AI Regulation in the United States: The 2026 Map
Federal voluntary executive order vs. mandatory state laws: what changes for Brazilian companies selling in the US in 2026.
by Cleverson Gouvêa

AI regulation in the United States has moved from a distant agenda to an operational problem for those selling abroad. In June 2026, the federal government bet on voluntary rules while states created binding and divergent obligations. For a Brazilian company processing data from American users, this changes the game. I'll explain what happened and what to do with the information.
TL;DR
- On 06/02/2026, the White House issued the executive order "Promoting Advanced Artificial Intelligence Innovation and Security," focused on cybersecurity and voluntary frameworks for frontier models.
- States went in the opposite direction: they created binding obligations. California (SB 53) has been in effect since January 2026; Colorado (SB 26-189) takes effect on 01/01/2027.
- The result is a patchwork: "the US rule" does not exist — it depends on the state.
- Brazilian companies (SaaS, agency, e-commerce) that sell or process data in the US need to map obligations by state, not by country.
- Those who organize now turn compliance into a commercial differentiator, not a dead cost.
What the June 2026 Executive Order Actually Says
On June 2, 2026, the White House published the executive order titled Promoting Advanced Artificial Intelligence Innovation and Security. The stated goal is straightforward: advance US leadership in artificial intelligence while addressing the national security risks of increasingly capable systems.
The text works on two fronts. The first is defensive: strengthening the cybersecurity defenses of government and private industry in the face of so-called "advanced AI." The second is governance: developing voluntary benchmarking and review frameworks for the safe development and deployment of "frontier" models — those trained with massive computing power.
Notice the key word here: voluntary. The federal bet is on innovation first, with rules that companies adopt by adherence, not by imposition. There are no fines for non-compliance with benchmarks in this order. It is a directional signal, not a straitjacket.
For product developers, this seems like a relief. And it is — at the federal level. The problem appears when you look one level down, at the states.
The Paradox: Federal Voluntary, State Mandatory
The American system is federal. Each state legislates on a range of topics, and AI has entered that list. While Washington talks about voluntary adherence, state capitals write laws with effective dates, documentation duties, and penalties.
This is the central tension of 2026. On one side, the federal government does not want to hinder the technological race. On the other, states want to protect consumers and hold those using AI in sensitive decisions accountable. Both movements happen simultaneously and do not communicate with each other.
The practical effect is fragmentation — what lawyers call a "patchwork." A company operating in five states may face five different sets of rules, with different deadlines and different definitions of what constitutes a "high-risk AI system."
I've seen this movie before in data privacy, when each state started creating its own law after California. In AI, the script repeats — and faster.
California: SB 53 and Frontier Model Transparency
California, as usual, led the way. The Transparency in Frontier AI Act (SB 53) brings multiple obligations that took effect in January 2026.
The law targets developers of large frontier models. It is not about who uses a chatbot on a website — it is about who trains and deploys the largest models. For these actors, SB 53 requires three concrete things:
- Publish risk frameworks — document how the company assesses and mitigates model risks, publicly.
- Report security incidents — communicate failures and critical security events related to the system.
- Implement whistleblower protections — ensure channels and safeguards for employees who report internal risks.
Who Really Needs to Worry
If you are a Brazilian agency or SaaS consuming the API of a frontier model, the direct weight of SB 53 falls on the model provider, not on you. But there is a cascade effect: providers will pass documentation and transparency requirements contractually. It's worth reading the terms carefully. The logic is the same as I discussed in AI Agents: What Gemini Spark Changes for Companies — responsibility flows down the chain.
Colorado: From Umbrella to Scalpel (SB 26-189)
Colorado took a curious path. In May 2026, the state repealed and replaced its previous AI law with SB 26-189. A broad norm went out; a narrower, more surgical statute came in.
The new law regulates a specific target: automated decision-making technology (ADMT) that materially influences consequential decisions. Think credit, employment, housing, insurance — situations where an algorithm helps decide someone's life. The effective date is 01/01/2027.
The philosophical shift is the interesting point. The old version bet on risk management programs and impact assessments — lots of preventive bureaucracy. SB 26-189 replaces that with more tangible, consumer-centered duties:
- Prior notice to the consumer that a consequential decision uses ADMT.
- Explanation of adverse outcome within 30 days when the decision is unfavorable.
- Right to meaningful human review — a person, not just another algorithm, reanalyzing the case.
- Developer documentation duties for the technology.
For a Brazilian company selling HR software, scoring, or insurance underwriting in the US, this is the type of law that directly affects the product. "Explain adverse outcome within 30 days" is not a footnote clause — it is a UX flow, logging, and a support process.
Comparative Table: Federal vs. California vs. Colorado
I put the three layers side by side to make the patchwork visible:
| Layer | Nature | What it Requires | Primary Target | Effective Date |
|---|---|---|---|---|
| Federal (Executive Order 06/02/2026) | Voluntary | Benchmarking and review frameworks; cybersecurity reinforcement | Frontier models; government and industry | Immediate (non-binding) |
| California (SB 53) | Mandatory | Publish risk framework, report incidents, protect whistleblowers | Developers of large frontier models | January 2026 |
| Colorado (SB 26-189) | Mandatory | Prior notice, explanation of adverse outcome within 30 days, human review, documentation | ADMT in consequential decisions | 01/01/2027 |
The table is intentionally uncomfortable to read. Three jurisdictions, three natures, three deadlines. And these are just two states plus the federal level — there are dozens of state legislatures working on the topic.
Why "the US Rule" Doesn't Exist (and What It Costs)
The most common mistake I see in conversations with clients is asking "what is the US AI law?" The question has no single answer. There is a federal voluntary guideline and there are mandatory state laws that diverge from each other.
This has a cost. Each new state in your user base can mean:
- Reviewing notices and consent screens.
- Adjusting response deadlines (Colorado's 30 days, for example).
- Reorganizing technical documentation for auditing.
- Training support to handle human review requests.
Compliance costs grow non-linearly. It's not "one more country" — it's "one more legislature." Large companies absorb this with legal teams. Small and medium ones feel it more, because each requirement becomes engineering and process work.
It's worth remembering this doesn't happen in a vacuum. The technology job market is also being reshaped by AI — I wrote about the corporate side of this pressure in Atlassian in 2026: Layoffs, AI, and the Bet on Agents. Regulation and team restructuring go hand in hand.
What Changes for Brazilian Companies Selling in the US
I'll be concrete, because that's how I think when serving clients billing outside Brazil. Three profiles feel the impact differently.
SaaS
If your software makes or supports consequential decisions — credit, hiring, risk pricing — Colorado is your warning sign. Start designing the prior notice and adverse outcome explanation flow now. Building it before the 2027 effective date is cheap; building it in a rush later is expensive.
Agency
Agencies delivering automation and AI to American clients become intermediaries in the chain of responsibility. Your contracts need to clarify who documents what. A vague clause today becomes a dispute tomorrow.
E-commerce
E-commerce using AI for recommendation, fraud prevention, or dynamic pricing should map whether these decisions are "consequential" under state laws. Product recommendation rarely is; denying a transaction or adjusting price in a discriminatory way might be.
The common denominator is one: stop thinking of the "American market" as a single block. Think state by state, function by function. The platform updates I commented on in Google I/O 2026: What Changes for Brazilian Companies only increase this surface — more embedded AI means more points subject to state rules.
Practical Compliance Checklist
At Agathas Web, when I assess a client's regulatory exposure, I follow a lean roadmap. Adapt it to your case:
- Map where your users are. Not the country — the state. Geolocation and billing data already tell a lot.
- Classify your automated decisions. Which are just convenience and which materially influence someone's life?
- List your model providers. If you use a frontier model via API, read the terms under SB 53's lens.
- Implement an audit trail. Log which model decided what, when, and based on what. This serves almost every state law.
- Design the human review flow. A person must be able to reanalyze and reverse adverse decisions.
- Standardize consumer notices. Clear text stating that AI is involved in the decision, ready to be triggered by state.
- Review contracts. Distribute documentation responsibilities in the chain, in writing.
You don't need to do everything next week. You need to have the map and prioritize by what has the nearest deadline — in this case, the 2027 effective date in Colorado and what is already in effect in California.
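The audit-trail item in the checklist, combined with Colorado's 30-day explanation duty, as an added example (not code from this article or from Agathas Web): an append-only, hash-chained decision log that flags adverse decisions whose explanation is overdue. Function names, record fields, the sample data, and counting the 30 days from the decision timestamp are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
# Assumption: this table holds only what the article states for Colorado SB 26-189.
STATE_RULES = {"CO": {"explain_days": 30, "effective": datetime(2027, 1, 1, tzinfo=timezone.utc)}}

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_event(log, kind, decision_id, at, **fields):
    """Append-only record; each entry commits to the hash of the previous one."""
    body = {"kind": kind, "decision_id": decision_id, "at": at.isoformat(),
            "prev": log[-1]["hash"] if log else GENESIS, **fields}
    log.append({**body, "hash": _digest(body)})
    return log[-1]

def record_decision(log, decision_id, state, model, inputs, adverse, at):
    """Log which model decided what, when, on what (inputs kept as a digest only)."""
    rule = STATE_RULES.get(state)
    applies = adverse and rule and at >= rule["effective"]
    due = (at + timedelta(days=rule["explain_days"])).isoformat() if applies else None
    return append_event(log, "decision", decision_id, at, state=state, model=model,
                        inputs_sha256=_digest(inputs), adverse=adverse, explain_by=due)

def first_tampered(log):
    """Index of the first record whose hash or back-link fails, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def overdue_explanations(log, now):
    """Adverse decisions past explain_by with no 'explanation' event logged."""
    explained = {r["decision_id"] for r in log if r["kind"] == "explanation"}
    return [r["decision_id"] for r in log if r["kind"] == "decision"
            and r["explain_by"] and r["decision_id"] not in explained
            and datetime.fromisoformat(r["explain_by"]) < now]

def demo():  # constructed sample data, not real decisions
    t0, log = datetime(2027, 2, 1, tzinfo=timezone.utc), []
    record_decision(log, "d-1", "CO", "credit-model-v3", {"income": 4200}, True, t0)
    record_decision(log, "d-2", "CO", "credit-model-v3", {"income": 9100}, True, t0)
    append_event(log, "explanation", "d-2", t0 + timedelta(days=10), channel="email")
    return log, overdue_explanations(log, t0 + timedelta(days=31))
```

An unkeyed chain detects in-place edits and deletions; storing the latest hash outside the system that writes the log makes a full rewrite detectable as well.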
Conclusion: How to Prepare Without Stalling the Product
AI regulation in the United States in 2026 is a patchwork, and it will remain so for a while. The federal level points direction with voluntary rules; states impose concrete duties with real deadlines. Those selling there need to reason by state and function, not by country.
The good news is that well-done compliance doesn't stall the product — it becomes a sales argument. American corporate clients value a supplier that already has an audit trail, consumer notice, and human review in place. That is trust, and trust closes deals.
If you want to understand how this exposure applies to your specific product, that's exactly the kind of diagnosis I do daily. Start with the checklist above — and if you get stuck, talk to us. Mapping early costs little; chasing after the effective date costs a lot.