U.S. AI Law Is Here. This Is What You Need to Know.

There is a common belief in compliance circles that U.S. AI regulation is still forming, and that the right posture is to watch and wait. That belief is understandable as there is currently no single federal AI law. The executive branch and the states are in open conflict over who governs AI development and the landscape genuinely is unsettled. 

But unsettled is not the same as absent. As of mid-2026, organizations deploying AI in consequential decisions are already operating under active and imminent legal obligations in Illinois, New York City, California, and Colorado. The January 2027 compliance deadline for California and Colorado alone covers a substantial share of the U.S. economy. The question is no longer whether your organization has U.S. AI compliance exposure. It is whether your governance program reflects the exposure you actually have. 

This article walks through the current U.S. AI regulatory landscape, what each active framework requires, and what a defensible governance posture looks like against all of them simultaneously. 

The regulatory map as it stands today

The current regulatory environment spans one federal layer and four state and local frameworks, each with distinct obligations, different effective dates, and its own enforcement posture. Here is where each one stands today. 

Federal: Intent without binding law

The federal picture is active but not yet legislative. President Trump signed Executive Order 14365, “Ensuring a National Policy Framework for Artificial Intelligence,” on December 11, 2025. The order directed the Department of Justice to establish an AI Litigation Task Force to challenge state AI laws on preemption and commerce-clause grounds. It also directed preparation of legislative recommendations for Congress. Those recommendations arrived on March 20, 2026, as the White House National Policy Framework for Artificial Intelligence, a seven-pillar blueprint urging Congress to preempt state AI laws that impose “undue burdens” on AI development. 

Neither the executive order nor the framework changes what is legally required of organizations today. An executive order cannot preempt state law without congressional action, and that action has not yet occurred. What the federal push does is introduce genuine uncertainty about which state laws will survive in their current form. That uncertainty cuts both ways: organizations that build compliance infrastructure now are insulated regardless of how the federal-state conflict resolves. Organizations that wait are exposed on both ends. 

The one federal AI statute signed into law as of this writing is the TAKE IT DOWN Act (signed May 19, 2025), which requires online platforms to remove non-consensual intimate imagery, including AI-generated deepfakes, within 48 hours of a report. Covered platforms had until May 19, 2026 to establish the required notice-and-removal process. Outside that narrow scope, the federal regulatory floor is agency enforcement under existing statutes, not AI-specific legislation.

Illinois: In force now

Illinois’s HB 3773 (Public Act 103-0804) took effect January 1, 2026, amending the Illinois Human Rights Act to prohibit employers from using AI that has the effect of subjecting employees or applicants to discrimination on the basis of protected classes. The law covers recruitment, hiring, promotion, discharge, discipline, tenure, and terms of employment broadly. It requires employers to notify workers when AI is used in employment decisions and directed the Illinois Department of Human Rights to issue implementing rules, which it released in draft form in late 2025. 

Illinois also has the Artificial Intelligence Video Interview Act (AIVIA), enacted in 2019 and in force since January 1, 2020, which requires employer notification and candidate consent specifically when AI analyzes video interviews. HB 3773 substantially expands those obligations beyond the video interview context to the full employment lifecycle. 

The practical compliance requirement today: if your organization employs people in Illinois and uses any AI system that influences employment decisions, you need documented notice procedures, a mechanism for employees to understand how AI is used in decisions that affect them, and internal governance that can demonstrate those systems are not producing discriminatory outcomes. 

New York City: In enforcement since July 2023

Enacted in 2021 and in enforcement since July 5, 2023, New York City’s Local Law 144 requires any employer or employment agency using an automated employment decision tool (AEDT) for hiring or promotion decisions affecting New York City positions to conduct an annual third-party bias audit, publish a summary of the results publicly, and notify candidates at least ten business days before the AEDT is used in their evaluation. 

The law is enforced by the NYC Department of Consumer and Worker Protection (DCWP). A December 2025 audit by the New York State Comptroller found DCWP enforcement had been ineffective, identifying at least 17 instances of potential non-compliance among 32 companies reviewed that DCWP had missed. DCWP has committed to implementing the Comptroller’s recommendations, including a shift from reactive complaint-driven enforcement to proactive investigations. Organizations that have treated Local Law 144 as a low-priority compliance item on the assumption that enforcement was light should revisit that posture. 

The practical compliance requirement today: if your organization uses AI tools to screen, rank, or evaluate candidates for positions based in New York City, you need a current bias audit from an independent auditor, a publicly posted summary of the results, and documented candidate notification procedures. 

California: Effective now, compliance deadline January 2027

California’s updated CCPA regulations, adopted by the California Privacy Protection Agency and formally effective January 1, 2026, introduce a comprehensive automated decision-making technology (ADMT) framework. The regulations define ADMT as any technology that processes personal information and uses computation to replace or substantially replace human decision-making. When that technology is used to make “significant decisions” affecting California consumers in finance, housing, education, employment, or health care, a specific set of compliance obligations applies. 

For organizations already using ADMT for significant decisions prior to January 1, 2027, full compliance is required by January 1, 2027. For organizations deploying new ADMT for significant decisions on or after that date, compliance is required before first use. The obligations include pre-use consumer notices, opt-out rights, risk assessments, and documentation requirements. The California Privacy Protection Agency and the Attorney General are both authorized to enforce, with fines of up to $7,500 per intentional violation. 

The practical compliance requirement: if your organization processes personal information of California consumers and uses AI in significant decisions affecting them, the January 1, 2027 compliance deadline is now less than seven months away. Pre-use notices, risk assessments, and opt-out mechanisms all require lead time to build and document properly. 

Colorado: rewritten, targeted for January 2027, subject to a live court challenge

Colorado’s regulatory path has been the most turbulent. The original Colorado AI Act (SB 24-205), signed in 2024 as the first comprehensive state AI law in the United States, was repealed and replaced after a federal court stay and a constitutional challenge filed by xAI on April 9, 2026. The Department of Justice intervened on xAI’s side on April 24, marking the first federal action to invalidate a state AI law under Executive Order 14365; a federal magistrate judge stayed enforcement three days later. 

Governor Polis signed the replacement law, SB 26-189, on May 14, 2026. The new framework is materially narrower than what it replaced. Rather than a risk-based regime built on reasonable care duties and algorithmic discrimination obligations, SB 26-189 focuses on disclosure and transparency for automated decision-making technology used in consequential decisions: employment, housing, health care, insurance, education, lending, and legal services. Deployers must notify consumers when ADMT materially influences a consequential decision. Post-adverse-outcome disclosures and human review rights apply when the outcome is adverse. The attorney general is directed to complete rulemaking by January 1, 2027, which is also the law’s effective date. 

The court stay from the xAI litigation technically extends to SB 26-189 as well as the original law, meaning enforcement is contingent on both rulemaking completion and the court’s ruling on the preliminary injunction motion. The practical compliance posture, consistent with guidance from multiple law firms, is to build to the statute’s text while tracking rulemaking. The January 2027 date is the operative planning target. 

The compliance problem that cuts across all four

Read each of those frameworks independently and they look manageable: a notification requirement here, a bias audit there, a disclosure obligation somewhere else. Read them together and a pattern emerges. 

Every one of these laws assumes your organization already knows which AI systems you have deployed, what decisions they influence, and which populations are affected. Without that inventory, you cannot assess scope, you cannot build the required notices and disclosures, and you cannot demonstrate compliance to a regulator who asks. An AI system inventory is the prerequisite that every state law takes for granted. 

The second pattern: every law’s transparency obligations are only as good as the documentation that backs them up. Illinois’s anti-discrimination requirements mean nothing if you cannot demonstrate what your AI systems are actually doing in employment decisions. California’s pre-use notices mean nothing if they are not tied to documentation of how the system works. Colorado’s adverse outcome disclosures mean nothing if they do not accurately reflect what the ADMT did. In states that enforce through deceptive trade practice statutes, an inaccurate disclosure is itself a violation. 

The third pattern: all four frameworks impose obligations that apply based on where the affected person is located, not where your company is headquartered. An organization based in Texas that makes AI-assisted hiring decisions for New York City positions is subject to Local Law 144. One that deploys ADMT affecting California consumers is subject to the CCPA ADMT regulations regardless of where it is incorporated. Compliance is geographic in the way that matters, not corporate-structural. 

What a defensible governance posture actually requires

Given that reality, what does a compliance program look like that can credibly satisfy these overlapping obligations? 

  1. An AI system inventory with jurisdiction mapping. For each deployed AI system, what decisions does it influence, which states are affected persons located in, and which legal obligations therefore apply? Without this, every other compliance activity is guesswork.
  2. Documentation that matches disclosed practice. Transparency notices, bias audit summaries, and adverse outcome disclosures must accurately reflect how the system works at the time they are provided. The documentation chain that generates those disclosures must be live, not historical. When the system changes, the documentation changes, and the disclosure is updated. 
  3. Operational controls proportionate to the decision domain. An AI system that influences a hiring decision in New York City needs a bias audit and candidate notification. An AI system that influences a consequential decision affecting California consumers needs a risk assessment and pre-use notice. An AI system deployed in Illinois employment contexts needs notice procedures and non-discrimination documentation. The control set follows the footprint, not a generic policy. 
  4. A management system that holds it together. ISO 42001 is the structure that makes all of the above auditable, certifiable, and scalable. Its Clause 4 scope requirements are where the jurisdiction mapping and system inventory live. Its Clause 8 operational controls are where the notices, risk assessments, and documentation processes are operationalized. Its Clause 9 performance evaluation is where monitoring and measurement baselines are maintained. Its Clause 10 corrective action requirements are where the response to a compliance finding or an adverse system behavior is structured. 

ISO 42001 is not compliance with any specific U.S. law. It is the management system that makes compliance with all of them simultaneously achievable and demonstrable. Organizations that have built their AI governance to a management system standard are not starting over every time a statute is amended. They are extending an existing foundation. 

The federal preemption question and how to plan around it

The honest answer is that no one knows how the federal-state conflict over AI regulation resolves, or when. The White House Framework calls for congressional action in 2026. Congress has not yet acted. The xAI litigation remains active. The DOJ AI Litigation Task Force has signaled intent to challenge other state laws. 

What is knowable: the January 2027 compliance deadlines for California and Colorado do not depend on that question being resolved. Both states have made clear that enforcement will proceed on their own timelines unless a court or federal legislation intervenes. Illinois and New York City have their obligations in force now. 

Planning around uncertainty means building to the most rigorous applicable requirements today. If federal preemption ultimately narrows the compliance landscape, the governance infrastructure built for a more demanding environment does not become worthless. It becomes a competitive signal. Enterprise customers are already requiring ISO 42001 certification, SOC 2 with AI-specific controls, and documented third-party audits in procurement processes. That market pressure is not contingent on federal resolution. 

The organizations that treat AI governance as a “wait and see” problem will find themselves facing a January 2027 deadline, an active enforcement environment, and a compliance program built against a regulatory landscape that no longer matches the one they are actually operating in. 

Where does your organization stand?

A-LIGN works with organizations at every point in the AI governance maturity curve, from initial AI system inventory and jurisdiction mapping through full ISO 42001 certification assessment. If your program was built before the 2026 regulatory changes took effect, or if it has not yet been mapped against the California, Colorado, Illinois, and New York City frameworks specifically, now is the right time for a gap assessment. Reach out today to find out where your organization stands.