US State AI Governance Legislation Tracker
This tracker focuses on cross-sectoral AI governance bills that apply to private sector organizations.
Published: 23 May 2024
Last updated: 6 Oct. 2025
As with seemingly every aspect of AI, legislative activity related to potential AI risks and harms has moved with unprecedented speed. Often it can take decades for policymakers to begin responding to new technologies with targeted laws. But after generative AI captured the world's attention, it took only a matter of months for U.S. state legislatures to consider responsive legislation. States are not waiting for federal action, instead adopting a remarkably active stance on regulations responding to concerns around many different types of AI systems and contexts.
Unpacking the themes of these legislative efforts is an ongoing undertaking. To help keep track of this rapidly changing landscape, the IAPP has published this tracker, which collates legislative activity and reflects emerging themes across AI governance policymaking at the U.S. state level. This information is compiled into a chart and a directory with information specific to states with enacted laws.
Over the past few years, state responses have varied widely, reflecting the multifaceted challenges AI poses across legal domains. Initial legislative efforts focused on state government use of AI, with states creating new safeguards or outright bans on high-risk governmental AI applications. Other states have focused on implementing studies and task forces to assess AI’s risks and benefits before rushing to new regulations. The recent surge in generative AI has shifted legislative attention to commercial AI guardrails. These efforts typically fall within consumer protection law and aim to amend state legal codes accordingly. This tracker serves as a resource to monitor these developments.
If you are aware of a state AI governance bill absent from the tracker, please share it with us at research@iapp.org.
For more information on the IAPP's stance concerning which state AI governance laws are considered to be broadly applicable and affect various types of AI systems, view the text in the below dropdown.
As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.
As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."
A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.
For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.
State AI governance law chart
Private-sector AI governance bills
This chart is curated to spotlight legislation directly impacting private sector organizations, excluding government-only bills. While such standards influence AI policy, they generally do not impose immediate obligations on private sector organizations. Sectoral AI activities, despite their significance, are also omitted from the chart due to their limited scope.
The chart instead focuses on broadly applicable laws affecting various types of AI systems. This approach acknowledges the complexity of crafting comprehensive AI governance legislation that addresses the spectrum of risks associated with diverse AI applications. The chart features a scope column to indicate the types of AI systems each bill covers, ranging from generative AI to automated decision-making systems. It also categorizes obligations into broad themes, clarifying which provisions apply to developers and deployers. However, the legislative text can vary significantly, so a check mark in the chart does not imply identical obligations across proposals.
State AI governance law map
This map tracks the status of statutes and bills that are enacted or in the legislative process.
State AI governance law directory
This section contains information specific to each state with enacted AI governance laws, including links to legislation.
Private sector AI governance laws
- Assembly Bill 2013
Effective date: 1 January 2026 - Senate Bill 942
Effective date: 1 January 2026 - Senate Bill 53
Effective date: 1 January 2026
Private sector AI governance laws
- Colorado AI Act
Effective date: 1 February 2026
Private sector AI governance laws
- Utah AI Policy Act
Effective date: 1 May 2024 - Senate Bill 226
Effective date: 7 May 2025
Private sector AI governance laws
- Texas Responsible Artificial Intelligence Governance Act
Effective date: 1 January 2026
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
US State AI Governance Legislation Tracker
This tracker focuses on cross-sectoral AI governance bills that apply to private sector organizations.
Published: 23 May 2024
Last updated: 6 Oct. 2025
Contributors:
Cobun Zweifel-Keegan
Managing Director, D.C., IAPP
CIPP/US, CIPM
David Botero
Westin Fellow, IAPP
As with seemingly every aspect of AI, legislative activity related to potential AI risks and harms has moved with unprecedented speed. Often it can take decades for policymakers to begin responding to new technologies with targeted laws. But after generative AI captured the world's attention, it took only a matter of months for U.S. state legislatures to consider responsive legislation. States are not waiting for federal action, instead adopting a remarkably active stance on regulations responding to concerns around many different types of AI systems and contexts.
Unpacking the themes of these legislative efforts is an ongoing undertaking. To help keep track of this rapidly changing landscape, the IAPP has published this tracker, which collates legislative activity and reflects emerging themes across AI governance policymaking at the U.S. state level. This information is compiled into a chart and a directory with information specific to states with enacted laws.
Over the past few years, state responses have varied widely, reflecting the multifaceted challenges AI poses across legal domains. Initial legislative efforts focused on state government use of AI, with states creating new safeguards or outright bans on high-risk governmental AI applications. Other states have focused on implementing studies and task forces to assess AI’s risks and benefits before rushing to new regulations. The recent surge in generative AI has shifted legislative attention to commercial AI guardrails. These efforts typically fall within consumer protection law and aim to amend state legal codes accordingly. This tracker serves as a resource to monitor these developments.
If you are aware of a state AI governance bill absent from the tracker, please share it with us at research@iapp.org.
For more information on the IAPP's stance concerning which state AI governance laws are considered to be broadly applicable and affect various types of AI systems, view the text in the below dropdown.
As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act.
As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, rights or purpose."
A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.
For further information, this full-length article outlines the IAPP's current stance. The IAPP may adjust this position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will annually reassess its position on the definition of "comprehensive" to best stay current with state legislation trends.
State AI governance law chart
Private-sector AI governance bills
This chart is curated to spotlight legislation directly impacting private sector organizations, excluding government-only bills. While such standards influence AI policy, they generally do not impose immediate obligations on private sector organizations. Sectoral AI activities, despite their significance, are also omitted from the chart due to their limited scope.
The chart instead focuses on broadly applicable laws affecting various types of AI systems. This approach acknowledges the complexity of crafting comprehensive AI governance legislation that addresses the spectrum of risks associated with diverse AI applications. The chart features a scope column to indicate the types of AI systems each bill covers, ranging from generative AI to automated decision-making systems. It also categorizes obligations into broad themes, clarifying which provisions apply to developers and deployers. However, the legislative text can vary significantly, so a check mark in the chart does not imply identical obligations across proposals.
State AI governance law map
This map tracks the status of statutes and bills that are enacted or in the legislative process.
State AI governance law directory
This section contains information specific to each state with enacted AI governance laws, including links to legislation.
Private sector AI governance laws
- Assembly Bill 2013
Effective date: 1 January 2026 - Senate Bill 942
Effective date: 1 January 2026 - Senate Bill 53
Effective date: 1 January 2026
Private sector AI governance laws
- Colorado AI Act
Effective date: 1 February 2026
Private sector AI governance laws
- Utah AI Policy Act
Effective date: 1 May 2024 - Senate Bill 226
Effective date: 7 May 2025
Private sector AI governance laws
- Texas Responsible Artificial Intelligence Governance Act
Effective date: 1 January 2026
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
US State Privacy Legislation Tracker
Organizational Digital Governance Report 2025
US State Comprehensive Privacy Laws Report
US Data Privacy Litigation
