Early 2026 Legislative AI Law Updates

So far in 2026, the regulatory landscape surrounding AI has become significantly more complicated. With a wave of new state-level initiatives and additional federal activity anticipated, companies should be prepared for major shifts in compliance expectations throughout the year. Below are the Top 10:

Federal–State Conflict Expected Under the Trump Administration

It is likely that 2026 will bring heightened friction between the Trump Administration and state governments regarding AI policy. The Administration issued an Executive Order on December 11, 2025, aimed at creating a “minimally burdensome national standard” for AI. Among its directives, the order instructs the U.S. Department of Justice to challenge state AI laws deemed unconstitutional, and requires the Commerce Department to evaluate “burdensome” state AI regulations for potential referral. Public statements from Administration officials, including White House Special Advisor for AI and Crypto David Sacks, suggest that laws in California, New York, Colorado, and Illinois are key targets.

However, the Executive Order does not nullify state statutes; those laws remain enforceable unless overturned, amended, or invalidated through formal legal processes.

Congressional Action on AI May Accelerate

The Executive Order also directs federal agencies to prepare legislative recommendations for a nationwide AI regulatory framework that would preempt many state‑level rules. The recommendation cannot propose preemption of lawful state laws related to child safety, compute infrastructure, government procurement, and other designated areas.

On December 19, 2025, Senator Marsha Blackburn introduced the TRUMP AMERICA AI Act, designed to codify key elements of the Executive Order and establish a unified federal regulatory scheme intended to “protect children, creators, conservatives, and communities.” Additional congressional proposals on AI are expected throughout 2026.

U.S. States: Expanding Rules for High-Risk AI

Organizations developing or using AI in areas involving significant personal consequences—such as lending, education, employment, healthcare, housing, legal services, or access to government programs—should prepare for new state-level obligations. For instance, updated regulations under the California Consumer Privacy Act (CCPA) require businesses that use “automated decision-making technology” (ADMT) to make “significant decisions” about individuals to provide a pre‑use notice, offer consumers the ability to opt out of ADMT, and disclose additional information about how the technology is used. These obligations take effect on January 1, 2027.

Colorado’s AI Act, scheduled to take effect June 30, 2026, imposes additional responsibilities on AI developers and deployers. These include obligations to exercise reasonable care to prevent algorithmic discrimination, establish risk management programs, issue specific notices, and conduct impact assessments. Legislative discussions may still modify the Colorado Act before its effective date.

Rising Oversight from State Attorneys General

State attorneys general (AGs) and regulators increased their focus on AI enforcement throughout 2025, and this trend is expected to intensify in 2026. In May 2025, the Pennsylvania AG announced a settlement with a property management company over allegations that its use of an AI system contributed to maintenance delays and unsafe housing conditions. In another example, the Massachusetts AG secured a $2.5 million settlement in July 2025 with a student loan company accused of using AI‑driven lending practices that disproportionately harmed historically marginalized borrowers.

Cybersecurity: AI-Driven Threats Grow

AI‑related cybersecurity risks will become even more prominent in 2026. Malicious actors are expected to increasingly leverage generative AI to scale attacks at unprecedented speed. Internal risks will also grow, as employees may inadvertently expose sensitive information by using unauthorized AI tools, while novel AI integrations may create new vulnerabilities. Regulators, customers, and auditors will seek greater assurance that organizations have effective controls throughout the AI lifecycle—from data sourcing and training through deployment and incident response. Even without AI‑specific cybersecurity regulations, existing legal frameworks will continue to support regulatory action. The SEC’s Division of Examinations, for example, has flagged cybersecurity—particularly threats to data integrity and third‑party risk stemming from AI—as a priority for FY2026. In addition, the SEC’s Investor Advisory Committee has urged stronger corporate disclosures regarding how boards oversee AI governance as part of managing material cybersecurity threats.

Cyber Insurance

The cyber insurance landscape is also rapidly shifting as insurers respond to emerging AI risks. Many carriers are now tying coverage eligibility to the implementation of AI‑focused security practices. A growing number of insurers are rolling out “AI Security Riders,” which require organizations to provide proof of adversarial testing, model‑level risk analyses, and other specialized safeguards before underwriting coverage. This approach is expected to become even more common in 2026, with insurers increasingly looking to established AI risk‑management frameworks as the benchmark for determining whether a company has exercised “reasonable security.”

New Compliance Duties for Frontier Model Developers

Organizations building advanced frontier AI systems will need to prepare for compliance with new state‑level frameworks. At the end of 2025, both California and New York enacted robust statutes governing frontier AI models. California’s Transparency in Frontier AI Act (S.B. 53) and New York’s RAISE Act (S.B. S6953B) impose broad obligations on developers of large frontier models. These laws require the creation and public release of an AI safety and security program, mandatory reporting of specified safety incidents, and detailed transparency disclosures regarding model risk assessments and usage. Most of California’s S.B. 53 provisions took effect on January 1, 2026, and New York lawmakers are expected to formally adopt the finalized version of the RAISE Act in early 2026.

Training Data Transparency Requirements Expand

California’s AB 2013 now requires developers of most generative AI systems to publicly release information about the training data used to build those systems. Covered developers must disclose key dataset summaries, including the volume of data points, whether any protected personal information or copyrighted material is included, and whether datasets were licensed or purchased. These obligations apply broadly, subject to limited exceptions.

Scrutiny of AI Chatbots

Regulators at both the state and federal level are increasingly focused on AI‑powered “companion chatbots,” particularly those that may interact with children. In September 2025, the Federal Trade Commission announced an inquiry into companion‑style AI chatbots. Two months later, the attorneys general of North Carolina and Utah launched a bipartisan task force aimed at identifying emerging AI risks and recommending safeguards to protect users, especially minors.

This concern culminated in a December 9, 2025 letter from the National Association of Attorneys General, signed by 42 state AGs, warning AI companies about “sycophantic and delusional” outputs and urging immediate adoption of stronger child‑safety controls. The letter notes that failure to implement adequate protections could violate state consumer‑protection and safety laws. Several states—including Utah, Nevada, New York, Maine, Illinois, and California—also enacted new statutes in 2025 regulating AI‑enabled chatbots.

AI in Healthcare: Federal Momentum, State-Level Divergence

Healthcare remains a major focus of AI policy activity. At the end of 2025, the U.S. Department of Health and Human Services (HHS) issued a request for information on accelerating the use of AI in clinical settings, seeking input on issues ranging from liability and governance to testing, reimbursement, and interoperability. Based on this feedback, HHS is expected to take further action in 2026. The FDA has already released guidance in 2026 easing oversight for certain AI‑based tools. HHS has also launched new initiatives to test AI use in healthcare, including the Medicare ACCESS Model and the TEMPO Pilot program for pre‑approved digital health tools. In 2026, HHS is expected to announce participants in these programs and develop a public Tools Directory.

Federal regulators are also pushing for broader access to health data to support AI development, including through enforcement of information‑blocking rules. In contrast, many states moved in 2025 to impose new restrictions on AI in healthcare—such as regulating AI for mental‑health use, requiring safety protections for AI companions, mandating disclosures in clinician–patient interactions, and establishing opt‑out rights for automated decision‑making in certain contexts. The pace of state legislation may be influenced by the new federal AI Executive Order.

EU: New Compliance Obligations Take Hold

Companies operating within the European Union should prepare for key provisions of the EU AI Act to become enforceable. Several requirements took effect in 2025, including rules governing new general‑purpose AI (GPAI) models launched in the EU and the prohibition of certain AI uses. By August 2, 2026, businesses must meet specific transparency standards and comply with obligations tied to designated high‑risk AI systems (HRAI).

To support implementation, the European Commission (EC) is expected to release additional guidance throughout 2026. This will likely cover the practical application of various AI Act provisions and clarify how the legislation interacts with existing EU data protection rules. The EC is also working on a new Code of Practice for labeling and identifying AI‑generated content. A first draft surfaced on December 17, 2025, with a final version anticipated by June 2026.

EU Member State Implementation Continues

At the national level, many EU countries are still in the process of appointing the regulators who will oversee AI Act enforcement within their jurisdictions. Additional national laws harmonizing domestic rules with the AI Act are likely to be enacted in 2026. Companies should monitor these developments carefully, as country‑specific nuances remain. For example, Italy’s AI law—effective October 10, 2025—generally mirrors the EU Act but includes Italy‑specific provisions, such as heightened protections for children under 14.

Simultaneously, the EU is considering updates to related legal frameworks. In November 2025, the EC proposed legislative amendments that would, among other adjustments, postpone the effective date of the HRAI requirements from August 2, 2026, to as late as December 2027. EU lawmakers are expected to negotiate these amendments throughout 2026, and the final text will likely evolve before adoption.