AI regulation is coming: What should companies do now?

AI For Business


For U.S. companies, AI governance will become more than just a best practice, it will become a compliance imperative.

When the European Union adopted the EU Artificial Intelligence Act in 2024, it set a global benchmark for risk-based AI regulation. The law's gradual implementation, starting with a ban on high-risk systems and moving to inclusive governance by 2026, is influencing legislative agendas around the world. For U.S. companies, this law was a sign that AI governance would become more than just a best practice, but a compliance imperative.

Colorado's landmark law has ripple effects

In May 2024, Colorado became the first state to enact a broad AI law, the Colorado Artificial Intelligence Act. Colorado is partially modeled on the European Union's framework, imposing obligations on developers and implementers of high-risk AI tools, such as those used to make employment, housing, health care, and lending decisions. These obligations include impact assessments, risk management programs, transparency, and human oversight.

Colorado's law was originally scheduled to go into effect in February 2026, but industry pressure and legislative changes pushed it back to June. Nevertheless, Colorado's landmark law has inspired similar legislation in other states, including California and Illinois, and may still find its way into New Hampshire's current legislature.

Momentum is building in state legislatures.

While Colorado is leading the way with comprehensive AI legislation, other state legislatures are also advancing both broad and targeted legislation. California has adopted several such laws, including the Frontier Artificial Intelligence Transparency Act, which requires disclosure and safety protocols for developers of advanced AI models. California also has a law addressing chatbot safety and consumer protection that is scheduled to go into effect in 2026.

Illinois and New York City are focusing on employment-related AI. These laws require applicants to be notified or consent before using AI tools in the hiring process and prohibit or require audits of automated hiring decisions. Broad privacy laws, including New Hampshire's privacy law, also impose limits on automated decision-making, which extend to employment decisions and other situations.

New Hampshire has not yet adopted a broad AI law, opting instead for narrower measures that address specific risks. For example, current New Hampshire law prohibits state agencies from using AI for real-time biometric surveillance and discriminatory profiling without a warrant, as well as certain uses of generated AI, such as deepfakes and communications with minors.

Federal Laws and Executive Orders

At the federal level, a comprehensive AI bill remains elusive. Rather, the policy landscape is shaped by administrative actions. In early 2025, President Trump signed Executive Order 14179, entitled “Removing Barriers to U.S. Leadership in Artificial Intelligence,” which repeals previous safety-focused mandates and prioritizes innovation. More recently, a leaked draft executive order in November 2025 signaled an intention to preempt state AI laws, citing concerns about a “patchwork” of regulations that could inhibit competitiveness. The draft proposal proposes creating a federal AI task force and making federal funding conditional on each state's compliance with domestic rules. Although the order has not yet been finalized or issued, it highlights the tension between federal integrity and states' rights, a debate that will shape AI governance in 2026 and beyond.

Companies should start preparing for compliance now

Regardless of whether state or federal regulations are enacted this Congress or in the near future, businesses need to start preparing for compliance now. Here are three comprehensive steps to help you do just that.

Conduct an AI usage evaluation. Make an inventory of all the AI ​​tools your company is already using and identify AI technologies that your organization would benefit from starting to use.
Establish an AI governance framework. Create a cross-functional AI governance team that includes leaders from across the business, as well as technology and legal advisors with AI expertise. Create documented policies that align with existing regulations and emerging standards, such as EU AI legislation and the AI ​​Risk Management Framework promulgated by the National Institute of Standards and Technology.
Integrate AI into your operations. Operationalizing AI through testing, prototyping, and eventual use of AI in production environments. Ensure proper due diligence has been performed and contracts in place with vendors that address the use of AI.
AI is not a distant concept. That's the reality of business today. With hundreds of AI-related bills introduced across the U.S. and global frameworks such as the EU AI Act and the NIST AI Risk Management Framework setting the bar high for compliance, companies need to act now to stay competitive. Don't wait for the law to force compliance. Please lead the way.

Cam Schilling founded and chairs McLean Middleton's Cybersecurity and Privacy Group. Our group of six lawyers and one paralegal helps businesses and private clients improve security, privacy, and AI compliance to address any incidents or breaches that occur.





Source link