70+ AI laws passed in 27 states in a single year. TRAIGA safe harbors nobody discusses. Chatbot companion bills in 11+ states. A 10-year federal moratorium proposal. Privacy laws with AI profiling rights. Here are the regulatory blind spots creating unaddressed client liability.
Beyond the headlines: 70+ AI laws in 27 states (2025). 1,100+ bills introduced. Chatbot bills advancing in 11+ states (2026). TRAIGA penalties up to $200K/violation + $40K/day but with NIST compliance safe harbor. Indiana, Kentucky, Rhode Island profiling opt-outs effective Jan 2026. Illinois AI video interview law in effect since 2020. Colorado delayed to June 30, 2026. House passed 10-year state AI moratorium proposal.
Most lawyers tracking AI regulation focus on the Colorado AI Act, California’s headline legislation, and the EU AI Act. That covers perhaps 30% of the regulatory surface. Over 70 AI-related laws passed in 27 states during 2025. The 2026 session produced a surge of chatbot companion bills in 11+ states, agentic AI proposals, and mental health AI restrictions with no precedent. Texas’s TRAIGA provides an affirmative defense for NIST compliance that most lawyers have not flagged. Indiana, Kentucky, and Rhode Island enacted privacy laws with AI profiling opt-out rights. Illinois’s video interview AI law has been in effect since 2020. This article catalogs the specific blind spots creating unaddressed liability.
Blind Spot 1: The Laws You Are Not Tracking
TRAIGA’s Safe Harbor: The Defense Nobody Discusses
Texas’s TRAIGA includes a provision most discussions overlook: organizations substantially complying with the NIST AI RMF or recognized standards gain an affirmative defense against enforcement. Organizations discovering violations through internal testing receive safe harbor protection. This is the first U.S. state law creating concrete legal incentive for framework adoption. Penalties reach $80,000 to $200,000 per uncurable violation plus $2,000 to $40,000/day for continuing violations. NIST alignment becomes legal defense, not just governance.
Privacy Laws with AI Profiling Rights
Indiana, Kentucky, and Rhode Island enacted comprehensive privacy laws effective January 2026, all modeled on Virginia’s VCDPA. Each provides profiling opt-out rights and requires impact assessments for high-risk processing. These apply directly to AI-driven decision-making: customer segmentation, risk scoring, pricing, eligibility. Most lawyers track these as privacy, not AI. Organizations using AI in these states face obligations many governance programs miss.
Chatbot Companion Laws: The 2026 Surge
Bills are advancing in Virginia, Washington, Utah, Arizona, Hawaii, and 6+ more states. California SB 243 (effective January 2026) is the template. Tennessee unanimously prohibited AI from presenting as mental health professionals. Colorado introduced psychotherapy AI legislation. These create disclosure requirements, crisis referral mandates, emotional manipulation restrictions, and minor protections applicable to any consumer-facing chatbot deployment.
Illinois Employment AI: Effective Since 2020
The Illinois AI Video Interview Act (820 ILCS 42) requires employers to notify applicants of AI use, explain how it works, and obtain consent. Illinois HB 3773 (January 2026) expanded requirements. Many employment lawyers include NYC LL144 but omit Illinois. Baker Botts specifically flags Illinois compliance as a requirement alongside notice procedures and data retention documentation.
Montana and Nevada: Likeness and Political AI
Montana enacted AI-generated likeness protections. Nevada requires political AI disclosure in advertising. These are narrow laws that create specific liability for entertainment, media, advertising, and political consulting clients, and general governance assessments do not cover them.
These blind spots are not just theoretical. They translate into real malpractice and liability risks as AI becomes embedded in decision-making across industries.
The Blind Spot Map
| Category | What Most Lawyers Track | What They’re Missing |
|---|---|---|
| Comprehensive AI | Colorado, EU AI Act | TRAIGA safe harbor for NIST, Colorado delay to June 2026, Utah amended safe harbors |
| Privacy + AI | CCPA/CPRA, GDPR | IN, KY, RI profiling opt-outs and impact assessments (Jan 2026) |
| Employment AI | NYC LL144, EEOC | Illinois Video Interview Act (2020), HB 3773 (2026), CA Civil Rights AI regs, 4-year retention |
| Healthcare AI | FDA SaMD, HIPAA | CA AB 489, TX SB 1188, TRAIGA healthcare, TN mental health prohibition |
| Chatbots | General disclosure | CA SB 243, 11+ state bills, crisis referrals, emotional manipulation, minors |
| Content / Media | Deepfake basics | MT likeness rights, NV political AI, CA SB 942 ($5K/day), CA AB 2013 training data |
| Federal Preemption | Dec 2025 EO, DOJ Task Force | 10-year moratorium in “One Big Beautiful Bill,” sandbox exemptions |
| Safe Harbors | General compliance | TRAIGA NIST defense, internal testing harbor, Utah disclosure harbor, ISO 42001 as evidence |
Blind Spot 2: Preemption Uncertainty as a Client Risk
The December 2025 executive order directed DOJ to challenge state AI laws. The House passed a 10-year moratorium on state AI regulation in the “One Big Beautiful Bill.” Three scenarios require distinct advice: no preemption (comply with strictest state requirements), partial preemption (differentiate preserved vs. preempted requirements), full preemption (satisfy the federal standard, likely NIST-based).
The advisory obligation is clear regardless: build programs around durable principles (risk assessment, transparency, accountability, documentation) that remain defensible under any scenario. Advising clients to wait for clarity exposes them to current enforcement from existing laws.
The preemption paradox: The executive order does not propose preemption of child safety regulations, state government AI procurement, or AI infrastructure regulation. Organizations in these areas should assume continued state enforcement. For everything else, build to survive all three scenarios.
Blind Spot 3: Sector-Specific Triggers
Healthcare: The disclosure cascade. CA AB 489 (no implied licensure), TX SB 1188 (practitioner AI disclosure), TRAIGA (government healthcare), TN (mental health prohibition), CA SB 243 (chatbot crisis referrals). A healthcare org deploying AI across states may trigger 5+ separate disclosure obligations with different content and timing requirements.
Employment: Beyond NYC LL144. Illinois video interview AI (2020). HB 3773 (2026). California Civil Rights AI regs (October 2025). California 4-year retention. Colorado consequential decisions. All cumulative, not alternative.
Financial services: Quiet convergence. CFPB adverse action, IN/KY/RI profiling impact assessments, Colorado financial/lending coverage, SEC AI washing, FINRA output responsibility. A national financial firm may face 6+ simultaneous obligations from different sources for a single AI system.
Content and advertising: Overlooked specifics. CA SB 942 ($5,000/violation/day for unlabeled AI content, 1M+ user threshold). CA AB 2013 training data summaries. Montana AI likeness. Nevada political AI. These are transparency laws that create AI liability.
Blind Spot 4: Safe Harbors You Are Not Using
TRAIGA NIST compliance defense. The strongest safe harbor in any U.S. AI law. Substantial NIST AI RMF compliance = affirmative defense. Recommend NIST alignment as litigation defense preparation.
TRAIGA internal testing safe harbor. Discovering violations through red-teaming and adversarial testing = protection. Document all testing as potential safe harbor evidence.
Utah disclosure safe harbor. SB 226 protects organizations that disclose AI use throughout consumer interactions. This is a compliance-for-protection trade that many organizations have not implemented.
ISO 42001 as defensive evidence. Certification provides third-party verified governance maturity. Demonstrates reasonable care (Colorado’s standard). As TRAIGA rewards recognized framework alignment, ISO 42001 strengthens the defensive position in enforcement, regulatory inquiry, and litigation.
How to Close the Gaps
- Expand regulatory monitoring. Track TRAIGA, Utah UAIPA, Illinois employment AI, IN/KY/RI privacy profiling, 11+ state chatbot bills, and healthcare AI disclosure laws. Not just Colorado, California, and EU AI Act.
- Map safe harbors per client. TRAIGA NIST defense, internal testing harbor, Utah disclosure harbor. Document which apply to each client’s jurisdictional exposure. Recommend framework alignment as legal defense.
- Advise on preemption as risk, not resolution. Current laws are enforceable now. Build around durable principles. Monitor the moratorium proposal and DOJ Task Force.
- Audit sector-specific triggers. Healthcare: disclosure cascade. Employment: beyond LL144. Financial services: quiet convergence. Content: labeling penalties. Each sector has obligations general assessments miss.
- Build framework credentials. ISO 42001 Lead Implementer certification and NIST AI RMF expertise. TRAIGA’s safe harbor makes NIST compliance a legal defense tool. ISO 42001 provides third-party evidence in enforcement proceedings.
Even in the absence of a single comprehensive AI law, lawyers already have multiple enforcement pathways available under existing U.S. legal frameworks.
The Regulation You Are Not Tracking Creates the Liability
The regulatory surface extends far beyond the laws most lawyers monitor. 70+ laws in 27 states. Chatbot legislation in 11+ states. Safe harbors most lawyers have not flagged. Preemption uncertainty requiring advisory. Sector triggers creating overlapping obligations. The lawyers who serve clients best track the full surface, not just the headlines.
The practical first step: expand your regulatory monitoring scope and audit your current client assessments against the blind spot map in this article. The gaps you find are the advisory engagements waiting to be delivered.
GAICC offers ISO/IEC 42001 Lead Implementer training that provides the framework expertise for AI governance advisory, including the NIST AI RMF alignment that TRAIGA’s safe harbor rewards. Explore the program to build the credential that converts into both client value and legal defense strategy.