State-by-State AI Disclosure Rules for Professionals in 2026

The U.S. state AI law landscape moved more in 2025-2026 than in any prior year, and the picture as of mid-May 2026 is: several large states have AI disclosure laws either effective, recently delayed, or actively being amended. For professionals using AI in client-facing work, the operative question is which of these laws apply to your specific use of AI and what disclosure language each requires.

This guide walks through the laws most likely to affect working professionals as of May 2026 — what's effective, what's been delayed or amended, and what the disclosure language actually says. State law moves fast; verify current effective dates and current statutory language before relying on any of this.

The big picture as of May 2026

There is no single U.S. federal AI disclosure law for professionals using AI in client work. Disclosure obligations come from three layers:

1. Federal sectoral law — HIPAA for PHI, GLBA for financial data, FERPA for education, FTC Section 5 for unfair or deceptive practices, SEC rules for investment advisers, etc.
2. State AI-specific statutes — Colorado AI Act, Utah AIPA, Texas TRAIGA, California's package (AB 2013, SB 942, AB 489, AB 3030, etc.), Illinois HB 3773, and others.
3. State professional licensing rules and ethics opinions — state bars, medical/nursing/social work boards, accountancy boards, insurance commissioners.

This post is layer 2. For layer 1 see our HIPAA-compliant AI guide; for layer 3 see our professional ethics disclosure guide.

California

California has the largest cluster of AI-specific statutes in the U.S., several taking effect in 2026.

AB 2013 — Generative AI Training Data Transparency Act. Effective January 1, 2026. Requires developers of generative AI systems released or substantially modified in California to publicly post detailed documentation of training data — sources, types, IP status, licensing, processing history, whether personal information was used. This is a developer obligation, not a professional-user obligation, but it affects which models you can rely on for transparency-sensitive use cases.

SB 942 — California AI Transparency Act. Effective date currently August 2, 2026 (delayed from January 1, 2026). Requires "covered providers" — generative AI systems with over 1 million monthly users in California — to provide free AI-content detection tools, support manifest disclosures (visible labels), and embed latent disclosures (metadata watermarks). Again, primarily a developer obligation, but affects what tools your clients can use to verify outputs.

AB 489 — Healthcare Professions: Deceptive Terms or Letters: AI. Effective January 1, 2026. Prohibits AI from using post-nominal letters, icons, phrases, or design elements that imply care from a licensed healthcare professional unless that oversight is actually present. Restricts marketing language like "doctor-level," "clinician-guided," "expert-backed" unless genuinely supported by licensed professionals. Enforced by professional licensing boards. Each instance is a separate violation.

AB 3030 (passed 2024, in force). Health facilities, clinics, and physician/group offices using generative AI to generate written or verbal patient communications about clinical information must include: (a) a disclaimer that the communication was AI-generated, prominent at start (or throughout, for chat/video/audio), and (b) clear instructions for how to reach a human. Codified at Health & Safety Code § 1339.75.

AB 316. Affects civil liability. Prevents defendants who "developed, modified, or used" AI technology from asserting that the AI "autonomously caused the harm" as a defense. Important for malpractice contexts.

TFAIA (Transparency in Frontier AI Act). Among the 2026 California measures affecting "large frontier developers" with revenue thresholds.

What this means for California professionals: if your client-facing communications are AI-generated and a clinician/professional has not reviewed them before they reach the client, AB 3030-style disclosure is operative law. Avoid AI tool branding or marketing that implies licensure (AB 489). Be cautious about defenses that pin behavior on the AI (AB 316).

Colorado

Colorado AI Act (SB 24-205). This was the nation's first comprehensive AI law as enacted in May 2024, originally effective February 1, 2026. The effective date has shifted multiple times — currently scheduled for June 30, 2026, and a legislative effort to repeal-and-replace via SB 25-189 (passed by the legislature in May 2026) would replace it with a disclosure-based framework effective January 1, 2027. The repeal/replace status as of late May 2026 depends on whether the governor signs SB 25-189 and what amendments stand.

If the original CAIA takes effect on June 30, 2026 unchanged: developers and deployers of "high-risk AI systems" (those substantial in making consequential decisions about housing, healthcare, financial/lending services, employment, insurance, government services) have duties of reasonable care to protect consumers from algorithmic discrimination, must conduct impact assessments, must provide consumer notifications, and must publish public statements describing the system and risk management. Enforced by the Colorado Attorney General; civil penalties up to $20,000 per violation.

If SB 25-189 is signed and takes effect January 1, 2027: a narrower disclosure-based framework replaces the original CAIA.

What this means for Colorado professionals: watch the legislative status through summer 2026. If you're using AI in any of the consequential-decision domains (lending, employment, insurance, healthcare, housing), assume both versions apply at some point in your planning.

Texas

Texas Responsible AI Governance Act (TRAIGA, HB 149). Signed June 22, 2025; effective January 1, 2026. Applies to entities conducting business in Texas, offering products/services to Texas residents, or developing/deploying AI in Texas.

Key obligations:

• Prohibits intentionally developing or using AI for "restricted purposes" (social scoring, behavioral manipulation in ways that cause physical or psychological harm, etc.).
• For "high-risk" AI systems making or substantially contributing to consequential decisions (employment, education, healthcare, housing, insurance, financial services, government services): impact assessments, transparency disclosures, governance programs, and human oversight requirements.
• Establishes Texas AI Council and a regulatory sandbox.
• Enforced exclusively by Texas Attorney General; civil penalties $10,000-$200,000 per violation, accruing daily for continuing violations.
• NIST AI RMF compliance provides a statutory affirmative defense — a meaningful incentive to align with NIST.

What this means for Texas professionals: if you deploy AI in any of the consequential-decision domains for Texas residents, TRAIGA's transparency and oversight requirements apply. Aligning to NIST AI RMF gives you the statutory safe harbor.

Utah

Utah AI Policy Act (AIPA), as amended by SB 226 and SB 332 (amendments effective May 7, 2025; AIPA repeal date extended to July 1, 2027). Two operative disclosure rules:

• Consumer-request disclosure. A supplier using generative AI in a consumer transaction must disclose that the consumer is interacting with generative AI if the consumer asks in a "clear and unambiguous request" whether AI is being used.
• Regulated-occupation proactive disclosure. An individual providing services in a "regulated occupation" (licensed by Utah Department of Commerce — lawyers, therapists, financial professionals, accountants, etc.) must proactively and prominently disclose at the outset that the consumer is interacting with generative AI if the use is a "high-risk artificial intelligence interaction." "High-risk" is defined as interactions involving collection of sensitive personal information (health, financial, biometric); providing personalized recommendations that the consumer could reasonably rely on for significant personal decisions; or providing financial, legal, medical, or mental health advice or services.

Utah HB 452 — Mental Health Chatbots. Effective May 7, 2025. Specifically regulates AI tools that engage in interactive conversations "similar to the confidential communications that an individual would have with a licensed mental health therapist." Requirements include restrictions on advertising during mental-health conversations, restrictions on using user input to determine advertising, and specific disclosures. Tools that merely provide scripted outputs or connect users to human therapists are excluded.

What this means for Utah professionals: if you're in a licensed profession and use AI in a high-risk interaction with a consumer, proactive disclosure at the outset is required. If you're building or deploying mental health chatbots, HB 452 imposes specific advertising and disclosure requirements.

Illinois

HB 3773 — Amendment to the Illinois Human Rights Act. Effective January 1, 2026. Makes it a civil rights violation for an employer to:

• Use AI in recruitment, hiring, promotion, renewal, training, discharge, discipline, tenure, or terms/privileges of employment without notifying employees of the AI use, and/or
• Use AI in a way that has the effect of subjecting employees to discrimination on the basis of protected classes, including the use of ZIP codes as proxies for protected classes.

Strict liability — intent is not a defense to the discriminatory-effect prong. Rules to be promulgated by the Illinois Department of Human Rights specify the circumstances, timing, and means of notice.

What this means for Illinois employers: any AI in your hiring or employment-decision workflow triggers notice obligations to Illinois employees. ZIP code as a feature is a direct exposure to civil rights liability.

New York City

NYC Local Law 144 — Automated Employment Decision Tools (AEDT). In force since July 5, 2023; continues to apply through 2026. Requires:

• Annual independent bias audit of any AEDT used to substantially assist or replace discretionary employment decisions for candidates or employees who reside in NYC.
• Public posting of the audit summary on the employer's website (typically the careers section), including selection rates, scoring rates, impact ratios, distribution date, and audit date.
• Candidate notice at least 10 business days before use of the AEDT — identifying the AEDT, the characteristics it assesses, and providing opt-out instructions for an alternative selection process.

Follows the candidate, not the employer — if the candidate is an NYC resident, the law applies regardless of where the employer is headquartered. Penalties $500-$1,500 per violation; daily accrual.

What this means for any U.S. employer with a national applicant pool: NYC residents are in your applicant pool. Local Law 144 is functionally a baseline.

Other states moving in 2026

New York State has multiple AI bills pending; the New York SHIELD Act applies to PII broadly; New York DFS has issued AI-related cybersecurity guidance.

Virginia, Connecticut, Maryland, Tennessee, and others have AI bills introduced or pending. Some target specific sectors (insurance, employment) rather than comprehensive frameworks.

Washington — My Health My Data Act covers consumer health data outside HIPAA; affects health-adjacent AI tools.

The EU AI Act is not a U.S. state law but applies extraterritorially to AI systems placed on the EU market or whose outputs are used in the EU. Phased implementation runs through 2026-2027.

A practical disclosure framework for working professionals

Given the patchwork, most professionals find it easier to operate under one consolidated disclosure framework rather than per-state variants. The defensible baseline:

1. Identify high-risk interactions in your practice — interactions involving sensitive personal information, personalized recommendations the client could reasonably rely on, or financial / legal / medical / mental health advice.
2. Proactively disclose AI use at the outset of any high-risk interaction. This satisfies Utah AIPA, parallels California AB 3030 for healthcare communications, and is a defensible baseline elsewhere.
3. Always disclose if asked — universal across regulators and ethics bodies.
4. Disclose in writing in your engagement letter or notice of privacy practices how AI is used in the practice. Persistent disclosure satisfies general communication and competence obligations.
5. Don't overstate AI capabilities — AI washing is an SEC and FTC exposure for any business.
6. Document your AI vendor due diligence — which models, which tiers, what BAA/DPA is in place, what configuration is enforced. This supports both Colorado-CAIA-style impact assessments and TRAIGA-style governance program documentation.
7. For employment AI specifically — NYC Local Law 144 bias audit + candidate notice + Illinois HB 3773 notice + Colorado CAIA / TRAIGA impact assessments where applicable. The employment AI compliance stack is heavier than client-services AI.
8. Monitor state legislation through 2026 — the picture will shift again.

What this guide is — and what it isn't

This is general orientation as of May 21, 2026, on state AI disclosure laws affecting working professionals. State legislation moves quickly; the Colorado AI Act picture in particular depends on the outcome of SB 25-189. SB 942 has already been delayed once. Effective dates, statutory language, and rulemaking can change. This article does not constitute legal advice. For specific decisions about your practice's disclosure language and processes, consult your compliance counsel and current state-specific guidance.

Related reading: HIPAA-compliant AI guide, AI BAA vendor guide, PHI vs PII, and the professional ethics disclosure guide.

---

Sources: California AB 2013, SB 942, AB 489, AB 3030 (Health & Safety Code § 1339.75), AB 316, TFAIA; Colorado SB 24-205 (Colorado AI Act) and SB 25-189 (proposed repeal/replace); Texas HB 149 (TRAIGA); Utah AIPA as amended by SB 226 and SB 332, Utah HB 452; Illinois HB 3773 (Human Rights Act amendment); NYC Local Law 144 and DCWP enforcement guidance; analyses from Wiley, Mayer Brown, Davis Polk, Perkins Coie, Cooley, Adams and Reese, Smith Anderson, and other firms, April-May 2026. Verify current effective dates and statutory language before relying on any of this. This article does not constitute legal advice.