AI Compliance Answers
Browse answers to common AI compliance questions, organized by topic.
State Regulations
- Do AI-driven adverse actions require fair lending notices? Yes. Federal fair lending laws require adverse action notices regardless of whether the decision was made by AI. Under ECOA and Regulation B, lenders must provide written adverse action notices with specific reasons for credit denials — regulators have clarified this applies even when an AI model is the proximate decision-maker. FCRA similarly requires adverse action notices when a consumer report influences a credit or employment decision. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) adds a state-level layer: financial services is a consequential decision, so lenders using an automated decision-making technology (ADMT) must give interaction notice, explain an adverse decision within 30 days, allow correction of inaccurate personal data, and provide meaningful human review — creating overlapping obligations for Colorado lenders.
- How should multistate employers comply with AI hiring laws? Multistate employers should baseline AI hiring workflows against the strictest active regimes, then layer state-specific rules. In practice, that means Illinois notice, consent, non-discrimination, and reporting obligations; Colorado ADMT interaction notice, adverse-outcome disclosure, data correction, and meaningful human review for consequential employment decisions beginning January 1, 2027; Minnesota profiling and data-protection-assessment obligations where covered; and Texas TRAIGA controls for prohibited discriminatory or biometric AI uses. Texas HB-2060 should not be treated as a private-employer hiring disclosure or opt-out law; it was a state-agency AI advisory and inventory statute.
- Are there regulations on AI in insurance underwriting? Yes. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) treats insurance as a covered 'consequential decision' area: a carrier using automated decision-making technology in underwriting or claims must give interaction notice, disclose an adverse decision in plain language within 30 days, let consumers correct inaccurate personal data, and provide meaningful human review — replacing the prior high-risk impact-assessment model. The Colorado Division of Insurance has separately issued guidance requiring carriers to demonstrate that AI underwriting models do not produce unfairly discriminatory outcomes. Multiple other state insurance departments — including California, New York, and Illinois — have issued AI guidance bulletins, and the NAIC has adopted model AI governance principles that many states are incorporating into their regulatory frameworks.
- Which states require disclosure when AI screens resumes? Illinois and Colorado are the clearest state-level disclosure regimes for AI-assisted employment screening. Illinois requires notice for AI use in employment decisions under HB-3773, and written consent plus an explanation before AI analyzes video interviews under the Illinois Artificial Intelligence Video Interview Act. Colorado's reenacted AI Act (SB 26-189) requires interaction notice, adverse-outcome disclosure, data correction, and meaningful human review when ADMT makes or substantially influences consequential employment decisions, with obligations beginning January 1, 2027. Texas does not currently impose a private-sector candidate disclosure rule for resume screening; HB-2060 was a state-agency inventory law, while TRAIGA (HB-149) can still matter for discriminatory or biometric AI uses.
- What AI rules apply to financial services in Colorado? Under Colorado's AI Act (reenacted by SB 26-189; obligations begin 2027-01-01), financial services is an enumerated consequential-decision category — meaning ADMT used in lending, credit underwriting, or insurance decisions triggers the full set of deployer duties: (1) interaction notice at the point of consumer contact; (2) adverse-outcome disclosure within 30 days of an adverse decision; (3) allow correction of factually incorrect personal data used by the ADMT; and (4) meaningful human review and reconsideration after an adverse decision. Impact assessments and 'high-risk AI system' classification from SB 24-205 no longer apply in Colorado.
- What are California's AI content watermarking requirements? California SB-942 requires developers of large generative AI systems to embed machine-readable provenance data — commonly called watermarks — into AI-generated images, audio, and video. The watermarks must conform to established provenance standards such as the Coalition for Content Provenance and Authenticity (C2PA) specification. The requirement is intended to make AI-generated content identifiable even after it has been shared or downloaded from the originating platform.
- Does California require AI detection tools? Yes. California SB-942 requires covered generative AI developers to make publicly accessible detection tools available that can identify content produced by their systems. The detection tool must be free to use, available without an account, and capable of assessing whether a given piece of content was generated by the developer's AI system. This requirement exists alongside the watermarking obligation and is intended to give journalists, researchers, and the public independent means of verifying AI provenance.
- Who must comply with the California AI Transparency Act? California SB-942 applies to developers of generative AI systems that are made available to consumers in California and that generate text, images, audio, or video. Covered developers must implement provenance standards (such as C2PA) to embed machine-readable watermarks in AI-generated content, provide publicly accessible tools for detecting AI-generated content from their systems, and disclose when users interact with AI. The law applies to developers with 1 million or more monthly users.
- Can I use AI for hiring in Illinois? Yes, but two distinct Illinois laws apply. HB-3773 (effective January 1, 2026) amended the Illinois Human Rights Act to prohibit employers from using AI that discriminates against protected classes or uses zip codes as a proxy, and it requires notice to employees that AI is being used in employment decisions (recruitment, hiring, promotion, discipline, tenure, or terms and conditions). Separately, the Illinois Artificial Intelligence Video Interview Act (PA 101-0260, 820 ILCS 42), in effect since 2020, applies specifically when AI analyzes applicant video interviews: employers must notify the applicant, explain how the AI works, obtain written consent, limit video sharing to necessary evaluators, delete videos within 30 days of an applicant's request, and — per the 2022 amendment (PA 102-47) — report applicant racial/ethnicity data annually to DCEO. If AI hiring tools also capture biometric identifiers (e.g., facial geometry from video), the separate Illinois Biometric Information Privacy Act (BIPA) creates additional consent and liability obligations. Illinois employers using AI for any form of employment decision should map their process against all three regimes.
- Does the Colorado AI Act give consumers appeal rights? Yes, under Colorado's AI Act as reenacted by SB 26-189 (obligations begin 2027-01-01). When an ADMT makes or substantially influences an adverse consequential decision, the deployer must provide meaningful human review and reconsideration — and must disclose the adverse outcome to the consumer within 30 days in plain language. The prior 'high-risk AI system' and formal appeal-process-posting requirement from SB 24-205 are gone; the replacement is the human-review and timely-disclosure duty.
- What are the Colorado AI Act consumer notice requirements? Under Colorado's AI Act as reenacted by SB 26-189 (obligations begin 2027-01-01), ADMT deployers have two distinct notice duties: (1) interaction notice — clear notice at the point of interaction when a consumer interacts with an ADMT; and (2) adverse-outcome disclosure — a plain-language explanation delivered within 30 days when an ADMT makes or substantially influences an adverse consequential decision. The prior SB 24-205 'proximate cause' and pre-decision notice framing no longer applies.
- What is the difference between developer and deployer obligations under the Colorado AI Act? Colorado's AI Act (reenacted by SB 26-189; the statute formally takes effect 2026-08-12 but all obligations begin 2027-01-01) splits obligations between deployers and developers. Deployers — businesses using ADMT to make or substantially influence consequential decisions — have 4 duties: interaction notice, adverse-outcome disclosure within 30 days, data-correction rights for consumers, and meaningful human review after an adverse decision. Developers — those who build ADMT — must supply technical documentation (intended uses, training-data categories, known limitations), notify deployers of material updates, and retain compliance records 3+ years. Both deployer and developer duties begin 2027-01-01. Impact assessments and risk management programs from SB 24-205 are gone. A company can be both developer and deployer if it builds and uses the same system.
- What are Connecticut's high-risk AI system requirements? Connecticut does not currently impose high-risk AI system requirements on private-sector businesses. Connecticut's enacted AI law — SB-1103 / Public Act 23-16 (signed June 7, 2023, effective July 1, 2023) — regulates state agencies only: it requires agencies to complete AI impact assessments before deployment, maintain publicly-accessible AI inventories (including vendor, purpose, start date, and the extent to which the system replaces human judgment), and submit annual reports to the Connecticut General Assembly's joint consumer-protection committee. Private-sector firms are not covered. Senator James Maroney has repeatedly introduced a comprehensive high-risk AI deployer bill (SB-2) in the 2024 and 2025 sessions — modeled on Colorado SB-24-205, with risk assessments, governance policies, and incident reporting — but SB-2 passed the Senate and died in the House both sessions. Until a successor bill is enacted, Connecticut businesses should look to federal rules, sector-specific guidance (e.g., for insurance or healthcare), and neighboring-state law (e.g., Colorado's AI Act, SB 26-189, whose obligations begin January 1, 2027, which uses a disclosure-and-notice model rather than a high-risk assessment framework) when designing AI governance programs.
- Does Colorado require AI impact assessments? No longer. SB 26-189 (signed 2026-05-14) repealed and reenacted Colorado's AI Act, eliminating the impact-assessment requirement entirely. Colorado now instead requires deployers of automated decision-making technology (ADMT) to: give consumers clear interaction notice, disclose adverse consequential decisions within 30 days, allow correction of incorrect personal data, and provide meaningful human review and reconsideration. The statute formally takes effect 2026-08-12, but all compliance obligations — for deployers and developers alike — begin 2027-01-01.
- Does Connecticut regulate AI? Yes, but only state agencies — not private businesses. Connecticut's enacted AI law, SB-1103 / Public Act 23-16 (signed June 7, 2023, effective July 1, 2023), imposes oversight on state agency use of AI and automated decision-making: agencies must conduct impact assessments before deploying AI systems, publish a public AI inventory, and submit annual reports to the state legislature's joint consumer-protection committee. The law does not regulate private-sector AI use. Efforts to enact a comprehensive private-sector AI governance statute — Senator James Maroney's SB-2 (modeled on Colorado SB-24-205) — have been introduced and advanced in the Connecticut Senate in the 2024 and 2025 sessions, but SB-2 did not pass the House in either session. As of April 2026, Connecticut private-sector AI use is governed by generally-applicable federal and state laws (consumer protection, data privacy under the Connecticut Data Privacy Act, civil rights statutes, sector-specific rules) rather than a dedicated AI statute. Monitor successor bills in the 2026 and 2027 Connecticut legislative sessions.
- What are the penalties for violating Illinois AI hiring law? Illinois does not have a single unified penalty scheme for AI hiring violations; enforcement depends on which law is violated. HB-3773 (Illinois Human Rights Act amendment, effective January 1, 2026) does not itself specify monetary penalties — violations are enforced through IHRA procedures by the Illinois Department of Human Rights (IDHR), with remedies including injunctive relief, damages, and attorney's fees. The Illinois AI Video Interview Act (PA 101-0260, 820 ILCS 42) similarly does not specify monetary penalties within the Act; enforcement is primarily through the Section 20 reporting obligation to DCEO and general Illinois employment / consumer protection frameworks. If an AI hiring tool captures biometric identifiers (e.g., facial geometry during video interviews, voice prints), the separate Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/) applies via private right of action and carries specific statutory damages: $1,000 per negligent violation or $5,000 per intentional/reckless violation (or actual damages, whichever is greater), plus attorneys' fees and costs and possible injunctive relief. The 2024 BIPA amendment (SB 2979, effective August 2, 2024) clarifies that repeated collection of the same biometric identifier from the same person using the same method counts as a single violation per individual, limiting the per-scan damage multipliers that drove earlier class-action exposure.
- What are the AI video interview consent requirements in Illinois? Illinois' AI video interview consent requirements come from the Illinois Artificial Intelligence Video Interview Act (PA 101-0260, codified at 820 ILCS 42), not HB-3773. Under Section 5 of the Act, before using AI to analyze an applicant's video interview, the employer must: (1) notify the applicant in advance that AI may be used to analyze the video interview and consider the applicant's fitness for the position; (2) explain how the AI works and what general types of characteristics it uses to evaluate applicants; and (3) obtain written consent from the applicant. Under Section 10, employers may share applicant videos only with individuals whose expertise or technology is necessary to evaluate the applicant's fitness — not with third parties generally. Under Section 15, if the applicant requests deletion, the employer must delete all copies within 30 days and instruct any other recipients (with copies or backups) to delete theirs as well. The Act has been in effect since January 1, 2020, with demographic reporting added by a 2022 amendment (PA 102-47). Note: broader employment-AI discrimination rules — including a separate employee-notice requirement and a ban on zip-code proxies — are addressed in HB-3773 (IHRA amendment, effective January 1, 2026), which is distinct from this Video Interview Act.
- What are Illinois' annual reporting requirements for AI in hiring? A common misconception: Illinois HB-3773 (the 2026 Illinois Human Rights Act amendment) does NOT contain any annual reporting requirement. HB-3773 prohibits discriminatory AI in employment and requires notice to employees that AI is being used — but no annual report. Annual reporting for AI in Illinois hiring comes from a separate, older law: the Illinois Artificial Intelligence Video Interview Act (PA 101-0260, codified at 820 ILCS 42), Section 20, which was added by PA 102-47 (effective January 1, 2022). Under Section 20, Illinois employers who use AI to analyze applicant video interviews must: (1) collect racial/ethnicity data for applicants denied an in-person follow-up interview because of their AI-analyzed video interview; (2) collect racial/ethnicity data for applicants who are hired; and (3) report both data sets annually to the Illinois Department of Commerce and Economic Opportunity (DCEO) by December 31. DCEO then analyzes the data for racial bias and reports findings to the Governor and General Assembly by July 1. This is the only annual reporting obligation for AI in Illinois hiring under current law — the Illinois Department of Labor (IDOL) is not the enforcement agency, and no broader AI hiring registry exists.
- Can Minnesota consumers opt out of AI profiling? Yes. Minnesota HF-4757 gives consumers the right to opt out of automated profiling decisions that produce legal or similarly significant effects. Controllers must honor opt-out requests within a reasonable time frame and may not deny goods, services, or employment opportunities solely because a consumer exercised this right. The opt-out right applies to profiling used in employment, lending, insurance, and similar high-stakes contexts.
- When is a data protection assessment required in Minnesota? Minnesota HF-4757 requires controllers to conduct data protection assessments before processing personal data in ways that present a reasonably foreseeable risk of harm to consumers. Mandatory triggers include: automated profiling that produces legal or significant effects, processing sensitive personal data, and AI-based decisions in employment, insurance, lending, or healthcare. Assessments must weigh the benefits of processing against the risks and document risk mitigation measures.
- Does the Minnesota Consumer Data Privacy Act cover employment AI decisions? Yes. Minnesota HF-4757 classifies AI-based employment profiling — including automated resume screening, candidate scoring, and interview analysis — as high-risk processing that requires a data protection assessment. Controllers must document the purpose, necessity, and risk of harm before deploying such systems, and employees and applicants retain the right to opt out of solely automated employment decisions.
- Does New York's AI law apply to the private sector? New York S7543-B (the LOADinG Act) primarily applies to state government agencies that use automated decision systems, requiring inventories, impact assessments, and public transparency reports. Private-sector employers are not directly covered by S7543-B. However, private-sector employers in New York City who use AI in hiring are subject to NYC Local Law 144, which requires annual bias audits and candidate disclosure for automated employment decision tools.
- What does the New York LOADinG Act cover? New York S7543-B (the LOADinG Act — Legislative Oversight of Automated Decision-making in Government) was signed into law on December 21, 2024, making New York the first state to impose comprehensive oversight on how state agencies use automated decision-making systems and AI. The law requires state agencies to: (1) publicly disclose every automated decision-making system in use, including vendor, purpose, start date, and the extent to which the system replaces human judgment; (2) obtain authorization before using any automated decision-making system and ensure meaningful human review; (3) publish impact assessments for any new or substantially modified system; and (4) maintain human oversight — no agency decision-making process may be fully delegated to an automated system. Enforcement is through legislative reporting obligations. The LOADinG Act applies to New York state agencies only; it does not directly impose obligations on private businesses. Private-sector firms in New York should monitor pending bills like S4394 (employment decision tools) and NYC Local Law 144 for automated employment decisions.
- Does the Texas TRAIGA require biometric consent? For private-sector employers, no — TRAIGA itself does not impose the biometric consent obligation. The prohibition in Texas HB-149 (TRAIGA) on identifying individuals from publicly available biometric data without consent applies to government entities only. The controlling biometric consent law for private-sector employers is Texas's CUBI statute (Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code §503.001): before capturing a biometric identifier — such as face geometry or a voiceprint in an AI video interview — for a commercial purpose, an employer must inform the individual and obtain consent, protect the data, and destroy it within a set period after the collection purpose ends. TRAIGA's 2025 amendments to CUBI, effective January 1, 2026, add an AI-model-training exception and clarify that media appearing publicly online does not by itself constitute consent unless the individual made it public. Enforcement of both TRAIGA and CUBI is exclusive to the Texas Attorney General; CUBI carries civil penalties up to $25,000 per violation. Employers already compliant with a strict biometric regime such as Illinois BIPA will generally meet CUBI's consent requirements.
- What are the Texas TRAIGA private sector AI obligations? Texas HB-149 (the Texas Responsible Artificial Intelligence Governance Act, or TRAIGA) — effective January 1, 2026 — is structured as a prohibition-based statute, not an affirmative-obligation regime like Colorado's AI Act. Private-sector businesses that promote, advertise, or conduct business in Texas, produce products or services for Texas residents, or develop/deploy AI systems in the state are prohibited from: (1) using AI designed to incite self-harm, harm to others, or criminal activity (behavioral manipulation); (2) intentionally deploying AI to discriminate against protected classes (disparate impact alone is insufficient to prove intent); and (3) using AI to infringe constitutional rights or target individuals based on constitutionally protected characteristics. Two further TRAIGA prohibitions — biometric identification from publicly available sources, and social scoring — apply to government entities only; for private-sector employers, biometric consent for AI tools is governed by Texas's CUBI statute (Tex. Bus. & Com. Code §503.001), not TRAIGA. TRAIGA's consumer-disclosure duty (telling a person they are interacting with AI) applies to government agencies; healthcare-provider AI disclosure to patients is governed separately by SB 1188, not TRAIGA. There is no statewide mandate for risk assessments, governance policies, or high-impact-system recordkeeping. Enforcement is exclusive to the Texas Attorney General; no private right of action. A 36-month regulatory sandbox allows approved companies to test AI systems with certain requirements waived.
- What AI rules apply to hiring in Texas? Texas does not currently have a private-sector AI hiring disclosure or candidate opt-out law comparable to Illinois, Colorado, or NYC Local Law 144. Texas HB-2060 was a state-agency AI advisory and inventory law, not an employer hiring rule. The main Texas AI law for private employers is HB-149 (TRAIGA), effective January 1, 2026: for hiring AI it matters mainly if the system is intentionally deployed to discriminate against protected classes or otherwise falls into TRAIGA's prohibited-practice categories. TRAIGA's biometric-identification and social-scoring prohibitions apply to government entities only — biometric consent for private-sector AI tools, such as video-interview face or voice capture, is governed by Texas's CUBI statute (Tex. Bus. & Com. Code §503.001), not TRAIGA. Employers using AI in Texas should still document the tool, human review points, bias controls, and any biometric consent process.
- What is a high-risk AI system under Colorado law? The 'high-risk AI system' classification no longer exists in Colorado law. SB 26-189 (signed 2026-05-14) repealed and reenacted the Colorado AI Act, replacing the high-risk-AI-system model with a new framework centered on 'automated decision-making technology' (ADMT) that makes or substantially influences 'consequential decisions' — covering education, employment, housing, financial services, insurance, healthcare, and government services. The focus shifted from system classification to disclosure and consumer-rights obligations at the point of use.
- Which states require bias audits for hiring AI? No state currently mandates a standalone bias audit for hiring AI at the state level. Colorado no longer requires algorithmic impact assessments or disparate impact analysis — SB 26-189 (signed May 14, 2026; its disclosure-and-notice obligations begin January 1, 2027) repealed that framework and replaced it with a disclosure-and-notice model covering automated decision-making technology (ADMT) used in consequential employment decisions. Illinois requires employers who rely solely on AI to analyze applicant video interviews to collect and report applicant race/ethnicity data annually to the Illinois Department of Commerce and Economic Opportunity (DCEO) — but that obligation comes from the Artificial Intelligence Video Interview Act (820 ILCS 42, Section 20, added by PA 102-47), not HB-3773, and it functions as bias monitoring rather than a mandated audit. New York City Local Law 144 (a city ordinance, not a state law) is the only U.S. law explicitly requiring an independent annual bias audit before using an automated employment decision tool.
Multi-State Comparisons
- Which states give consumers the right to appeal AI decisions? Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) gives consumers meaningful human review and reconsideration after an adverse consequential decision made or substantially influenced by an automated decision-making technology (ADMT). Connecticut SB-1103 similarly provides the right to appeal adverse decisions made by high-risk AI systems and request human review.
- Which states require AI disclosure to consumers? Several states require AI disclosure, but the scope differs sharply. Colorado's AI Act (SB 26-189, obligations from January 1, 2027) requires deployers to give consumers notice when automated decision-making technology is used in a consequential decision, plus a plain-language explanation after an adverse outcome. California's AI Transparency Act (SB 942, operative January 1, 2026) requires large generative-AI providers to offer an AI-detection tool and to watermark AI-generated content. Illinois requires employers to notify employees and applicants when AI is used in employment decisions (HB-3773, effective January 1, 2026) and to disclose and obtain consent for AI analysis of video interviews (Artificial Intelligence Video Interview Act, 820 ILCS 42). Connecticut's AI law (SB-1103 / Public Act 23-16) is narrower — it governs Connecticut state agencies' own use of AI (impact assessments and a public AI inventory), not private-sector consumer disclosure.
- Which states actively regulate AI in employment as of 2026? Illinois and Colorado have the most prescriptive AI employment regimes as of 2026. Minnesota can reach employment profiling through privacy and data-protection-assessment rules. Texas should be monitored for TRAIGA prohibited practices, especially intentional discrimination and biometric identification, but HB-2060 is a state-agency AI advisory and inventory law, not a private-employer hiring disclosure rule. Connecticut's enacted AI law is government-only; private employers should monitor successor bills and generally applicable employment, privacy, and civil-rights law.
- How do Illinois and Colorado AI hiring laws compare? Illinois regulates AI hiring through two laws: the Artificial Intelligence Video Interview Act (820 ILCS 42), which requires notice, explanation, and written consent for AI-analyzed video interviews, and HB-3773, which adds employee/applicant notice and an anti-discrimination duty for AI used in employment decisions (effective January 1, 2026). Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) takes a disclosure-and-notice approach: employers using automated decision-making technology (ADMT) to make or substantially influence consequential employment decisions must give interaction notice, provide a plain-language adverse-outcome explanation within 30 days, allow data correction, and ensure meaningful human review. Colorado no longer requires algorithmic impact assessments or high-risk AI system classification — that model was repealed when SB 26-189 was signed on May 14, 2026; its disclosure-and-notice obligations begin January 1, 2027.
- Which states have AI hiring laws? Illinois and Colorado have the most direct state-level AI hiring rules. Illinois HB-3773 and the AI Video Interview Act cover notice, consent, non-discrimination, video-interview limits, and reporting. Colorado's AI Act (SB 26-189, with obligations beginning January 1, 2027) covers ADMT used for consequential employment decisions through interaction notice, adverse-outcome disclosure, data correction, and meaningful human review. Minnesota HF-4757 can reach employment profiling through privacy and data-protection-assessment obligations. Texas should be tracked for TRAIGA (HB-149) prohibited practices, especially intentional discrimination and biometric identification, but HB-2060 is not a private-employer AI hiring disclosure law.
- When do state AI regulations take effect? Effective dates vary: Illinois HB-3773 took effect January 2025, California SB-942 applies from January 2026, Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) was signed May 14, 2026 and formally takes effect August 12, 2026, but its compliance obligations — for both deployers and developers — begin January 1, 2027, and Connecticut SB-1103 (state agencies only) took effect July 1, 2023. Note: the prior Colorado effective date of February 2026 or June 30, 2026 is no longer applicable — SB 26-189 was signed May 14, 2026; the statute formally takes effect August 12, 2026, but the operative compliance date for businesses is January 1, 2027.
- How do Colorado and Minnesota AI privacy requirements compare? The two states take different approaches. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205 and whose obligations begin January 1, 2027) is a disclosure-and-notice framework: it does not require data protection assessments or high-risk AI classification. Instead, deployers of automated decision-making technology (ADMT) that makes or substantially influences consequential decisions must give consumers interaction notice, disclose adverse outcomes within 30 days, allow data correction, and provide meaningful human review. Minnesota HF-4757 takes the opposite approach, embedding AI governance within broader consumer data privacy protections and requiring data protection assessments before processing that presents foreseeable risk — including automated profiling producing legal or significant effects.
- Will federal AI law preempt state regulations? No comprehensive federal AI law exists yet. States are leading AI regulation, and any eventual federal framework will need to address whether it preempts or sets a floor above existing state laws like Colorado's AI Act (SB 26-189) and Illinois HB-3773.
- Which states require AI impact assessments? Connecticut has the most explicit AI impact assessment requirement through SB-1103. Minnesota HF-4757 requires data protection assessments that cover AI profiling. Note: Colorado previously required impact assessments under SB 24-205, but SB 26-189 (signed 2026-05-14) repealed that requirement — Colorado no longer belongs on this list.
- Which states have enacted AI laws? As of early 2026, Colorado, Illinois, California, Connecticut, Minnesota, Texas, New York, Utah, Tennessee, Virginia, and Maryland have enacted AI-related legislation with varying scope from hiring-specific to comprehensive frameworks.
Insurance & Carriers
- Are D&O and E&O policies affected by AI endorsements? Yes. Berkley PC 51380 specifically targets D&O, E&O, and Fiduciary liability policies with an absolute AI exclusion. Any claim arising from AI use, including board-level AI governance decisions, can be excluded.
- How do AI endorsements affect EPL policies? Berkley PC 51380 can attach to EPL policies, excluding claims where AI contributed to employment decisions. This is critical for companies using AI in hiring, performance reviews, or termination decisions.
- How do I know if my policy has an AI exclusion endorsement? Check your policy's endorsement schedule or declarations page for forms CG 40 47 (Verisk/CGL), PC 51380 (Berkley/Professional), or similar AI-specific endorsements. Your broker can run an endorsement audit across all your policies.
- Do AI exclusions cover shadow AI? Yes. AI exclusion endorsements like Verisk CG 40 47 and Berkley PC 51380 use broad language covering any AI use, including unsanctioned shadow AI tools used by employees without authorization.
- What is the difference between AI exclusions and AI sublimits? AI exclusions (like Verisk CG 40 47) eliminate coverage for AI claims. At the other end, affirmative or sublimited AI coverage — such as the standalone AI liability products that launched in 2025-2026 — provides protection for AI-related losses rather than removing it, sometimes capped or conditioned on governance controls.
- Does Verisk CG 40 47 apply to my CGL policy? If your CGL insurer has adopted the Verisk CG 40 47 endorsement, it excludes all AI-related claims from your general liability coverage. Check your policy declarations page for this endorsement number.
- Which states have adopted Verisk CG 40 47? Verisk CG 40 47 has been adopted in multiple states including Illinois, Colorado, California, New York, and Connecticut, with additional states having pending filings. Check the endorsement tracker for current filing status.
- What does Berkley PC 51380 exclude? Berkley PC 51380 is an absolute AI exclusion for professional and management liability (D&O, E&O, Fiduciary) that eliminates coverage for any claim based upon, arising out of, or attributable to AI use.
- What is Verisk CG 40 47? Verisk CG 40 47 is a CGL policy endorsement that excludes coverage for bodily injury, property damage, or personal/advertising injury arising out of AI systems.
Industry Guides
- What AI compliance requirements apply to insurance brokers? Insurance brokers using AI for quoting, risk assessment, or client recommendations fall under Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205), which treats insurance as a consequential decision: brokers must give interaction notice, explain adverse AI-driven decisions within 30 days, allow data corrections, and provide meaningful human review — plus potential E&O exposure if AI exclusion endorsements affect their own coverage.
- What AI compliance requirements apply to law firms? Law firms using AI for document review, legal research, or client communication face state-specific disclosure obligations and risk malpractice claims if AI generates incorrect legal advice. Colorado and Illinois regulations apply when AI touches client matters.
- What AI compliance risks affect education institutions? Educational institutions using AI for admissions, grading, or student monitoring face FERPA data obligations and emerging concerns about algorithmic bias in educational opportunity decisions. Where state AI law applies — such as Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) — education is a covered 'consequential decision' area, so a school using automated decision-making technology must give interaction notice, disclose adverse decisions within 30 days, allow data correction, and provide meaningful human review, rather than the repealed impact-assessment model.
- What AI risks do marketing agencies face? Marketing agencies using AI for content generation, targeting, and analytics face risks from California's AI watermarking requirements, state consumer protection laws, and potential E&O claims if AI-generated content causes client harm.
- Do AI tools in real estate create fair housing risks? Yes. AI tools used for property valuation, tenant screening, or marketing targeting can create fair housing violations if they produce discriminatory outcomes. Housing is a covered 'consequential decision' area under Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205): a firm using automated decision-making technology must give interaction notice, disclose an adverse housing decision within 30 days, let consumers correct inaccurate personal data, and provide meaningful human review — replacing the prior high-risk-classification model.
- What AI compliance issues affect healthcare organizations? Healthcare organizations using AI for diagnostics, treatment recommendations, or patient data analysis face HIPAA obligations for AI-processed data plus state-level AI rules. Healthcare is a covered 'consequential decision' area under Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205): an organization using automated decision-making technology must give interaction notice, disclose an adverse decision within 30 days, let consumers correct inaccurate personal data, and provide meaningful human review — replacing the prior high-risk impact-assessment model.
- What AI governance do financial services firms need? Financial services firms need AI governance covering model risk management, fair lending compliance for AI-driven decisions, and documentation of AI decision-making processes for regulatory examination. Financial services is a covered 'consequential decision' area under Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205): a firm using automated decision-making technology must give interaction notice, disclose an adverse decision within 30 days, let consumers correct inaccurate personal data, and provide meaningful human review — replacing the prior impact-assessment requirements.
- What liability exposure do HR tech vendors have for AI tools? HR tech vendors face dual exposure: as AI developers under Colorado's developer obligations, and through client contracts when their AI tools contribute to employment discrimination claims covered by state hiring laws.
Governance
- Who is liable when an AI agent causes harm? When an AI agent causes harm, legal responsibility almost always traces back to a person or organization — not to the AI itself, which has no legal personhood. As a default, liability flows to the deploying organization: under established agency, vicarious-liability, and negligence principles, the business that puts an agent into operation generally answers to the third party it harms, much as it would for an employee or a tool it chose to use. Responsibility can extend upstream to the developer or vendor through product-liability, professional-liability (E&O), or contractual-indemnity theories — particularly where the harm stems from a defect, a misrepresented capability, or the agent's autonomous decision-making rather than the deployer's own configuration. Outcomes vary by jurisdiction, the agent's degree of autonomy, and whether it faces customers, handles transactions, or runs internal workflows. Two practical wrinkles matter: emerging laws such as Colorado's AI Act (SB 26-189, obligations from January 1, 2027) impose deployer and developer duties — interaction notice, adverse-outcome disclosure, and meaningful human review — whose breach can support a claim; and AI-specific insurance exclusions such as Verisk's CG 40 47 can strip coverage a deployer assumed it had, so who ultimately pays may differ from who is liable. In practice, liability is shaped before any incident — by where human review sits, what the audit trail can prove, and how vendor contracts allocate risk.
- What should an AI governance framework include? An AI governance framework should include an AI use policy, an inventory of where AI makes or substantially influences consequential decisions, documentation requirements, incident response procedures, and regular audit mechanisms. Note that Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) dropped the old impact-assessment and high-risk-classification model in favor of disclosure, consumer-notice, and human-review duties — so a framework should map to those obligations rather than the repealed assessment regime.
- What is the difference between an AI governance policy and procedure? An AI governance policy defines the organization's principles and risk tolerance for AI use. Procedures are the specific steps employees follow to comply — approval workflows, documentation templates, and review cadences required by state regulations.
- What should an AI risk register include? An AI risk register should catalog each AI system, its risk classification, applicable regulations, data inputs, decision scope, last assessment date, responsible owner, and insurance coverage status — critical for both compliance and claims documentation.
- How do you discover shadow AI tools in your organization? Shadow AI discovery requires network traffic analysis, SaaS management platform audits, browser extension inventories, and employee surveys. Most organizations find 3-5x more AI tools in use than officially sanctioned.
- What is an AI impact assessment? An AI impact assessment is a documented evaluation of an AI system's potential risks, including bias, privacy, and safety impacts. Connecticut SB-1103 requires impact assessments before deploying high-risk AI systems. Note: Colorado originally required impact assessments under SB 24-205, but SB 26-189 (signed 2026-05-14) repealed that requirement — Colorado no longer mandates impact assessments and instead requires an ADMT disclosure-and-notice framework.
Shadow AI
- How many shadow AI tools does the average enterprise have? Industry surveys indicate the average enterprise has 40-60 AI-enabled tools in use, with only 10-15 formally sanctioned. The gap represents shadow AI exposure that most insurance policies now explicitly exclude.
- What is the difference between shadow AI and sanctioned AI? Sanctioned AI is officially approved, documented, and governed by the organization's AI policy. Shadow AI bypasses all governance controls, creating unmanaged regulatory and insurance risk because AI exclusion endorsements apply to all AI use regardless of authorization.
- What is shadow AI? Shadow AI refers to artificial intelligence tools and services used by employees without IT department knowledge or organizational approval — including ChatGPT, AI writing assistants, and AI-powered browser extensions.