AI regulations your organization needs to understand
The AI regulatory landscape is evolving fast. This guide covers every major AI law and framework — what it requires, who it affects, and how Risk Meridian helps you build a defensible AI governance record.
Six AI regulations. One platform to help you stay organized.
Risk Meridian helps you document your AI systems once and reuse that record across frameworks — TRAIGA today, with others on our roadmap — to avoid duplicating effort.
Texas Responsible AI Governance Act
Texas, USA
The Texas Responsible AI Governance Act (HB 149) is an intent-based prohibition statute, in force since January 1, 2026. It prohibits specific intentional harmful uses of AI and places affirmative disclosure duties primarily on government entities, plus a narrower disclosure duty on healthcare providers. It does not impose a general AI-inventory, risk-assessment, public-disclosure, or board-reporting mandate on private deployers. It is one of the first comprehensive state AI laws in the United States.
Key obligations
Prohibitions on intentional harmful uses of AI (such as manipulation toward self-harm or crime, unlawful discrimination against a protected class, and unlawful deepfakes), plus disclosure of AI use by government entities and by healthcare providers. Enforced solely by the Texas Attorney General, after a 60-day cure period, with no private right of action.
Who's affected
Organizations and individuals that develop or deploy AI systems in Texas, or that market AI to Texas residents. Government agencies and healthcare providers also face specific AI-use disclosure duties. Enforcement rests with the Texas Attorney General.
EU Artificial Intelligence Act
European Union
The world's first comprehensive AI regulation, the EU AI Act classifies AI systems into risk tiers — prohibited, high-risk, limited-risk, and minimal-risk — and imposes proportionate obligations on providers and deployers. High-risk AI systems require technical documentation, conformity assessment, post-market monitoring, and transparency obligations.
Key obligations
Risk tier classification, technical documentation, conformity assessment, human oversight for high-risk systems, post-market monitoring, and EU database registration.
Who's affected
Any organization providing or deploying AI systems in the European Union — including organizations outside the EU whose AI systems affect EU residents.
NIST AI Risk Management Framework
United States (Federal)
The NIST AI Risk Management Framework is a voluntary but widely adopted guidance document that organizes AI risk management into four functions: Govern, Map, Measure, and Manage. It has become the de facto reference standard for AI governance programs in the US and is explicitly referenced by multiple state AI laws.
Key obligations
Structured AI risk management across four functions: Govern (policies and accountability), Map (context and risk identification), Measure (risk analysis), and Manage (risk response and monitoring).
Who's affected
Any organization seeking a structured approach to AI risk management. Federal agencies are increasingly required to align with NIST AI RMF, and it is commonly referenced by state AI regulations including TRAIGA.
ISO 42001 AI Management Systems
International
ISO/IEC 42001 is the international standard for AI management systems. It provides a framework for establishing, implementing, maintaining, and continually improving an AI management system — similar to ISO 27001 for information security. Certification is available and increasingly expected by enterprise customers and regulators.
Key obligations
AI management system requirements covering context, leadership, planning, support, operations, performance evaluation, and continual improvement.
Who's affected
Organizations seeking third-party certification of their AI management program. Particularly relevant for AI providers serving regulated industries, government customers, or EU markets under the EU AI Act.
California AI Legislation
California, USA
California has enacted several targeted AI laws — such as AB 2013 (training-data transparency) and the SB 942 AI Transparency Act — and regulates automated decision-making through its privacy rules. Its high-profile comprehensive bill, SB 1047, was vetoed in September 2024, so California currently has no single comprehensive AI act. The landscape continues to evolve.
Key obligations
Transparency and disclosure obligations under enacted California laws and privacy/ADMT rules. Requirements vary by statute; there is no single comprehensive California AI act (SB 1047 was vetoed in 2024).
Who's affected
Organizations deploying AI systems in California or making decisions that affect California residents. The world's fifth-largest economy means nearly every large enterprise faces potential California AI exposure.
Colorado Artificial Intelligence Act
Colorado, USA
Colorado's original AI Act (SB 24-205) — which would have required algorithmic impact assessments, annual disclosures, and a duty of care against algorithmic discrimination — never took effect as written. A federal court paused enforcement in April 2026, and on May 14, 2026 Colorado enacted SB 189, replacing it with a narrower disclosure/transparency (ADMT) framework effective January 1, 2027. The impact-assessment and duty-of-care provisions were eliminated.
Key obligations
Under the revised SB 189 framework (effective January 1, 2027): transparency and disclosure obligations for automated decision-making technology (ADMT). The earlier impact-assessment, consumer-notification, and duty-of-care requirements were removed. The law remains in flux pending implementing guidance.
Who's affected
Developers and deployers of automated decision-making systems affecting Colorado residents, once SB 189 takes effect on January 1, 2027. The precise scope will be defined by the new framework and any implementing rules.
How the regulations compare
Different frameworks impose different obligations. A checkmark below means the framework includes that obligation for at least some covered parties — not that every organization must do it. TRAIGA in particular is prohibition-based: its only affirmative disclosure duties fall on government entities and healthcare providers, it is enforced solely by the Texas Attorney General (after a 60-day cure period), and it has no private right of action.
| Obligation | Texas TRAIGA | EU AI Act | NIST AI RMF | ISO 42001 | California AI | Colorado AI Act |
|---|---|---|---|---|---|---|
| AI system inventory | ||||||
| Risk assessment | ||||||
| Public disclosures | ||||||
| Human oversight documentation | ||||||
| Bias / fairness testing | ||||||
| Incident reporting | ||||||
| Board / executive accountability | ||||||
| Technical documentation | ||||||
| Third-party audit / conformity | ||||||
| Annual impact assessment |
Risk Meridian supports your TRAIGA documentation today, with EU AI Act, NIST AI RMF, and ISO 42001 mapping on our roadmap. See how the platform works →
Stop tracking AI regulations in a spreadsheet
Risk Meridian helps you document and manage your AI systems in one place — with TRAIGA support today and EU AI Act, NIST AI RMF, and ISO 42001 on our roadmap. Get your first AI system inventoried in under 10 minutes.
TRAIGA support today, more frameworks on the roadmap
Document your controls once and reuse them across frameworks
Board-ready reports generated in minutes, not weeks