US State AI Laws in 2026: The AI Product Manager's Compliance Map

By Institute of AI PM · 14 min read · Jun 10, 2026

TL;DR

The EU AI Act gets most of the press, but US AI product teams now face a patchwork of state laws that are already in force or taking effect in weeks. Colorado's AI Act — the broadest US state law so far — takes effect June 30, 2026, creating disclosure and appeal requirements for AI systems that make consequential decisions. NYC Local Law 144 has required bias audits for hiring tools since 2023. Illinois and Virginia have their own requirements. This guide maps every law that currently affects US AI product teams, explains what each requires you to build, and shows how to prioritize your compliance roadmap without turning your engineering team into a legal department.

Why State Laws Matter More Than Most AI PMs Think

The conventional wisdom has been "wait for federal AI regulation before investing in compliance infrastructure." That was reasonable in 2024. In mid-2026, it's a product strategy mistake.

Here's why: state laws are already triggering enterprise procurement requirements. When a large employer headquartered in New York City runs an AI-assisted hiring process, their legal team now checks whether the vendor passed an annual bias audit (NYC Local Law 144). When a health system in Colorado deploys an AI triage tool, their risk team now asks whether the tool has disclosure mechanisms compliant with SB 24-205. These aren't hypothetical future scenarios — they're showing up in security questionnaires and vendor RFPs today.

US state AI law differs from the EU AI Act in a few critical ways that affect how you prioritize compliance work:

Narrower scope, but targeted

State laws typically focus on specific decision categories (employment, housing, credit, healthcare) rather than all AI systems. If your product doesn't touch those categories, most state laws won't apply. But if it does, compliance is non-optional.

Enforcement varies wildly

The EU AI Act has a structured market surveillance and notification system. US state laws range from robust AG enforcement (Colorado) to lightly enforced notice requirements (Illinois). Risk-weight your investment accordingly.

Residency, not operation

State laws generally apply based on where affected consumers or workers reside — not where your company is incorporated. A fintech headquartered in SF that serves Colorado borrowers must comply with Colorado AI law.

No federal preemption yet

Without a federal AI law, every state can and does act independently. California, Texas, New York, and others have bills at various stages. Plan for a continuing patchwork, not convergence to one standard.

Colorado AI Act (SB 24-205): What Takes Effect June 30, 2026

Colorado's SB 24-205 is the most comprehensive US state AI law to date. It applies to "consequential decisions" — those with substantial effects on education, employment, credit, housing, insurance, and healthcare. Unlike laws that only govern employers, Colorado covers both developers (companies that build AI systems) and deployers (companies that use third-party AI in their operations).

Obligations for: AI Developers

  • Publish a statement on the known risks of the AI system and known limitations
  • Document the intended uses and the data used to train the system
  • Provide deployers with information needed to comply with the law
  • Notify deployers of material changes that affect the system's risk profile

Obligations for: AI Deployers

  • Inform consumers when AI makes or substantially influences a consequential decision about them
  • Provide consumers with the principal reasons for an adverse AI decision
  • Establish a process for consumers to appeal AI decisions, request human review, or correct inaccurate data
  • Conduct and document a risk management program for high-risk AI systems
  • Post a clear public notice describing which high-risk AI systems are deployed

What "consequential decision" means in practice

Colorado defines it as a decision that has "a material legal or similarly significant effect" on a consumer. Covered domains: educational enrollment, employment (hiring, promotion, compensation, termination), essential services (insurance, banking, healthcare), credit, legal services, and housing. If your AI product touches any of these verticals, assume it's covered and consult legal.

Enforcement: The Colorado Attorney General has primary enforcement authority. The AG can issue civil investigative demands, seek injunctive relief, and impose civil penalties. Consumers cannot bring private lawsuits under the initial version of the law — enforcement is AG-driven.

The Other Laws Already in Force

Colorado is the most comprehensive, but it's not the only US AI law product teams face right now.

NYC Local Law 144 (Effective July 2023)

Scope: Automated Employment Decision Tools (AEDT) used in NYC hiring or promotion decisions

Requires: Annual independent bias audit comparing AEDT outcomes by race/ethnicity and sex. Public posting of audit summary. Notice to candidates and employees that an AEDT is being used. Notice of the job qualifications and characteristics the tool evaluates.

Who it hits: Any AI product that automates or substantially assists hiring or promotion decisions for workers in New York City — including vendor tools used by NYC employers.

Enforcement: $1,500 per day per violation for non-compliance. NYC Department of Consumer and Worker Protection enforces.

Illinois AI Video Interview Act (2020, Amended 2021)

Scope: AI analysis of video interviews for employment purposes in Illinois

Requires: Notify applicants before using AI to analyze video interviews. Explain how the AI works and what characteristics it evaluates. Get consent from applicants. Limit who can access the recordings. Destroy recordings within 30 days on request.

Who it hits: Any recruiting product that uses AI to analyze facial expressions, speech patterns, or body language in video interviews, used by Illinois employers.

Enforcement: Private right of action — applicants can sue. No cap on damages. This is actively litigated.

Virginia Consumer Data Protection Act (Effective 2023, AI Provisions)

Scope: Profiling for decisions with legal or similarly significant effects in Virginia

Requires: Opt-out rights from profiling in these contexts. Privacy notices must disclose the profiling. Data protection assessments for high-risk processing activities.

Who it hits: Any product that processes Virginia residents' personal data to make inferences used in consequential decisions.

Enforcement: Virginia AG enforcement. No private right of action. Civil penalties up to $7,500 per violation.

EEOC AI in Hiring Guidance (Federal Guidance, Not a Law)

Scope: AI-powered hiring tools used by US employers

Requires: Not legally binding, but sets enforcement expectations. AI hiring tools must not create disparate impact on protected classes. Employers (not vendors) are liable for discriminatory impact. Technical guidance on testing for adverse impact.

Who it hits: Any AI recruiting product. Your enterprise customers' legal teams will use EEOC guidance in vendor RFPs.

Enforcement: Discrimination lawsuits. EEOC investigations. Significant legal exposure for employers — which becomes a procurement barrier for AI vendors.

How US State Laws Differ From the EU AI Act

If you've already done EU AI Act compliance work, you might assume that carries over to US state requirements. Partially — but the framing is different enough to matter.

Scope

EU: Comprehensive — applies to all AI systems with a risk-tier framework (prohibited, high-risk, limited risk, minimal risk)

US States: Narrow — most state laws target specific decision categories (employment, credit, housing). Many AI systems outside those categories aren't covered at all.

Documentation burden

EU: Heavy — technical documentation, conformity assessments, CE marking, EU database registration for high-risk systems

US States: Lighter — primarily risk management programs (Colorado), public notices, and audit summaries (NYC). No equivalent to EU's technical documentation requirements.

Consumer rights

EU: Right to explanation, right not to be subject to solely automated decisions, right to opt out for certain processing

US States: Colorado: right to know, right to appeal, right to correct data. Virginia: opt-out from profiling. No federal equivalent. Consumer rights vary by state.

Bias testing requirements

EU: Required data governance, non-discrimination testing, technical robustness testing. No standardized audit format.

US States: NYC requires annual independent bias audits in a specific quantitative format comparing impact ratios by demographic. More prescriptive than the EU on this specific point.

Developer vs. deployer liability

EU: Both providers and deployers have obligations. Clear allocation of responsibility.

US States: Colorado explicitly covers both. NYC holds deployers (employers) responsible, not vendors. EEOC holds employers responsible. The locus of liability varies by law.

Enforcement timeline

EU: Phased enforcement through 2027. High-risk systems must comply by August 2027.

US States: NYC Law 144 is already enforcing. Colorado enforces June 30, 2026. Illinois has active litigation. No phase-in runway for US laws already in force.

Bottom line: EU AI Act compliance does not fully cover US state requirements. You need both — and they require different product features. The EU emphasizes documentation and technical conformity. Colorado emphasizes disclosure, appeal rights, and risk management programs. NYC emphasizes quantitative bias audits. These are distinct product requirements, not the same requirement in different packaging.

What AI Product Teams Must Build

Translate the law into product requirements. Here's the consolidated feature list that covers most of the current US state AI law surface area:

Decision disclosure mechanism

Critical

When AI makes or substantially influences a consequential decision, the affected person must be told. This means a disclosure notification — via email, in-app, or in writing — at or before the time of the decision. The disclosure must identify that AI was used and describe what it evaluated. Required by: Colorado (June 2026), EEOC guidance.

Principal reasons for adverse decisions

Critical

When AI produces an adverse outcome (rejected application, lower credit score, denied benefit), the consumer must receive the principal reasons. This isn't just a log entry — it's a human-readable explanation surfaced to the affected person. Required by: Colorado. Strongly recommended for EU AI Act conformity.

Appeal and human review pathway

Critical

Colorado requires a process for consumers to appeal AI decisions and request human review. This is a product feature, not a customer support workflow. It needs to be documented, discoverable, and actually route to meaningful review. Required by: Colorado, EU AI Act (high-risk systems), Virginia (opt-out from profiling).

Data correction workflow

High

If an AI decision was based on inaccurate data, consumers must be able to correct that data and have the decision reconsidered. This requires understanding what data feeds your model and exposing correction points in your data pipeline. Required by: Colorado.
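As an added illustration of the four features above (disclosure, principal reasons, appeal path, data correction), and not code from the article or from any vendor, here is a minimal Python decision record that refuses to ship an adverse outcome without the required artefacts. The reason-code vocabulary, feature names, contribution scores and appeal URL are constructed placeholders.

```python
"""Added example, not from the article: a minimal record for one AI-influenced
consequential decision that carries the artefacts the article lists for
Colorado deployers (disclosure, principal reasons, appeal path, correctable
inputs). REASON_CODES, the feature names and the scores are constructed."""
from dataclasses import dataclass, field

# Hypothetical feature -> human-readable reason vocabulary (constructed).
REASON_CODES = {
    "debt_to_income": "Debt-to-income ratio is high relative to approved applicants",
    "credit_history_months": "Length of credit history is short",
    "recent_delinquencies": "Recent late payments on existing accounts",
    "income": "Stated income is below the threshold for this product",
}

@dataclass
class DecisionRecord:
    subject_id: str
    outcome: str                      # "approved" or "denied"
    contributions: dict[str, float]   # feature -> signed score; negative pushed toward denial
    inputs: dict[str, object]         # data the model consumed, exposed for correction
    appeal_url: str
    principal_reasons: list[str] = field(default_factory=list)
    disclosure: str = ""

def principal_reasons(contributions: dict[str, float], top_n: int = 3) -> list[str]:
    """Top-n features that pushed hardest toward the adverse outcome, translated
    to plain language; a feature with no reason code is never shown raw."""
    adverse = sorted((score, name) for name, score in contributions.items() if score < 0)
    return [REASON_CODES.get(name, "Other factors") for _, name in adverse[:top_n]]

def finalize(rec: DecisionRecord) -> DecisionRecord:
    """Attach the AI-use disclosure and, for adverse outcomes, the principal
    reasons; refuse to ship an adverse decision without reasons or an appeal path."""
    rec.disclosure = ("An automated system was used to evaluate this application. "
                      "Data fields evaluated: " + ", ".join(sorted(rec.inputs)))
    if rec.outcome == "denied":
        rec.principal_reasons = principal_reasons(rec.contributions)
        if not rec.principal_reasons or not rec.appeal_url:
            raise ValueError("adverse decision lacks principal reasons or an appeal path")
    return rec

def correct_input(rec: DecisionRecord, field_name: str, new_value: object) -> dict:
    """Consumer-initiated correction: only data the model actually consumed can
    be corrected, and any correction queues the decision for human re-review."""
    if field_name not in rec.inputs:
        raise KeyError(f"{field_name} was not an input to decision {rec.subject_id}")
    old = rec.inputs[field_name]
    rec.inputs[field_name] = new_value
    return {"subject_id": rec.subject_id, "field": field_name, "old": old,
            "new": new_value, "status": "pending_human_review"}
```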

Bias audit infrastructure

High if you're in employment

NYC Local Law 144 requires annual independent bias audits measuring impact ratios by race/ethnicity and sex. Your product must support the auditor's data extraction. You need demographic performance data separated by protected class — which means either collecting or imputing that data in a legally appropriate way. Required by: NYC Local Law 144.
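An added example of the impact-ratio arithmetic an LL144 audit extract feeds (not code from the article or from any auditor's toolkit): selection rate per category divided by the highest category's rate, reported by sex, by race/ethnicity and for their intersection, which is my reading of the DCWP rules for selection-type tools (scoring tools use a scoring rate instead). The applicant counts are constructed, and the 0.8 threshold is the EEOC four-fifths rule of thumb, not a line LL144 itself draws.

```python
"""Added example, not from the article: computing NYC Local Law 144 style
impact ratios from an AEDT's selection outcomes. Assumed formula, following
the DCWP rules as I read them: selection rate = selected / applicants in a
category; impact ratio = category selection rate / highest category selection
rate, reported by sex, by race/ethnicity and for the intersection of both.
The applicant counts below are constructed sample data."""
from collections import defaultdict
from typing import Callable, Hashable

# Constructed audit extract: (sex, race/ethnicity) -> (applicants, selected)
SAMPLE_COUNTS = {
    ("Male", "White"): (100, 40), ("Female", "White"): (80, 30),
    ("Male", "Black"): (60, 15),  ("Female", "Black"): (50, 10),
    ("Male", "Hispanic"): (20, 7), ("Female", "Hispanic"): (15, 6),
}
# One row per applicant, as an auditor would pull them: (category, was_selected)
SAMPLE_ROWS = [(cat, i < sel) for cat, (n, sel) in SAMPLE_COUNTS.items() for i in range(n)]

def selection_rates(rows, key: Callable[[tuple], Hashable]) -> dict:
    """Applicants, selected and selection rate per category chosen by `key`
    (e.g. sex only, race/ethnicity only, or the full intersection)."""
    applicants, selected = defaultdict(int), defaultdict(int)
    for category, was_selected in rows:
        k = key(category)
        applicants[k] += 1
        selected[k] += int(was_selected)
    return {k: {"n": applicants[k], "selected": selected[k],
                "rate": selected[k] / applicants[k]} for k in applicants}

def impact_ratios(rows, key) -> dict:
    """Each category's selection rate divided by the highest category rate."""
    stats = selection_rates(rows, key)
    top = max(s["rate"] for s in stats.values())
    return {k: s["rate"] / top for k, s in stats.items()}

def flag_adverse_impact(ratios: dict, threshold: float = 0.8) -> list:
    """EEOC four-fifths rule of thumb: a ratio below 0.8 is the conventional
    trigger for a closer look. LL144 itself requires the ratios to be
    published rather than setting a pass/fail line."""
    return sorted(k for k, r in ratios.items() if r < threshold)

def ll144_report(rows) -> dict:
    """The three breakdowns an LL144 audit reports, with flagged categories."""
    views = {"sex": lambda c: c[0], "race_ethnicity": lambda c: c[1], "intersection": lambda c: c}
    return {name: {"ratios": impact_ratios(rows, key),
                   "flagged": flag_adverse_impact(impact_ratios(rows, key))}
            for name, key in views.items()}
```

On the constructed data the race/ethnicity view flags Black applicants (ratio about 0.58) while the sex-only view flags nothing, which is why the rules ask for all three breakdowns.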

Consent and disclosure for video AI

High if you analyze video

Any product analyzing video interviews must get informed consent before analysis, explain what's being evaluated, and support deletion requests. Required by: Illinois AI Video Interview Act.

Risk management program documentation

Medium — enterprise sales accelerant

Colorado requires deployers to maintain a risk management program. As a developer, your documentation package should include: intended use cases, known limitations, training data description, testing methodology, and recommended use restrictions. This becomes your enterprise sales compliance kit. Required by: Colorado (developers). Strongly recommended for all B2B AI sales.

How to Build a State Law Compliance Workflow Without Drowning in It

The risk for AI PMs is letting compliance become the product manager's primary job. It shouldn't be. The goal is a systematic workflow that routes compliance questions to the right people without blocking product velocity. Here's the playbook:

1. Map your product to decision categories

Create a single document listing every AI output your product generates. For each output, answer: does it influence a decision about a specific person in a covered category (employment, credit, housing, healthcare)? This is your compliance surface area. Anything not on the list is presumptively out of scope for most state laws.

2. Map customers to geographies

State laws apply based on where affected individuals reside. Get a list from sales of your largest enterprise customers and which states their workforce or user base concentrates in. Colorado, New York, Illinois, and Virginia customers trigger the most requirements today. California customers may trigger additional requirements as bills advance.

3. Build the disclosure stack first

Disclosure requirements (tell users AI was used, give them principal reasons) are the highest-ROI compliance investment because they apply across Colorado, EU AI Act, and several other jurisdictions. A well-built disclosure component is reusable across all AI features. Ship it once, apply it everywhere.

4. Create a compliance RFC template

Every new AI feature spec should answer a standard set of compliance questions: What decision does this influence? Who is affected? What disclosure does the affected person receive? Is there an appeal path? This turns compliance into a spec checklist, not a legal emergency at launch.

5. Designate a compliance owner per law

Don't let "compliance" be owned by everyone (which means no one). For each law you're in scope for, name a specific PM or engineering lead who owns the roadmap items and tracks the legal milestones. Rotate as product ownership changes.

The teams treating compliance as a product feature — something they ship and maintain, like authentication or observability — are winning enterprise deals that competitors who treat compliance as an afterthought are losing. Colorado's law takes effect in days. The teams who have appeal workflows and disclosure mechanisms in production this week will be in a different conversation with enterprise customers than the teams still scoping the work.