March 20, 2026

Virginia has emerged as the day's most significant legislative actor, with two bills establishing independent AI verification organizations advancing in tandem. SB384 cleared the House on a unanimous 99-0 vote while HB797 passed 84-14 on a Senate substitute — together signaling that Virginia is moving with unusual legislative consensus toward codifying third-party AI auditing as a formal compliance mechanism. The near-simultaneous passage of companion measures through both chambers indicates the framework is on track for enrollment and gubernatorial action imminently. Practitioners should note that this model — credentialed external verifiers with defined legal standing — is also taking early shape in California (SB813) and Ohio (HB628), suggesting a convergent structural approach to AI oversight across multiple U.S. states that compliance teams will need to track as a category, not just jurisdiction-by-jurisdiction.

The AI governance footprint in health care is expanding on multiple fronts. Colorado's HB1139 has passed the House on second reading with amendments, extending the state's already active AI regulation posture into clinical and health care settings. More notably, Vermont's H0814 — covering neurological rights and AI use in health and human services — has cleared committee with a favorable recommendation. Vermont's approach is substantively distinct: it proposes codifying brain-derived data as a protected rights category, separate from existing biometric frameworks. If enacted, this would represent one of the first statutory recognitions of cognitive autonomy as an AI-specific privacy interest, with potential downstream implications for health AI developers operating across the Northeast. These two measures, read together, indicate that health care AI is becoming a discrete legislative priority rather than a subset of general algorithmic accountability efforts.

Transparency obligations for AI-generated content and training data are consolidating as a second major legislative theme. Washington State's HB1170 — requiring platforms to disclose AI-generated or AI-modified content to users — has reached the Governor's desk, placing a disclosure mandate one signature away from enactment. Simultaneously, New York's paired measures S06955 and A06578 (the Artificial Intelligence Training Data Transparency Act) have both advanced to third reading in their respective chambers, targeting supply-chain accountability by requiring public disclosure of training data provenance. These bills operate at different points in the AI content lifecycle — output disclosure in Washington, input disclosure in New York — and together trace the contours of a transparency regime that extends from data sourcing through to end-user interaction. Developers and operators serving either market should treat both layers as near-term compliance obligations rather than speculative policy.

At the federal level, the Center for Democracy and Technology's coalition challenge to the Treasury Department's System of Records Notice warrants close attention from privacy and government affairs teams. The opposition contends the SORN — which would consolidate personal information across nearly all Treasury-administered financial assistance programs — exceeds Privacy Act authority on scope, purpose limitation, and data minimization grounds. This challenge represents organized civil society resistance to a federal data consolidation posture that has broader implications beyond any single agency, and it echoes the structural concerns that have animated state-level data minimization statutes. Separately, CDT Europe's fifth installment analyzing GPAI obligations under the EU AI Act continues to develop the interpretive record around foundation model compliance — a useful reference for organizations working through the Act's enforcement timeline as GPAI provisions come into effect.

Several developments warrant a forward-looking note. Utah's HB0320 amending the Office of Artificial Intelligence Policy now awaits gubernatorial action, as does Washington's HB1170 — both decisions expected in the near term. Colorado's HB1263 on conversational AI operator requirements is in early committee stage but reflects a narrowing of legislative focus toward specific AI deployment modalities that may produce more durable, enforceable obligations than broad-framework bills. Washington's HB2157 — the high-risk AI systems bill — has been shelved in the Rules 'X' file for this session, but sponsors are expected to return with revised language; its failure this cycle is procedural rather than substantive. The pronounced stall of Utah SB0205 on law enforcement AI and Oregon HB4103 at session end reinforces an observable pattern: AI accountability measures targeting public-sector actors continue to face harder legislative paths than those focused on private-sector operators.