Introduction
Artificial intelligence (AI) adoption has advanced rapidly, along with the legal and regulatory frameworks designed to govern it. Here, we provide a report of major advancements in U.S. AI policy, legislation, regulation, enforcement, and litigation through May 2026, examining (1) Legislative and Regulatory Activity; (2) Private Litigation; and (3) AI in the Courtroom.
Legislative and Regulatory Activity
As discussed in our earlier advisory, in a December 2025 Executive Order (Ensuring a National Policy Framework for Artificial Intelligence), the Trump Administration directed federal agencies to implement a national AI policy framework that prioritizes innovation; establish a task force to challenge state laws deemed “onerous” to AI development; and withhold funding from states that pass AI regulations. It also directed the Federal Trade Commission (FTC) to issue regulations seeking to preempt state unfair competition laws in the AI space.
The Executive Order makes exceptions for state laws governing children’s safety, data center construction, and government procurement of AI. Even outside these exception areas, however, federal and state officials have continued to regulate AI through a combination of existing laws—such as prohibitions on unfair and deceptive trade practices—and new legislation.
FTC Section 5 enforcement has continued despite a decision to set aside one consent decree against an AI company based on its alleged role in facilitating the production of false product reviews and endorsements. Recent FTC enforcement has focused on AI companies accused of making misleading claims.
At the state level, lawmakers have created a patchwork of overlapping compliance burdens, raising questions about how businesses should prioritize competing requirements. Most AI regulations, however, fall into the following six areas:
- Automated decision-making technologies.
- Companion chatbot laws.
- Surveillance pricing.
- Frontier model regulation.
- Nonconsensual deepfakes.
- Restrictions on AI use in licensed professions.
Automated decision-making technologies
California and Colorado have passed laws or regulations governing “Automated Decision-Making Technologies” (ADMT) used in high-impact areas such as employment, education, housing, financial services, insurance, and health care.
In October 2025, the California Privacy Protection Agency (CPPA) significantly expanded the reach of the California Consumer Privacy Act (CCPA) through regulations governing ADMT.
On May 14, 2026, the Colorado governor signed SB 26-189, repealing and replacing the 2024 Colorado AI Act with an entirely new regulatory regime focused on the use of ADMT to “materially influence a consequential decision.” For a more detailed analysis of the California regulations, see this advisory. For more detail on the Colorado AI Act and SB 26-189, see this blog post.
Although both laws impose pre-use disclosure requirements on businesses that use ADMT in covered areas, they differ in other compliance burdens and procedural requirements.
In California, effective January 1, 2026, and with phased deadlines through 2030, businesses must:
- Complete a privacy impact assessment before using ADMT to make a significant decision.
- Provide consumers with disclosures describing the methodology behind any models used.
- Respond to consumer ADMT opt-out requests within 15 days.
In Colorado, effective January 1, 2027, businesses must:
- Clearly and conspicuously disclose the use of ADMT, including through a clear and conspicuous link next to a user action.
- Disclose within 30 days when ADMT was used to make a decision resulting in an adverse outcome.
- Grant consumers a right to appeal any adverse decisions made by ADMT to a human reviewer to the extent “commercially reasonable.”
Unlike California, Colorado also imposes additional documentation requirements on ADMT developers.
Companion chatbot laws
The following states have enacted laws governing “companion” AI chatbots:
- New York (General Business Code Chapter 20 Article 47, effective November 5, 2025).
- California (SB 243, effective January 1, 2026 with additional provisions effective January 1, 2027, requiring annual reports describing crisis referrals and safety protocols).
- Washington (HB 2225, effective January 1, 2027).
- Oregon (SB 1546, effective January 1, 2027).
- Connecticut (SB 5, effective January 1, 2027).
- Georgia (SB 540, effective July 1, 2027).
- Iowa (Senate File 2417, effective July 1, 2027).
- Idaho (SB 1297, effective July 1, 2027).
An “AI Companion” is generally defined as a generative AI system with a natural language interface that provides human-like responses to inputs and can sustain a relationship across multiple conversations. In Idaho and Iowa, however, novel laws adopt a broader approach, applicable to “Conversational AI Services,” meaning publicly accessible AI chatbots whose primary purpose is to simulate human conversation.
The AI companion laws apply to “Operators”—businesses that control the relevant AI system and make it available to end users. These laws generally impose heightened obligations when an Operator knows the user is under 18 years old. For example, Operators may be required to take reasonable measures to prevent the AI Companion or Conversational AI Service from generating sexually explicit content or content that promotes self-harm.
In Washington, Oregon, Georgia, and Connecticut, Operators may not implement manipulative design techniques—such as feigning emotional distress when a user attempts to log off—when interacting with a known minor under 18.
In Washington and Oregon, consumers have a private right of action to recover actual damages for any harm resulting from the use of an AI Companion.
Exemptions generally apply to AI systems used for customer service, internal business operations, and smart speakers that do not retain information across conversations, although applicable exemptions vary by statute.
Surveillance pricing
New York and Maryland have passed laws regulating algorithms that alter consumer prices based on personalized metrics.
In New York, General Business Law § 349-a, effective November 10, 2025, amends the state’s General Business Code to address “personalized algorithmic pricing.” This law requires businesses to clearly and conspicuously include a statutory disclosure statement when they set prices using a personalized algorithm. For more on the New York law, see our blog post.
In Maryland, HB 895/SB 387, effective October 1, 2026, prohibits food retailers and third-party delivery services from providing dynamic prices based on consumer personal data.
Frontier model regulation
New York (RAISE Act, effective March 19, 2026) and California (Transparency in Frontier AI Act, effective January 1, 2026) have passed laws governing “large” developers of “frontier” models—companies with annual revenue exceeding $500 million that develop AI models trained on at least 10^26 floating-point operations. Both laws aim to mitigate and prevent widespread harms inflicted by unsupervised large AI systems and include:
- Reporting obligations following critical security events such as security events resulting in property damage exceeding $1 billion.
- Safety obligations for large frontier model developers.
- Significant financial penalties for violations.
See our blog post for an in-depth description of New York’s RAISE Act and a comparison with California’s Transparency in Frontier AI Act.
Nonconsensual deepfakes
Several states have passed laws addressing the risks of AI-generated deepfakes. These laws generally fall into two categories: those addressing commercial risks and those addressing noncommercial risks.
Commercial risks
Commercial risks include the use of AI to promote products, impersonate celebrities, or appropriate a real or deceased person’s physical features for financial gain. Tennessee, California, Illinois, Utah, and New York have passed laws to address these risks.
Tennessee’s ELVIS Act, effective July 1, 2024, extends publicity-style protections to voice alongside name and likeness and creates civil liability for unauthorized AI-enabled replicas of a human voice.
California’s AB 2602, effective January 1, 2025, expands the likeness and voice rights of deceased performers by prohibiting the unauthorized commercial use of AI-generated deepfakes.
In Illinois, HB 4875, effective January 1, 2025, amends the state’s right of publicity to protect against digital replicas of voice and likeness.
In Utah, SB 271, effective May 7, 2025, expands “abuse of personal identity” to include unauthorized commercial uses of deepfakes.
New York’s S8420A, effective June 9, 2026, requires companies to disclose when they use generative AI to create a synthetic performer in an advertisement.
Noncommercial risks
Laws addressing the noncommercial risks of deepfakes tend to focus on nonconsensual sexual imagery or child sexual abuse material (CSAM). Some examples are provided below.
In Texas, SB 441, effective September 1, 2025, declares it a criminal offense to produce explicit AI-generated content of a person without their consent. Similarly, the Texas Responsible AI Governance Act, effective January 1, 2026, imposes heightened criminal penalties for AI-generated CSAM.
In Utah, Utah Code 76-5b-103, effective May 6, 2026, updates CSAM and intimate-images statutes to include AI-generated apparent sexual material.
The federal Take It Down Act, effective May 19, 2026, (1) prohibits nonconsensual online publication of real or AI-generated intimate depictions of an individual, and (2) requires platforms to establish a process for victims to report offending imagery.
The FTC has sent letters to major tech platforms calling on them to fully comply with the Take It Down Act by May 19, 2026.
Restrictions on AI use in licensed professions
Several states have passed laws and launched enforcement inquiries into AI chatbots that provide services typically associated with licensed professions such as medical care, mental health services, and legal services.
Utah’s SB 226, effective May 7, 2025, defines a “high-risk” AI interaction as one that could result in personalized recommendations, advice, or information reasonably relied upon for the provision of financial advice, legal advice, medical advice, mental health services, or other “significant personal decisions.” This law requires practitioners and businesses to prominently disclose to consumers when a high-risk AI interaction is taking place.
Illinois’ Wellness and Oversight for Psychological Resources Act, effective August 1, 2025, prohibits the use of AI systems in therapy to make independent therapeutic decisions and limits practitioners’ uses of AI for health care-related decisions.
Texas’s SB 1188, effective September 1, 2025, places disclosure requirements on health care providers who use AI for diagnostic purposes, including recommending a diagnosis or course of treatment based on a patient’s medical record. Providers must clearly inform patients of AI use.
In Georgia, Iowa, and Idaho, applicable AI companion laws forbid Operators from knowingly and intentionally causing an AI Companion or Conversational AI Service to represent that it is licensed to provide mental or behavioral health services.
Private Litigation
Litigation against AI deployers and developers has remained steady, particularly in two areas:
- Torts, including negligence, product liability, design defect, or wrongful death.
- Intellectual property (IP) claims under copyright and trademark law.
In anticipation of these types of litigation, Utah and California have passed laws clarifying that civil defendants cannot avoid liability by claiming that an AI system autonomously caused the plaintiff’s harm.
Utah’s SB 226, effective May 7, 2025, states that it is not a defense to argue that a generative AI system made the violative statement, undertook the violative act, or was used in furtherance of the violation.
California’s AB 316, effective January 1, 2026, states that a defendant who “developed, modified, or used” AI that is alleged to have caused a harm “may not assert that the [AI] autonomously caused the harm.”
Tort claims
Since the beginning of 2026, plaintiffs have brought new claims against large AI developers under novel theories of negligence, product liability, wrongful death, and wrongful interference with contract. For instance:
- An insurer brought claims against a large AI chatbot developer for unauthorized practice of law, tortious interference with contract, and abuse of process after the chatbot allegedly drafted 44 court filings seeking to reopen a settlement agreement.
- The family of a deceased mass shooting victim brought claims against a large AI chatbot developer for negligence, gross negligence, strict product liability, design defect, and wrongful death on the basis that the shooter used the chatbot to help plan his attack.
- The family of a deceased 14-year-old sued a large AI Companion developer on the basis that the child developed an intense relationship with the AI Companion, leading to suicidal behavior. Initially filed in 2024, the claim survived and proceeded to discovery before a settlement was reached in January 2026.
Intellectual property
AI IP litigation has held steady as several classes of authors and other creators have brought a combination of the following claims against developers of large AI chatbots:
- Direct copyright infringement for training AI models on copyright-protected content.
- Violations of the Digital Millennium Copyright Act (DMCA) for alleged removal of protected markings during AI training.
- Vicarious copyright infringement for AI outputs that are substantially similar to copyright-protected content.
Developers have generally responded by raising Fair Use as a defense. So far, only three courts have weighed in on the extent to which AI training and functionality qualify as Fair Use. These judges each took a unique approach to the Fair Use issue by emphasizing different elements in the Fair Use assessment.
For instance, one judge from the Northern District of California compared AI training to training schoolchildren to write well but ruled that a large AI chatbot provider could not raise fair use as a defense for downloading and consolidating protected works from unauthorized sources to create a training corpus. Meanwhile, another judge on the same court expressly rejected the schoolchildren analogy and focused instead on the potential dilution effect of AI chatbots on the market for protected works.
AI in the Courtroom
Over the past year, courts have begun addressing whether AI conversations may be discoverable and admissible in trial.
In one case, the Southern District of New York concluded that a criminal defendant could not claim attorney-client privilege or work product protection over his conversations with a public AI chatbot, even though his AI records contained protected information from meetings the defendant had with his attorney.
In the same vein, the Delaware Court of Chancery admitted excerpts of an AI chatbot conversation during a dispute regarding a large acquisition deal—going so far as to include block quotes from the chatbot’s output in its judicial opinion.
On the other hand, in a different dispute, the Eastern District of Michigan reached the opposite conclusion. There, the court held that AI conversation records enjoyed work product protection even though they involved a publicly available AI tool that did not maintain confidentiality of input information. Critically, the court emphasized that the AI user in this case was acting as a pro se litigant and thus her “internal analysis and mental impressions,” as encapsulated in her AI conversations, could not be discoverable.
To address questions associated with the use of AI in the courtroom, the California State Bar Standing Committee on Professional Responsibility and Conduct has proposed changes to its professional rules. If passed, the revised rules would:
- Require attorneys to keep abreast of the benefits and risks associated with AI’s use in the practice of law.
- Require independent review and verification of the output of any AI tool or other technology used when representing a client.
- When the use of AI or other technology presents a “significant risk” or “materially affects the scope, cost, manner, or decision-making process,” require attorneys to communicate the use of technology with the client in a manner sufficient to permit the client to make informed decisions.
- Expressly prohibit attorneys from providing confidential information to AI tools.
- Amend the duty of candor and include an obligation to verify the accuracy and existence of cited sources.
Judges have also issued standing orders addressing AI verification, disclosure, and allocations of risk for attorneys presenting before them.
For instance, Judges Eumi K. Lee and Araceli Martínez-Olguín of the Northern District of California both require filings containing AI-generated content to include a certification that lead trial counsel has personally verified the content’s accuracy and require counsel to retain records of all prompts submitted to generative AI tools in preparing those filings.
Looking Ahead
Child safety will remain a top priority for lawmakers and regulators
A concern for child safety has emerged as a consistent trend across AI legislation and litigation. Regulations governing AI Companions, AI use in licensed professions, and nonconsensual deepfakes all address concerns related to child safety and the future of AI. Child safety has likewise remained a federal priority and an exception to the AI Executive Order. Moving forward, lawmakers will continue to prioritize legislation that increases safeguards for minors under the age of 18.
States will likely rely on transparency as a primary vehicle for policies that regulate AI to protect consumer rights
Regulations governing automated decision-making technology and surveillance pricing aim to protect consumer rights. Currently, the amended Colorado AI Act, California ADMT regulations, and New York law on algorithmic surveillance pricing require businesses to clearly and conspicuously disclose AI use to affected consumers. Disclosure has remained a consistent feature of regulations, even when consumers may have no right to opt out of AI use, such as under the New York surveillance pricing law. Moving forward, states will likely continue requiring businesses to disclose their AI use in circumstances that concern consumer rights.
Legislation will likely continue to focus on targeted issue areas
Following the passage of the EU AI Act, nations around the world have contemplated similar risk-based laws that attempt to regulate AI across a wide range of industries. For instance, South Korea enacted one such law in January 2025.
In the United States, Colorado was the only state to have passed a comprehensive piece of legislation to govern many different actors based on their AI risk. The delay and eventual repeal and replacement of the Colorado AI Act may suggest that states are shying away from this legislative approach, in favor of a continued focus on targeted issue areas.
AI IP infringement claims will proceed, and courts will likely reach divided outcomes when evaluating fair use
Large AI IP infringement claims have entered discovery and will continue to progress, likely raising the number of occasions for courts to weigh in on the extent to which AI training constitutes fair use. Early opinions indicate that courts will decide these issues on a case-by-case basis and may draw a distinction between the act of curating training libraries from unauthorized sources and the act of copying protected work during the AI training process itself.
Attorneys should review local standing orders, court rules, and professional guidelines before using AI tools for client work
Procedural and ethical rules may impose additional obligations on the use of AI in the courtroom. Attorneys may face sanctions, ethical violations, and other discipline when they fail to adhere to these rules by, for example, failing to include a certified statement disclosing the use of AI in a court filing and confirming that all AI-generated content has been verified by a human. As AI use among lawyers continues to increase, individual judges and state bar associations will continue to publish similar rules.
AI will likely raise new cybersecurity vulnerabilities that result in litigation
Widespread AI adoption has created new opportunities for cybersecurity incidents.
In November 2025, the People’s Republic of China used a large AI chatbot to launch a cyberattack resulting in a Homeland Security report. Likewise, Mixpanel—a data analytics company providing services for a large foundational chatbot—was sued following a breach resulting in the disclosure of names, email addresses, organization IDs, and coarse location data. In that case, the plaintiffs voluntarily dismissed their claims before the Northern District of California could weigh in on the issues. However, the incident demonstrates how the proliferation of AI tools can result in new cyber vulnerabilities and risks.
Recommendations
Businesses should closely track legal and regulatory advances when developing AI tools, negotiating AI contracts, and providing public access to AI. Companies that use AI in operations or pricing may face increased scrutiny under emerging ADMT and surveillance pricing laws. Businesses offering access to AI chatbots may face significant exposure under AI companion laws, as well as laws governing deepfakes and AI use in licensed professions. Meanwhile, IP and tort claims may continue to increase the cost of developing foundational AI models, which may in turn raise costs for downstream enterprise users.



