1,561 AI Bills in 45 States — What MSPs Need to Tell Their Clients

US states have introduced 1,561 AI bills across 45 states in 2026 — and federal preemption has failed. Colorado's AI Act takes effect June 30, 2026 with penalties up to $20,000 per violation per affected consumer. MSPs serving clients across state lines need an AI governance framework now, not after the first enforcement action.

Zack Jones · AI governance, state legislation, compliance

In 2024, state legislatures introduced 635 AI bills. In 2025, that number doubled to approximately 1,200. As of March 2026, the count has reached 1,561 AI bills across 45 states — and the session is not over.

This is not a hypothetical regulatory environment. Colorado’s AI Act takes effect June 30 with penalties of $20,000 per violation counted per affected consumer. Texas started enforcing January 1 with penalties up to $200,000. Illinois is enforcing AI employment rules. California has over 20 AI laws on the books. And the federal government just failed to preempt any of it.

If your MSP clients use AI tools — hiring platforms, chatbots, automated pricing, customer service automation, Copilot — they are operating in a regulatory landscape that is changing faster than most of them realize.

The Federal Preemption That Did Not Happen

The AI industry spent 2025 lobbying for a federal framework that would override state laws. They got close.

The House version of the One Big Beautiful Bill Act included a 10-year federal moratorium on state AI regulation. Had it passed, every state AI law would have been frozen — no new enforcement, no new requirements, no state-level compliance obligations for a decade.

The Senate voted 99-1 to strip the provision. President Trump signed the bill on July 4, 2025 with no restrictions on state AI legislation.

A December 2025 executive order directed federal agencies to challenge state AI laws through FTC preemption claims, FCC proceedings, and a DOJ litigation task force. But legal analysts from Goodwin and Ropes & Gray assess this as legally uncertain and operationally slow. The 99-1 Senate vote signals bipartisan consensus that states retain authority over AI regulation.

The bottom line: the state patchwork is the regulatory reality for the foreseeable future.

The Laws That Are Already Enforceable

Five states have AI laws with teeth, enforceable today or within 90 days.

Colorado — SB 24-205 (Effective June 30, 2026)

Colorado’s Consumer Protections for Artificial Intelligence is the most comprehensive state AI law enacted to date. Originally scheduled for February 2026, it was delayed to June 30 via a special-session bill.

Who it covers: Any organization that develops or deploys “high-risk AI systems” — AI that makes or substantially contributes to consequential decisions about consumers in employment, education, financial services, housing, insurance, legal services, or healthcare.

What it requires:

  • Developers must exercise “reasonable care” to prevent algorithmic discrimination
  • Deployers must adopt risk management policies and conduct initial and annual impact assessments
  • Consumer notifications are required both before an AI-assisted decision is made and after an adverse decision
  • Public website disclosures describing the types of high-risk AI systems in use

Penalties: Up to $20,000 per violation under the Colorado Consumer Protection Act. Violations are counted per affected consumer or transaction. An organization using an AI hiring tool that processes 1,000 applications without proper disclosure faces potential exposure of $20 million.

Affirmative defense: Compliance with NIST AI RMF or an equivalent framework provides an affirmative defense. This is the most significant detail for MSPs — a NIST AI RMF-based gap assessment is not just good practice. It is a legal shield.

Texas — TRAIGA (Effective January 1, 2026)

The Texas Responsible AI Governance Act prohibits AI systems used for behavioral manipulation, discrimination, and infringement of constitutional rights.

Penalties: $10,000-$12,000 per curable violation. $80,000-$200,000 per uncurable violation. $2,000-$40,000 per day for continuing violations. State agencies can impose additional sanctions up to $100,000 and license revocation.

Enforcement: Texas Attorney General exclusively. 60-day cure period before enforcement action.

Illinois — HB 3773 (Effective January 1, 2026)

Illinois amended its Human Rights Act to prohibit employers from using AI that subjects employees to discrimination based on protected class in recruitment, hiring, promotion, discharge, or conditions of employment.

For any client using AI-powered hiring tools, applicant tracking systems, or performance evaluation software, this law applies if they have employees in Illinois.

California — 20+ Laws (Multiple Effective January 1, 2026)

California has taken a sectoral approach. Key provisions:

  • SB 53 requires frontier AI developers with over $500 million in revenue to publish catastrophic risk frameworks
  • AB 489 prohibits AI from implying users are receiving care from licensed healthcare professionals
  • AB 325 makes algorithmic pricing collusion unlawful
  • SB 243 mandates safety protocols for companion chatbots, including protections for minors
  • SB 524 requires law enforcement to disclose when reports are generated using AI

New York City — Local Law 144 (In Force Since 2023)

NYC’s automated employment decision tool (AEDT) law requires annual independent bias audits, public disclosure of results, and advance candidate notification for any AI used in hiring decisions. This applies to any employer hiring in New York City, regardless of where the company is headquartered.

The Five Categories That Matter for SMBs

The IAPP’s analysis of 2026 state AI trends identifies a structural shift: states are moving away from broad “AI acts” and toward targeted, sector-specific legislation. For SMBs, five categories create immediate compliance obligations.

1. Employment AI

If your client uses AI in hiring, performance reviews, promotion decisions, or workforce management — applicant tracking systems, resume screening, video interview analysis, scheduling optimization — they face requirements in Colorado, Illinois, New York City, and a growing number of other states. Requirements include impact assessments, bias audits, employee notification, and appeal rights.

The SMB exposure: Many SMBs use AI hiring tools without realizing it. Platforms like Indeed, LinkedIn Recruiter, and HireVue incorporate AI into their workflows. The SMB may not have built the AI, but as the deployer, they bear compliance obligations.

2. Algorithmic Pricing

Over 40 bills in 24+ states target automated and personalized pricing. The catalyst is the RealPage controversy — allegations that landlords used a shared pricing algorithm to coordinate rent increases. But the legislation extends beyond housing to any business using AI to set prices.

The SMB exposure: Any client using dynamic pricing software, AI-driven quote generation, or automated rate adjustments should be aware that algorithmic pricing is the fastest-expanding category of state AI legislation.

3. Chatbot and AI Disclosure

78 bills in 27 states require disclosure when consumers interact with AI rather than humans. California’s SB 243 goes further for companion chatbots — mandating safety protocols against harmful content and protections for minors.

The SMB exposure: Clients deploying customer service chatbots, AI assistants, or automated response systems need to evaluate disclosure requirements in every state where they have customers.

4. Healthcare AI

California’s AB 489 prohibits AI from implying it is a licensed healthcare professional. Multiple states are introducing requirements for clinical decision support systems, AI-assisted diagnostics, and patient-facing AI tools.

The SMB exposure: MSPs serving healthcare clients need to flag this. Any AI tool used in a clinical or patient-facing context is entering a regulatory minefield.

5. Liability and Private Right of Action

This is where the risk escalates. Colorado and Texas limit enforcement to their Attorneys General, with cure periods that give organizations time to remediate. But proposed bills in New York, Maryland, and Michigan would create private rights of action — allowing individuals to sue directly. New York’s proposed AI Act (S1169A) would let citizens sue technology companies over algorithmic discrimination.

The SMB exposure: A private right of action transforms AI compliance from a regulatory risk into a litigation risk. One disgruntled job applicant in a state with a private right of action could file suit over an AI hiring decision.

The “Build Once, Comply Anywhere” Framework

The practical question for MSPs: how do you help a client that operates in 12 states, each with different AI requirements, without conducting 12 separate compliance assessments?

Colorado’s answer is instructive. The Colorado AI Act provides an affirmative defense for organizations that comply with NIST AI RMF or an equivalent recognized framework. This is not accidental — NIST AI RMF was designed to be adaptable across regulatory contexts.

A NIST AI RMF-based gap assessment creates a governance foundation that maps to multiple state requirements:

| NIST AI RMF Function | What It Covers | State Laws It Maps To |
|---|---|---|
| Govern | AI risk management policies, roles, accountability | Colorado (risk management policies), Texas (governance requirements) |
| Map | AI system inventory, intended use, risk classification | Colorado (impact assessments), Illinois (AI system identification) |
| Measure | Bias testing, performance monitoring, impact evaluation | NYC LL 144 (bias audits), Colorado (annual impact assessments) |
| Manage | Incident response, remediation, continuous improvement | All states (ongoing compliance demonstration) |

The assessment does not need to address every provision of every state law. It needs to establish the governance infrastructure — policies, inventories, risk classifications, testing procedures — that can be adapted to specific state requirements as they take effect.

For MSPs, this is the same playbook as CIS Benchmark assessments for M365: establish the baseline, identify the gaps, build the remediation roadmap, and review on a recurring cycle as the regulatory landscape evolves.

The MSP Revenue Opportunity

AI governance is not a cost center for MSPs. It is the next compliance service line — and the market timing is ideal.

The urgency is real. Colorado’s law takes effect in 90 days. Texas is already enforcing. Illinois is already enforcing. Your clients’ enterprise customers are beginning to require ISO 42001 certification from their vendors — pressure that flows downhill to SMBs in the supply chain.

The competition is thin. Most MSPs are not talking about AI governance yet. The ones who start now own the conversation before it becomes crowded.

The economics are comparable to CIS Benchmark assessments: $2,500-$4,000 in margin per engagement through wholesale assessment partnerships, with recurring revenue as the regulatory landscape continues to evolve. An AI governance gap assessment conducted today will need to be updated when Colorado’s law takes effect, again when new state laws pass, and annually as frameworks like NIST AI RMF and ISO 42001 are revised.

The MSPs who built compliance practices around CIS Benchmarks already have the client relationships, the QBR cadence, and the trusted advisor positioning to introduce AI governance as a natural extension of the security and compliance conversation. The framework is different. The delivery model is the same.

What to Do This Week

For MSPs:

  1. Identify which clients use AI. Start simple: do they use AI-powered hiring tools, chatbots, dynamic pricing, or Copilot? Many clients do not realize the tools they already use incorporate AI.

  2. Map client exposure by state. Where do they have employees? Where do they have customers? Colorado, Texas, Illinois, California, and New York City are the immediate priorities.

  3. Bring it up in the next QBR. The conversation is not “you need to comply with AI laws.” The conversation is “here is what is changing, here is your exposure, and here is how we can help you get ahead of it.”

  4. Offer an AI governance gap assessment. A NIST AI RMF-based assessment establishes the baseline. It identifies which AI systems are in use, classifies their risk levels, and produces a remediation roadmap. Colorado explicitly recognizes NIST AI RMF compliance as an affirmative defense.


Genesis delivers AI governance gap assessments using NIST AI RMF, ISO 42001, and EU AI Act frameworks — white-label, wholesale pricing, with margin built in for MSPs.

The Colorado AI Act takes effect June 30, 2026. If your clients have customers or employees in Colorado, the clock is already running. A gap assessment conducted now gives them 90 days to remediate before enforcement begins.

Contact us to run an AI governance gap assessment for your clients.

Frequently Asked Questions

How many AI bills have been introduced in US states in 2026?

As of March 2026, lawmakers in 45 states have introduced over 1,561 AI-related bills — up from approximately 1,200 in 2025 and 635 in 2024. New York alone has introduced more than 180 AI bills. Key categories include employment AI, healthcare AI, algorithmic pricing, chatbot safety, and automated decision-making.

Which state AI laws are already enforceable?

Colorado's Consumer Protections for AI (SB 24-205) takes effect June 30, 2026 with penalties up to $20,000 per violation. Texas TRAIGA is effective January 1, 2026 with penalties up to $200,000 per uncurable violation. Illinois HB 3773 (AI in employment) is effective January 1, 2026. Multiple California AI bills took effect January 1, 2026. NYC Local Law 144 has been in force since 2023.

Will the federal government preempt state AI laws?

Unlikely in the near term. The Senate voted 99-1 to strip a proposed 10-year federal moratorium on state AI regulation. A December 2025 executive order directs federal agencies to challenge state AI laws, but faces legal uncertainty. States continue legislating at an accelerating pace.

How can MSPs help clients comply with multiple state AI laws?

Position AI governance gap assessments using NIST AI RMF as the foundation. NIST AI RMF is framework-agnostic and maps to both state requirements and international standards like ISO 42001 and the EU AI Act. Build once, demonstrate compliance across jurisdictions.