Disruption Now® is a tech-empowered platform helping elevate organizations in entrepreneurship, social impact, and creativity. Through training, product development, podcasts, events, and digital media storytelling, we make emerging technology human-centric and accessible to everyone. This week I've been reflecting on a conversation with a CEO who told me his team was "waiting for federal AI regulations before building a compliance plan." I had to tell him what I'm about to tell you: the regulations aren't coming. They're already here.

There's a dangerous assumption circulating in boardrooms right now: that AI regulation is a future problem. That we have time. We don't.

Last week, California Governor Gavin Newsom signed Executive Order N-5-26 — requiring any company doing business with the state to disclose its AI usage, explain its policies on bias prevention, demonstrate civil rights protections, and implement safeguards against harmful content distribution. The order also directs California's Department of Technology to develop the nation's first guidance on watermarking AI-generated media. This is not a suggestion. It's a procurement requirement.

But California is just the loudest signal. In 2025, 38 states adopted roughly 100 AI-related measures. Colorado's AI Act takes effect June 30 — less than 90 days from now — requiring organizations that deploy high-risk AI to conduct impact assessments, implement measures to prevent discrimination, and provide consumer opt-out rights. Violations carry penalties up to $20,000 each. California's SB 53, which took effect on January 1, requires large-scale AI developers to publish risk management frameworks. Texas, New York, Illinois, Utah, and Maine all have enforceable AI transparency laws on the books.

The regulatory landscape isn't just growing — it's fragmenting. And fragmentation is the enemy of compliance.

Colorado focuses on high-risk AI decisions in employment, lending, and housing. California requires transparency in training data and content watermarking. New York mandates annual bias audits for automated employment tools and disclosure of synthetic performers in advertising. Texas prohibits the use of AI for biometric identification and social scoring. These aren't overlapping requirements; they're distinct requirements with distinct definitions, thresholds, and enforcement mechanisms.

For an organization operating across state lines, this creates a compliance matrix that didn't exist 18 months ago. If you use AI in hiring, you need Colorado's impact assessments, New York's bias audits, Illinois' video interview consent, and New Jersey's algorithmic discrimination guidance simultaneously.

Meanwhile, the federal government is not simplifying this. President Trump's December 2025 executive order signals intent to challenge "onerous" state regulations through litigation and funding conditions. But the order does not preempt existing state laws or establish new federal standards. Legal experts at Ropes & Gray note significant constitutional limitations on overriding state AI regulation through executive action alone. The federal government is telling states to stop, yet has no binding mechanism to enforce it, and states are accelerating anyway.

The organizations waiting for clarity are the ones most exposed to risk.

The narrative feels reassuring: the current administration is pro-innovation and anti-regulation. Federal agencies have been told to adopt AI, not restrict it. Therefore, AI regulation is not a near-term priority. This narrative is incomplete. The federal government's light-touch posture does not erase the 100-plus state laws already on the books. It does not pause the Colorado AI Act's June 30 enforcement date. And it does not change the fact that California — the fifth-largest economy globally — now requires AI governance disclosures as a condition of doing business with the state.

This is the California Effect in action — the same dynamic that made California's vehicle emissions standards the de facto national standard for automakers. As Axios reported last week, California's multipronged approach makes it likely that AI companies will treat the state's rules as a de facto national standard. When California sets a procurement standard, it doesn't stay in California. Companies adopt those standards enterprise-wide because maintaining two separate compliance frameworks costs more than maintaining one.

The deeper issue is organizational. Most enterprises don't have a single person responsible for AI governance across jurisdictions. Compliance lives in legal. AI deployment lives in IT. Procurement lives in operations. Nobody owns the intersection, and that’s exactly where regulatory risk is concentrating. A 2026 analysis found that 78% of organizations cannot validate data before it enters training pipelines, 77% cannot trace the origins of training data, and 53% cannot recover training data after an incident. These aren't advanced capabilities. They're the baseline requirements that multiple state laws now impose.

Building an AI governance framework doesn't require an army of compliance attorneys. It requires you to do what you should have done six months ago: inventory your AI exposure, understand your jurisdictional obligations, and build a cross-functional governance structure.

Start with an AI systems inventory. Every AI tool your organization uses — from the ChatGPT licenses in marketing to the automated screening tool in HR to the AI analytics platform in sales — needs to be cataloged. For each system, document what it does, what data it processes, what decisions it influences, and which jurisdictions it touches. Colorado's AI Act specifically requires high-risk AI deployers to maintain this documentation. California's AB 2013 requires developers to publish summaries of their training data. You cannot comply with laws you don't know apply to you.

Next, prioritize by jurisdiction and risk level. The laws focus on high-risk applications — systems that influence employment decisions, lending, housing, insurance, healthcare, and consumer safety. If your organization uses AI in any of these domains, those systems are your compliance priority. Focus first on California, Colorado, and New York. Add EU AI Act requirements if you serve European customers — it's a high-risk system obligations phase in through August 2026.

Then, build the governance structure: a cross-functional team spanning legal, IT, product, HR, and operations. Documented policies for AI procurement, deployment, monitoring, and incident response. Regular bias audits for high-risk systems. And a clear escalation path when AI systems produce outcomes that raise discrimination or civil rights concerns.

At Disruption Now®, we've been building exactly these frameworks for enterprise clients. The organizations that start this work in Q2 will have a defensible framework before Colorado's enforcement begins. Those who wait will be scrambling.

We built an assessment that helps enterprise teams understand their AI compliance exposure in 15 minutes, maps their AI systems, identifies which state laws apply, and flags the highest-priority gaps.

The organizations that will thrive in this regulatory environment are not the ones with the biggest legal teams. They're the ones that treat governance as a competitive advantage. When you can tell a client, a partner, or a government agency that your AI systems are documented, audited, and compliant across jurisdictions, that's not a burden. That's trust at scale.

The enterprises that built compliance frameworks early in the data privacy era — before GDPR enforcement, before CCPA penalties started landing — didn't just avoid fines. They won contracts their competitors couldn't compete for. The same dynamic is playing out right now. The organizations that build the framework in Q2 2026 will compete for California state contracts, Colorado government partnerships, and enterprise clients who are starting to require AI compliance as a procurement condition. Those who wait will discover that "we're working on it" is no longer an acceptable answer.

For enterprise teams of 20+ looking to navigate the state AI regulatory landscape — let's talk. We help organizations inventory their AI systems, map their compliance obligations, and build governance frameworks that work across jurisdictions before enforcement deadlines arrive.

Disruption Now® interviews leaders focused on the intersection of emerging tech, humanity, and policy.

Keep Disrupting, My Friends.

Rob Richardson – Founder, Disruption Now® & Chief Curator of MidwestCon