenacted in 2026 by SB 26-189. The signed act defines automated decision-making technology as systems that process personal data and generate outputs such as predictions, recommendations, classifications, rankings, or scores used to make, guide, or assist decisions about individuals. It focuses on consequential decisions involving education, employment, housing, financial or lending services, insurance, health care, and essential government services. Starting January 1, 2027, developers must provide deployers technical documentation for covered systems, and deployers must give consumers notice, post-adverse-outcome explanations, access to relevant personal data, correction rights, and a path to meaningful human review and reconsideration. The act also requires records needed to show compliance to be kept for at least three years, directs the attorney general to clarify disclosure rules, channels enforcement through the attorney general and the Colorado Consumer Protection Act, includes a temporary notice-and-cure path before 2030, and does not create a new private right of action.
Texas is regulating forbidden uses, disclosure, and state capacity. Texas HB 149, the Texas Responsible Artificial Intelligence Governance Act, took effect January 1, 2026. The enrolled text creates mandatory disclosure requirements for certain AI users, including government agencies and health care service providers; prohibitions on AI systems used to incite certain activities, violate biometric rights, impair constitutional rights, unlawfully discriminate against protected classes, create social scoring systems, or produce certain sexual content involving children; civil penalties enforced by the attorney general; a regulatory sandbox; and a Texas Artificial Intelligence Council. The act also preempts local AI ordinances, requires state-agency AI inventory and assessment practices, and makes the attorney general, Department of Information Resources, and council the central public institutions for the Texas model. The council can issue reports, training, and recommendations, but the statute says it may not adopt binding rules.
California is regulating frontier-model transparency and incident reporting. SB 53, signed September 29, 2025, requires large frontier developers to publish safety frameworks, creates a mechanism for frontier AI companies and the public to report potential critical safety incidents to California's Office of Emergency Services, protects whistleblowers, creates civil penalties for noncompliance, and establishes CalCompute as a public computing initiative. It is a frontier-model law, but it is also a state-capacity law: California is trying to make the companies building the most capable systems legible to public institutions in the state where many of them operate.
New York is building a parallel frontier-model layer. The RAISE Act was signed December 19, 2025, and a chapter-amendment bill, S8828, was signed March 27, 2026. In its current chapter-amended form, New York requires large frontier developers to publish frontier AI frameworks and transparency reports, creates reporting duties for critical safety incidents, places implementation in an office within the Department of Financial Services, and preserves attorney-general enforcement. That sequence matters because the operative law is not just the December signing announcement; it is the signed bill as changed by the later chapter amendment.
These laws are not interchangeable. Colorado centers automated decisions affecting ordinary life. Texas centers prohibited practices, disclosure, enforcement, local preemption, and sandbox governance. California and New York center frontier-model developers, safety protocols, incident reporting, and oversight channels. Together they reveal a basic fact: AI law is not one object. It is a bundle of institutional claims over different points in the stack.
The common pattern is not regulation of intelligence in the abstract. It is regulation of handoffs: developer to deployer documentation, deployer to affected-person notice, company to incident office, sandbox participant to regulator, regulator to public report, and attorney general to court.
That handoff structure is the policy lesson. Colorado tests whether an automated-decision record can reach the person affected by the decision. Texas tests whether an attorney-general and agency-centered model can combine prohibitions, disclosure, inventories, and a sandbox without turning the council into an unelected rulemaker. California and New York test whether frontier-model safety frameworks and incident reports can create state visibility into firms whose products are national or global in reach.
The bottleneck is enforcement capacity. A right to explanation matters only if the deployer can reconstruct the decision. An incident deadline matters only if the receiving office can triage reports and protect sensitive evidence. A sandbox matters only if the regulator can learn without becoming a private consultant. An attorney-general power matters only if the office has technical staff, complaint intake, subpoena practice, budget, and public reporting discipline.
Patchwork as Institution
The word "patchwork" is usually used as an accusation. It means compliance complexity, inconsistent definitions, legal uncertainty, and a burden on firms operating across state lines. Those concerns are real. A national employer, hospital vendor, insurer, bank, school platform, model developer, or AI API provider cannot treat every state border as a different technical universe without cost.
But patchwork is also how American technology law often begins. States surface harms, test definitions, force disclosures, create attorney-general theories, expose lobbying pressure, and produce evidence for later federal law. The early state layer can be messy because it is doing work that a missing national framework has not done. It also creates the practical evidence that later audits, registers, standards, and algorithmic impact assessments need.
The important question is not whether patchwork is elegant. It is whether the alternative is better. If national uniformity means a strong public-interest floor, then it can reduce compliance noise while preserving accountability. If national uniformity means preempting state protections before Congress creates meaningful rights, then it converts patchwork into a slogan for deregulation.
AI systems make this especially dangerous because they are already embedded in high-control interfaces. The person affected by a denied benefit, rejected application, model-generated accusation, unsafe companion, misleading chatbot, or automated workplace score may not care whether the regulating entity is federal or state. They need notice, records, appeal, liability, and an institution with power to investigate.
Patchwork also creates source evidence. A state AI register, a public-sector procurement rule, a workplace notice duty, or an adverse-action explanation requirement can reveal which definitions fail in practice. That evidence can later support federal harmonization. The danger is losing those field reports before a stronger national floor exists.
The Preemption Fight
The preemption fight is therefore not a legal technicality. It is the struggle over who gets to write the first durable interface between AI companies and public accountability.
In July 2025, the U.S. Senate voted 99-1 for the Blackburn amendment to strike the budget-bill section relating to support for artificial intelligence, removing a proposed ten-year moratorium on state AI regulation from the legislation. That vote did not settle the issue. It showed that a broad freeze on state authority was politically difficult, especially when there was no comprehensive federal AI law ready to replace state action.
The White House returned to the issue in December 2025 through an executive order on a national AI policy framework. The order directed the attorney general to create an AI Litigation Task Force to challenge state AI laws viewed as unlawful or inconsistent with federal policy, called for a Commerce evaluation of state AI laws, tied some funding conditions to state AI-law choices, and asked for legislative recommendations that would preempt conflicting state laws.
In March 2026, the White House released a national AI legislative framework. Its public release argued that the framework could succeed only if applied uniformly across the United States and warned that conflicting state laws would undermine American innovation and global AI leadership. That is the central federal argument: AI is interstate, strategically important, and too economically significant to be governed through fifty different rulebooks.
The preemption debate did not stop there. On June 4, 2026, Representatives Jay Obernolte and Lori Trahan released the Great American AI Act as a discussion draft, not a formally enacted law. The draft creates federal frontier-model governance, transparency, independent verification, whistleblower, workforce, cybersecurity, and research provisions. Its section on "Federalization of State laws regulating artificial intelligence model development" would preempt state and local laws specifically regulating AI model development while preserving laws of general applicability, common-law remedies, and laws regulating post-deployment implementation, distribution, offering, or use. The draft text says that section would cease to have effect three years after enactment unless Congress reauthorized it.
By June 16, 2026, a bipartisan group of state lawmakers had sent Congress a letter opposing the draft's preemption provision. That letter is not law, and it does not prove the draft's legal effect. It is evidence that the state layer sees preemption as an immediate institutional conflict, not an abstract federalism seminar.
That draft matters because it narrows the preemption question. A blanket moratorium on state AI law is one thing. A federal rule that blocks state regulation of model development while preserving state power over deployment, use, child safety, fraud, consumer protection, procurement, and ordinary remedies is another. Whether that line would hold in practice is exactly the dispute.
The counterargument is equally concrete: AI harm is experienced locally. Employment, education, housing, insurance, health care, policing, public benefits, child safety, consumer fraud, and state procurement all sit inside state authority. If federal law preempts those domains without replacing them with enforceable rights, then people lose the nearest working regulator.
Preemption can be necessary where state rules truly conflict with a national safety, security, or interstate-commerce framework. But preemption without a floor is institutional deletion. It removes imperfect accountability before building anything stronger.
What State Law Can See
State law sees different things than federal AI strategy sees.
A federal strategy sees national competitiveness, export controls, model security, standards, research funding, federal procurement, critical infrastructure, and geopolitical competition. Those are real concerns. But state law sees the school district buying an AI tutor, the landlord using a tenant-risk tool, the employer screening applicants, the hospital deploying a triage model, the police agency adopting report-writing software, the insurer ranking claims, and the public agency automating a benefits workflow.
Those are not small cases. They are the places where model-mediated knowledge becomes administrative reality. A generated explanation can become a record. A score can become a denial. A chatbot answer can become advice. A safety protocol can remain invisible until an incident happens. A person becomes governable through a system they never chose and cannot inspect.
This is why the state layer matters even when it is awkward. It can require disclosure at the point of use. It can give attorneys general investigatory power. It can create rights to explanation, correction, human review, and incident reporting. It can use procurement, public records, and public registers to make government AI systems visible. It can treat AI as part of ordinary institutional life rather than only as frontier research or national competition.
That ordinary layer includes the government chatbot at the front desk, the voter chatbot as election clerk, the permit counter as plan-review model, the boss as dashboard, and the public-comment bot in rulemaking. State AI law matters because those are state and local institutions before they are frontier-model abstractions.
The Governance Standard
A serious state AI law should meet several tests.
First, definitions must follow power, not branding. A law should not depend only on whether a vendor calls something artificial intelligence. It should ask whether a system makes, guides, materially influences, or automates decisions that affect people.
Second, duties should attach to both developers and deployers. The model builder may know capabilities and limits. The deploying institution knows context, population, workflow, and consequence. Either side can hide behind the other unless the law assigns duties across the chain.
Third, affected people need usable rights. Notice, explanation, correction, human review, and appeal are not decorative. They are the difference between being governed by a record and being able to contest the record.
Fourth, incident reporting should build public memory. California and New York point toward a frontier-model incident layer. That layer should connect to broader AI incident reporting rather than disappearing into private remediation.
Fifth, attorney-general enforcement needs resources. A law enforced only on paper invites compliance theater. Regulators need technical staff, subpoena authority, public reporting, and enough budget to face well-funded AI companies and vendors.
Sixth, sandboxes need public guardrails. A regulatory sandbox can help regulators learn before rules settle, but it should not become a private waiver machine. A serious sandbox needs eligibility standards, risk-mitigation plans, time limits, participant reports, incident escalation, and public summaries that preserve trade secrets without hiding public consequences.
Seventh, audits and standards should remain evidence tools. State laws will increasingly refer to documentation, assessments, controls, and technical standards. Those mechanisms matter only when they connect to real artifacts: model versions, intended-use statements, training-data categories where law requires them, known limitations, monitoring logs, complaint files, human-review records, and vendor contracts. Otherwise the audit interface becomes paperwork theater, and the standard becomes law without public understanding.
Eighth, state experimentation should remain interoperable. States can learn from one another without copying definitions blindly. A good federal floor could harmonize minimum protections while allowing stronger state rules where local domains require them.
Ninth, enforcement machinery should be named. A statute should identify the agency or attorney general that receives complaints, what evidence they can demand, what timelines apply, whether cure periods exist, whether private rights remain available, and which reports become public. Hidden enforcement design turns visible rights into uncertain leverage.
Tenth, preemption clauses should preserve remedies. State and federal preemption can reduce conflict, but they should not quietly erase consumer protection, civil rights, labor, child safety, public procurement, fraud, tort, or public-records pathways unless a stronger replacement exists.
Eleventh, public-sector use should be inventory-first. States regulating their own agencies should require system inventories, procurement records, impact assessments where appropriate, complaint routing, and public-register entries for consequential uses. A state cannot supervise private deployers credibly while leaving its own systems unnamed.
Twelfth, model-development rules and deployment rules should stay distinct. Frontier-model transparency, catastrophic-risk frameworks, and model-weight security are different from tenant screening, worker scoring, benefit eligibility, classroom tools, and public-facing chatbots. A good law says which layer it governs and what downstream evidence must travel with the model.
Source Discipline
State AI law changes quickly, so the source hierarchy matters. A bill tracker is useful for discovery, but it is not a substitute for the enacted bill text, enrolled summary, chapter amendment, signing statement, agency rule, regulator guidance, or court order. A press release can explain intent, but it should not be treated as the operative law unless it links to the statutory text or official action.
For this essay, the current claims rest on primary or near-primary sources: Colorado's official SB26-189 page and enacted summary, Texas Legislature Online's enrolled bill text, California Legislative Information's chaptered SB 53 text and the Governor's signing announcement, New York's Governor announcement plus the signed S8828 chapter amendment, the NCSL database, the Senate roll-call record for the 99-1 moratorium vote, White House and Federal Register materials for the executive-order framework, the official House discussion draft and section-by-section summary for the Great American AI Act, and the June 16 state-lawmakers' letter as evidence of political opposition to the draft's preemption provision. The NCSL database is used as a tracker, not as proof that any particular bill is law. The Great American AI Act is treated as a discussion draft, not enacted federal law. The state-lawmakers' letter is treated as advocacy and political evidence, not as legal authority.
The same rule should apply inside institutions. A compliance team should distinguish model cards, vendor promises, system logs, impact assessments, incident reports, contracts, and regulator filings. Governance fails when all of those artifacts get flattened into a single claim that the system is compliant.
Current-source claims on this page were checked against the named sources on June 23, 2026.
What This Changes
The state AI law is a form of institutional perception. It decides what the polity can notice.
Without law, the AI system appears as product: a model, dashboard, assistant, classifier, agent, or API. With law, the system can become a governed chain: developer, deployer, affected person, notice, record, explanation, appeal, incident, regulator, penalty, public report. The interface stops being only a surface and becomes an administrative object.
That is why the preemption fight has symbolic force. It asks whether AI will be governed primarily through national strategy, company frameworks, state consumer protection, civil-rights law, procurement rules, private contracts, or some new combination. Each answer makes a different reality easier to see.
The danger is that uniformity becomes a spell. A single national standard sounds rational because it promises order. But order can also erase evidence. If the federal standard is weak, the smooth national surface hides local injury. If every state law is dismissed as friction, then friction itself becomes suspect, even when it is the only thing slowing an unaccountable decision machine.
The better path is not romantic chaos. It is federalism with memory. Let states surface concrete harms. Let federal law create a strong floor. Let definitions converge where convergence helps affected people. Preserve state power where local institutions carry the consequence. Require records. Protect reporters. Give people a way to contest the machine in front of them.
The United States may eventually pass a comprehensive AI law. Until then, the regulator is already here. It is uneven, local, partial, litigated, and politically fragile. That is not a reason to ignore it. It is a reason to watch it closely, because the first workable rights around AI may not arrive as a grand national constitution. They may arrive as a notice after an adverse decision, a report filed within 72 hours, a state attorney general's demand letter, or a rule requiring the machine to explain itself before it becomes the institution's voice.
Sources
- National Conference of State Legislatures, Artificial Intelligence Legislation Database, updated June 1, 2026, reviewed June 23, 2026.
- Colorado General Assembly, SB26-189 Automated Decision-Making Technology, signed act dated May 14, 2026, reviewed June 23, 2026.
- Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence, signed May 17, 2024, reviewed June 23, 2026.
- Texas Legislature Online, HB 149 Enrolled Bill Summary, effective January 1, 2026, reviewed June 23, 2026.
- Texas Legislature Online, HB 149 Enrolled Bill Text, 89th Regular Session, reviewed June 23, 2026.
- California Legislative Information, SB 53 Artificial intelligence models: large developers, chaptered September 29, 2025, reviewed June 23, 2026.
- Governor of California, Governor Newsom signs SB 53, September 29, 2025, reviewed June 23, 2026.
- Governor Kathy Hochul, Governor Hochul signs legislation to require AI frameworks for AI frontier models, December 19, 2025, reviewed June 23, 2026.
- New York State Senate, Senate Bill S8828, signed March 27, 2026, reviewed June 23, 2026.
- U.S. Senate, Roll Call Vote 363, Blackburn Amendment No. 2814, July 1, 2025, reviewed June 23, 2026.
- U.S. Senator Edward J. Markey, Senate strikes AI moratorium from budget reconciliation bill overnight in overwhelming 99-1 vote, July 1, 2025, reviewed June 23, 2026.
- Federal Register, Executive Order 14365: Ensuring a National Policy Framework for Artificial Intelligence, December 11, 2025.
- The White House, Ensuring a National Policy Framework for Artificial Intelligence, executive order, December 11, 2025, reviewed June 23, 2026.
- The White House, National Policy Framework for Artificial Intelligence: Legislative Recommendations, March 20, 2026, reviewed June 23, 2026.
- Representative Jay Obernolte, Obernolte, Trahan release a discussion draft of the Great American AI Act, June 4, 2026, reviewed June 23, 2026.
- Representatives Jay Obernolte and Lori Trahan, Great American Artificial Intelligence Act of 2026 discussion draft and section-by-section summary, released June 4, 2026, reviewed June 23, 2026.
- State lawmakers, letter opposing GAAIA state AI law preemption, June 16, 2026, reviewed June 23, 2026.
- Related references: U.S. AI Policy, AI Governance, EU AI Act, AI in Government and Public Services, Algorithmic Impact Assessments, AI System Inventory, AI Incident Reporting, Notice and Appeal, Human Oversight of AI Systems, AI Liability and Accountability, AI Regulatory Sandboxes, The Adverse Action Notice Becomes the Explanation Interface, The Incident Report Becomes Public Memory, The AI Register Becomes Public Memory, The Government Chatbot Becomes the Front Desk, The Public Comment Bot Enters Rulemaking, The AI Bill of Materials Becomes the Supply Chain Map, The State Rents Its Mind, Vendor and Platform Governance, and Transparency and Public Registers.