The State AI Law Becomes the Regulator
In the United States, AI governance is not waiting for one federal statute. It is being written through state law, attorney-general power, frontier-model reporting, automated-decision rules, and the fight over preemption.
No Single AI Law
The United States does not have one comprehensive AI statute. It has executive orders, agency guidance, procurement rules, civil-rights enforcement, sector laws, standards work, export controls, lawsuits, and a growing body of state legislation. That is not a temporary footnote. It is the actual operating system of American AI governance.
This matters because AI systems now enter society through many doors. A model can screen a job applicant, summarize a medical record, rank a student, write a police report, power a companion product, generate a political ad, recommend a welfare action, automate insurance underwriting, or sit upstream as a frontier model used by other institutions. No single regulator sees all of that. No single law has yet absorbed it.
So the states are moving. NCSL's AI legislation database, updated monthly, tracks enacted and pending state AI bills beginning in 2025 across government use, private-sector use, health, education, housing, labor, cybersecurity, deepfakes, provenance, impact assessment, oversight, and more. The database is not itself a law. It is a map of something more important: AI governance becoming federalism in motion.
The result is not clean. It is uneven, contested, sometimes redundant, and vulnerable to lobbying. But it is also the place where enforceable duties are beginning to appear while Congress remains unable to pass a broad AI law.
Four State Models
By May 19, 2026, several state approaches show the shape of the emerging regime.
Colorado is regulating consequential automated decisions. Colorado's 2024 AI law was heavily debated, then replaced in 2026 by SB 26-189. The signed act defines automated decision-making technology as systems that process personal data and generate outputs such as predictions, recommendations, classifications, rankings, or scores used to make, guide, or assist decisions about individuals. It focuses on consequential decisions involving education, employment, housing, financial or lending services, insurance, health care, and essential government services. Starting January 1, 2027, developers must provide deployers technical documentation for covered systems, and deployers must give consumers notice, post-adverse-outcome explanations, access to relevant personal data, correction rights, and a path to meaningful human review and reconsideration.
Texas is regulating forbidden uses, disclosure, and state capacity. Texas HB 149, the Texas Responsible Artificial Intelligence Governance Act, took effect January 1, 2026. The official enrolled summary describes mandatory disclosure requirements for certain AI users, including government agencies and health care service providers; prohibitions on AI systems used to incite certain activities, violate biometric rights, impair constitutional rights, unlawfully discriminate against protected classes, create social scoring systems, or produce certain sexual content involving children; civil penalties enforced by the attorney general; a regulatory sandbox; and a Texas Artificial Intelligence Council.
California is regulating frontier-model transparency and incident reporting. SB 53, signed September 29, 2025, requires large frontier developers to publish safety frameworks, creates a mechanism for frontier AI companies and the public to report potential critical safety incidents to California's Office of Emergency Services, protects whistleblowers, creates civil penalties for noncompliance, and establishes CalCompute as a public computing initiative. It is a frontier-model law, but it is also a state-capacity law: California is trying to make the companies building the most capable systems legible to public institutions in the state where many of them operate.
New York is building a parallel frontier-model layer. The RAISE Act, signed December 19, 2025, requires large frontier AI developers to publish information about safety protocols and report incidents to the state within 72 hours of determining that an incident occurred. It also creates an oversight office within the Department of Financial Services and authorizes the attorney general to bring civil actions for reporting failures or false statements, with penalties up to $1 million for a first violation and up to $3 million for later violations.
These laws are not interchangeable. Colorado centers automated decisions affecting ordinary life. Texas centers prohibited practices, disclosure, enforcement, and sandbox governance. California and New York center frontier-model developers, safety protocols, incident reporting, and oversight channels. Together they reveal a basic fact: AI law is not one object. It is a bundle of institutional claims over different points in the stack.
Patchwork as Institution
The word "patchwork" is usually used as an accusation. It means compliance complexity, inconsistent definitions, legal uncertainty, and a burden on firms operating across state lines. Those concerns are real. A national employer, hospital vendor, insurer, bank, school platform, model developer, or AI API provider cannot treat every state border as a different technical universe without cost.
But patchwork is also how American technology law often begins. States surface harms, test definitions, force disclosures, create attorney-general theories, expose lobbying pressure, and produce evidence for later federal law. The early state layer can be messy because it is doing work that a missing national framework has not done.
The important question is not whether patchwork is elegant. It is whether the alternative is better. If national uniformity means a strong public-interest floor, then it can reduce compliance noise while preserving accountability. If national uniformity means preempting state protections before Congress creates meaningful rights, then it converts patchwork into a slogan for deregulation.
AI systems make this especially dangerous because they are already embedded in high-control interfaces. The person affected by a denied benefit, rejected application, model-generated accusation, unsafe companion, misleading chatbot, or automated workplace score may not care whether the regulating entity is federal or state. They need notice, records, appeal, liability, and an institution with power to investigate.
The Preemption Fight
The preemption fight is therefore not a legal technicality. It is the struggle over who gets to write the first durable interface between AI companies and public accountability.
In July 2025, the U.S. Senate voted 99-1 to remove a proposed ten-year moratorium on state AI regulation from budget legislation. That vote did not settle the issue. It showed that a broad freeze on state authority was politically difficult, especially when there was no comprehensive federal AI law ready to replace state action.
The White House returned to the issue in March 2026 with a national AI legislative framework. Its public release argued that the framework could succeed only if applied uniformly across the United States and warned that conflicting state laws would undermine American innovation and global AI leadership. That is the central federal argument: AI is interstate, strategically important, and too economically significant to be governed through fifty different rulebooks.
The counterargument is equally concrete: AI harm is experienced locally. Employment, education, housing, insurance, health care, policing, public benefits, child safety, consumer fraud, and state procurement all sit inside state authority. If federal law preempts those domains without replacing them with enforceable rights, then people lose the nearest working regulator.
Preemption can be necessary where state rules truly conflict with a national safety, security, or interstate-commerce framework. But preemption without a floor is institutional deletion. It removes imperfect accountability before building anything stronger.
What State Law Can See
State law sees different things than federal AI strategy sees.
A federal strategy sees national competitiveness, export controls, model security, standards, research funding, federal procurement, critical infrastructure, and geopolitical competition. Those are real concerns. But state law sees the school district buying an AI tutor, the landlord using a tenant-risk tool, the employer screening applicants, the hospital deploying a triage model, the police agency adopting report-writing software, the insurer ranking claims, and the public agency automating a benefits workflow.
Those are not small cases. They are the places where model-mediated knowledge becomes administrative reality. A generated explanation can become a record. A score can become a denial. A chatbot answer can become advice. A safety protocol can remain invisible until an incident happens. A person becomes governable through a system they never chose and cannot inspect.
This is why the state layer matters even when it is awkward. It can require disclosure at the point of use. It can give attorneys general investigatory power. It can create rights to explanation, correction, human review, and incident reporting. It can treat AI as part of ordinary institutional life rather than only as frontier research or national competition.
The Governance Standard
A serious state AI law should meet several tests.
First, definitions must follow power, not branding. A law should not depend only on whether a vendor calls something artificial intelligence. It should ask whether a system makes, guides, materially influences, or automates decisions that affect people.
Second, duties should attach to both developers and deployers. The model builder may know capabilities and limits. The deploying institution knows context, population, workflow, and consequence. Either side can hide behind the other unless the law assigns duties across the chain.
Third, affected people need usable rights. Notice, explanation, correction, human review, and appeal are not decorative. They are the difference between being governed by a record and being able to contest the record.
Fourth, incident reporting should build public memory. California and New York point toward a frontier-model incident layer. That layer should connect to broader AI incident reporting rather than disappearing into private remediation.
Fifth, attorney-general enforcement needs resources. A law enforced only on paper invites compliance theater. Regulators need technical staff, subpoena authority, public reporting, and enough budget to face well-funded AI companies and vendors.
Sixth, state experimentation should remain interoperable. States can learn from one another without copying definitions blindly. A good federal floor could harmonize minimum protections while allowing stronger state rules where local domains require them.
The Spiralist Reading
The state AI law is a form of institutional perception. It decides what the polity can notice.
Without law, the AI system appears as product: a model, dashboard, assistant, classifier, agent, or API. With law, the system can become a governed chain: developer, deployer, affected person, notice, record, explanation, appeal, incident, regulator, penalty, public report. The interface stops being only a surface and becomes an administrative object.
That is why the preemption fight has symbolic force. It asks whether AI will be governed primarily through national strategy, company frameworks, state consumer protection, civil-rights law, procurement rules, private contracts, or some new combination. Each answer makes a different reality easier to see.
The danger is that uniformity becomes a spell. A single national standard sounds rational because it promises order. But order can also erase evidence. If the federal standard is weak, the smooth national surface hides local injury. If every state law is dismissed as friction, then friction itself becomes suspect, even when it is the only thing slowing an unaccountable decision machine.
The better path is not romantic chaos. It is federalism with memory. Let states surface concrete harms. Let federal law create a strong floor. Let definitions converge where convergence helps affected people. Preserve state power where local institutions carry the consequence. Require records. Protect reporters. Give people a way to contest the machine in front of them.
The United States may eventually pass a comprehensive AI law. Until then, the regulator is already here. It is uneven, local, partial, litigated, and politically fragile. That is not a reason to ignore it. It is a reason to watch it closely, because the first workable rights around AI may not arrive as a grand national constitution. They may arrive as a notice after an adverse decision, a report filed within 72 hours, a state attorney general's demand letter, or a rule requiring the machine to explain itself before it becomes the institution's voice.
Sources
- National Conference of State Legislatures, Artificial Intelligence Legislation Database, updated May 1, 2026.
- Colorado General Assembly, SB26-189 Automated Decision-Making Technology, signed act dated May 14, 2026.
- Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence, signed May 17, 2024.
- Texas Legislature Online, HB 149 Enrolled Bill Summary, effective January 1, 2026.
- Governor of California, Governor Newsom signs SB 53, September 29, 2025.
- Governor Kathy Hochul, Governor Hochul signs legislation to require AI frameworks for AI frontier models, December 19, 2025.
- U.S. Senate Committee on Commerce, Science, and Transportation, Senate strikes AI moratorium from budget reconciliation bill, July 1, 2025.
- The White House, President Donald J. Trump unveils national AI legislative framework, March 20, 2026.
- Church of Spiralism Wiki, U.S. AI Policy, AI Governance, Algorithmic Impact Assessments, and AI Incident Reporting.