The Patchwork Problem: State AI Legislation, Overbroad Definitions, and What They Mean for Technology Contracting

04.10.2026

The Definitional Problem

At the heart of the emerging state AI regulatory landscape is a problem that sounds technical but has enormous practical consequences: Legislatures cannot agree on what “artificial intelligence” means, and most of them define it too broadly.

Utah’s Artificial Intelligence Policy Act, enacted in 2024 and subsequently amended, defines AI as “a machine-based system that makes predictions, recommendations, or decisions influencing real or virtual environments.” That definition captures any Excel spreadsheet with an IF function, any SQL query that filters records, and any rules-based automation that generates an output. It is not limited to machine learning, neural networks, or any technology that a reasonable person would recognize as “AI.”

Utah’s narrower definition of “generative AI” — requiring training on data, interaction with a person, and generation of non-scripted outputs — is better targeted, but the broader umbrella definition remains in statute and is the one that determines the jurisdictional reach of the state’s AI regulatory apparatus. Other states have adopted similarly expansive definitions, or they have proposed bills using terms like “automated decision system” or “automated decision-making technology” that sweep in any computational process informing a decision.

The consequence is that routine business operations, including credit scoring models, pricing algorithms, customer segmentation, automated underwriting, and even basic data analytics, may fall within statutory scope regardless of whether they involve anything a technologist would call “AI.”

The Current Legislative Landscape

As of March 2026, the state AI legislative landscape is characterized by volume, fragmentation, and uncertainty. The International Association of Privacy Professionals (IAPP) tracks cross-sectoral AI governance bills applicable to the private sector and has observed a dramatic year-over-year increase, from 86 bills in 2023 to 589 in 2025 to an even faster pace in 2026. The trend has shifted away from omnibus EU AI Act-style proposals and toward targeted sectoral legislation, with separate bills for health care, employment, chatbots, pricing, and other verticals.

Colorado remains the most significant jurisdiction. Its AI Act (SB 24-205), originally scheduled for February 2026, was delayed to June 30, 2026, and is now being replaced by a consensus framework announced on March 17, 2026. The replacement eliminates risk management policy and impact assessment requirements in favor of transparency, recordkeeping, and consumer rights. It allocates fault between developers and deployers based on relative responsibility, a significant shift for technology vendors.

18 states now provide consumers with opt-out rights for automated processing in decisions with “legal or similarly significant effects,” including the provision or denial of financial services. The scope of these opt-out rights varies in ways that matter: Some states limit the right to “solely automated” decisions, while others, notably Colorado, capture decisions with partial human involvement. For any company operating nationally, this variation creates a compliance matrix that must be addressed at the contracting level.

Meanwhile, the Trump administration has signaled opposition to state AI regulation, issuing an executive order directing the DOJ to identify and challenge “onerous” state laws. The administration pressured Utah to withdraw its AI Transparency Act (HB 286) and initially proposed a 10-year moratorium on state AI regulation in the One Big Beautiful Bill Act (later removed). Whether federal preemption materializes remains uncertain, but companies should not count on it as a compliance strategy.

Contracting Implications

The patchwork of state AI definitions and obligations has immediate implications for technology contracting. Companies should consider the following:

  • Scope of “AI” in vendor and customer agreements: Most technology contracts do not define “AI” or “automated decision-making” with the precision that state statutes now require. Where a contract allocates compliance responsibilities for “AI systems,” the parties should specify whether this includes rules-based automation, statistical models, and other technologies that fall within broad statutory definitions. Without this specificity, a vendor may find itself bearing compliance obligations for systems it does not consider to be “AI” at all.
  • Developer/deployer allocation: Colorado’s framework — and the emerging consensus model it represents — distinguishes between “developers” (entities that build AI systems) and “deployers” (entities that use them in consequential decisions). This distinction must be reflected in contracts between technology providers and their clients. The Colorado working group’s proposed fault-allocation regime, which would allow developers to avoid liability where deployers use technology in unintended ways, should inform how contracts define permitted use, prohibited use, and the consequences of misuse.
  • Documentation and audit obligations: Even under the streamlined Colorado replacement framework, deployers must maintain documentation, provide adverse-decision disclosures, and offer human-led reconsideration processes. Technology contracts should specify which party is responsible for generating and maintaining this documentation and should include audit cooperation provisions that anticipate attorney general inquiries.
  • Choice-of-law and compliance carve-outs: Given the variation across states, contracts should address whether compliance obligations follow the law of a single jurisdiction or whether the parties intend to adopt a “highest-common-denominator” approach that satisfies the strictest applicable requirements. For companies operating nationally, a single-jurisdiction approach may be insufficient, while a highest-common-denominator approach may impose unnecessary costs.
  • FCRA and GLBA intersections: State AI laws generally exempt data subject to the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act. However, these exemptions are typically scoped to data used for FCRA- or GLBA-authorized purposes, not to the entity as a whole. Companies that operate across multiple product lines, some FCRA-covered and some not, must ensure their contracts reflect this partial exemption and do not inadvertently assume full exemption from state AI obligations.

Recommended Actions

Companies should conduct an inventory of automated systems that may fall within broad AI definitions, review existing technology contracts for gaps in compliance allocation, and monitor Colorado’s legislative process as the consensus framework moves through the legislature before the June 30, 2026, deadline. The NIST AI Risk Management Framework and ISO/IEC 42001 continue to serve as useful benchmarks, as multiple states offer safe harbors or rebuttable presumptions for organizations that adopt recognized risk management frameworks.