AI Compliance Templates

New York City · Effective July 5, 2023

If you hire in New York City and use any automated tool to screen or evaluate candidates, you need an annual bias audit and public summary of the results.

Texas · Effective July 1, 2024

The Texas Data Privacy and Security Act requires data protection assessments for targeted advertising, data sales, and profiling.

Texas · Effective January 1, 2026

Texas HB 149 — the Responsible AI Governance Act — took effect January 1, 2026 and applies to any business that develops or deploys AI systems in Texas.

Delaware · Effective January 1, 2025

Delaware has the lowest applicability threshold of any state privacy law — just 35,000 consumers.

Multi-State · Effective Available now

If you operate across multiple states and use customer data for profiling, targeting, or automated decisions, you probably need assessments for more than one state.

Multi-Jurisdiction · Effective Available now

If you hire in Illinois, New York City, and Colorado, you need AI disclosure documents for all three.

Virginia · Effective January 1, 2023

If your business processes personal data from Virginia consumers and uses it for targeted ads, profiling, or automated decisions, the VCDPA requires documented data protection assessments.

Connecticut · Effective July 1, 2023

Connecticut's privacy law has been in effect since 2023 and requires data protection assessments for profiling, targeted advertising, and sensitive data processing.

Oregon · Effective July 1, 2024

Oregon's Consumer Privacy Act requires data protection assessments for profiling that presents risk of harm to consumers.

Minnesota · Effective July 31, 2025

Minnesota's privacy law includes specific AI provisions — including algorithmic governance documentation requirements — that go beyond most other state privacy laws.

Federal · Effective Available now

Even without a new federal AI law, the EEOC enforces existing anti-discrimination law when AI is involved in hiring.

Federal · Effective Available now

The NIST AI Risk Management Framework is voluntary, but it's referenced in multiple state laws as a compliance benchmark — and Colorado's law gives you a legal defense if you follow a recognized framework like this one.

Federal · Effective Available now

An internal policy that tells your employees what they can and can't do with AI tools at work.

Federal · Effective Available now

Before you buy or renew an AI tool, you should know whether it can discriminate, what data it uses, and whether the vendor can provide the documentation your state law requires.

Federal · Effective Available now

A structured template for documenting whether your AI tools produce discriminatory outcomes.

Federal · Effective Available now

What do you do if your AI system makes a bad decision, produces discriminatory outcomes, or fails?

Universal · Effective Available now

When your managers need to explain to their teams that the company uses AI and what that means, these are the materials they need.

Universal · Effective Available now

Laws change.

Universal · Effective Available now

When your board or CEO asks 'where do we stand on AI compliance?

Universal · Effective Available now

Multiple states require you to tell consumers when AI is involved in decisions about them.

Universal · Effective Available now

Before you can write a data protection assessment, you need to know what personal data you collect, where it goes, and who you share it with.

Universal · Effective Available now

When a consumer asks to see their data, correct it, or delete it — you need a process for handling that request within the timeline the law requires.

Federal · Effective Available now (COPPA deadline April 22, 2026)

If you're a healthcare organization using AI — whether for clinical decisions, patient intake, diagnostics, or administration — you're navigating HIPAA, FDA guidance, and state requirements simultaneously.

Federal · Effective Available now (FINRA 2026 priority)

Financial services firms using AI face overlapping requirements from FINRA, the SEC, and the CFPB.

Federal · Effective COPPA amended rule in effect April 22, 2026

AI compliance documentation for K-12 school districts and EdTech companies.

Federal · Effective Available now

Comprehensive AI compliance bundle for HR departments and recruiting firms.

Federal · Effective Available now

The organizational framework that ties everything else together — who in your company is responsible for AI decisions, how new AI tools get approved, how risks are classified, and how compliance is maintained over time.

Federal · Effective Available now

You can't comply with any AI law if you don't know what AI you're using.

Federal · Effective Available now

A template for publicly disclosing what AI systems your organization uses and what safeguards are in place.

Federal · Effective Available now

An internal policy that protects employees who report concerns about your AI systems.

Federal · Effective Available now

If your customers use AI features in your product or service, this policy tells them what they can and can't do with it.

Indiana · Effective January 1, 2026

Indiana's Consumer Data Protection Act follows the same general framework as Virginia and Connecticut — data protection assessments for profiling, targeted advertising, and sensitive data.

Montana · Effective October 1, 2024

Montana's privacy law has some of the lowest applicability thresholds in the country.

Kentucky · Effective January 1, 2026

Kentucky's Consumer Data Protection Act requires data protection assessments for profiling and targeted advertising.

New Jersey · Effective January 15, 2025

New Jersey's Data Protection Act requires documented data protection assessments for profiling, targeted advertising, and sensitive data.

Universal · Effective Available now

A security audit checklist built for AI-generated code.

Illinois · Effective January 1, 2026

When Illinois employees receive your AI notice and have questions — or when you need to log each time AI is used in an employment decision — this kit gives you the forms.

Illinois · Effective January 1, 2026

Illinois HB3773 specifically prohibits using zip codes as a proxy for protected classes.

Colorado · Effective June 30, 2026

When a Colorado consumer receives an adverse AI decision and wants to appeal — or needs to correct their data — you need a documented process ready.

Colorado · Effective June 30, 2026

If you discover your high-risk AI system has caused algorithmic discrimination, Colorado law gives you 90 days to report it to the Attorney General.

Colorado · Effective June 30, 2026

Colorado's law requires AI developers to provide specific documentation to deployers — including model cards, dataset cards, and impact assessment artifacts.

California · Effective January 1, 2026

California's ADMT regulations require a specific Pre-Use Notice before automated decisionmaking is applied to consumers, plus a documented opt-out process.

California · Effective January 1, 2026

When California consumers exercise their right to know how ADMT was used in decisions about them, you need to explain the logic, key parameters, and output.

California · Effective January 1, 2026

California's CCPA regulations require annual cybersecurity audits covering 17 specific areas, plus risk assessments analyzing specific harm categories.

New York City · Effective July 5, 2023

NYC Local Law 144 requires an annual independent bias audit and public posting of results.

New York City · Effective July 5, 2023

NYC requires 10 business days advance notice before using an AEDT on candidates, plus information about an alternative selection process, and a 30-day data disclosure response.

Virginia · Effective January 1, 2023

Virginia's CDPA gives consumers 5 distinct rights with a 45-day response window and a formal appeal process.

Virginia · Effective January 1, 2023

Virginia requires data protection assessments specifically structured around statutory weighing factors — benefits vs.

Virginia · Effective January 1, 2023

Virginia's CDPA requires specific contractual terms between controllers and processors — confidentiality, data return/deletion, compliance demonstration, audit rights, and subcontractor flow-down.

European Union · Effective August 2, 2026 (Annex III deployer obligation — Art. 27)

Article 27(1) of the EU AI Act requires specific deployer categories to complete a Fundamental Rights Impact Assessment before first use of a high-risk AI system, covering 6 required elements.

European Union · Effective Annex III high-risk obligations effective August 2, 2026 (Prohibited AI in effect Feb 2025; GPAI in effect Aug 2025)

After deploying a high-risk AI system in the EU, you must monitor its operation and report serious incidents within 15 days.

European Union · Effective Annex III high-risk obligations effective August 2, 2026 (Prohibited AI in effect Feb 2025; GPAI in effect Aug 2025)

The EU AI Act requires designated human oversight with documented competence and authority, plus worker notification before deployment.

European Union · Effective Annex III high-risk obligations effective August 2, 2026 (Prohibited AI in effect Feb 2025; GPAI in effect Aug 2025)

Public authority deployers must register in the EU AI database, and all deployers must make transparency disclosures — including specific requirements for emotion recognition and deep fake systems.