AI & Emerging Tech Compliance

Legal obligations when building or deploying AI systems

Overview

AI regulation is moving from theory to enforcement faster than most companies expected. The EU AI Act — the first comprehensive AI law anywhere — is now in force, with obligations phasing in through 2026 and 2027. In the US, Colorado passed the first comprehensive state AI law in 2025, followed by Texas's TRAIGA. A dozen more states have introduced or passed AI-related bills. The FTC has issued guidance on AI and deceptive practices. The EEOC has weighed in on AI in hiring. NIST published its AI Risk Management Framework.

The central organizing concept in most AI regulation is risk classification. Laws distinguish between AI systems that pose higher risk — because they make consequential decisions about employment, credit, housing, healthcare, or critical infrastructure — and systems that pose lower risk. Higher-risk systems face more demanding obligations: impact assessments, human oversight requirements, transparency disclosures, bias auditing. Understanding where your AI system falls on the risk spectrum is the first compliance question to answer.

Federal Laws

Federal: Communications Decency Act Section 230 (Section 230)
Provides immunity to online platforms from liability for third-party content. The foundational law enabling user-generated content platforms, review sites, social networks, and any platform that hosts content created by others. Not absolute — does not protect platforms from federal criminal law, IP claims, or content the platform itself creates or materially contributes to. Under active legislative scrutiny — the scope of Section 230 immunity has narrowed through case law and remains politically contested.

Federal: Cybersecurity Maturity Model Certification (CMMC)
DoD-specific cybersecurity certification requirement for defense contractors and subcontractors. Effective November 2025. Three levels — Level 1 (basic), Level 2 (advanced, requires third-party assessment for most), Level 3 (expert). Any company in the defense industrial base — including software vendors, IT service providers, and cloud providers touching DoD systems — must understand which CMMC level applies. Non-compliance means losing DoD contracts.

Federal: SBIR/STTR Programs (SBIR/STTR)
Small Business Innovation Research and Small Business Technology Transfer programs provide federal R&D funding to small businesses across 11 agencies. Awardees generally retain IP rights under Bayh-Dole principles. A major entry point for tech companies seeking federal contracts.

Browse by State

Colorado, Illinois, New York, Texas

Browse by Country

Canada

How Jurisdictions Differ

The EU AI Act is extraterritorial — if your AI system is used in the EU or its output is used there, the law may apply regardless of where you're located. US state laws are generally narrower in scope and focus on specific use cases (hiring, consumer decisions) rather than AI broadly. The key differences across state laws are: what qualifies as "high risk," what obligations attach (audit vs. disclosure vs. impact assessment), and whether there's a private right of action or only agency enforcement.
