Does US AI law apply to small businesses?

At the federal level, there is no single comprehensive US AI law. Federal AI governance relies on agency enforcement under existing laws (FTC Act, Equal Credit Opportunity Act, Fair Housing Act, HIPAA, and others), voluntary guidelines such as the NIST AI Risk Management Framework, and executive orders. The December 2025 Executive Order signed by President Trump signals federal intent to consolidate AI oversight and counter state-level regulation, but it does not preempt existing state laws and no federal AI law is expected to pass in the near term.

At the state level, several significant AI laws came into effect in 2026 that small businesses operating in those states must understand. The practical reality for US small businesses in 2026: AI compliance obligations are predominantly state-driven, sector-driven, and use-case-specific, not size-driven. A small business using AI for hiring, credit decisions, or customer-facing services in Colorado, California, Texas, or Illinois has real legal obligations right now.

The four most significant state AI laws for small businesses

Colorado AI Act, repealed and replaced before it took effect. Colorado's original SB 24-205 was the first comprehensive US state AI law, closely modelled on the EU AI Act's risk-based approach, and would have required deployers of "high-risk AI systems" to conduct annual impact assessments, run a risk-management policy, notify consumers of consequential AI decisions, and offer human appeal. It never came into force: after its start date slipped and a federal court stayed enforcement (April 2026), Governor Polis signed SB 189 on 14 May 2026, repealing and replacing it with a narrower, disclosure-based law effective 1 January 2027. Colorado businesses should now plan against the SB 189 disclosure framework, not the original impact-assessment regime, and confirm the Attorney General's implementing rules as they are issued.

Texas TRAIGA (HB 149), effective 1 January 2026. Texas took a different and lighter-touch approach. TRAIGA focuses primarily on state agency AI use and prohibits intentional discrimination using AI. For private-sector businesses, TRAIGA's strongest provisions are the prohibitions: AI systems must not be used to intentionally discriminate or to incite self-harm. Unlike Colorado, Texas does not require impact assessments or consumer notices for most private-sector deployers. Disclosure obligations apply specifically to healthcare providers and government agencies, not to most small businesses.

California SB 53 (AI transparency for frontier models), effective 1 January 2026. California's SB 53 requires developers of frontier AI models (those trained above certain compute thresholds) to publish safety frameworks and conduct annual assessments. This applies to a very small number of large AI companies and generally does not affect small business deployers. California also has the Automated Decision Systems (ADS) Accountability Act (AB 2930) moving through the legislative process, which, if enacted, would impose impact assessment requirements on deployers and is worth monitoring.

Illinois AI Video Interview Act and Illinois Human Rights Act (HB 3773, effective 1 January 2026). Illinois prohibits employers from using AI that results in discrimination against applicants or employees on the basis of protected characteristics. The Illinois AI Video Interview Act (in force since 2020) requires employer consent before using AI to analyse facial expressions or voice patterns in video interviews. For any Illinois employer using AI in hiring, regardless of size, these obligations apply.

Federal enforcement through existing law: what small businesses are already exposed to

Even without a federal AI law, federal agencies are actively enforcing AI-related harms under existing legal frameworks. Small businesses using AI in regulated areas face the following:

FTC enforcement. The Federal Trade Commission has issued guidance that using AI to make false claims, produce deceptive outputs, or engage in unfair practices violates the FTC Act. Businesses that use AI to generate marketing content, customer communications, or product claims must ensure those outputs are accurate and not deceptive.

Equal Credit Opportunity Act and Fair Housing Act. Using AI in credit decisions or housing allocation must comply with existing non-discrimination law. If an AI model produces disparate impact outcomes for protected classes, the business deploying it faces liability regardless of whether the discrimination was intentional. The CFPB has confirmed that ECOA's explanation requirements apply to AI-generated credit decisions: lenders must be able to explain adverse action in a way humans can understand.

HIPAA. Healthcare businesses using AI that processes protected health information (PHI) must ensure AI vendors and tools comply with HIPAA's security and privacy requirements, including appropriate Business Associate Agreements.

What US small businesses should do now

Given the fragmented landscape, small businesses should focus compliance efforts on the areas of highest actual risk rather than attempting to track every state bill. The priority actions are:

Map AI use to potential harms. Where is your business using AI to make or influence decisions about people: hiring, credit, customer service, pricing, content moderation? These are the areas where legal exposure concentrates, regardless of which state you operate in.

Check state applicability. If you operate in Colorado, the AI Act applies to you if you use high-risk AI systems affecting Colorado consumers. Confirm whether your AI tools fall into the high-risk categories under Colorado SB 24-205 and begin impact assessment planning for the February 2026 compliance deadline.

Review hiring tools. Any AI-assisted hiring tool (resume screening, interview scoring, candidate ranking) is in the highest-risk category across multiple state laws. Ensure vendors can provide bias testing documentation, that humans review AI hiring recommendations before final decisions, and that you can provide explanations to applicants on request in applicable states.

Check vendor agreements. State laws increasingly hold deployers, not just developers, accountable for AI harms. Your contracts with AI vendors should require bias testing documentation, notification of significant incidents, and confirmation of the vendor's own regulatory compliance.

Further reading: NIST AI RMF
