Compliance Checklist • Updated 2026
Do AI Regulations Apply to My Business? A Compliance Checklist
Not sure whether AI laws affect your organization? You're not alone. AI regulation is fragmented, fast-moving, and highly dependent on what your AI does and where it operates. This guide walks you through a structured assessment — the same framework used by compliance counsel — to determine your obligations and prioritize your response.
1. Introduction: Why This Is Hard
The most common question compliance officers and general counsel ask in 2026 is deceptively simple: "Do AI laws apply to us?" The honest answer — and the one that has driven the development of this checklist — is: it depends. It depends on what your AI systems do, which states they operate in, which industries you serve, and whether the people affected are employees, consumers, patients, or members of the public.
Across the 50 states that have introduced AI legislation (2,182 AI bills published in total), the triggers for compliance are not uniform. Colorado's AI Act applies to "high-risk AI systems" making "consequential decisions," a defined but expansive concept. Illinois BIPA applies whenever AI processes biometric data. NYC Local Law 144 applies whenever an employer uses automated decision tools in hiring. Utah's AI Policy Act applies when generative AI interacts with consumers in regulated industries.
The first step is always to understand what AI systems your organization uses and what decisions they influence. This guide helps you do that efficiently.
This checklist is for initial assessment purposes only and does not constitute legal advice. Based on your answers, you may need to engage qualified legal counsel to determine your precise obligations under applicable state and federal law.
2. The Quick Assessment: 9 Key Questions
Work through each question below. A "Yes" answer to any question signals potential compliance obligations that require further analysis. Multiple "Yes" answers indicate significant exposure that should be addressed urgently.
3. High-Risk AI Use Cases by State
Not all AI use is equally regulated. The laws that carry the highest compliance obligations — and the most significant penalties — focus on AI systems that make consequential decisions in specific domains. The following table maps the highest-risk use cases to the states with enacted or advancing regulation.
| Use Case | Regulatory Exposure | Key States/Laws | Max Penalty |
|---|---|---|---|
| Employment screening / hiring AI | Very High | NY (LL144), IL (AIVIA), CO, TX | $1,500/violation + private suit |
| Biometric data processing | Very High | IL (BIPA), WA, TX (CUBI) | $5,000/intentional violation (BIPA) |
| Credit / lending decisions | High | CO, TX, CFPB (federal) | Actual damages + $10,000 statutory |
| Healthcare / clinical AI | High | CO, CA, VA + federal (HIPAA/FDA) | $100–$50,000/HIPAA violation |
| Insurance underwriting AI | High | CO + 30+ states (NAIC Model) | Varies by state insurance code |
| Consumer GenAI interactions | Medium | UT (SB 149), CA (SB 942) | Civil enforcement; injunctive relief |
| Housing / real estate AI | Medium | CO + Fair Housing Act (federal) | $16,000–$21,000/violation (FHA) |
| Educational AI | Growing | CO, NY, CA (pending) | Varies; FERPA enforcement |
Use the Am I Affected? tool to get a personalized assessment of your regulatory exposure based on your industry, AI use cases, and operating states.
4. Compliance Requirements Overview
Across the enacted state AI laws, four categories of compliance requirements appear most frequently. Organizations subject to multiple laws will find that these requirements often overlap — satisfying one law's documentation requirement often partially satisfies another's.
Algorithmic Impact Assessments
Colorado requires deployers of high-risk AI systems to conduct an impact assessment before deployment and annually thereafter. The assessment must evaluate: the intended benefits of the system; known or reasonably foreseeable risks of algorithmic discrimination; the data used to train or operate the system; steps taken to mitigate bias; performance metrics across demographic groups; and the post-deployment monitoring plan. Texas TRAIGA and Virginia's legislation have similar requirements. The NIST AI Risk Management Framework provides a widely recognized methodology for conducting these assessments.
Consumer Disclosures and Notices
Multiple laws require that consumers, job applicants, or patients be told that an AI system is being used in a decision that affects them. Colorado requires disclosure "no later than the time of the consequential decision." NYC Local Law 144 requires notice before the AI tool is used in the hiring process. Utah requires immediate disclosure when a consumer directly asks whether they are interacting with AI. California's SB 942 requires that GenAI-generated content be detectable. Adverse action notices under ECOA and the Fair Housing Act must be updated to reference AI-assisted decision-making in many cases.
Opt-Out Rights and Human Review
The Colorado AI Act grants consumers the right to appeal consequential AI decisions and, in some contexts, request human review. This is a significant operational requirement: deployers must establish human review processes, train personnel, and document review outcomes. The right to opt out of purely automated decision-making under several state privacy laws (Connecticut, Colorado CCPA successor) adds another layer for systems covered by those statutes.
Record-Keeping and Documentation
Colorado, Texas, and several other jurisdictions require documented records of AI systems in use, impact assessments conducted, incidents observed, and corrective actions taken. These records must be maintained and, in some cases, submitted to state attorneys general. NYC Local Law 144 requires that bias audit summaries be publicly posted on the employer's website. Documentation requirements are the most commonly under-prepared aspect of AI compliance programs.
5. Industry-Specific Guidance
HR and talent teams using AI for resume screening, interview analysis, performance management, or promotions face the most mature regulatory landscape in the U.S.
- Audit your applicant tracking system and any AI-scoring vendors for compliance with NYC Local Law 144 if you have NY employees or candidates
- Ensure all AI video interview platforms used with Illinois candidates have AIVIA-compliant consent workflows
- Review HR AI vendor contracts for audit rights and documentation delivery obligations
- Prepare bias audit procedures now — Colorado and Texas have similar requirements taking effect
- Check for EEOC guidance on AI disparate impact in hiring — agency has signaled active interest in enforcement
Healthcare AI sits at the intersection of HIPAA, FDA software regulations, and state AI laws — creating complex, layered compliance obligations.
- Assess whether clinical decision support tools meet FDA's SaMD criteria and require 510(k) clearance or De Novo authorization
- Colorado AI Act covers healthcare as a high-risk domain — impact assessments required for covered systems
- Review HIPAA Business Associate Agreements with AI vendors for training data use restrictions
- California bills specifically addressing healthcare AI are advancing — monitor closely
- Establish audit trails for AI-assisted clinical decisions — critical for both compliance and malpractice defense
Credit decisions, fraud detection, and customer service AI in financial services are subject to both federal consumer protection law and state AI requirements.
- Update adverse action notices to account for AI in credit decisions (CFPB guidance requirement)
- Conduct ECOA disparate impact analysis on credit AI models — proactively, before examination
- Colorado AI Act covers financial services AI — assess which systems qualify as high-risk
- Review CFPB's use of UDAAP authority to challenge deceptive AI practices
- Ensure AI vendor contracts include audit rights and performance monitoring obligations
Insurance AI — for underwriting, claims, fraud detection, and customer interaction — is regulated by the NAIC Model Bulletin in most states and specifically by the Colorado AI Act.
- Map which states have adopted or are considering the NAIC AI Model Bulletin and assess compliance
- Colorado AI Act: insurance is an explicit high-risk domain — deployers must conduct annual impact assessments
- Conduct actuarial fairness analysis on underwriting AI models for proxy discrimination
- Establish an AI governance program that can satisfy multiple state insurance departments simultaneously
- Review claims AI for compliance with state unfair claims settlement practices acts
AI in education — from admissions to learning platforms to student assessment — is increasingly regulated, with Colorado AI Act coverage and multiple state-specific bills advancing.
- Colorado AI Act covers educational admissions and opportunity determinations as high-risk domains
- FERPA applies to student data used in or produced by AI systems — review all AI vendor agreements
- New York and California have active bills specifically targeting AI use in K-12 and higher education
- Establish policies on AI tool use disclosure to students, parents, and educators
- Review academic integrity policies for AI-assisted work and assessment AI fairness
6. Steps to Get Compliant: Practical Action Items
Build an AI Systems Inventory
Document every AI system your organization develops, procures, or uses. For each system, record: vendor/developer, purpose, AI capability type, decision domains affected, states of operation, and population affected (employees, consumers, patients). This inventory is required by Colorado, Texas, and Connecticut, and is the foundation of any compliance program.
Map Applicable Laws Using Your Inventory
For each AI system, identify which state and federal laws apply. Use the Am I Affected? tool as a starting point, and consult qualified legal counsel for a definitive analysis. Pay particular attention to the states where your employees, customers, or affected individuals are located — not just where your company is headquartered.
Conduct or Commission Impact Assessments
For every AI system that is or may be "high-risk" under applicable law, conduct a documented impact assessment. Use a recognized framework — NIST AI RMF, ISO/IEC 42001, or the Colorado AG's published guidance. Document your methodology, findings, and risk mitigation steps. Engage external technical and legal expertise for complex systems.
Update Consumer and Employee-Facing Disclosures
Review privacy notices, adverse action letters, job posting templates, and customer communications for required AI disclosures. For NYC employers, post bias audit summaries as required. For Utah-regulated businesses, implement a process to disclose AI interactions when customers ask. Update employment agreements and applicant notifications to address AI use in HR processes.
Establish Human Review and Appeal Processes
Colorado, Virginia, and Connecticut (advancing) require meaningful human review options for consequential AI decisions. Design and staff a review process, train personnel, and document outcomes. This is operationally demanding — build lead time into your compliance timeline.
Implement Ongoing Monitoring and Governance
Assign AI compliance ownership within your organization (legal, compliance, or a dedicated AI governance function). Set up monitoring for new legislation using the Deadline Calendar and state watchlists. Conduct annual reviews of AI systems against updated legal requirements. Establish vendor management processes that include AI-specific contractual protections and audit rights.
7. Tools and Resources
AI Laws by State provides a suite of tools specifically designed to help legal and compliance professionals navigate this landscape efficiently. The directory, trends, and blog are free. Advanced compliance tools require a Pro or Enterprise plan.
Compliance Tools on AI Laws by State
Purpose-built for legal professionals and compliance teams.
- Am I Affected?: Answer a few questions about your industry and AI use cases to get a customized list of applicable laws and obligations. The fastest way to scope your compliance exposure.
- Deadline Calendar: Every AI law effective date, enforcement commencement date, and compliance deadline in one calendar. Filter by state, industry, or law type. Essential for compliance planning.
- Penalty Tracker: Penalty ranges, private right of action availability, and enforcement history for every major AI law. Understand the financial stakes before prioritizing compliance resources.
- Bill Comparator: Select any two or three state AI laws and compare them side-by-side across key provisions: scope, obligations, penalties, and exemptions. Ideal for multi-state compliance analysis.
- States Directory: Browse every published AI bill, organized by state, with status, effective dates, and full bill text links. 2,182 AI bills published across 50 states, updated daily from official legislature records.
For the most current information on any state's AI legislation, see the States Directory. For the foundational overview of the U.S. AI regulatory landscape, read AI Laws by State: The Complete 2026 Guide.