Executive Summary
- Seven U.S. state AI laws are now live or taking effect before year-end 2026. A company with employees or customers in Illinois, Texas, California, Colorado, Connecticut, or New York City faces overlapping requirements — most without a dedicated regulatory team to track them. This card maps which laws apply to a 200-2,000 person company and which can be deprioritized for now.
- The EU AI Act’s high-risk enforcement begins August 2, 2026, with penalties up to 35 million euros or 7% of global turnover. Any company whose AI outputs touch EU residents — through customers, vendors, or data processing — faces extraterritorial exposure that most mid-market GCs have not yet evaluated.
- Federal preemption is aspirational, not operational. President Trump’s December 2025 executive order directed the DOJ to challenge “onerous” state AI laws, but no state law has been struck down, no preemptive legislation has passed Congress, and companies that paused compliance to wait for federal clarity face active liability with no governance documentation to defend against it (King & Spalding, January 2026; Ropes & Gray, March 2026).
- The practical path: build to the strictest standard once. A governance framework designed for Colorado’s requirements — the most demanding U.S. law — covers 80-90% of obligations across all jurisdictions simultaneously. The GC at a 300-person company does not need seven compliance programs. The GC needs one program and a jurisdiction-by-jurisdiction checklist.
The Laws That Apply Right Now
Illinois HB 3773 — AI in Employment (Effective January 1, 2026)
Who it covers: Any employer with Illinois employees or applicants.
What it requires: Notice to employees and applicants whenever AI is used in recruitment, hiring, promotion, discipline, or discharge decisions. Prohibits AI that produces discriminatory outcomes under a disparate impact standard — the employer is liable even when the discriminatory effect comes from a third-party vendor’s tool. Zip codes may not be used as a proxy for protected classes.
Penalty exposure: Private right of action with uncapped compensatory damages, back pay, emotional distress damages, and attorneys’ fees. This is not a regulatory fine — it is employment litigation.
The GC question: Do you use any AI in hiring, performance reviews, or scheduling for Illinois-based employees? Resume screening tools, interview analysis software, and workforce management platforms with AI features all trigger this law.
Source: Illinois HB 3773 amending the Illinois Human Rights Act; Illinois Department of Human Rights draft regulations (2025); Hinshaw & Culbertson analysis, January 2026.
Texas TRAIGA — Responsible AI Governance Act (Effective January 1, 2026)
Who it covers: Any business operating in Texas, providing services to Texas residents, or deploying AI systems used by Texas residents.
What it requires: Prohibits AI deployed with intent to discriminate against protected classes, encourage self-harm or violence, or violate constitutional rights. Healthcare AI requires patient disclosure. Companies must document system descriptions, training data summaries, performance metrics, and safeguards — the AG can request these via civil investigative demand at any time.
Penalty exposure: $10,000-$200,000 per violation; $2,000-$40,000 per day for ongoing noncompliance. AG enforcement only with a 60-day cure period.
The GC question: Can you produce a one-page compliance statement for each AI system describing its purpose, known limitations, and safeguards? TRAIGA offers an affirmative defense for companies that follow the NIST AI Risk Management Framework — the simplest path to documented good faith.
Source: Texas HB 149 (TRAIGA); Baker Botts analysis, July 2025; Norton Rose Fulbright compliance guide, 2025.
Colorado SB 24-205 — AI Consumer Protection (Effective June 30, 2026)
Who it covers: Any developer or deployer of “high-risk” AI systems making or substantially influencing “consequential decisions” affecting Colorado residents. Consequential decisions include employment, education, housing, lending, insurance, healthcare, and legal services.
What it requires: Reasonable care to prevent algorithmic discrimination. Risk management policy and program. Annual impact assessments for each high-risk AI system. Consumer disclosure before any adverse decision made or influenced by AI.
Penalty exposure: Up to $20,000 per violation, with each affected consumer counted separately. AG enforcement only. The legislature is actively reworking the law — a March 2026 working group reached consensus on a replacement framework that shifts from mandatory bias audits to transparency-and-notice, extends the cure period to 90 days, and allocates fault between developers and deployers (Colorado Governor’s Office, March 2026). Companies should prepare for the original law’s requirements while monitoring the replacement bill.
The GC question: Does any AI system influence decisions about Colorado residents’ employment, credit, insurance, or access to services? If yes, impact assessments and consumer disclosures are required by June 30.
Source: Colorado SB 24-205; Clark Hill analysis of August 2025 delay; Colorado Governor’s AI Working Group consensus report, March 2026.
New York City Local Law 144 — AI in Hiring (Effective Since July 2023)
Who it covers: Any employer or employment agency using automated employment decision tools (AEDTs) for hiring or promotion of candidates for jobs in New York City.
What it requires: Annual independent bias audit published on the employer’s website. Notice to candidates at least 10 business days before the AEDT is used, including a link to the published bias audit results. A December 2025 Comptroller’s audit found that 75% of complaints were misrouted and the enforcement agency identified only 1 noncompliant company out of 32 surveyed — while auditors found at least 17 potential violations in the same group (NYS Comptroller, December 2025). Stricter enforcement is expected in 2026.
Penalty exposure: $500-$1,500 per violation per day. An employer that used an AI screening tool on 200 applicants without notice faces $100,000-$300,000 in potential fines from a single hiring cycle.
The GC question: Does anyone in the organization use AI-assisted resume screening, candidate ranking, or interview analysis for NYC-based positions? The tool does not need to make the final decision — substantially assisting the decision triggers the law.
Source: NYC Local Law 144; NYS Comptroller audit, December 2025; DLA Piper enforcement analysis, January 2026.
California CCPA/CPRA — AI Risk Assessments (Effective January 1, 2026)
Who it covers: Any business that collects personal information of California residents and meets CCPA thresholds (annual revenue over $25 million, or processes data of 100,000+ consumers, or derives 50%+ of revenue from selling personal information).
What it requires: Risk assessments for any AI processing of California residents’ personal data — including profiling, automated decision-making, and targeted advertising. The new ADMT (automated decision-making technology) rules require consumer opt-out rights when AI is used in decisions that “replace or substantially replace human decision-making.” Full ADMT opt-out compliance is required by January 1, 2027, but risk assessment obligations are active now.
Penalty exposure: $2,500 per violation; $7,500 per intentional violation. AG and CPPA enforcement.
The GC question: Does any AI system process personal information about California residents for purposes beyond basic operations? Customer recommendation engines, fraud detection, HR analytics, and marketing personalization all likely trigger risk assessment requirements.
Source: CCPA/CPRA amendments; California ADMT regulations (effective 2026); BDO analysis, January 2026.
The Laws to Monitor — Not Yet Urgent for Most Mid-Market Companies
EU AI Act — High-Risk Enforcement (August 2, 2026)
When it matters: If the company has EU customers, processes data about EU residents, or sells products or services that reach the EU market. The law applies regardless of where the company is headquartered.
What it requires: AI systems used in employment, credit, education, and law enforcement contexts are classified as “high-risk” and face documentation, transparency, human oversight, and conformity assessment requirements. General-purpose AI model obligations have been in effect since August 2, 2025.
Penalty exposure: Up to 35 million euros or 7% of global annual turnover — whichever is higher.
When to act: A 300-person company with no EU customers or employees can deprioritize this. A company with EU-facing operations should begin an AI inventory mapped to EU risk classifications by Q2 2026.
Source: EU AI Act (Regulation 2024/1689); Legal Nodes compliance analysis, 2026; Baker Botts energy sector analysis, March 2026.
Connecticut — LLM Training Data Disclosure (July 1, 2026)
When it matters: If the company processes personal data of Connecticut residents and uses that data to train or fine-tune large language models.
What it requires: Privacy notice must disclose whether personal data is collected, used, or sold for training LLMs.
When to act: Update privacy policies by July 1, 2026. Minimal compliance burden — this is a transparency requirement, not a prohibition.
Source: Connecticut Public Act 25-113 (CTDPA amendment).
Federal Landscape: What the GC Needs to Know
The Preemption Gambit — Not a Compliance Strategy
President Trump’s December 2025 executive order, “Ensuring a National Policy Framework for Artificial Intelligence,” directed the DOJ to establish an AI Litigation Task Force to challenge state laws, ordered Commerce to identify “onerous” state AI laws within 90 days, and threatened to withhold federal broadband funding from states with targeted AI regulations (White House, December 2025).
The order explicitly carves out state laws on child safety, AI procurement, and data center infrastructure. It cannot override existing state law — that requires an act of Congress or a court ruling. No state AI law has been struck down or preempted as of March 2026. Companies that delay compliance while waiting for federal action are betting their governance posture on a legal theory that has not yet been tested in court.
EEOC — Guidance Removed, Liability Unchanged
The Trump Administration removed Biden-era EEOC guidance on AI and hiring discrimination in January 2025. The underlying law — Title VII — remains unchanged. Employers are fully liable under disparate impact theory if their AI tools produce discriminatory outcomes, regardless of whether they purchased the tool from a vendor (Harris Beach Murtha analysis, 2026). The EEOC continues to prioritize algorithmic fairness in enforcement.
FTC — “Operation AI Comply” Continues
The FTC’s enforcement initiative against deceptive AI marketing claims survived the administration change. Notable actions: DoNotPay fined $193,000 for “robot lawyer” claims (January 2025), Workado fined for claiming “98% accuracy” that measured 53% in real-world use (August 2025), IntelliVision sanctioned for unsubstantiated facial recognition accuracy claims (January 2025). The pattern: AI-specific accuracy and capability claims are being tested against evidence — and losing (Benesch analysis, 2025).
SEC — No New Rules, But Existing Disclosure Applies
The SEC’s Investor Advisory Committee recommended AI-specific disclosure guidance in December 2025, but Chairman Atkins indicated the Commission is not prepared to issue AI-specific rules. Existing materiality-based disclosure requirements already apply: companies must disclose material risks from AI use, including model limitations, data quality, and cybersecurity considerations. The Division of Examinations flagged AI as a top priority for fiscal year 2026, and comment letters are targeting companies that overstate AI capabilities in filings (Norton Rose Fulbright, 2025; Harvard Law School Forum, January 2026).
Key Data Points
| Jurisdiction | Effective | Applies If You Have… | Penalty Per Violation | Enforcement |
|---|---|---|---|---|
| Illinois HB 3773 | Jan 1, 2026 | Illinois employees or applicants | Uncapped (private right of action) | Individuals + IDHR |
| Texas TRAIGA | Jan 1, 2026 | Texas operations or customers | $10K-$200K + $2K-$40K/day | AG only (60-day cure) |
| NYC Local Law 144 | Active since 2023 | NYC-based hiring | $500-$1,500/day | DCWP |
| California CCPA/CPRA | Jan 1, 2026 | California consumer data (>$25M revenue) | $2,500-$7,500 | AG + CPPA |
| Colorado SB 205 | June 30, 2026 | Colorado residents in consequential decisions | $20K per consumer | AG only |
| Connecticut CTDPA | July 1, 2026 | Connecticut consumer data + LLM training | AG discretion | AG only |
| EU AI Act (high-risk) | Aug 2, 2026 | EU customers, data subjects, or market reach | Up to €35M or 7% of turnover | National authorities |
What This Means for Your Organization
The mid-market GC faces a fragmented regulatory landscape that was designed by and for companies with dedicated compliance teams. A 300-person company does not have a regulatory affairs department. What it has is a general counsel who handles everything from real estate leases to employment disputes and now needs to add AI governance to the portfolio.
The practical path is not to build seven jurisdiction-specific programs. It is to build one AI governance framework — an AI system inventory, a risk classification for each system, an employment AI notice template, a consumer disclosure process, and documentation of reasonable care — and map it against the jurisdiction-specific requirements on the table above. A framework built to Colorado’s standard (the strictest) covers the core requirements of every other U.S. jurisdiction on this list. The marginal cost of adding Illinois employment notices or California risk assessments to an existing framework is hours, not months.
Three questions to answer this week: (1) Do you have a complete inventory of every AI system in use across the organization — including platform-embedded features in tools like Salesforce Einstein, Microsoft Copilot, and Zoom IQ? (2) Does any AI system influence decisions about employment, lending, insurance, or access to services for residents of the states listed above? (3) Can you produce basic documentation — purpose, limitations, safeguards — for each system within 30 days? If the answer to any question is no, the compliance clock is already running. If this raised questions specific to your organization’s exposure, I’d welcome the conversation — brandon@brandonsneider.com.
Sources
- Illinois HB 3773 — Illinois General Assembly; Hinshaw & Culbertson analysis of employer requirements, January 2026; Seyfarth Shaw legal update, September 2024. Independent legislative analysis — high credibility.
- Texas TRAIGA (HB 149) — Texas Legislature, signed June 22, 2025; Baker Botts compliance analysis, July 2025; Norton Rose Fulbright implementation guide, 2025; IAPP sample policy framework, 2025. Independent legal analysis — high credibility.
- Colorado SB 24-205 — Colorado General Assembly; Clark Hill delay analysis, August 2025; Colorado Governor’s AI Working Group consensus report, March 2026; NAAG deep-dive analysis, 2024. Regulatory primary source + independent analysis — high credibility. Note: law is under active rework.
- NYC Local Law 144 — NYC Department of Consumer and Worker Protection; NYS Comptroller enforcement audit, December 2025; DLA Piper enforcement analysis, January 2026. Government audit source — high credibility. Comptroller findings are damning for current enforcement but signal tightening.
- California CCPA/CPRA and ADMT regulations — California Privacy Protection Agency; BDO compliance analysis, January 2026; Hinshaw & Culbertson roadmap, 2026. Regulatory primary source — high credibility.
- EU AI Act — European Parliament Regulation 2024/1689; Legal Nodes compliance analysis, 2026; DLA Piper obligations guide, August 2025; Baker Botts sector analysis, March 2026. Primary legislative source — high credibility. Extraterritorial application analysis still evolving.
- Federal preemption executive order — White House, “Ensuring a National Policy Framework for Artificial Intelligence,” December 11, 2025; King & Spalding analysis, January 2026; DLA Piper preemption analysis, December 2025; NPR legal analysis, December 2025; White & Case analysis, December 2025. Primary source + independent legal analysis — high credibility. Note: executive order is aspirational; no state law has been preempted.
- EEOC and AI hiring — K&L Gates analysis of guidance removal, January 2025; Harris Beach Murtha AI-assisted hiring analysis, 2026; Cooley U.S. legal developments review, September 2025. Independent analysis — high credibility. Underlying Title VII liability is unchanged.
- FTC “Operation AI Comply” — FTC press releases, September 2024-August 2025; Benesch enforcement analysis, 2025; Crowell & Moring Workado analysis, 2025. Government enforcement primary source — high credibility.
- SEC AI disclosure — SEC Investor Advisory Committee recommendation, December 2025; Harvard Law School Forum annual reporting analysis, January 2026; Norton Rose Fulbright enforcement analysis, 2025. Government advisory recommendation — moderate credibility (recommendation, not rule).
- State privacy law landscape — IAPP state tracker, 2026; MultiState privacy law tracker, 2026; Hunton Andrews Kurth January 2026 analysis; NCSL 2025 legislation database. Independent policy trackers — high credibility for legislative status.
Brandon Sneider | brandon@brandonsneider.com | March 2026