Colorado's AI Act lasted one month. On February 1, the state's sweeping algorithmic discrimination law took effect, requiring risk assessments, duty-of-care obligations, and 90-day reporting to the Attorney General. By mid-March, the Colorado AI Work Group released a draft bill to scrap the whole thing and replace it with lighter notice-and-transparency rules.
Three days later, the White House released a national AI legislative framework urging Congress to preempt state AI laws entirely. The framework calls AI "an inherently interstate phenomenon" and says states "should not be permitted" to penalize developers for how third parties use their models.
So if you're a company deploying AI in hiring, lending, pricing, or customer-facing decisions across multiple states, you're staring at a real question: do you keep spending money on state-by-state compliance, or do you bet on federal preemption arriving first?
The Decision Framework
Scenario 1: You operate in one or two states. Keep complying. Even if federal preemption passes, it's 12 to 18 months away at best. Colorado's original law is still enforceable through June 30. NYC Local Law 144 requires annual bias audits for automated hiring tools, and a December 2025 Comptroller audit found the city is ramping up enforcement after years of near-zero action. Illinois HB 3773 (effective January 1, 2026) requires employee notification and candidate consent before AI evaluates them. These obligations are live right now.
Scenario 2: You operate in five or more states. Build to the strictest standard and toggle down. Right now, that's California. The CCPA's automated decision-making technology regulations require risk assessments, consumer opt-out rights, and worker notification when AI drives employment decisions. California's AI Transparency Act (SB 942), delayed to August 2, 2026, will require visible labels and embedded metadata for AI-generated content from providers with over one million monthly users. If you build your compliance architecture against California's requirements, you'll meet or exceed every other state's rules. And when federal preemption lands, you flip switches instead of rebuilding.
Scenario 3: You sell into the EU. Federal preemption won't help you. The EU AI Act hits full enforcement on August 2, 2026, and the European Commission has already missed its own guidance deadline for high-risk AI obligations. You're building compliance against the statutory text with limited official interpretation. If you have EU customers, the August deadline is the one that actually matters.
What the White House Framework Actually Does (and Doesn't Do)
It's a recommendation to Congress. Not an executive order. Not a regulation. It has no legal force today. Congress hasn't introduced a preemption bill yet. The Commerce Department delivered its evaluation of state AI laws on March 11, identifying which state statutes the administration wants challenged. The FTC issued its Section 5 AI policy statement the same day, signaling enforcement intent. But preemption requires legislation, and legislation takes time.
Here's what it does signal: the administration wants to create a developer liability shield and push compliance obligations downstream to deployers. If you're using someone else's AI in your product (and most growth-stage companies are), you're on the deployer side of that line. The legal exposure stays with you.
Three Things to Do This Week
- GC/Compliance Lead: Map every state AI obligation that currently applies to your company. Not "might apply." Actually applies, today. Get specific: which statute, which product, which use case. - CTO/Product: Architect your AI compliance controls as a modular layer you can toggle per jurisdiction. If you're hard-coding state-specific logic into your product, you're building technical debt that'll hurt regardless of whether preemption passes. - CEO: Track what state-by-state compliance is costing you in dollars and engineering hours. That number becomes your argument for engaging in the federal comment process when Congress starts drafting.
The companies that handle regulatory uncertainty best aren't the ones that guess which way the wind blows. They're the ones that build systems flexible enough to handle either outcome.
---
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before making compliance decisions based on the developments discussed here.
If your AI compliance strategy is still "wait and see," that's a conversation worth having with outside counsel who can map your actual obligations across every jurisdiction where you operate.