State AI Law Preemption After Trump's Executive Order: Why Compliance Just Got Harder, Not Easier

State AI Law Preemption After Trump's Executive Order: Why Compliance Just Got Harder, Not Easier

July 11, 202615 min readIndustry Trends

The 'Ensuring a National Policy Framework for Artificial Intelligence' order was supposed to simplify AI compliance by wiping out state law. Instead, Colorado's SB 189 and California's existing frameworks are still in force, litigation is pending, and GRC teams now need to track two regimes at once, not one.

Read the actual text of the December 11, 2025 executive order, and one sentence does the heavy lifting: it directs the Attorney General to establish an AI Litigation Task Force to "challenge State laws that unconstitutionally regulate interstate commerce." That is a directive to sue, not a declaration that state AI statutes are void. Colorado's SB 189 and California's automated decision-making rules are still in force today, still enforceable by their respective attorneys general, and still binding on any company deploying consequential AI systems in those states. State AI law preemption, as a legal fact rather than a headline, has not happened yet.

What Does the December 11, 2025 AI Executive Order Actually Preempt?

The order titled "Ensuring a National Policy Framework for Artificial Intelligence" preempts nothing on its own. It instructs federal agencies to identify state laws they consider obstacles to a uniform national AI policy, prepares the DOJ to litigate against those laws, and signals that certain federal funding streams may be conditioned on state cooperation. None of that is the same as a state statute becoming unenforceable the moment the order was signed.

The Text vs. the Press Coverage

Coverage in the days after the order ran headlines like "Trump Preempts State AI Laws" and "White House Moves to Kill State AI Regulation." Read against the operative text, those framings collapse a three-step process into one step. The order (1) directs agencies to catalog state laws for challenge, (2) stands up litigation infrastructure at DOJ, and (3) references potential FCC and FTC involvement in preemption arguments. Step three is the closest thing to an actual mechanism, and even that requires the FCC or FTC to issue a rule or take an enforcement action that a court later upholds as occupying the field. None of the three steps is self-executing preemption.

This gap between text and coverage matters for anyone building a compliance calendar. If your legal team read the headlines and concluded Colorado's high-risk AI obligations are now moot, you have a compliance gap, not a compliance win. SB 189 is still the operative law in Colorado as of this writing, with its own effective dates and enforcement posture, regardless of what the executive order says about future intentions.

What Preemption Can and Can't Do via Executive Order

Executive orders bind federal agencies. They tell the DOJ, the FTC, the FCC, and other executive branch bodies how to prioritize resources and where to focus enforcement or litigation. They do not bind state legislatures, they do not bind state courts, and they cannot themselves invalidate a state statute. Actual preemption in U.S. law happens through one of three channels:

  • A federal statute that expressly preempts state law in a given domain, passed by Congress and signed into law
  • A court ruling, typically under the Supremacy Clause or dormant Commerce Clause, finding that a specific state law conflicts with federal law or unduly burdens interstate commerce
  • Field occupation by a federal agency acting under statutory authority, similar to how the FCC has historically preempted certain state telecom regulations, again subject to judicial review

The executive order sets the DOJ up to pursue the second channel. That means a lawsuit, filed in federal court, naming a specific state law, arguing it burdens interstate commerce or conflicts with federal authority. That lawsuit then proceeds through the normal litigation timeline: district court, likely appeal, possibly certiorari. State AI law preemption via this route is a multi-year process with an uncertain outcome, not a switch that gets flipped by an order.

The distinction between "directs DOJ to sue states" and "state laws are void" is the single most consequential gap in how this order has been reported, and it is the gap every compliance team needs to internalize before adjusting its posture.

Why Did Colorado Replace Its Original AI Act With SB 189?

Colorado did not replace its AI Act because the concept failed. It reworked the law because the original version, SB 24-205, drew sustained business pushback over vague high-risk definitions and compliance burdens that fell on companies with limited AI-specific legal infrastructure. SB 189 is a legislative refinement of the same regulatory goal, not an abandonment of it, and that distinction matters enormously for how defensible the law is against a federal challenge.

From the Colorado AI Act to SB 189

SB 24-205 passed in 2024 with an effective date set out far enough in the future to allow implementation guidance and stakeholder input. Between passage and that effective date, business groups, including major tech employers with a footprint in Colorado, argued the definitions of "high-risk AI system" and "algorithmic discrimination" were broad enough to sweep in ordinary software features. The legislature responded by delaying the effective date more than once and eventually passing a substantially reworked bill, which became SB 189.

This is a normal legislative pattern. States pass a first-generation law, industry pushes back on ambiguous scope, the legislature narrows and clarifies rather than repealing. California's own privacy law went through comparable amendment cycles after the original CCPA passed in 2018, well before CPRA arrived to patch it. Colorado's AI regulation is following the same arc, just compressed into a shorter window because AI development is moving faster than the original bill anticipated.

What SB 189 Keeps, Drops, and Changes

SB 189 narrows the definition of "high-risk AI system" relative to the original bill, focusing enforcement more tightly on systems that make or are a substantial factor in consequential decisions, such as employment, lending, housing, healthcare, and legal services. It also adjusts the split of obligations between developers and deployers, shifting some documentation burden toward the party closer to the underlying model architecture rather than the party operating the system in a specific business context. Notice requirements to consumers and the structure of required impact assessments were also revised, generally toward more specific, checklist-style obligations rather than open-ended risk narratives.

What did not change is the underlying premise: that consequential automated decisions deserve documented human oversight, a disclosed basis for the decision, and a path for consumers to contest outcomes. Colorado did not decide AI regulation was a mistake. It decided the first draft was operationally unworkable and rewrote the mechanics while keeping the goal. That is a meaningfully harder target for a federal preemption argument than a state that refused to negotiate with industry at all, because Colorado can point to a public record of responsiveness to exactly the burden-on-commerce argument the DOJ is likely to raise.

How Does California's AI Regulatory Framework Compare to Colorado's?

California regulates AI through a collection of statutes and regulations layered on its existing privacy infrastructure, rather than through one omnibus AI act like Colorado's. Automated decision-making technology rules sit inside CCPA/CPRA regulations enforced by the California Privacy Protection Agency, generative AI training data transparency requirements exist as a separate statutory track, and sector-specific rules govern insurance and employment uses independently. The two states are regulating overlapping ground through structurally different legal architectures.

Overlapping but Non-Identical Obligations

Colorado built AI-specific statutory language: a defined "high-risk AI system," duties assigned explicitly to "developers" and "deployers," and enforcement housed with the state Attorney General. California instead extended its privacy regulator's authority to cover automated decision-making technology as an extension of existing data protection duties, added disclosure obligations for generative AI training data under a separate bill, and left sector regulators, such as the Department of Insurance, to write AI-specific rules within their existing jurisdiction. Neither state copied the other's approach, and neither statute maps cleanly onto the other's defined terms.

The enforcement mechanism difference is not cosmetic. California's CPPA enforcement draws on rulemaking authority and existing privacy enforcement precedent, meaning penalties and investigative processes follow a track record already tested through years of CCPA enforcement actions. Colorado's AG enforcement of SB 189 is comparatively new, with less precedent to draw on, but has the advantage of statutory language written specifically for AI harms rather than adapted from privacy law.

Dimension Colorado SB 189 California (CCPA/CPRA + sector rules) Federal EO preemption push
Legal form Single AI-specific statute Multi-statute, privacy-regulator extension Executive order plus anticipated DOJ litigation
Trigger definition "High-risk AI system" involved in consequential decisions Automated decision-making technology (ADMT) affecting significant decisions No single definition; targets state laws deemed to burden interstate commerce
Enforcement body Colorado Attorney General California Privacy Protection Agency and state AG DOJ AI Litigation Task Force, possible FCC/FTC referrals
Core obligation Impact assessments, consumer notice, developer/deployer duties ADMT opt-out rights, disclosure, training data transparency None yet codified; directs agencies to identify targets
Effective posture In force, amended once already In force, phased rulemaking ongoing Signed, litigation not yet resolved

Reading this table straight, the case for treating these as redundant regulations ripe for federal consolidation does not hold up. Colorado is testing an algorithmic accountability theory built around defined categories of high-risk systems. California is testing a consumer protection theory built around an existing privacy enforcement apparatus. A single federal standard that actually replaced both would need to absorb two different regulatory theories, and the executive order does not attempt that synthesis. It identifies targets for litigation; it does not draft a substitute framework.

What Is the Compliance Fork Enterprise AI Buyers Now Face?

Enterprise AI buyers face a binary choice right now: build to the strictest applicable state requirement today and treat any future federal preemption as a bonus, or wait for DOJ litigation to resolve before committing to compliance infrastructure. Nearly every GRC team advising on this decision is choosing the first path, because state enforcement does not pause during litigation absent a court-ordered injunction.

Betting on Litigation vs. Building to the Strictest Regime

Path A means building impact assessment workflows, developer/deployer documentation, and consumer notice mechanisms that satisfy Colorado's SB 189 and California's ADMT rules as they exist today, and updating that infrastructure if and when a court actually strikes a provision. Path B means holding off on state-specific compliance work, betting that DOJ litigation invalidates the relevant state statutes before an enforcement action or private right of action reaches your company. Path B is the riskier bet by a wide margin, because an executive order does not stay a state attorney general's enforcement authority. Only a court injunction does that, and injunctions require an actual filed case with a plaintiff demonstrating likelihood of success on the merits.

The realistic litigation timeline supports Path A. Constitutional challenges to state regulatory statutes, based on comparable precedent from state privacy law challenges under CCPA and similar consumer protection statutes, typically take somewhere in the range of a year and a half to three years to reach appellate resolution, accounting for district court proceedings, discovery, and at least one round of appeal. A company that waits for that resolution before building compliance infrastructure is choosing to operate out of compliance with an enforceable state law for the entire span of that litigation, on the hope that the litigation eventually favors deregulation.

None of this is new to companies that have already navigated CCPA, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act as three separately enforced regimes with overlapping but non-identical obligations. State AI law preemption is following the same operational shape as state privacy law fragmentation did: multiple statutes, multiple enforcement bodies, and a federal preemption argument that takes years to resolve in court while state enforcement continues in the meantime. Compliance teams that survived that fragmentation already have the muscle memory this fork requires. They are applying it to a new subject matter, not learning a new operating model.

Where Does the TAKE IT DOWN Act Fit Into This Fork?

The TAKE IT DOWN Act, a federal statute signed into law in 2025, sits entirely outside the state law preemption fight because it is a federal obligation layer added on top of state AI laws rather than a replacement for them. It requires covered platforms to implement notice-and-takedown processes for non-consensual intimate imagery, explicitly including AI-generated deepfakes, within a defined response window after receiving a valid request.

This is the clearest illustration available right now of what an actually converged federal-state AI framework would look like, and it looks nothing like the December 11 executive order. TAKE IT DOWN does not challenge Colorado's or California's authority to regulate AI-driven consequential decisions. It adds a distinct, narrowly scoped federal duty focused on a specific harm category, non-consensual intimate imagery, and leaves state AI statutes fully intact around it. A company operating in Colorado is subject to both SB 189's high-risk system obligations and TAKE IT DOWN's takedown SLA, simultaneously, with no conflict between them.

GRC tooling needs to track TAKE IT DOWN as its own independent compliance track rather than folding it into a generic "state AI law" bucket or assuming any federal AI executive action automatically supersedes it. The practical upside is that the infrastructure required for TAKE IT DOWN compliance, content provenance tracking, audit logging of takedown requests and response times, incident response documentation, overlaps heavily with infrastructure most companies are already building for state AI high-risk system compliance. A platform that has built audit logging to satisfy Colorado's impact assessment documentation requirements is most of the way to a defensible TAKE IT DOWN response process. The marginal build is a takedown SLA tracker and a request intake channel, not a parallel compliance stack from scratch.

What Should AI Compliance and GRC Tooling Actually Track Right Now?

Compliance tooling needs three layers of tracking running concurrently: per-state applicability flags for each deployment, live litigation status for every challenged state law, and model-level observability data that serves as compliance evidence rather than just engineering telemetry. A single "AI compliant: yes/no" flag cannot represent any of this accurately.

State-by-State Applicability Flags

Each AI deployment needs a structured record of which state-specific triggers it activates. Does this system meet Colorado's narrowed "high-risk AI system" definition under SB 189? Does it qualify as automated decision-making technology under California's ADMT rules? Are there sector-specific triggers, insurance underwriting, employment screening, healthcare intake, that pull in additional obligations regardless of the general AI statute? A boolean per state, per statute, per deployment is the right granularity. Anything coarser hides the actual compliance posture.

deployment_id: hiring_screener_v3
state: CO
statute: SB189
high_risk_flag: true
impact_assessment_status: completed_2025-11-02
next_review_due: 2026-05-02

deployment_id: hiring_screener_v3
state: CA
statute: ADMT_regs
admt_flag: true
opt_out_mechanism: implemented
last_audit: 2025-10-15

EO and Litigation Status Tracking

Every state law targeted by the DOJ AI Litigation Task Force needs a live status field: filed, injunction granted, injunction denied, appeal pending, resolved. Compliance posture should never assume an outcome that has not happened. A team that stops enforcing its own Colorado compliance program because a lawsuit was filed against SB 189, before any injunction issued, is exposing the company to enforcement risk based on a prediction rather than a legal fact.

Model and Pipeline Observability as Compliance Evidence

Pre-deployment red-teaming tooling like Promptfoo, scored 8.5/10 by the TopReviewed AI panel, can be configured to test specifically against state-defined high-risk use case criteria, not just generic safety benchmarks, giving legal teams an actual test artifact tied to a specific statutory definition. Production-time audit trails required under impact assessment rules are a natural fit for observability platforms like Honeycomb or Grafana, both scored 8.5/10 by the panel, which can capture the decision inputs and outputs a regulator would expect to see documented after a consequential-decision failure.

Model registries such as MLflow, also scored 8.5/10, already track lineage and versioning as a core function. Extending that metadata to record which state's regulatory definition a given model version was evaluated against, Colorado's high-risk criteria versus California's ADMT criteria, turns an engineering artifact into a legal one, and it is far cheaper to add that field now than to reconstruct it after an enforcement inquiry. Infrastructure-as-code tools like HashiCorp Terraform, scored 8.6/10, let teams encode data residency and processing-boundary rules as policy-as-code, which matters wherever state AI laws intersect with existing data localization requirements. And error tracking through Sentry, scored 8.3/10, stops being purely an engineering tool the moment a state statute requires documented incident response for high-risk AI system failures; a Sentry incident log, properly retained, is exactly the kind of evidence an impact assessment audit will ask for.

How Should Teams Build a Multi-Jurisdiction AI Compliance Stack Without Overbuilding?

Teams should classify use cases before selecting tooling, because most of the regulatory weight in both Colorado and California falls on a narrow slice of consequential-decision applications, not on general-purpose AI assistance. Sorting deployments into "consequential decision-making" versus "general assistance" up front prevents overbuilding compliance infrastructure for systems that were never going to trigger high-risk classification in the first place.

Avoid building a 50-state compliance matrix for laws that do not exist yet. Track the states with enacted or genuinely near-enacted frameworks, Colorado and California today, with Texas, Illinois, and New York worth watching closely as their own AI-specific bills move through committee. A speculative matrix covering every state legislature's draft bill wastes engineering time on requirements that may never take the form assumed and diverts attention from the compliance work that is actually due now under statutes already in force.

A lightweight internal registry does most of the practical work here. It does not need to be a purpose-built policy engine at first; a well-maintained spreadsheet mapping deployment to state of operation, applicable statute, current compliance status, and next review date covers the majority of use cases a mid-sized company will have. Treat any DOJ litigation outcome as a trigger for re-review of that registry, not as a reason to pause maintaining it. The registry's job is to reflect the law as it currently stands, and the law as it currently stands includes Colorado's SB 189 and California's ADMT rules in full force, regardless of what a federal court eventually decides about them.

Set your next registry review date for the moment any DOJ Litigation Task Force filing against Colorado or California produces a ruling, not for some fixed calendar interval. That single change, tying re-review to actual legal events instead of an arbitrary quarterly cycle, is the difference between a compliance program that tracks state AI law preemption accurately and one that guesses at it.

AI regulationstate AI law preemptionAI complianceGRC toolingColorado SB 189

More from the Blog

AI software insights, comparisons, and industry analysis from the TopReviewed team.