US state AI laws compared: Colorado, Texas, California, and NYC
- The main state laws differ sharply: Colorado is broad, Texas harm-focused, California multi-front, NYC hiring-specific.
- Despite differences, they share concerns: preventing harm, transparency, and responsible governance with evidence.
- The same disciplines underpin the EU AI Act, NIST AI RMF, and ISO 42001.
- National operators should build one coherent governance practice and map each state's rules onto it.
- Current as of June 2026. This is general information, not legal advice.
How the approaches differ
The contrast across the four jurisdictions is clear:
| Law | Primary focus | Approach |
|---|---|---|
| Colorado AI Act | High-risk AI and algorithmic discrimination | Broad, risk-based, developer and deployer duties |
| Texas TRAIGA | Prohibited and regulated AI uses | Harm-focused, with responsible-AI expectations |
| California rules | Automated decision-making, transparency, privacy | Multi-front, privacy-linked |
| NYC Local Law 144 | Automated employment decision tools | Narrow, hiring-specific, bias-audit-and-notice |
The takeaway from the contrast
A broad risk framework (Colorado), a harm-and-prohibition approach (Texas), a multi-instrument privacy-linked approach (California), and a single-use targeted measure (NYC). An organisation operating across these states cannot assume one approach satisfies the others.
The common ground
Despite the differences, the laws share underlying concerns. All are ultimately about preventing harm and unfairness from AI, providing transparency to the people affected, and expecting organisations to govern their AI responsibly. The disciplines they call for, knowing your AI systems, assessing their risks and impacts, being transparent, managing the risk of discriminatory or harmful outcomes, and keeping evidence, are largely common. This is why the laws, for all their surface differences, rest on the same governance foundation.
The link to broader frameworks
This common ground extends beyond the states. The same disciplines underpin the EU AI Act and frameworks like the NIST AI RMF and ISO 42001. An organisation that governs its AI well, with a clear inventory, risk and impact assessments, transparency, and evidence, has built the foundation that all of these laws and frameworks draw on. The specific obligations differ, but the substance overlaps heavily.
What this means for national operators
For an organisation operating across the US, the lesson is not to build a separate compliance project for each state. It is to build one coherent AI governance practice that covers the common ground, then map each state's specific requirements onto it: Colorado's high-risk duties, Texas's prohibitions, California's ADMT and transparency rules, NYC's bias audit. Capturing the facts about each AI system once and mapping them to each applicable law is far more efficient, and more defensible, than maintaining parallel efforts.
The direction of travel
The patchwork is likely to grow as more states act, which strengthens the case for a flexible foundation rather than law-by-law compliance. Organisations that build coherent governance now will adapt to new state laws far more easily than those who treat each as a fresh project. The specific laws will keep changing; the underlying discipline of governing AI well is the durable investment.
Key terms
- Patchwork
- The collection of overlapping state AI laws in the absence of one federal law.
- Common ground
- The shared disciplines underlying differing state AI laws.
- Governance foundation
- A coherent practice that supports compliance across multiple laws.
- National operator
- An organisation whose AI use spans many US states at once.