AI Regulation in the United States: The 2026 Map

Voluntary federal executive order vs. mandatory state laws: what it means for Brazilian companies selling in the US in 2026.

by Cleverson Gouvêa

AI Regulation in the United States: The 2026 Map

AI regulation in the United States is no longer a distant topic—it has become an operational problem for those selling abroad. In June 2026, the federal government bet on voluntary rules while states created binding and divergent obligations. For a Brazilian company processing data from American users, this changes the game. I'll explain what happened and what to do with the information.

TL;DR

  • On 02/06/2026, the White House issued the executive order "Promoting Advanced Artificial Intelligence Innovation and Security," focusing on cybersecurity and voluntary frameworks for frontier models.
  • States went in the opposite direction: they created binding obligations. California (SB 53) has been in effect since January 2026; Colorado (SB 26-189) comes into force on 01/01/2027.
  • The result is a patchwork: "the US rule" does not exist—it depends on the state.
  • Brazilian companies (SaaS, agencies, e-commerce) that sell or process data in the US need to map obligations by state, not by country.
  • Those who organise now turn compliance into a commercial differentiator, not a dead cost.

What the June 2026 Executive Order Actually Says

On 2 June 2026, the White House published the executive order titled Promoting Advanced Artificial Intelligence Innovation and Security. The stated goal is straightforward: advance US leadership in artificial intelligence while addressing the national security risks of increasingly capable systems.

The text works on two fronts. The first is defensive: strengthening the cyber defences of government and private industry in the face of so-called "advanced AI." The second is governance: developing voluntary benchmarking and review frameworks for the safe development and release of "frontier" models—those trained with massive computing power.

Notice the key word here: voluntary. The federal bet is on innovation first, with rules that companies adopt by choice, not by imposition. There are no fines for non-compliance with benchmarks in this order. It is a signal of direction, not a straitjacket.

For product developers, this seems like a relief. And it is—at the federal level. The problem appears when you look one level down, at the states.

The Paradox: Federal Voluntary, State Mandatory

The American system is federal. Each state legislates on a range of topics, and AI has entered that list. While Washington talks about voluntary adherence, state capitals write laws with effective dates, documentation duties, and penalties.

This is the central tension of 2026. On one side, the federal government wants not to hinder the technological race. On the other, states want to protect consumers and hold those who use AI in sensitive decisions accountable. Both movements happen simultaneously and do not communicate.

The practical effect is fragmentation—what lawyers call a "patchwork." A company operating in five states may face five different sets of rules, with different deadlines and different definitions of what constitutes a "high-risk AI system."

I have seen this movie before in data privacy, when each state started creating its own law after California. With AI, the script repeats—and faster.

California: SB 53 and Frontier Model Transparency

California, as usual, led the way. The Transparency in Frontier AI Act (SB 53) brings multiple obligations that came into effect in January 2026.

The law targets developers of large frontier models. It is not about who uses a chatbot on a website—it is about who trains and releases the largest models. For these actors, SB 53 requires three concrete things:

  1. Publish risk frameworks—document how the company assesses and mitigates model risks, publicly.
  2. Report security incidents—communicate failures and critical security events related to the system.
  3. Implement whistleblower protections—ensure channels and safeguards for employees who report internal risks.

Who Really Needs to Worry

If you are a Brazilian agency or SaaS consuming the API of a frontier model, the direct weight of SB 53 falls on the model provider, not on you. But there is a cascading effect: providers will pass documentation and transparency requirements contractually. It is worth reading the terms carefully. The logic is the same as I discussed in AI Agents: What Gemini Spark Changes for Companies—responsibility flows down the chain.

Colorado: From Umbrella to Scalpel (SB 26-189)

Colorado took an interesting path. In May 2026, the state repealed and replaced its previous AI law with SB 26-189. A broad norm went out; a narrower, more surgical statute came in.

The new law regulates a specific target: automated decision-making technology (ADMT) that materially influences consequential decisions. Think credit, employment, housing, insurance—situations where an algorithm helps decide someone's life. The effective date is 01/01/2027.

The shift in philosophy is the interesting point. The old version relied on risk management programmes and impact assessments—a lot of preventive bureaucracy. SB 26-189 replaces that with more tangible, consumer-centred duties:

  • Prior notice to the consumer that a consequential decision uses ADMT.
  • Explanation of adverse outcome within 30 days when the decision is unfavourable.
  • Right to meaningful human review—a person, not just another algorithm, reanalysing the case.
  • Developer documentation duties for the technology.

For a Brazilian company selling HR software, scoring, or insurance underwriting in the US, this is the type of law that directly affects the product. "Explain an adverse outcome within 30 days" is not a footnote clause—it is UX flow, logging, and support process.

Comparative Table: Federal vs. California vs. Colorado

I have placed the three layers side by side to make the patchwork visible:

Layer Nature What it requires Primary target Effective date
Federal (Executive Order 02/06/2026) Voluntary Benchmarking and review frameworks; cybersecurity reinforcement Frontier models; government and industry Immediate (non-binding)
California (SB 53) Mandatory Publish risk framework, report incidents, protect whistleblowers Developers of large frontier models January 2026
Colorado (SB 26-189) Mandatory Prior notice, explanation of adverse outcome within 30 days, human review, documentation ADMT in consequential decisions 01/01/2027

The table is intentionally uncomfortable to read. Three jurisdictions, three natures, three deadlines. And these are just two states plus the federal level—there are dozens of state legislatures working on the topic.

Why "the US Rule" Does Not Exist (and What It Costs)

The most common mistake I see in conversations with clients is asking, "What is the US AI law?" The question has no single answer. There is a voluntary federal guideline and mandatory state laws that diverge from each other.

This has a cost. Each new state in your user base can mean:

  • Reviewing notices and consent screens.
  • Adjusting response deadlines (e.g., Colorado's 30 days).
  • Reorganising technical documentation for audits.
  • Training support to handle human review requests.

The cost of compliance grows non-linearly. It is not "one more country"—it is "one more legislature." Large companies absorb this with legal teams. Small and medium ones feel it more, because each requirement becomes engineering and process work.

It is worth remembering that this does not happen in a vacuum. The technology job market is also being reshaped by AI—I wrote about the corporate side of this pressure in Atlassian in 2026: Layoffs, AI, and the Bet on Agents. Regulation and team restructuring go hand in hand.

What Changes for Brazilian Companies Selling in the US

I will be concrete, because that is how I think when serving clients who earn revenue outside Brazil. Three profiles feel the impact differently.

SaaS

If your software makes or supports consequential decisions—credit, hiring, risk pricing—Colorado is your wake-up call. Start designing the prior notice and adverse outcome explanation flow now. Building it before the 2027 effective date is cheap; building it in a rush afterwards is expensive.

Agency

Agencies delivering automation and AI to American clients become intermediaries in the chain of responsibility. Your contracts need to clarify who documents what. A vague clause today becomes a dispute tomorrow.

E-commerce

E-commerce using AI for recommendations, fraud prevention, or dynamic pricing should map whether these decisions are "consequential" under state laws. Product recommendations rarely are; denying a transaction or adjusting prices in a discriminatory manner may be.

The common denominator is one: stop thinking of the "American market" as a single block. Think state by state, function by function. The platform updates I commented on in Google I/O 2026: What Changes for Brazilian Companies only increase this surface—more embedded AI means more points subject to state rules.

Practical Compliance Checklist

At Agathas Web, when I assess a client's regulatory exposure, I follow a lean roadmap. Adapt it to your case:

  1. Map where your users are. Not the country—the state. Geolocation and billing data already tell you a lot.
  2. Classify your automated decisions. Which are just convenience and which materially influence someone's life?
  3. List your model providers. If you use a frontier model via API, read the terms through the lens of SB 53.
  4. Implement an audit trail. Log which model decided what, when, and based on what. This serves almost every state law.
  5. Design the human review flow. A person must be able to reanalyse and reverse adverse decisions.
  6. Standardise consumer notices. Clear text that AI is involved in the decision, ready to be triggered per state.
  7. Review contracts. Distribute documentation responsibilities along the chain, in writing.

You do not need to do everything next week. You need to have the map and prioritise by the nearest deadline—in this case, the 2027 effective date in Colorado and what is already in effect in California.

Conclusion: How to Prepare Without Stalling the Product

AI regulation in the United States in 2026 is a patchwork, and it will remain so for a while. The federal level points direction with voluntary rules; states impose concrete duties with real deadlines. Those selling there need to think by state and function, not by country.

The good news is that well-done compliance does not stall the product—it becomes a sales argument. Corporate American clients value a supplier that already has an audit trail, consumer notice, and human review in place. That is trust, and trust closes deals.

If you want to understand how this exposure applies to your specific product, that is exactly the kind of diagnosis I do daily. Start with the checklist above—and if you get stuck, talk to us. Mapping early costs little; chasing after the effective date costs a lot.

#estados-unidos#inteligencia-artificial#politica-de-ia#regulacao-ia
View all

Related posts

Automatic Pix: what changes in recurring billing in 2026

Automatic Pix: what changes in recurring billing in 2026

Automatic Pix arrived in 2026 and changes recurring billing for SMEs: debit without card, fewer failures, and cleaner reconciliation. See what to do.

AI Growth Lab: the UK's Bet on AI and Chips

AI Growth Lab: the UK's Bet on AI and Chips

The UK has launched the AI Growth Lab, a sandbox for testing AI with flexible rules, and £1.1 billion in chips. See the model and the opportunity.

Lloyds Bank Outage: The Digital Resilience Lesson

Lloyds Bank Outage: The Digital Resilience Lesson

The Lloyds Bank outage knocked 26 million customers offline and exposed failures every software company should avoid. See what to learn.