HIPAA Compliance Checklist for 2025
Most enterprise compliance teams spent the last two years tracking the EU AI Act. What they missed is the wave of US state-level AI legislation that moved faster, with less notice, and with immediate applicability to how enterprises use AI tools internally.
States like Colorado, Texas, Utah, Illinois, and California have passed or enacted AI laws covering algorithmic decision-making, AI transparency obligations, and employee-facing AI use. They apply to any company doing business in those states, not just companies headquartered there.
If you have employees in Illinois, customers in Utah, or operations anywhere in California, these US state AI laws already apply to parts of your AI stack.
Your AI stack, the tools your teams use daily, is already in scope for some of these laws. The question is not whether they apply. It is whether you know which ones do.
TL;DR
- In 2025 alone, 145 AI bills were enacted across the US. By June 2026, at least Colorado, Texas, California, Utah, and Illinois have broad AI laws in force or set to take effect this year
- Every state law focuses on three things: transparency, fairness, and accountability. If you cannot document what AI you are using, how it influences decisions, and what safeguards are in place, you have a compliance gap
- The enforcement picture is real: state AGs in Colorado, Texas, and California have signaled AI enforcement as a 2026 priority
- Most enterprises cannot answer basic AI governance questions, what AI tools are in use, who is using them, and for what purpose, which is the prerequisite for compliance with any of these laws
- CloudEagle delivers the AI inventory and audit evidence layer that state AI laws structurally require without a manual audit before every regulatory deadline
1. What's Actually Passed and What's Coming?
With federal legislation stalled, states have become the primary drivers of binding AI regulation. The pace picked up in 2025 and 2026, with multiple laws taking effect on January 1, 2026, and more coming throughout the year.
Here is where the significant laws stand as of July 2026:
Here is where the major state AI laws stand as of July 2026:
- Colorado (SB 26-189): Replaced the broader SB 24-205 with a narrower law regulating AI used in consequential decisions. Takes effect January 1, 2027.
- Texas (TRAIGA): Effective January 1, 2026. Primarily governs government AI use while banning AI systems designed for behavioral manipulation, unlawful discrimination, and deepfake CSAM.
- Utah (AI Policy Act): Effective May 1, 2024. Requires businesses to disclose when consumers interact with generative AI, particularly in regulated professions.
- Illinois: Employers must notify candidates when AI evaluates video interviews, obtain consent, and comply with data retention requirements. The law also prohibits discriminatory AI hiring practices.
- California: Multiple AI laws require safety reporting, AI-generated content disclosures, and transparency measures. Most key provisions took effect January 1, 2026.
- New York: The Responsible AI Safety and Education Act emphasizes transparency and reporting, with civil penalties of up to $3 million for repeat violations.
The pattern across every state law is consistent: transparency, telling people when AI is being used; fairness, preventing AI from discriminating against protected classes; and accountability, documenting what AI is doing and being able to prove it.
The EU AI Act gave enterprises a multi-year runway. Several of these state laws are already in effect.
2. Why These Laws Catch Most Enterprise AI Stacks Off Guard
The laws do not require enterprises to stop using AI. They require enterprises to know what AI they are using, govern how it is used, and prove that governance is functioning. Most enterprises cannot do any of those three things today for their full AI stack.
Here is where the specific in-scope tools catch teams by surprise:
- AI in hiring: AI used to screen resumes, rank candidates, schedule interviews, or analyze video interviews can trigger requirements in states like Illinois, Colorado, and New York. Compliance depends on how the AI is used, not who provides it.
- AI in employee management: AI that monitors productivity, evaluates performance, recommends promotions, or supports compensation decisions may be subject to state transparency and fairness requirements.
- AI in customer interactions: Customer-facing chatbots and AI support tools can trigger disclosure obligations, particularly under Utah's AI Policy Act and California's evolving AI regulations.
- The shadow AI blind spot: Employees often adopt AI tools without IT approval. Without visibility into every AI application in use, organizations cannot accurately assess which tools fall within the scope of state AI laws.
You cannot comply with a law that governs tools you don't know you're running.
📖 Worth a Read 👉 10 AI Governance Trends in 2026 and What CISOs Are Doing About Them
3. What Non-Compliance Actually Costs
The enforcement landscape is no longer theoretical. State attorneys general are making AI oversight a priority, while the FTC continues using its existing authority to investigate unfair or deceptive AI practices.
Financial penalties also vary by state:
- Utah: Fines start at $2,500 per violation.
- New York: Civil penalties of up to $1 million for a first violation and $3 million for subsequent violations.
- California: Penalties scale based on the number of affected individuals.
- Colorado: Penalties of up to $20,000 per violation.
The phrase "per violation" is important. In many cases, it means per affected individual, not per incident. An AI hiring tool that processes 500 candidates without the required disclosures could result in hundreds of violations.
The impact extends beyond regulatory fines. Enterprise customers increasingly ask vendors to demonstrate AI governance during security and compliance reviews. Organizations that cannot provide evidence of compliance risk losing deals and customer trust.
The takeaway is simple. Every claim about an AI system's capabilities, accuracy, or performance should be backed by documented evidence. Strong AI governance protects against regulatory action, strengthens customer confidence, and reduces legal risk.
4. What Legal and Security Teams Are Doing to Get Ahead
The compliance teams getting ahead of US state AI laws are not tracking every bill. They are building the governance infrastructure that every law assumes exists.
- Build an AI inventory: Create a complete inventory of AI tools, where they are used, and the states they impact. You cannot assess compliance without knowing what AI is running across the organization.
- Classify tools by use case: Compliance depends on how AI is used, not just the vendor. The same AI tool may be regulated for hiring decisions but not for internal productivity tasks.
- Document AI decisions: Maintain records of where AI influenced decisions, how it was used, and what safeguards were applied. Continuous documentation is far more effective than preparing evidence before an audit.
- Establish AI disclosures: Build disclosure workflows for customer-facing AI now. Proactive disclosures are easier to implement than responding to regulatory inquiries after deployment.
- Assess state-by-state exposure: Map your employee and customer footprint against applicable state AI laws. A live AI inventory with use-case classification makes ongoing compliance much easier than repeating manual reviews.
5. How CloudEagle.ai Helps Legal and Security Teams Build the Governance Layer State Laws Require
State AI laws do not require a specific technology. They require documentation, transparency, and control. CloudEagle.ai is the layer that makes those things possible at enterprise scale.
Two things these laws structurally require that most enterprises do not have today:
AI Inventory and Use-Case Visibility
Most state AI laws assume organizations know which AI tools are in use and how they are being used. Most organizations don't.

How it helps
- Discovers sanctioned and shadow AI through browser signals, SSO, Zscaler, CrowdStrike, and finance integrations
- Maintains a centralized AI inventory with approval status, use-case classification, and data access scope
- Detects AI agents, embedded GenAI features, and duplicate copilots operating across the environment
- Supports faster applicability assessments for state-specific AI regulations
Continuous AI Governance Evidence
State regulators increasingly expect organizations to demonstrate that AI governance controls are functioning, not simply documented.

How it helps
- Creates audit-ready access logs, AI inventories, and governance reports automatically
- Records AI policy enforcement events, including flash-page redirects and usage interventions
- Maintains GenAI risk assessments, governance history, and review records
- Provides evidence for audits, regulator requests, and internal compliance reviews without manual collection
6. US State AI Laws by State: A Quick Reference for Compliance Teams
Note: State AI law details change rapidly. Verify current status against each state's legislative source before relying on any deadline.
7. AI Governance Laws Are Coming Federally Too: What to Watch
State AI laws are advancing faster than federal legislation, but federal oversight is also expanding.
Today, the federal landscape is centered on:
- FTC enforcement of unfair or deceptive AI practices under existing Section 5 authority.
- NIST AI RMF and ISO 42001, which have become the governance frameworks many enterprises use across jurisdictions.
A December 2025 executive order proposed preempting certain state AI laws. However, laws in Colorado, Texas, California, Utah, and Illinois remain in effect while courts determine how federal preemption will apply.
For most organizations, the takeaway is simple:
- Comply with applicable state AI laws today.
- Build governance around transparency, fairness, and accountability.
- Adopt processes that can scale as new state and federal requirements emerge.
The safest strategy is not to track every new law. It is to build the governance foundation that every AI law expects organizations to have.
In a Nutshell
US state AI laws are not a future compliance concern. Several are already in effect. More take effect in 2026 and 2027. And the AI stack your teams are using today is already in scope for some of them, including tools that were adopted without IT review, used in ways nobody formally classified, and generating decisions that nobody documented.
The compliance teams that are getting ahead of AI governance laws are not waiting for federal harmonization. They are building the inventory, classification, and audit evidence layer that every state law assumes exists.
CloudEagle.ai builds that layer automatically, so compliance teams can assess state law applicability against a live AI inventory rather than a manual audit that is outdated before it is finished.
See how CloudEagle builds the governance infrastructure state AI laws require → Book a Demo
Frequently Asked Questions
1. Which US states have major AI laws in 2026?
Colorado, Texas, Utah, Illinois, and California have the most significant AI laws. These regulations cover AI transparency, hiring, automated decision-making, consumer disclosures, and governance requirements.
2. Do state AI laws apply to companies outside those states?
Yes. If your business has employees, customers, or AI systems affecting residents in a state, you may need to comply with that state's AI laws, regardless of where your company is headquartered.
3. Which AI tools are most likely to be regulated?
AI used in hiring, employee management, customer interactions, and automated decision-making is most likely to fall under state AI laws. Compliance depends on the use case, not the AI vendor.
4. What does compliance with state AI laws require?
Most laws focus on three principles: transparency, fairness, and accountability. Organizations should maintain an AI inventory, classify AI use cases, document decisions, and keep audit-ready governance records.
5. How do federal AI policies affect state AI laws?
Federal AI policy continues to evolve, but existing state AI laws remain enforceable. Organizations should comply with current state requirements while monitoring future federal developments.





.avif)




.avif)
.avif)




.png)


