Most companies building AI products are watching Washington and waiting for the rulebook. A 2026 analysis from the law firm Morgan Lewis suggests that is the wrong place to look: state attorneys general are already moving, and they are doing it with laws that have been on the books for decades.
Old laws, new targets
Federal policy may eventually set a national AI standard, and much compliance planning assumes it will. But state AGs are not waiting for AI-specific statutes. Per the Morgan Lewis analysis, they are pursuing cases on algorithmic bias, fair lending, and chatbots targeting minors using existing consumer protection frameworks, many modeled on FTC Section 5.
An unfair or deceptive practice claim is all an AG needs to sue an AI company, and existing statutes already cover that.
What is happening in 2026
The analysis describes two tracks moving at once:
- New state statutes are taking effect. The Colorado AI Act is now effective, mandating impact assessments and transparency requirements for automated decision-making systems.
- Enforcement under existing law is picking up. State AGs are reportedly bringing cases on bias, fair lending, and chatbots aimed at minors, without waiting for AI-specific legislation to pass.
Comprehensive federal legislation, meanwhile, remains stalled. The result is a patchwork of different rules, thresholds, and enforcement postures, state by state.
One caveat worth stating plainly: the analysis is forward-looking and does not name specific defendants or finalized settlements. The direction of travel is clear in the source; the case-by-case record is not.
Why betting on federal preemption is risky
Companies that built their compliance posture on the assumption of a permissive federal regime face exposure on two fronts:
- Immediate burden. State-level requirements like Colorado's impact assessments apply now, before any future federal preemption fight resolves.
- Settlement risk. The analysis projects that state enforcement under existing consumer protection law could drive settlements into the millions. That is a projection from a single firm rather than a documented settlement record, and the actual scale will depend on how aggressively individual AGs pursue these cases.
A fragmented landscape is arguably harder to comply with than one strict federal law would be. Fifty potential enforcement regimes, each reinterpreting general-purpose statutes for AI, means the compliance target keeps moving.
What this means for agentic systems
High-risk AI uses, including agentic systems, sit squarely inside this patchwork. If you are deploying agents in regulated verticals such as finance, healthcare, or education, the practical implication is architectural as much as legal:
- Governance has to live at the runtime layer. Auditable logs of what an agent decided and why, produced as a byproduct of operation rather than reconstructed after a subpoena.
- Bias controls need to be testable. Colorado-style impact assessments assume you can actually measure and document how your automated decisions behave. If your system cannot produce that evidence, you cannot complete the assessment at all, and that blocks you from the market itself.
- Transparency obligations vary by state. Design for the strictest regime you operate in, because retrofitting disclosure into an agent pipeline is far more expensive than building it in.
The takeaway
Waiting for federal clarity is a strategy with a specific failure mode: you become the test case a state AG uses to establish precedent. The companies that fare best over the next two years will likely be the ones that treat state enforcement as the operative regime today and build agent systems where governance evidence is generated automatically rather than assembled under legal pressure.
If the current trajectory holds, the rulebook is being written one enforcement action at a time, in state courts, under laws that predate the technology entirely.