Do the new US state AI laws even apply to your small business? Mostly no, and here is the short list of what actually does

If you run a small business in the US, the AI-regulation coverage of 2026 has probably left you with a low hum of worry: a wave of state laws, a compliance programme you have not built, a sense that you are behind. For a business under about 50 people, that worry is mostly misplaced. The laws that sound sweeping either target someone much bigger than you, or got pulled back, or ask less of you than the headline implies. And the federal law that might have simplified everything is not coming on a timeline you can plan around. The honest picture is short and mostly favourable, and this piece replaces the hum with a list.

The enterprise version of this reading, for in-house programmes with real multi-state exposure, is at the federal-versus-state standoff piece. For a small operator the conclusion is the same but the to-do list is far shorter.

California: a law about your suppliers, not you

California’s SB 53, the Transparency in Frontier Artificial Intelligence Act, is the one that sounds like it should worry everyone and worries almost no small business. It applies to frontier developers: systems trained above roughly 10^26 operations, and large developers with annual revenue over 500 million dollars. That is the largest model labs, and nobody else. If you use AI tools rather than build frontier models, SB 53 is a law about the companies that make your tools. Take it off the list.

Texas: broad reach, light touch for a deployer

Texas’s Responsible AI Governance Act took effect on 1 January 2026 and does reach broadly, to anyone offering a product or service used by Texas residents or doing business in the state (Norton Rose Fulbright). But it is intent-based, not paperwork-based. It prohibits developing or deploying AI with the intent to cause specific harms, such as unlawful discrimination or manipulation, and it is enforced by the attorney general with a cure period. For an ordinary small business, meeting it does not mean a compliance programme; it means not using AI to do things that were already unlawful. If you serve Texas customers, know the prohibition is there. You almost certainly already comply.

Colorado: the scary one retreated

Colorado is the law a lot of small owners were bracing for, because SB 24-205 was the first comprehensive US state AI law and carried real obligations. It is not the threat it looked like. On 14 May 2026 the governor signed SB 26-189, which repealed and reenacted the law into a narrower one: the duty of care on algorithmic discrimination and the risk-management and impact-assessment obligations came out, and the effective date moved from 30 June 2026 to 1 January 2027. The original had also exempted smaller employers from some duties. So the Colorado obligation is both lighter than it was and not in force until 2027. Set a reminder for late 2026 to check its final form; do not build to it now.

There is no federal law coming to change this

The piece of this most small owners get backwards is the federal one. It would be reasonable to assume Washington is about to standardise all this and that you should wait for it. It is not. The White House released a National Policy Framework for Artificial Intelligence on 20 March 2026, but it is explicitly non-binding and would need Congress to pass a law, which has not happened, and a proposed moratorium on state AI laws was not enacted (Holland & Knight). For a large enterprise that is a planning headache. For you it is almost good news: nothing federal is being added to your pile, and the state map, which for a small business is mostly favourable, is the map.

The short list that actually applies

Strip away the headlines and four cheap things remain, all of them in the 30-minute check above.

Know which states you actually touch, because the laws reach you by where you operate and whom you serve, not by existing somewhere in the country. Confirm you are a deployer and not a frontier developer, which is the single fact that removes California’s law and most of the heavy duties. Adopt disclosure hygiene now even though most US state law does not yet force it: tell people when they are dealing with an AI, and do not pass AI output off as human in regulated or consumer contexts, because it is cheap, it is good practice, and it is what the EU already requires and Colorado will from 2027, as the EU small-business deployer duties piece sets out for the regime that did not retreat. And keep a one-line policy that you never use AI to deceive or discriminate, which covers the heart of the Texas prohibition and the consumer-protection law you already live under.

This week

Do the 30-minute check once and you are done for a while. Map your states, confirm your deployer status, switch on the disclosure habits, write the two don’ts, and set the late-2026 Colorado reminder. That is a proportionate response to the 2026 US state AI laws for a small business, and it is a great deal less than the headlines told you to fear. The over-build, an enterprise-scale programme aimed at a federal floor that does not exist, costs you time you do not have for protection against obligations that mostly are not yours.

What this does not cover

This is the US state-law picture. If you also serve EU customers, the EU AI Act reaches you regardless of the US position, and its duties did not get rolled back; the EU small-business deployer duties piece is the version for that. If your concern is what you promise clients about AI in the work you deliver, the AI client-deliverable contract clauses piece is the contract cut.