The 2026 State of Play: Navigating the New Frontier of Artificial Intelligence Regulation
Executive summary
On January 1, 2026, a new era of AI regulation began in the United States.
In the absence of comprehensive federal legislation, California, Illinois, and Texas each enacted landmark AI laws addressing frontier model safety, employment discrimination, and intent-based misuse liability, respectively. For organizations developing or deploying AI systems across multiple states, the result is a patchwork of overlapping requirements covering transparency, bias testing, human oversight, and disclosure. The challenge is real — but so is the opportunity: organizations that invest in principled AI governance now will be positioned to navigate not only today's state laws but the federal and international frameworks that will inevitably follow.
Further complicating the picture, President Trump signed an executive order on December 11, 2025, proposing to preempt state AI laws deemed inconsistent with federal policy, and a DOJ AI Litigation Task Force was formed in January 2026 to challenge such laws in court. Until those questions are resolved, every state law discussed here remains enforceable. This white paper provides a clear-eyed analysis of the legislative landscape, a side-by-side comparison of key requirements, a focused look at healthcare implications, and a practical compliance roadmap.
I. The regulatory landscape: a patchwork takes shape
In 2025, lawmakers in 47 states introduced more than 250 AI-related bills, with over 33 signed into law across 21 states. Three jurisdictions have emerged as bellwethers. California focuses on frontier model safety, training data transparency, and healthcare protections. Illinois embeds AI accountability into its Human Rights Act. Texas prohibits specific harmful uses while offering robust safe harbors for companies that adopt recognized risk management frameworks. Together, they define what responsible AI governance looks like in the United States as of early 2026.
A. California: frontier safety and layered transparency
California has enacted the most extensive suite of AI legislation of any state. The centerpiece is the Transparency in Frontier Artificial Intelligence Act (SB 53), signed September 29, 2025. SB 53 targets "frontier developers" — companies training models using more than 1026 FLOPS — requiring them to publish risk frameworks, report safety incidents within 15 days, and implement whistleblower protections. Large developers (over $500M annual revenue) face enhanced obligations, with penalties up to $1 million per violation.
Several companion statutes create additional layers. The Generative AI Training Data Transparency Act (AB 2013) requires developers to disclose training data sources, types, and whether copyrighted material is included. The AI Transparency Act (SB 942) requires providers with one million or more monthly users to offer free AI-content detection tools, with $5,000 per-violation penalties. And AB 316 prohibits the "autonomous harm" defense, ensuring human responsibility cannot be shifted to an AI system. Collectively, California's framework demands compliance at every stage of the AI lifecycle.
B. Illinois: civil rights in the age of algorithmic hiring
Illinois House Bill 3773 (Public Act 103-0804), signed August 9, 2024, amends the Illinois Human Rights Act (IHRA) to make it a civil rights violation for any employer to use AI that "has the effect of subjecting employees to discrimination on the basis of protected classes." The law covers the entire employment lifecycle — recruitment, hiring, promotion, discipline, discharge, and setting of terms and conditions — and applies to any employer with one or more employees in Illinois, one of the broadest thresholds in the nation.
Three features distinguish HB 3773. First, it prohibits the use of zip codes as a proxy for protected classes, reflecting awareness that facially neutral data can produce discriminatory outcomes. Second, it requires affirmative notice to employees whenever AI is used in covered employment decisions, regardless of whether discrimination has occurred. Third, enforcement runs through both the Illinois Department of Human Rights and a private right of action in Circuit Court, giving the law meaningful teeth. Critically, employers using third-party AI tools remain fully accountable for those tools' compliance — a significant point given widespread reliance on vendor-provided hiring platforms.
C. Texas: intent-based liability and the NIST safe harbor
The Texas Responsible Artificial Intelligence Governance Act (TRAIGA, HB 149), signed June 22, 2025, takes a philosophically distinct approach. Where California emphasizes transparency and Illinois focuses on discriminatory impact, Texas centers on intentional misconduct. TRAIGA prohibits developing or deploying AI for "restricted purposes": encouraging self-harm or criminal activity, infringing constitutional rights, unlawful discrimination, and generating CSAM or unlawful deepfakes.
TRAIGA's most innovative feature is its safe harbor regime. Organizations that substantially comply with the NIST AI Risk Management Framework — or another recognized framework — receive an affirmative defense against enforcement. Additional protections apply for organizations that self-detect violations through red-teaming, adversarial testing, or internal review. Enforcement is exclusively vested in the Texas Attorney General (no private right of action), who must provide notice with a 60-day cure period before acting. Penalties range from $10,000–$12,000 for curable violations to $80,000–$200,000 for incurable ones. TRAIGA also creates a first-of-its-kind state AI regulatory sandbox, allowing approved participants to test innovative AI systems for up to 36 months under relaxed requirements.
II. Cross-state comparison: requirements at a glance
The following table provides a side-by-side comparison of the key requirements, enforcement mechanisms, and safe harbors across the three primary state AI frameworks effective January 1, 2026. Organizations operating in multiple jurisdictions should use this as a baseline assessment tool to identify overlapping obligations and compliance gaps.
| Requirement | California (SB 53 / AB 2013 / AB 489) | Illinois (HB 3773) | Texas (TRAIGA / HB 149) |
|---|---|---|---|
| Primary focus | Frontier AI safety, training data transparency, healthcare AI disclosure | AI-driven employment discrimination, worker notification | Prohibited AI uses, intent-based liability, government transparency |
| Effective date | January 1, 2026 | January 1, 2026 | January 1, 2026 |
| Scope | Frontier developers (models trained >1026 FLOPS); GenAI developers; healthcare AI deployers | All employers with 1+ employees in Illinois using AI for employment decisions | Any entity developing or deploying AI systems in Texas or serving Texas residents |
| Key obligations | Publish risk frameworks; report safety incidents within 15 days; disclose training data; healthcare AI disclaimers | Provide employee notice of AI use; prohibit discriminatory AI; bar use of zip codes as proxy for protected classes | Prohibit AI for restricted purposes (self-harm, discrimination, deepfakes, CSAM); government AI disclosure |
| Enforcement | AG enforcement; up to $1M per violation (SB 53); $5K per violation (SB 942) | IL Dept. of Human Rights; IL Human Rights Commission; private right of action | TX Attorney General only; 60-day cure period; $10K–$200K per violation; no private right of action |
| Safe harbors | Exemption for communications reviewed by licensed provider (AB 489/AB 3030) | No formal safe harbor; existing IHRA remedies apply | NIST AI RMF compliance; self-detection via red-teaming; regulatory sandbox (36 months) |
| Healthcare provisions | AB 489: no implied licensure; AB 3030: patient communication disclaimers; SB 1120: physicians make medical necessity decisions | HB 1806: prohibition on commercial AI therapy chatbots | SB 1188: practitioner review before clinical AI decisions; patient disclosure required |
| Federal preemption risk | Moderate — targeted by Dec. 2025 Executive Order | Moderate — may face federal anti-regulation pressure | Moderate — Executive Order signals potential challenge; DOJ AI Litigation Task Force formed Jan. 2026 |
Note: Colorado's AI Act (SB 24-205), originally scheduled for February 1, 2026, has been delayed to June 30, 2026. It is the most comprehensive "high-risk AI" statute in the U.S. and the only state law specifically named in the December 2025 Executive Order. Organizations should prepare for its requirements in parallel.
III. Sector spotlight: AI in healthcare
Healthcare is the sector where AI regulation is moving fastest and the stakes are highest. Across multiple states, 2026 marks the beginning of enforceable requirements governing how AI interacts with patients, influences clinical decisions, and shapes insurance determinations.
California has built the nation's most comprehensive healthcare AI regime. Effective January 1, 2026, AB 489 prohibits AI systems from using titles, terms, or design elements implying services are provided by a licensed healthcare professional, banning language like "doctor-level" or "clinician-guided" unless genuine oversight exists. This builds on AB 3030 (requiring GenAI patient communication disclaimers) and SB 1120 (mandating that only physicians make final medical necessity determinations). Texas's SB 1188 requires practitioners to personally review all AI-generated recommendations before clinical decisions and to disclose AI use to patients. Illinois's HB 1806 prohibits commercial AI therapy chatbots from engaging in therapeutic communications.
Three themes are emerging consistently. Human-in-the-loop requirements mean AI cannot make final decisions in high-stakes clinical scenarios — organizations must build review workflows that are clinically meaningful, not mere rubber stamps. Transparency mandates require patients to be informed whenever they interact with or are subject to AI-driven decisions. And vendor accountability provisions mean deployers cannot assume vendors own compliance — contracts must address training data provenance, bias testing, validation controls, and ongoing monitoring.
IV. Strategic compliance: from "what" to "how"
Understanding the law is necessary but not sufficient. The following roadmap distills the Big Three frameworks into practical compliance actions.
1. Adopt a unified AI governance framework. Rather than building separate programs for each state, organizations should adopt a single adaptable framework. The NIST AI Risk Management Framework is the natural foundation: it is an explicit safe harbor under TRAIGA, aligns with the risk-based Colorado AI Act, and provides structured methodology for California's and Illinois's transparency and accountability requirements. Its four core functions — Govern, Map, Measure, and Manage — offer an organizing structure for documenting policies, identifying risks, assessing severity, and implementing controls.
2. Conduct a comprehensive AI systems inventory. Every organization should catalog all AI systems it develops, deploys, or procures, capturing each system's purpose, affected populations, data processed, and operating jurisdictions. Special attention should go to AI in employment decisions (Illinois), patient-facing settings (California, Texas), and any system reaching Texas residents or California consumers.
3. Implement testing, auditing, and documentation protocols. Documentation is the currency of compliance in 2026. Under TRAIGA, evidence of NIST AI RMF implementation constitutes a legal defense. Under Illinois law, employers must demonstrate their AI tools do not produce discriminatory outcomes. Under California law, frontier developers must publish risk frameworks and report incidents. Organizations should establish regular cadences for adversarial testing, red-teaming, bias audits, and impact assessments with auditable records mapping activities to regulatory requirements.
4. Build disclosure and notice infrastructure. Notice requirements appear in every major state law. Illinois requires employee notification for AI in employment decisions. California requires patient-facing disclaimers, AI-content labeling, and training data disclosure. Texas requires government agencies to provide conspicuous notice of AI interactions. Organizations should audit all AI touchpoints and develop standardized, plain-language disclosures adaptable to specific jurisdictions, free of any dark patterns.
5. Prepare for regulatory uncertainty. The December 2025 Executive Order and DOJ AI Litigation Task Force signal federal intent to challenge state regulations. The Commerce Department must evaluate state AI laws by March 11, 2026. Until courts resolve these questions, state laws remain enforceable. The prudent approach: comply with all applicable state requirements now while building adaptable governance structures that can accommodate federal preemption, additional state legislation, or both.
V. Our mission: compliance as a public good
At the Corporation for Public Interest Technology, we believe responsible AI governance is not merely a compliance exercise — it is a public interest imperative. The communities most affected by AI-driven decisions in employment, healthcare, and public services are often those with the least power to challenge algorithmic errors. Regulation, done well, ensures the transformative benefits of AI are distributed equitably and that vulnerable populations are protected.
We work with organizations across sectors — startups, enterprises, government agencies, and cultural institutions — to build AI governance programs that are legally compliant and ethically grounded. We offer tailored services including AI governance board design, model benchmarking, bias auditing, policy development, and technical implementation. Our conviction: companies that treat compliance as a catalyst for building more trustworthy AI will earn lasting public trust and long-term competitive advantage.
Take the next step: schedule an AI Ethics & Compliance Audit
Our AI Ethics & Compliance Audit provides a comprehensive assessment of your AI governance posture against all applicable state and emerging federal frameworks. Our team identifies gaps, prioritizes remediation, and helps you build a compliance program that is both defensible and forward-looking.
References & key legislation
- California SB 53 — Transparency in Frontier AI Act. Signed Sept. 29, 2025. Effective Jan. 1, 2026.
- California AB 2013 — Generative AI Training Data Transparency Act. Signed Sept. 28, 2024. Effective Jan. 1, 2026.
- California SB 942 — AI Transparency Act. Effective Jan. 1, 2026.
- California AB 489 — AI Healthcare Licensure Misrepresentation Prohibition. Signed Oct. 11, 2025. Effective Jan. 1, 2026.
- California AB 3030 — AI in Health Care Services Bill. Signed Sept. 28, 2024. Effective Jan. 1, 2025.
- California SB 1120 — Physicians Make Decisions Act. Effective Jan. 1, 2025.
- California AB 316 — Prohibition on Autonomous Harm Defense. Effective Jan. 1, 2026.
- Illinois HB 3773 (Public Act 103-0804) — Amendment to the Illinois Human Rights Act. Signed Aug. 9, 2024. Effective Jan. 1, 2026.
- Illinois HB 1806 — Prohibition on Commercial AI Therapy Chatbots.
- Texas HB 149 (TRAIGA) — Responsible AI Governance Act. Signed June 22, 2025. Effective Jan. 1, 2026.
- Texas SB 1188 — AI Use in Diagnostic/Treatment Purposes. Effective Sept. 1, 2025.
- Colorado SB 24-205 — Colorado AI Act. Effective June 30, 2026 (delayed from Feb. 1, 2026).
- Executive Order — "Ensuring a National Policy Framework for AI." Signed Dec. 11, 2025.
- NIST AI RMF 1.0 — National Institute of Standards and Technology. January 2023.