AI Compliance Documents — State AI Compliance Templates

If you hire in New York City and use any automated tool to screen or evaluate candidates, you need an annual bias audit and public summary o...

The Texas Data Privacy and Security Act requires data protection assessments for targeted advertising, data sales, and profiling. If your bu...

Delaware has the lowest applicability threshold of any state privacy law — just 35,000 consumers. If your business has any meaningful presen...

If you operate across multiple states and use customer data for profiling, targeting, or automated decisions, you probably need assessments ...

If you hire in Illinois, New York City, and Colorado, you need AI disclosure documents for all three. This bundle covers all three jurisdict...

If your business processes personal data from Virginia consumers and uses it for targeted ads, profiling, or automated decisions, the VCDPA ...

Connecticut's privacy law has been in effect since 2023 and requires data protection assessments for profiling, targeted advertising, and se...

Oregon's Consumer Privacy Act requires data protection assessments for profiling that presents risk of harm to consumers. If your business p...

Minnesota's privacy law includes specific AI provisions — including algorithmic governance documentation requirements — that go beyond most ...

If you're an Illinois employer using any software that helps screen, rank, or evaluate job candidates, this law applies to you. HB3773 (775 ...

California's new ADMT regulations require documented risk assessments starting January 1, 2026 and consumer-facing opt-out and notice requir...

Colorado's AI law takes effect June 30, 2026 and requires businesses using AI in consequential decisions — hiring, lending, insurance, housi...

The EU AI Act is the world's first comprehensive AI regulation. If you develop or deploy high-risk AI systems that touch EU markets, you nee...

Even without a new federal AI law, the EEOC enforces existing anti-discrimination law when AI is involved in hiring. If your AI tools produc...

The NIST AI Risk Management Framework is voluntary, but it's referenced in multiple state laws as a compliance benchmark — and Colorado's la...

An internal policy that tells your employees what they can and can't do with AI tools at work. Covers approved uses, prohibited uses, data h...

Before you buy or renew an AI tool, you should know whether it can discriminate, what data it uses, and whether the vendor can provide the d...

A structured template for documenting whether your AI tools produce discriminatory outcomes. Required annually for NYC employers under Local...

What do you do if your AI system makes a bad decision, produces discriminatory outcomes, or fails? This is a documented plan for how your or...

When your managers need to explain to their teams that the company uses AI and what that means, these are the materials they need. Talking p...

Laws change. Your AI tools change. Your compliance documents need to keep up. This is a structured annual review checklist that walks you th...

When your board or CEO asks 'where do we stand on AI compliance?' — this is the document you hand them. A one-page status report, a presenta...

Multiple states require you to tell consumers when AI is involved in decisions about them. This kit gives you the notices in every format — ...

Before you can write a data protection assessment, you need to know what personal data you collect, where it goes, and who you share it with...

When a consumer asks to see their data, correct it, or delete it — you need a process for handling that request within the timeline the law ...

If you're a healthcare organization using AI — whether for clinical decisions, patient intake, diagnostics, or administration — you're navig...

Financial services firms using AI face overlapping requirements from FINRA, the SEC, and the CFPB. This package covers AI supervision docume...

The organizational framework that ties everything else together — who in your company is responsible for AI decisions, how new AI tools get ...

You can't comply with any AI law if you don't know what AI you're using. This is step zero — a structured inventory of every AI system in yo...

A template for publicly disclosing what AI systems your organization uses and what safeguards are in place. Required by the EU AI Act and Co...

An internal policy that protects employees who report concerns about your AI systems. Required for frontier AI developers under California S...

If your customers use AI features in your product or service, this policy tells them what they can and can't do with it. Covers permitted us...

Indiana's Consumer Data Protection Act follows the same general framework as Virginia and Connecticut — data protection assessments for prof...

Montana's privacy law has some of the lowest applicability thresholds in the country. If your business processes personal data from Montana ...

Kentucky's Consumer Data Protection Act requires data protection assessments for profiling and targeted advertising. If you have Kentucky cu...

New Jersey's Data Protection Act requires documented data protection assessments for profiling, targeted advertising, and sensitive data. If...

When Illinois employees receive your AI notice and have questions — or when you need to log each time AI is used in an employment decision —...

Illinois HB3773 specifically prohibits using zip codes as a proxy for protected classes. This workbook walks you through auditing your AI hi...

When a Colorado consumer receives an adverse AI decision and wants to appeal — or needs to correct their data — you need a documented proces...

If you discover your high-risk AI system has caused algorithmic discrimination, Colorado law gives you 90 days to report it to the Attorney ...

Colorado's law requires AI developers to provide specific documentation to deployers — including model cards, dataset cards, and impact asse...

California's ADMT regulations require a specific Pre-Use Notice before automated decisionmaking is applied to consumers, plus a documented o...

When California consumers exercise their right to know how ADMT was used in decisions about them, you need to explain the logic, key paramet...

California's CCPA regulations require annual cybersecurity audits covering 17 specific areas, plus risk assessments analyzing specific harm ...

NYC Local Law 144 requires an annual independent bias audit and public posting of results. This kit gives you the auditor RFP template, resu...

NYC requires 10 business days advance notice before using an AEDT on candidates, plus information about an alternative selection process, an...

Virginia's CDPA gives consumers 5 distinct rights with a 45-day response window and a formal appeal process. When someone exercises a right,...

Virginia requires data protection assessments specifically structured around statutory weighing factors — benefits vs. risks, de-identified ...

Virginia's CDPA requires specific contractual terms between controllers and processors — confidentiality, data return/deletion, compliance d...

Article 27 of the EU AI Act requires deployers of certain high-risk AI systems to complete a Fundamental Rights Impact Assessment before fir...

After deploying a high-risk AI system in the EU, you must monitor its operation and report serious incidents within 15 days. This kit covers...

The EU AI Act requires designated human oversight with documented competence and authority, plus worker notification before deployment. This...

Public authority deployers must register in the EU AI database, and all deployers must make transparency disclosures — including specific re...