AI Penalties and Enforcement: What Happens When Companies Violate AI Laws

Understanding what AI laws require is only half the compliance analysis. Understanding how those laws are enforced—what penalties apply, which agencies have authority, and what the first enforcement actions look like—determines the actual risk profile for non-compliance.

This article surveys the enforcement landscape across the major state AI laws in effect or taking effect through 2026, with a focus on penalty structures, enforcement agency authority, and practical risk mitigation.

Penalty Summary by Jurisdiction

Colorado SB 205: The $20,000 Per-Violation Framework

Colorado's AI Act imposes penalties of up to $20,000 per violation through the Colorado Consumer Protection Act's unfair trade practices framework. The Colorado AG has exclusive enforcement authority; there is no private right of action.

The Cure Period

1. The AG issues a notice of violation to the company.
2. The company has 60 days to cure the violation.
3. If the company fails to cure, enforcement action may proceed.

This cure period gives companies actively trying to comply a meaningful opportunity to correct deficiencies. Companies that have made no good-faith effort to comply, or that discover and fail to disclose known algorithmic discrimination, are at significantly greater enforcement risk.

The Affirmative Defense

Companies that have implemented a risk management program aligned with NIST AI RMF or ISO/IEC 42001, and that discover and voluntarily cure violations, can assert an affirmative defense. This framework rewards proactive compliance investment more than almost any other AI law currently in effect. Track enforcement activity on our Colorado AI law page.

NYC Local Law 144: Per-Day Escalation

DCWP enforcement carries a structure designed to encourage prompt correction: $500 for a first violation, escalating to $1,500 per day for ongoing non-compliance. For a large employer using an AEDT across thousands of NYC applicants, the per-violation interpretation—potentially applied to each affected applicant—could produce substantial aggregate penalties. DCWP's first enforcement actions targeted companies with no compliance effort at all, not companies with procedural deficiencies in otherwise good-faith programs.

California: The Private Litigation Risk

California's enforcement picture differs materially from Colorado's because California laws often include private rights of action. AB 325's algorithmic pricing prohibitions, combined with SB 763's treble damage availability, mean a California antitrust claim arising from a shared pricing algorithm could expose a company to damages three times the alleged harm—with no cap in civil cases. In high-volume consumer industries, this creates substantial potential exposure. The lowered pleading standard under AB 325 means class action attorneys can bring algorithmic pricing claims that survive early dismissal more readily than before January 1, 2026.

The Illinois AIVIA Enforcement Gap

Illinois's AI Video Interview Act has been in effect since 2020 but has seen limited enforcement activity, partly because the Illinois Department of Labor's process is complaint-driven and penalty amounts have not been clearly defined. This does not mean the law lacks teeth—violations may also give rise to claims under Illinois's Biometric Information Privacy Act (BIPA) in some circumstances, where per-violation statutory damages have been awarded in class action litigation at substantial scale.

First Enforcement Actions: Patterns and Lessons

• NYC LL 144: Initial DCWP enforcement focused on employers that had not conducted any bias audit. The agency issued warning notices before fining, allowing a cure period in practice even absent a statutory requirement.
• California B.O.T. Act: AG enforcement has pursued cases involving commercial fraud and election interference, not ordinary business chatbots where AI identity is readily apparent from context.
• FTC algorithmic pricing: The FTC's 2024 surveillance pricing investigation targeted large companies with consumer-facing individualized pricing, not smaller businesses with standard dynamic pricing models.

The pattern suggests enforcement is currently concentrated on egregious or high-profile cases, but this will change as laws mature and agencies build enforcement expertise. Compliance programs built now will provide meaningful protection when enforcement broadens. See our guide on how to prepare for AI audits.

How to Reduce Your Risk

1. Document your compliance efforts. Under SB 205 and NYC LL 144, documented good-faith compliance programs mitigate enforcement risk and provide affirmative defenses. An absence of documentation is the single biggest vulnerability.
2. Monitor for violation discovery obligations. Under Colorado SB 205, developers must report discovered algorithmic discrimination to the AG within 90 days. Failing to self-report removes the affirmative defense and signals bad faith.
3. Prioritize highest-risk systems first. If resources are limited, prioritize compliance for AI systems that make consequential decisions for large volumes of individuals in active enforcement jurisdictions.
4. Engage qualified legal counsel before enforcement events. The cure period under SB 205 and the informal cure practice under NYC LL 144 are most useful if you have counsel who can engage the agency promptly and credibly.

For real-time tracking of enforcement actions under state AI laws, visit our AI enforcement and penalties page. For case-level detail on AI litigation outcomes, the AI Lawsuit Tracker catalogs AI-related lawsuits, rulings, and settlements across federal and state courts.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.