LR-201b · Module 1
US State & Sector Compliance
The United States does not have a federal AI law. What it has is a patchwork of state legislation, sector-specific guidance, and executive orders that create a compliance landscape more complex than a single comprehensive framework would be. Navigating it requires tracking multiple sources, multiple effective dates, and multiple enforcement mechanisms — simultaneously.
Colorado requires impact assessments for high-risk AI systems. Illinois restricts the use of AI in video interview analysis. Connecticut mandates disclosure when AI is used in consequential decisions. New York City requires bias audits for automated employment decision tools. Each state has different definitions, different thresholds, and different penalties. If your client operates in multiple states, compliance means satisfying the strictest requirement in each category.
Do This
- Track proposed legislation in every state where you or your clients operate — compliance starts before enactment
- Apply the strictest applicable standard across all jurisdictions — if Colorado requires impact assessments, do them everywhere
- Layer sector requirements on top of state requirements — healthcare AI in Colorado must satisfy both HIPAA and state AI law
- Document your compliance posture per jurisdiction so audit evidence is organized by regulatory source
Avoid This
- Assume the absence of federal law means AI is unregulated — states are legislating aggressively
- Wait for final enactment before building compliance — proposed legislation signals where requirements are heading
- Apply a single compliance standard across all states — requirements vary by jurisdiction
- Treat sector-specific guidance as advisory — SEC, HIPAA, and FedRAMP requirements are enforceable