1,200 State AI Bills. Zero Federal Framework. Here's the Only Compliance Strategy That Works.

State legislatures introduced more than 1,200 AI bills in a single year, each with its own definitions and duties, and a December 2025 executive order is now trying to preempt many of them in court. The durable move is a model-layer governance framework anchored to the NIST AI RMF and Treasury's new 230-control financial-services adaptation.

Hari Asok May 18, 2026 Ghost Watch

The United States has produced a wall of state AI legislation with no federal framework to rationalize it, and the result is compounding operational complexity for any financial firm deploying AI. The volume is now matched by legal uncertainty, because a December 2025 executive order is attempting to preempt many of these laws in court.

Why it matters

A firm building its AI compliance programme one state law at a time is designing itself into permanent reactive mode. The alternative is a model-layer governance framework that treats each new obligation as an overlay mapping rather than a ground-up project — and that framework now has a concrete reference point in Treasury's recently published financial-services adaptation of the NIST AI Risk Management Framework.

The scale of the patchwork

State legislatures introduced over 1,200 AI-related bills in 2025 and enacted just under 150, with the pace accelerating. The deeper problem is not volume but incoherence: policymakers are working without a shared test for whether their efforts constitute good policy. For financial services, the overlap is concrete. A firm using AI for credit underwriting can sit under multiple regimes with no consistent definitions across them.

The contrarian read

The instability is the argument for a model-layer approach, not against it. When specific statutes are in flux, anchoring compliance to any single law is the most fragile possible strategy. A governance architecture built around durable, framework-level controls survives whichever way the preemption fight resolves.

The closest thing to a unifying reference

On February 19, 2026, Treasury published the Financial Services AI Risk Management Framework — developed through a partnership involving more than 100 financial institutions, the FSSCC and the Cyber Risk Institute. The framework contains 230 control objectives scalable from community banks to multinationals, organized around NIST's four functions: Govern, Map, Measure, and Manage.

What's next

Three moves: adopt a model-layer governance baseline mapped to the NIST and FS AI RMFs; treat each state obligation as an overlay onto that baseline rather than a separate programme; shift from point-in-time reviews to continuous monitoring. Firms that adopt a framework-anchored architecture now will absorb future requirements as incremental additions. Firms that keep building law by law will be rewriting their compliance programmes every legislative session.
