Skip to main content
AI Regulation Reference Guides

AI regulations your organization needs to understand

The AI regulatory landscape is evolving fast. This guide covers every major AI law and framework — what it requires, who it affects, and how Risk Meridian helps you build a defensible AI governance record.

Six AI regulations. One platform to help you stay organized.

Risk Meridian helps you document your AI systems once and reuse that record across frameworks — TRAIGA today, with others on our roadmap — to avoid duplicating effort.

Texas Responsible AI Governance Act

Texas, USA

In force — Jan 1, 2026Supported today

The Texas Responsible AI Governance Act (HB 149) is an intent-based prohibition statute, in force since January 1, 2026. It prohibits specific intentional harmful uses of AI and places affirmative disclosure duties primarily on government entities, plus a narrower disclosure duty on healthcare providers. It does not impose a general AI-inventory, risk-assessment, public-disclosure, or board-reporting mandate on private deployers. It is one of the first comprehensive state AI laws in the United States.

Key obligations

Prohibitions on intentional harmful uses of AI (such as manipulation toward self-harm or crime, unlawful discrimination against a protected class, and unlawful deepfakes), plus disclosure of AI use by government entities and by healthcare providers. Enforced solely by the Texas Attorney General, after a 60-day cure period, with no private right of action.

Who's affected

Organizations and individuals that develop or deploy AI systems in Texas, or that market AI to Texas residents. Government agencies and healthcare providers also face specific AI-use disclosure duties. Enforcement rests with the Texas Attorney General.

EU Artificial Intelligence Act

European Union

Phased rolloutOn roadmap

The world's first comprehensive AI regulation, the EU AI Act classifies AI systems into risk tiers — prohibited, high-risk, limited-risk, and minimal-risk — and imposes proportionate obligations on providers and deployers. High-risk AI systems require technical documentation, conformity assessment, post-market monitoring, and transparency obligations.

Key obligations

Risk tier classification, technical documentation, conformity assessment, human oversight for high-risk systems, post-market monitoring, and EU database registration.

Who's affected

Any organization providing or deploying AI systems in the European Union — including organizations outside the EU whose AI systems affect EU residents.

NIST AI Risk Management Framework

United States (Federal)

VoluntaryOn roadmap

The NIST AI Risk Management Framework is a voluntary but widely adopted guidance document that organizes AI risk management into four functions: Govern, Map, Measure, and Manage. It has become the de facto reference standard for AI governance programs in the US and is explicitly referenced by multiple state AI laws.

Key obligations

Structured AI risk management across four functions: Govern (policies and accountability), Map (context and risk identification), Measure (risk analysis), and Manage (risk response and monitoring).

Who's affected

Any organization seeking a structured approach to AI risk management. Federal agencies are increasingly required to align with NIST AI RMF, and it is commonly referenced by state AI regulations including TRAIGA.

ISO 42001 AI Management Systems

International

VoluntaryOn roadmap

ISO/IEC 42001 is the international standard for AI management systems. It provides a framework for establishing, implementing, maintaining, and continually improving an AI management system — similar to ISO 27001 for information security. Certification is available and increasingly expected by enterprise customers and regulators.

Key obligations

AI management system requirements covering context, leadership, planning, support, operations, performance evaluation, and continual improvement.

Who's affected

Organizations seeking third-party certification of their AI management program. Particularly relevant for AI providers serving regulated industries, government customers, or EU markets under the EU AI Act.

California AI Legislation

California, USA

EmergingMonitoring

California has enacted several targeted AI laws — such as AB 2013 (training-data transparency) and the SB 942 AI Transparency Act — and regulates automated decision-making through its privacy rules. Its high-profile comprehensive bill, SB 1047, was vetoed in September 2024, so California currently has no single comprehensive AI act. The landscape continues to evolve.

Key obligations

Transparency and disclosure obligations under enacted California laws and privacy/ADMT rules. Requirements vary by statute; there is no single comprehensive California AI act (SB 1047 was vetoed in 2024).

Who's affected

Organizations deploying AI systems in California or making decisions that affect California residents. The world's fifth-largest economy means nearly every large enterprise faces potential California AI exposure.

Colorado Artificial Intelligence Act

Colorado, USA

Revised — effective Jan 1, 2027Monitoring

Colorado's original AI Act (SB 24-205) — which would have required algorithmic impact assessments, annual disclosures, and a duty of care against algorithmic discrimination — never took effect as written. A federal court paused enforcement in April 2026, and on May 14, 2026 Colorado enacted SB 189, replacing it with a narrower disclosure/transparency (ADMT) framework effective January 1, 2027. The impact-assessment and duty-of-care provisions were eliminated.

Key obligations

Under the revised SB 189 framework (effective January 1, 2027): transparency and disclosure obligations for automated decision-making technology (ADMT). The earlier impact-assessment, consumer-notification, and duty-of-care requirements were removed. The law remains in flux pending implementing guidance.

Who's affected

Developers and deployers of automated decision-making systems affecting Colorado residents, once SB 189 takes effect on January 1, 2027. The precise scope will be defined by the new framework and any implementing rules.

How the regulations compare

Different frameworks impose different obligations. A checkmark below means the framework includes that obligation for at least some covered parties — not that every organization must do it. TRAIGA in particular is prohibition-based: its only affirmative disclosure duties fall on government entities and healthcare providers, it is enforced solely by the Texas Attorney General (after a 60-day cure period), and it has no private right of action.

ObligationTexas TRAIGAEU AI ActNIST AI RMFISO 42001California AIColorado AI Act
AI system inventory
Risk assessment
Public disclosures
Human oversight documentation
Bias / fairness testing
Incident reporting
Board / executive accountability
Technical documentation
Third-party audit / conformity
Annual impact assessment

Risk Meridian supports your TRAIGA documentation today, with EU AI Act, NIST AI RMF, and ISO 42001 mapping on our roadmap. See how the platform works →

Stop tracking AI regulations in a spreadsheet

Risk Meridian helps you document and manage your AI systems in one place — with TRAIGA support today and EU AI Act, NIST AI RMF, and ISO 42001 on our roadmap. Get your first AI system inventoried in under 10 minutes.

TRAIGA support today, more frameworks on the roadmap

Document your controls once and reuse them across frameworks

Board-ready reports generated in minutes, not weeks