Regulations

AI Governance rules, and what they mean for your business.

You do not need to read the statutes. Each rule below links to its official source, with one plain line on how it touches your business. Verified June 22, 2026, and the landscape moves, so dates can change.

Two things most firms feel before any regulator

For mid-market companies, the law is usually the backdrop. The pressure you feel first comes from your customers and your insurer.

The security questionnaire: An enterprise buyer will not sign until you can show how you govern AI and data.

The cyber-insurance renewal: Carriers ask detailed control questions, and increasingly deny claims when the controls are not there.

AI laws

Laws that govern how you use AI

EU: High-risk duties provisional for Dec 2, 2027

EU AI Act

Who it affects: firms with EU customers or staff, or AI used in regulated, high-risk areas

What it means for you: if any of your AI counts as high-risk, you will owe documentation, human oversight, and risk controls. Most mid-market firms are not high-risk, but you need to know which of your AI uses qualify.

Official source

Colorado: Narrowed rules effective Jan 1, 2027

Colorado AI Act

Who it affects: firms using AI for consequential decisions about Colorado consumers

What it means for you: when AI helps decide who gets a job, a loan, insurance, or housing, you will owe consumer notices and documentation. The original law was repealed and replaced with a narrower version (SB 26-189).

Official source

Texas: Effective Jan 1, 2026

Texas TRAIGA (HB 149)

Who it affects: organizations using AI in Texas, mostly government, with baseline duties for private deployers

What it means for you: Texas bans a short list of harmful AI uses and sets baseline duties. For most businesses it is a floor to stay above, not a heavy compliance lift.

Official source

50 states: Updated every session

Other US state AI laws

Who it affects: anyone with customers across multiple states

What it means for you: new state AI bills land constantly. Track which ones reach your customers and your AI uses so nothing surprises you. The tracker maps all of them.

Live state AI law tracker

Sector rules

Rules tied to your industry and your buyers

Insurance: 24 states + DC

NAIC Model Bulletin on AI

Who it affects: insurers and brokers

What it means for you: your regulators expect a written AI governance program covering how AI is used in underwriting, pricing, and claims. Examiners can ask to see it.

Official source

Defense: Phase 2 mandatory Nov 10, 2026

CMMC 2.0

Who it affects: defense and government contractors, and the firms that subcontract for them

What it means for you: if you touch defense or government work, you will need an independent cybersecurity certification, and so will your subcontractors. The requirement flows down the supply chain.

Official source

Standards

Standards your buyers ask you to meet

Certifiable: AI management system

ISO/IEC 42001

Who it affects: any firm a buyer asks to prove its AI governance

What it means for you: this is the certificate buyers ask for to trust your AI governance. It is the bar your program builds toward, earned through an independent audit.

Official source

Voluntary: The common language

NIST AI RMF

Who it affects: any firm organizing its AI governance

What it means for you: it is voluntary and carries no certificate, but it is the shared language buyers and auditors use. It is the simplest way to structure your program and show your work.

Official source

Audited report: The enterprise trust bar

SOC 2

Who it affects: anyone selling to enterprise buyers

What it means for you: the trust report enterprise buyers ask for before sharing data. AI questions are now folded into the same review, so SOC 2 and AI governance arrive together.

Official source

This page is general information, not legal advice. Status and dates reflect publicly reported sources as of June 22, 2026 and change often. Confirm specifics with a qualified advisor before you act.
