There is no federal AI floor coming: what Colorado's retreat and the stalled preemption fight mean for enterprise compliance planning
American enterprises waiting for the US AI regulatory picture to settle before they build their compliance posture got two answers in the first half of 2026, and both point the same way. The federal floor most boards assumed was coming is not coming on a plannable timeline: the White House framework of 20 March 2026 is explicitly non-binding, and the proposed moratorium on state AI laws was not enacted. Meanwhile the most-watched comprehensive state law moved backwards, not forwards: on 14 May 2026 Colorado gutted its own AI Act and pushed it to 2027. The lesson is not that regulation is going away. It is that there is no single regime to build to, and waiting for one is now the riskier choice than building to the obligations that already apply.
Holding · reviewed 2 Jun 2026 · next +89d
Plenty of US enterprises have been running the same quiet bet on AI regulation: that the state-by-state noise would eventually resolve into a federal standard, and that the disciplined move was to wait for that standard rather than build a programme to a target that would change. The first half of 2026 settled that bet, and not in the waiter’s favour. Two things happened. The federal floor did not arrive, and the most-watched state law moved backwards.
The state that was supposed to lead, retreated
Colorado’s SB 24-205 was the first comprehensive US state AI law, the one other legislatures and general counsels were treating as the template. On 14 May 2026, Governor Jared Polis signed SB 26-189, which repealed and reenacted it into something much smaller. The reenacted law dropped the duty of care to prevent algorithmic discrimination, removed the deployer obligations to run risk-management programmes and conduct impact assessments, narrowed the statute to disclosure and transparency around certain automated decisions, and pushed the effective date from 30 June 2026 to 1 January 2027.
This was the second delay, not the first; the original February 2026 date had already been moved to June 2026 the previous summer. But the May reenactment was different in kind from a delay. One firm described it as a pivot away from the EU model (Hunton). The flagship US experiment in comprehensive AI regulation did not get postponed so much as it got shrunk. That is the opposite of the trajectory an enterprise betting on convergence was counting on.
The federal floor is a recommendation, not a law
The other half of the bet was that Washington would supply a standard. It has supplied a document. The White House released a National Policy Framework for Artificial Intelligence on 20 March 2026 that recommends preempting state AI laws judged to impose undue burdens. But the framework is, in its own terms, not binding, creates no new legal obligations, and would require Congress to pass legislation to have any effect (Holland & Knight).
Congress has not passed it. The proposed federal moratorium on state AI laws was not enacted, after the Senate had earlier removed a ten-year version of the moratorium from the 2025 budget reconciliation bill. The practical effect is that the states keep their room to legislate, and the law firms tracking this describe the realistic outlook as continued overlap rather than imminent simplification: active state-law compliance coupled with attention to federal developments that may or may not land. There is an executive order signalling the administration’s preemption intent, which King & Spalding flagged as a disruption to the new state laws, but a signalled intent is not a floor a compliance programme can stand on.
What is actually in force
While the federal debate stalls and Colorado shrinks, two broad state laws took effect on 1 January 2026, and they are nothing alike.
California’s SB 53, the Transparency in Frontier Artificial Intelligence Act, sounds sweeping and is in fact narrow. It applies only to frontier developers: systems trained above roughly 10^26 operations, and large developers with annual revenue over 500 million dollars, a threshold no current model meets and no ordinary enterprise comes near. For almost every company that deploys AI rather than trains frontier models, SB 53 is someone else’s obligation.
Texas’s Responsible AI Governance Act is the opposite shape. It applies broadly, to anyone offering a product or service used by Texas residents or doing business in the state, but it is intent-based: it prohibits developing or deploying AI with the intent to cause specified harms, rather than imposing the heavy documentation and assessment duties Colorado originally carried (Norton Rose Fulbright). It is enforced by the attorney general, with a cure period, and it asks less affirmative paperwork of an ordinary deployer than the original Colorado law did.
So the in-force US map is a narrow frontier-developer law in California, a broad intent-based prohibition in Texas, a comprehensive law deferred and narrowed in Colorado, and a federal posture that is recommendation rather than rule. That is not a floor. It is a set of differently-shaped obligations that do not stack into one.
Why waiting is the riskier choice
The instinct to wait assumes that clarity is coming and that building now means building twice. Both halves of that assumption are now weak. Clarity is not coming on a plannable horizon, and the obligations that already apply (the Texas prohibitions in force today, the EU AI Act duties for any EU-facing operation, and the sector and consumer-protection law that already governs automated decisions) do not wait for the federal debate to conclude. An enterprise that paused its governance work for a federal floor has been accruing exposure under live law while waiting for a law that has not been drafted.
The defensible posture inverts the bet. Build to the strictest obligation that genuinely applies to your own deployments, mapped to where you actually operate and whose data you actually process rather than to a generic fifty-state anxiety. Build to the duties common across the serious regimes (transparency and disclosure, documented assessment for higher-stakes uses, and human oversight), because those recur across California, Texas, the deferred Colorado law, and the EU regardless of which one bites first. And treat the map as a tracked variable, because with Colorado moving backward and Washington stalled, the baseline is moving and a one-time gap analysis goes stale.
The trap on the other side
The opposite error is just as easy. Colorado narrowed, the moratorium failed, and it is tempting to read a deregulatory trend and stand the programme down. That reading is wrong too. The failed moratorium preserves the states’ authority to act. The EU did not retreat at all: it delayed its heaviest obligations while leaving its transparency and governance duties in force, as the publication’s Digital Omnibus reading sets out. And even Colorado’s reenacted law still imposes disclosure duties from 2027. The honest description is divergence, not deregulation. The regimes are moving in different directions at different speeds, which is harder to plan for than a single trend would be, and which is exactly why the answer is to build to what applies and keep the map current rather than to bet on any one direction.
The reading to leave with the CIO and general counsel
There is no federal AI floor coming on a timeline you can plan around, and the state law you were most likely watching just got smaller. Neither of those is a reason to stand down, and neither is a reason to build a maximalist programme to a standard that does not exist. The move is the unglamorous middle: inventory the regimes you are actually exposed to, build to the obligations they share, and keep the assessment live because the inputs are still moving. The enterprise that does that is ready for whichever way the next statute breaks. The one waiting for clarity is exposed under the laws already in force, holding out for a floor that, on the evidence of the first half of 2026, is not being built.
Related reading
For the contrasting regime that delayed its heavy obligations but did not retreat, see the EU AI Act Digital Omnibus reading. For the US sector-specific frameworks that govern AI-touched data regardless of the AI-specific statutes, see AI governance and data governance under US frameworks.
The operators-section version, for solo founders and small businesses asking whether any of these state laws even apply to them, is at the US AI laws small-business brief.