Which states require AI impact assessments?

Last verified: May 28, 2026

Answer

Connecticut has the most explicit AI impact assessment requirement through SB-1103. Minnesota HF-4757 requires data protection assessments that cover AI profiling. Note: Colorado previously required impact assessments under SB 24-205, but SB 26-189 (signed 2026-05-14) repealed that requirement — Colorado no longer belongs on this list.

Applicable Regulations

SB-1103

An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy (Public Act 23-16)

enacted

Public Act 23-16 — the enacted form of Connecticut SB-1103 (2023 session). Signed by Governor Ned Lamont on June 7, 2023, making Connecticut among the first states to impose oversight on state agency use of AI. Government-only scope: does NOT directly regulate private-sector AI. Requires state agencies to complete impact assessments before deploying AI systems, publish a public AI inventory, and submit annual reports to the joint standing consumer-protection committee. Sections 1–3 effective July 1, 2023; Section 4 effective October 1, 2023; Section 5 effective upon passage.

Key Requirements

State Agency AI Impact Assessments State agencies may not employ AI systems that have not undergone impact assessments or that result in unlawful discrimination or disparate impact against specified individuals or groups
Public AI Inventory All inventory reports detailing AI systems used by state agencies and the Judicial Department must be publicly accessible online, with the Department of Administrative Services making its inventories available on the state's open data site
Annual Consumer-Protection Report Annual report to the joint standing committee on consumer protection, due February 15 beginning 2025 and annually thereafter
Effective: 2023-07-01 Penalties: Oversight and enforcement through legislative reporting requirements. Agencies failing to comply face ongoing reporting obligations to the Connecticut General Assembly.
HF-4757

Minnesota Consumer Data Privacy Act (MCDPA)

enacted

Enacted May 24, 2024 as Chapter 121 of the 2024 Minnesota Session Laws, codified at Minnesota Statutes Chapter 325O. Effective July 31, 2025 with full enforcement (no cure period) from February 1, 2026. Applies to controllers and processors of personal data of Minnesota residents meeting the thresholds below. Grants consumers rights to access, correct, delete, and port personal data; to opt out of targeted advertising, data sales, and profiling; and — uniquely among state laws — to question the result of a profiling decision, receive the reason for that outcome, and request reevaluation if inaccurate data was used. Requires data protection assessments before processing personal data for targeted advertising, data sales, sensitive data, and profiling with heightened risk. Enforced exclusively by the Minnesota Attorney General; no private right of action.

Key Requirements

Core Consumer Rights Right to access, correct, delete, and obtain a portable copy of personal data. Right to know which third parties received data sales.
Opt-Out of Profiling and Targeted Advertising Consumers may opt out of processing for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
Profiling Challenge and Explanation Right When profiling produces legal or similarly significant effects, consumers may question the result, receive the reason for the outcome, and request reevaluation if inaccurate data was used. Covered decisions include housing, insurance, education, employment, healthcare, and financial services.
Data Protection Assessment Controllers must conduct and document data protection assessments before processing for targeted advertising, data sales, sensitive data, profiling with heightened risk, and other high-risk processing activities.
Privacy Notice Requirements Controllers must provide a privacy notice with a hyperlink labeled 'Your Privacy Rights' disclosing data categories, purposes, third-party disclosures, and opt-out mechanisms.
Attorney General Enforcement Only the Minnesota AG may enforce. A 30-day cure period applied through January 31, 2026; from February 1, 2026, no cure period — violations subject to immediate civil penalty action.
Effective: 2025-07-31 Penalties: Civil penalties of up to $7,500 per violation, enforceable by the Minnesota Attorney General. No private right of action. Court may also award injunctive relief and litigation costs. The 30-day cure period expired January 31, 2026; full enforcement without cure rights began February 1, 2026.

Full State Analysis

Connecticut AI Regulations Minnesota AI Regulations

Where this lands operationally

Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.

Governed AI DeploymentRun AI inside real work with audit trails, human review points, and the operating controls underwriters and regulators expect.Managed Intake & QualificationCapture, qualify, and route incoming work with disclosure, consent, and human review built into the intake step.

Map This Workflow With Gridex

Use this research to identify the workflow, review points, and operating controls that would matter in your organization.

Map This Workflow With Gridex

Related Questions

  • Does Colorado require AI impact assessments? No longer. SB 26-189 (signed 2026-05-14) repealed and reenacted Colorado's AI Act, eliminating the impact-assessment requirement entirely. Colorado now instead requires deployers of automated decision-making technology (ADMT) to: give consumers clear interaction notice, disclose adverse consequential decisions within 30 days, allow correction of incorrect personal data, and provide meaningful human review and reconsideration. The statute formally takes effect 2026-08-12, but all compliance obligations — for deployers and developers alike — begin 2027-01-01.
  • What are Connecticut's high-risk AI system requirements? Connecticut does not currently impose high-risk AI system requirements on private-sector businesses. Connecticut's enacted AI law — SB-1103 / Public Act 23-16 (signed June 7, 2023, effective July 1, 2023) — regulates state agencies only: it requires agencies to complete AI impact assessments before deployment, maintain publicly-accessible AI inventories (including vendor, purpose, start date, and the extent to which the system replaces human judgment), and submit annual reports to the Connecticut General Assembly's joint consumer-protection committee. Private-sector firms are not covered. Senator James Maroney has repeatedly introduced a comprehensive high-risk AI deployer bill (SB-2) in the 2024 and 2025 sessions — modeled on Colorado SB-24-205, with risk assessments, governance policies, and incident reporting — but SB-2 passed the Senate and died in the House both sessions. Until a successor bill is enacted, Connecticut businesses should look to federal rules, sector-specific guidance (e.g., for insurance or healthcare), and neighboring-state law (e.g., Colorado's AI Act, SB 26-189, whose obligations begin January 1, 2027, which uses a disclosure-and-notice model rather than a high-risk assessment framework) when designing AI governance programs.
Disclaimer: This content is provided for informational purposes only and does not constitute legal advice. AI regulations and insurance policy terms change frequently. Consult with a qualified attorney or insurance professional for advice specific to your situation. Gridex makes no warranties regarding the accuracy or completeness of this information.