100 laws in one year. That's the volume of AI-specific legislation 38 U.S. states produced in 2025 alone, according to TechTarget's enterprise AI analysis, with no federal framework governing any of it. If your business deploys AI across state lines, that number isn't a headline. It's your compliance queue.
According to TechTarget's reporting, the burden created for businesses operating across state lines "is not insignificant, as different states have different requirements." That's an understatement dressed in professional language.
The Evidence: 100 Laws, No Compass
The U.S. regulatory gap hit an inflection point on January 20, 2025, when President Trump rescinded Biden's AI executive order, terminating key safety and transparency requirements for AI developers. That rescission didn't create a vacuum so much as confirm one: 38 states were already legislating independently, and without federal preemption, each is now on its own trajectory.
Colorado was first. The state enacted the nation's first comprehensive AI law on May 17, 2024 (SB 24-205), then substantially rewrote it via Senate Bill 26-189 in May 2026, replacing broad consumer protections with a more targeted automated decision-making framework effective January 1, 2027. Connecticut enacted comprehensive AI regulation in 2026. California, Utah, Texas, and Tennessee each have distinct frameworks in place. And in September 2024, the U.S. Department of Justice updated its Evaluation of Corporate Compliance Programs to specifically address AI-related risks, meaning federal prosecutors are already asking about AI governance controls before any AI-specific federal law exists.
Globally, the EU moved in the opposite direction. The EU AI Act was formally adopted on May 21, 2024, establishing the world's first comprehensive risk-based AI legal framework, with full implementation running through August 2, 2027. As of June 13, 2026, over 37 countries, including China, India, and Japan, have proposed AI-related legal frameworks beyond the EU, according to regulatory research databases. The divergence between the EU's unified approach and the U.S. state-by-state scramble is the defining compliance tension for any multinational business right now.
What It Means: The Governance Gap Is Where Liability Lives
The EU AI Act's penalty tiers make the stakes concrete. For prohibited AI practices (real-time biometric surveillance in public spaces, social scoring by public authorities), fines reach up to €35 million or 7% of global annual turnover, whichever is higher. For high-risk AI system violations covering hiring, credit scoring, critical infrastructure, and law enforcement, the ceiling is €15 million or 3% of worldwide annual turnover. Enforcement authorities now hold broad investigative powers, and implementation is already underway for businesses with EU market exposure.
Chart: 77% of organizations are actively building AI governance programs, but only 36% have formally adopted a framework like NIST AI RMF, leaving a 41-point gap where most legal exposure currently lives.
In the U.S., the exposure is less obvious but not less real. Wilson Sonsini's regulatory guidance puts it plainly: "regulators and civil litigants may proceed with enforcement actions and lawsuits even in the absence of new laws, leveraging existing consumer protection statutes and other theories of liability." A court would likely look at what internal controls were in place at the time of the alleged harm, which is exactly why governance documentation matters even when no specific statute demands it.
My read: the 41-percentage-point gap between organizations building programs and those that have formally adopted a framework isn't a maturity curve. It's an uninsured period. This mirrors the pattern Smart AI Trends flagged when examining U.S. government posture toward frontier AI models: the regulatory instinct is present, but the formal structure keeps arriving after the liability does.
The EU Benchmark and the NIST Baseline
NIST released AI RMF 2.0 in February 2024 and followed with a dedicated Generative AI Profile (NIST-AI-600-1) on July 26, 2024, the closest the U.S. government has come to a structured compliance template. Financial regulators specifically expect AI governance aligned with NIST or ISO 42001 standards, with explicit bias-detection requirements for lending systems. The EU AI Act classifies automated lending and hiring decisions as "high-risk," requiring institutions to document model operations, control for bias, and produce outputs explainable to auditors, creating significant operational burden for fintech companies deploying automated underwriting or portfolio management legal technology tools.
If your business reaches EU customers or partners, even through a third-party SaaS vendor, the EU AI Act can apply. Skadden's legal analysis highlights a preventive angle largely absent from other outlets' coverage: companies should draft public-facing terms of use that explicitly govern whether proprietary content or data on their websites may be ingested by third-party AI systems. Before you sign any vendor contract involving AI model training, this is the provision to negotiate. A court weighing AI misappropriation claims would likely look for whether affirmative IP notice provisions existed before the dispute arose, and most businesses haven't addressed this yet.
How to Act on This
Identify every U.S. state where your AI systems make consequential decisions: hiring, lending, pricing, content moderation. Colorado (revised framework effective January 1, 2027 under SB 26-189), Connecticut, California, Texas, Utah, and Tennessee each have distinct requirements. A simple matrix of "which AI system, which state, which rule" surfaces your actual exposure and is the first document any regulator or plaintiff's attorney will request. Build it now, not after the letter arrives.
As of June 13, 2026, NIST AI RMF 2.0 (February 2024) and the Generative AI Profile (July 2024) are the documented standards that U.S. regulators, DOJ compliance reviewers, and EU AI Act auditors all reference. Only 36% of organizations have formally adopted a framework, meaning the majority have no defensible paper trail. Skadden frames the obligation directly: internal governance policies that are "clear and robust" and "regularly updated" minimize risk and liability as AI integrates more broadly into products and business practices. The word "regularly" matters: a governance document from 2023 that hasn't been touched will not hold up.
Before your next terms review, add explicit language addressing whether proprietary content, data, or tools on your site can be ingested by third-party AI systems. The statute here isn't AI-specific; existing IP and contract law will govern the first wave of AI scraping disputes, and notice provisions matter to any court assessing whether you took reasonable steps. This is a low-cost, high-leverage update that most legal software and compliance checklists haven't caught up to yet.
Frequently Asked Questions
What is the EU AI Act and when does it fully take effect?
The EU AI Act was adopted on May 21, 2024, establishing the world's first comprehensive risk-based AI legal framework. It phases in through August 2, 2027. Prohibited AI practices, such as social scoring or real-time biometric surveillance in public spaces, face fines up to €35 million or 7% of global annual turnover. High-risk AI system violations covering hiring, credit, law enforcement, and critical infrastructure carry penalties up to €15 million or 3% of worldwide annual turnover. These apply to any company marketing or deploying AI in the EU, regardless of where the company is incorporated.
Does the U.S. have a federal AI law that businesses must comply with in 2026?
As of June 13, 2026, no comprehensive federal AI law is in place. Biden's AI executive order was rescinded on January 20, 2025. What exists instead is approximately 100 state AI laws enacted by 38 states in 2025 alone, plus existing consumer protection statutes that regulators are applying to AI-related harms. The DOJ's updated Evaluation of Corporate Compliance Programs from September 2024 explicitly addresses AI risks and controls, meaning federal liability exposure exists even without a dedicated federal AI statute.
What penalties can businesses face for AI non-compliance, and do EU rules apply to U.S. companies?
EU AI Act penalties for prohibited practices reach up to €35 million or 7% of global annual turnover; high-risk AI violations carry fines up to €15 million or 3% of worldwide annual turnover. These rules apply extraterritorially: if your AI system affects EU residents, EU jurisdiction applies regardless of where your company is based. In the U.S., current penalties are primarily indirect: consumer protection enforcement, civil litigation, and DOJ compliance failures. But state-level AI laws are building out enforcement mechanisms, and that indirect exposure is already real for businesses that lack formal governance documentation.
Bottom line: The AI regulatory map isn't waiting for Congress. With roughly 100 state laws already on the books, EU enforcement timelines in motion, and federal prosecutors actively asking about AI controls, the businesses most exposed right now aren't necessarily the ones building the riskiest AI; they're the ones who assumed the rules were still being written while enforcement had already begun.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Always consult a qualified attorney regarding your specific legal situation. Research based on publicly available sources current as of June 13, 2026.