U.S. states are moving ahead with targeted artificial-intelligence rules even as the White House and members of Congress try to replace the growing patchwork with one national framework.
The new measures do not all regulate the same technology or impose the same duties. Some focus on companion chatbots used by minors. Others require notice when AI influences employment, education, housing, lending, or other consequential decisions. States are also addressing synthetic-media identification and the safety policies used by developers of the largest frontier models.
That distinction matters: this is not one coordinated state rulebook, and not every measure discussed in the current debate is law. Some provisions are already enacted, some have future effective dates, and others are still awaiting a governor's signature or further legislative action.
States are choosing narrower pressure points
Earlier attempts to pass broad, economy-wide AI regulation often ran into resistance from governors and technology companies that considered them too sweeping. The current wave is more targeted. Legislators are concentrating on situations where a person may not know AI is involved, where a child may form an ongoing relationship with a chatbot, or where a model's failure could create unusually severe harm.
The Associated Press reports that Colorado, Connecticut, Idaho, Iowa, Nebraska, and Oregon are among the states that have passed chatbot-related laws in 2026. The details vary, but recurring themes include telling users when they are interacting with AI, limiting harmful interactions with minors, giving parents more control, and protecting information shared with a chatbot.
Connecticut's newly enacted AI law illustrates how quickly these rules can extend beyond a conventional technology-policy bill. Its provisions cover companion-chatbot safeguards, consumer protections, education, teacher preparation, and workforce development. For companion systems used by minors, the law ties access to safeguards against encouraging self-destructive behavior and tools that let parents manage use.
Disclosure is becoming a product feature
Another category of state law focuses on notice. The basic question is simple: when AI is influencing an important decision, should the person affected be told?
AP reports that Colorado adopted a requirement for companies deploying AI in areas such as employment, education, housing, and banking to disclose when the system is being used to influence a decision about someone. Other measures address whether people know they are talking to a machine or whether synthetic media can be identified as AI-generated.
For product teams, disclosure cannot be treated as a sentence added to a privacy policy after launch. It may need to appear at the moment of interaction, before a consequential decision, beside generated content, or inside an appeal and support flow. That makes compliance part of interface design, data architecture, and release testing.
Illinois is testing independent review for frontier-model safety
Illinois lawmakers have passed a frontier-model safety bill that was awaiting action from Governor JB Pritzker when AP reported on it. The proposal builds on laws adopted in California and New York that require developers of large, advanced models to publish protocols intended to reduce catastrophic risks such as major cyberattacks, biological-weapons assistance, or disruption of critical infrastructure.
The Illinois measure adds an important step: an independent auditor would review whether a developer is following its own published safety policies. That is different from asking the auditor to guarantee that a model is safe. It creates outside scrutiny around whether the company is doing what it said it would do.
The bill received nearly unanimous legislative support, but it should still be described as pending unless and until it is signed. Its significance is the direction of travel. Voluntary safety frameworks are beginning to acquire reporting, review, and accountability layers that can be examined outside the company that wrote them.
Washington is pushing in the opposite direction
The federal government is simultaneously trying to limit state-by-state divergence. A White House executive order signed on December 11, 2025 says that a patchwork of state regulation makes compliance harder, particularly for startups, and directs the administration to pursue a minimally burdensome national standard.
The order created an AI Litigation Task Force to challenge state laws the administration considers inconsistent with federal policy. It also directed the Commerce Department to evaluate state AI laws, raised the possibility of conditioning some federal funding, and called for federal reporting and disclosure standards that could preempt conflicting state requirements.
Yet the order's requested legislative framework expressly leaves room for some state authority, including lawful child-safety protections, state procurement and use of AI, and AI compute or data-center infrastructure. Those carve-outs reflect the political difficulty of sweeping every state measure aside, especially when laws address children, schools, local services, or traditional consumer-protection concerns.
Axios reported in June that White House and congressional officials were relaunching negotiations over federal preemption. But negotiations are not legislation. Until Congress passes a federal law that validly displaces particular state requirements, companies still have to track the rules that apply where they build, sell, and operate.
The compliance map is becoming part of the product map
A digital product can reach every state through one app store listing or website, but its legal obligations may no longer be uniform. A companion feature might require different age checks or parental controls. A hiring tool may need a specific disclosure. Generated media may need provenance information. A frontier-model provider may face separate reporting and safety duties.
Companies can respond by creating fifty separate products, but that is rarely practical. A more durable approach is to build a strong common baseline and keep jurisdiction-sensitive behavior configurable. Age protections, AI disclosures, consent records, content labels, human-review paths, and incident reporting should be reusable product capabilities rather than one-off patches.
This is similar to the measurement problem we examined in AI use at work: the category "AI" is too broad to govern well without knowing which system is acting, what decision it affects, what data it uses, and who can challenge the outcome. State laws are increasingly attaching obligations to those concrete interactions.
What this means for SunMarc
For SunMarc App Labs, the immediate lesson is to inventory AI features by behavior, not by marketing label. A feature that generates copy, recommends an action, talks conversationally, processes a child's data, or materially influences a user deserves its own risk and disclosure review.
Any future conversational feature should begin with clear machine-identity disclosure, conservative defaults for minors, a defined escalation path for harmful content, and minimal retention of sensitive conversation data. Those are useful protections even before a specific law applies.
For tools that help users compare costs, navigate information, or make a practical decision, the product should distinguish calculation from recommendation and automation from final judgment. Important outputs should show their assumptions, provide a correction path, and avoid implying that an AI-generated result is a professional or legally binding decision.
Finally, compliance work should remain modular. The same underlying app can use configuration to enable a notice, restrict a feature by age, preserve an audit record, or route a decision to human review. Building those controls into the product system is more reliable than trying to rewrite the experience each time a state changes its law.
The patchwork is already operational
The federal-state contest may eventually produce a clearer national framework, a set of court rulings, or a negotiated division of responsibility. None of those outcomes is settled today.
What is settled is that state AI policy is no longer theoretical. Enacted laws are reaching chatbot design, education, consumer notice, employment, finance, synthetic media, and frontier-model governance. Pending bills are testing independent audits and stronger accountability. Federal officials are trying to narrow the field, but they have not erased it.
Developers should therefore treat AI regulation as a changing product requirement, not a distant legal headline. The teams that can identify where AI acts, explain it to users, apply safeguards consistently, and adapt controls by jurisdiction will be better prepared whichever level of government writes the next rule.