
US AI Governance Regulations are Here, With More on the Way. Small to Midsize Business (SMB) Readiness Starts Now.


By Jonathan K. Hustis, Member, Fulton Jeang, PLLC, Dallas, Texas USA



The current AI landscape in the U.S., when viewed with common sense and our previous experiences with privacy regulation, indicates that yesterday was the time to start AI regulation readiness. The starting gun has gone off for small to midsize businesses (SMBs) to run and get ahead of these new regulatory risks. Regulation to protect businesses and consumers, however beneficial, creates business and compliance risks for SMBs that can be avoided or mitigated.

 

Key trends:

  1. AI is an avalanche. The speeds of AI system development, adoption and regulation are accelerating. The speed and impact of each on businesses, consumers, and regulators can fairly be said to be beyond the specific expectations of many or most small-to-midsize business (SMB) CEOs, IT departments, consumers and regulators, that is, beyond their expectations and beyond the scope of existing risk avoidance measures. See McKinsey’s mid-2024 analysis titled The State of AI in Early 2024.

  2. State legislators are moving to pass comprehensive legislation. Colorado passed a comprehensive AI regulatory governance statute in 2024. California's comprehensive attempt was vetoed by its governor in September. Texas legislators introduced in 2024 a comprehensive AI governance bill that is pending for action in 2025. Expect legislators in states like California, Illinois, New York, Washington, Georgia, Hawaii, New Jersey, Oklahoma, Utah and others not to want to be left behind.

  3. Noncomprehensive (targeted) state legislation is already being passed and proposed. Some states are already enacting subject-specific or industry-sectoral (i.e., not comprehensive) AI legislation. Many of these enactments are focused on nondiscrimination, prohibiting use of algorithms in AI that are unfairly biased or that might discriminate against protected groups. Fines are included for noncompliance.

  4. Internal federal guidelines are in place; federal regulations and legislation are being proposed. US government agencies have published an assortment of internal guidelines in 2023 and 2024 for AI development and implementation, as well as proposed regulations affecting businesses and consumers. Bills have been introduced in the US House and Senate.

  5. A varying, sectoral federal approach vs. a uniform, comprehensive approach will create complexity. No comprehensive federal regulation is publicly in the works. Keep in mind that US history in privacy regulation would indicate that no comprehensive federal regulation of AI may issue at all. This history of federal US privacy regulations on businesses shows a "sectoral" approach influenced by industry groups, consumer groups, etc., rather than a uniform, comprehensive approach for all US consumers and businesses. SMBs will need to be proficient in multiple states' AI regulations and multiple sectoral federal regulations where their businesses reach consumers in multiple states, where the business operations are spread among different states, or where their businesses involve AI in certain regulated industry segments, or affect protected groups of consumers.

  6. No state uniform models are mandated or being adopted nationally. State legislators, regulators, and other policy-makers are looking for regulatory models. Large industry and "think-tank" forums are discussing and proposing models, and there are some influential models such as the EU’s 2023 AI Act, but nothing is binding on any state. So, while there is national research and thinking occurring, the implementations are local and different in each state, forming a complex compliance matrix for SMBs trying to standardize their business practices nationally.

  7. Impact of EU AI Act as a possible model for frameworks and legislation. The European Union passed a comprehensive EU AI Act in 2023, which by default may be serving as an initial primary or influential model for US state regulators and thought leaders. An EU AI Act influence appears in the Colorado statute and the proposed Texas bill. But the devil for SMBs and their lawyers will be in the details of each state's departures from these models. It is hard to imagine that state legislators and their constituents will be (nor should they be) comfortable with blindly following EU business culture or practices. Continuous improvement and different regulatory cultures will drive diverse regulatory schemes in different states. This will increase SMBs’ risks of noncompliance with such a complicated web of diverse regulations.

  8. Possible secondary impact of EU's GDPR, and existing state privacy legislation. The phenomenon of AI regulatory impact is comparable to the rise of privacy protection and regulation over the past 27 years or so in the EU and the US. AI regulation is occurring at a faster rate of acceleration. Many states have passed privacy legislation in the past few years, and seem likely to pattern their AI regulation on frameworks and concepts borrowed from the EU's GDPR, implemented first in the 1990s, and which the EU has modified since then. The EU's experience in privacy protection regulations has strongly influenced the 2023 EU AI Act.

  9. CEOs and Boards of SMBs should institute policies, recurring education, diligence reviews and monitoring. As said above, this is a complex regulatory web. Multi-state and global SMBs need to adopt and monitor internal company policies regulating AI that actually achieve the goal of compliance in each jurisdiction. Map your own company’s matrix of internal regulations to target full compliance, in order to achieve at least a very high level of compliance. Monitor results periodically. Where results fall short, SMBs will need to show a significant, diligent, good faith effort to align and comply with each of the different applicable requirements and laws. Company operations should formulate their organizational changes, educational and training requirements, and implementation policies to meet these needs.

 

The topic requires more detailed and tailored guidance than can be included here. You should open up a discussion with your counsel as soon as possible, to assess what has occurred and what may be coming. Finding and developing a relationship with legal counsel who understands your particular business and who focuses on AI and privacy will be important.  Your general legal counsel is likely to seek that focus in his or her firm or through outside resources. For example, the law firm of Fulton Jeang PLLC provides such resources from an agile, efficient group that includes a mix of privacy, AI, and corporate compliance attorneys. Its tech-focused counsel can support your SMB’s AI risk assessment as an early step in compliance readiness.

 

 

Jonathan K. Hustis, the author, is a member of Fulton Jeang PLLC, whose legal practice includes technology company corporate governance, M&A, compliance, financing, contracts, and privacy law. He is admitted to practice in Texas and federal courts in the Northern District of Texas. Jon is also a Certified Information Privacy Professional/US.
