March 25, 2026

TOP LINE

Virginia has sent two companion AI verification bills — SB384 and HB797 — to the Governor after passing the House by margins of 99-0 and 84-14 respectively. The bills create a formal licensing framework for independent AI verification organizations, making Virginia the first state to institutionalize third-party AI auditing infrastructure at this level of statutory specificity. Governance leads and AI developers operating in Virginia should treat gubernatorial action as the next material threshold.

KEY DEVELOPMENTS

Virginia's SB384 and HB797 both establish structured roles for independent organizations to verify AI system compliance and performance. The near-unanimous votes suggest strong bipartisan appetite for third-party accountability mechanisms, a pattern also visible in California's SB813 (currently held at the Assembly desk) and Ohio's newly introduced HB628, which proposes a licensing regime for AI risk mitigation firms. The practical question for AI developers is whether third-party audits will become a de facto compliance requirement in multiple states simultaneously — and whether audit standards will be harmonized or diverge by jurisdiction. Watch level: PREPARE (AI developers, enterprise AI deployers, legal and compliance teams)

Colorado's HB1139 governing AI use in health care passed its House Second Reading with amendments and now heads to the Senate, while Vermont's H0814 on neurological rights cleared committee with a favorable-with-amendment recommendation. Both bills reflect a distinct regulatory posture: high-stakes AI applications in health contexts warrant specific statutory constraints, not just general AI governance. Colorado has already established a pattern with SB205 on algorithmic discrimination, and HB1139 suggests the state is building a layered compliance framework for health AI. Developers and health care operators in both states should begin scoping the amended bill texts for emerging obligations. Watch level: PREPARE (health AI developers, clinical decision support operators, digital health legal teams)

Washington State's HB1170 — requiring disclosure when AI has developed or modified content — has been delivered to the Governor for signature or veto. This is the most procedurally advanced AI transparency mandate currently at the executive action stage in any U.S. state, and a signature would trigger immediate compliance planning obligations for AI content platforms. Separately, Washington's HB2157 on high-risk AI has been placed in the Rules 'X' file, effectively stalling for this session, while SB6284 on AI consumer protection is now before the Ways and Means Committee. Washington's legislative picture is mixed: transparency mandates are advancing while broader high-risk AI regulation has slowed. Watch level: ACT NOW if signed (AI content platforms, marketing technology operators, media and publishing counsel); MONITOR (enterprise AI deployers tracking broader Washington AI governance)

The CDT-led coalition challenge to the Treasury Department's SORN consolidating personal data across financial assistance programs represents a notable escalation in civil society resistance to federal data aggregation initiatives. The challenge invokes the Privacy Act's scope and statutory authority limits — arguments that, if pursued in litigation, could establish constraints on executive branch records management practices more broadly. Privacy counsel advising agencies or contractors interfacing with federal financial systems should review whether similar SORN structures are in their operational footprint. Watch level: MONITOR (federal contractors, financial services privacy counsel, government affairs teams)

New York's S06955 and A06578 — companion Senate and Assembly bills requiring generative AI training data disclosure — have both advanced to third reading. Dual-chamber advancement signals coordinated legislative intent, though New York's legislative calendar means enactment is not certain this session. If enacted, the Artificial Intelligence Training Data Transparency Act would impose web-based disclosure obligations on any developer offering generative AI models or services in New York, a broad jurisdictional hook given the state's market reach. AI developers without established training data documentation practices should treat this as a preparation signal regardless of final outcome. Watch level: PREPARE (generative AI developers, foundation model providers, AI product counsel)

FORWARD LOOK

Gubernatorial action on Washington's HB1170 and Virginia's SB384/HB797 represents the most time-sensitive procedural threshold in the current cycle — signatures on any of these would move compliance obligations from preparation to immediate action. Utah's HB0320 amending the Office of AI Policy and HB0450 amending the consumer privacy framework are also pending gubernatorial review; Utah's AI office modifications may signal updated regulatory priorities worth tracking. Colorado's HB1139 Senate trajectory and Oregon's enacted SB1546 on AI companion systems each warrant follow-on monitoring for implementing guidance or agency rulemaking timelines, neither of which has been publicly signaled yet.