This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
A static list of "the state AI laws you need to know" is one of the least reliable things you can build a compliance checklist around, US state AI law moves fast enough that a law can be amended, delayed, or fully repealed within months of being enacted. This isn't a hypothetical risk, it's already happened to one of the most-cited state AI laws.
In short: Colorado's AI Act (SB 24-205), widely cited as a landmark comprehensive state AI law, was signed in 2024, delayed twice, then repealed entirely in May 2026 and replaced with a lighter disclosure-and-rights framework that doesn't take effect until January 2027. If you're relying on any article, including this one over time, for a specific claim about state AI law, verify current status directly rather than trusting the date it was published.
The plain-English answer
There's no single stable list of US state AI laws you can save once and rely on indefinitely. Some state laws are genuinely stable and well-established, California's CPRA/ADMT rules and New York City's Local Law 144 have both been consistently in force with clear compliance dates. Others are much less stable, comprehensive AI-specific statutes in particular have seen real volatility, delayed effective dates, substantial amendment, and outright repeal. The practical approach is to check current status for the specific state relevant to your business, not to trust a list compiled at any single point in time.
Why this matters for your business
A 20-person SaaS company selling nationally is exactly the kind of business that reasonably wants a single reference for state-by-state compliance, checking 50 states individually for every new feature isn't practical. The risk isn't wanting a reference, it's treating that reference as permanently accurate rather than a snapshot that needs periodic re-verification, especially for the newer, less-settled comprehensive AI statutes rather than the more mature, stable privacy-law-style rules.
The Colorado example
Colorado's SB 24-205, the "Colorado AI Act," was signed into law in 2024 and widely covered as the first comprehensive US state AI statute, requiring developers and deployers of high-risk AI systems to use reasonable care against algorithmic discrimination, with duty-of-care obligations, risk management programs, and impact assessments. Its effective date was originally set for February 2026, then delayed to June 2026 under a later amendment. In April 2026, a federal court paused enforcement entirely. Then, on 14 May 2026, Governor Polis signed a new bill repealing SB 24-205 outright and replacing it with a considerably lighter disclosure-and-rights framework, one that eliminates the original duty of care, deployer risk-management obligations, and impact-assessment requirements, with the replacement framework not taking effect until 1 January 2027.
Any article, checklist, or compliance summary written between the law's 2024 signing and its 2026 repeal describing Colorado's obligations as settled and stable would have gone stale, not because the writer was careless, but because the underlying law genuinely changed that much in under two years.
What this looks like in practice
Picture the operations manager who built part of the company's compliance checklist around an article naming Colorado's AI Act as a key requirement, without a process to revisit that specific claim over time. The checklist item sat unreviewed for months, technically referencing a law that no longer existed in its original form by the time anyone looked at it again.
The fix isn't avoiding state AI law entirely, it's building a habit of checking current status directly from a primary source, the state legislature's own bill-tracking page, before relying on a specific claim for anything more than general awareness. A quarterly review of any state-specific AI compliance items, rather than a one-time setup, catches exactly this kind of drift before it becomes a real gap.
What you can do about it
A practical approach to state AI law that won't go stale as fast:
- Identify which states you actually have meaningful business exposure in, customers, employees, or candidates, rather than trying to track all 50 equally.
- For each relevant state, check current status directly from the state legislature's own site, not a secondary summary alone.
- Treat newer, comprehensive AI-specific statutes as higher-volatility than established privacy-law-style rules, and check those more frequently.
- Set a recurring calendar reminder, quarterly is reasonable, to re-verify any state-specific compliance claims your business relies on.
- Don't panic-adopt every proposed state bill's requirements before it's actually enacted, and don't assume an enacted law stays exactly as originally passed.
For the states with genuinely stable, currently-enforced requirements, see our guides on California's CPRA/ADMT rules and NYC's Local Law 144, both well-established rather than newly volatile.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Try our free AI Compliance Checker to check whether your AI tools meet your compliance obligations.
Are all state AI laws this unstable?
No, this varies significantly. Established privacy-law-style rules with automated-decision provisions, like California's CPRA/ADMT rules, have been consistently stable. It's specifically the newer, comprehensive, AI-only statutes, like Colorado's original act, that have shown the most volatility so far.
Should we ignore proposed state AI bills until they're actually enacted?
Awareness is useful for planning, but building compliance obligations around a bill that hasn't passed risks wasted effort if it changes substantially or doesn't pass at all. Track proposed bills for planning purposes, but treat enacted, currently-in-force law as the actual compliance baseline.
What replaced Colorado's original AI Act?
A lighter disclosure-and-rights framework, signed in May 2026, that removes the original duty-of-care and risk-management obligations and doesn't take effect until January 2027. Businesses with Colorado exposure should watch for this framework's implementation guidance as that date approaches, rather than the original 2024 act's now-superseded requirements.
How often should we re-check our state AI law compliance list?
Quarterly is a reasonable cadence for actively tracked states, more frequently if you know a specific state's legislation is currently in flux, such as amendments under consideration or a law recently facing legal challenge.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Selling to customers or hiring candidates in California or New York City specifically?
Check the stable state rules