April 1, 2026

Today's briefing is heavily weighted toward US state-level developments; EU coverage is limited to one analytical item. The dominant story across 29 US events is the continued fragmentation of state AI governance into sector-specific and function-specific regimes — health care AI, companion AI, conversational AI, insurance automation, and AI auditing infrastructure are all advancing on parallel tracks across multiple states simultaneously. Legal and policy teams managing multi-state exposure should treat this as a structural compliance design problem, not a series of isolated legislative events.

Colorado's HB1139 passed a second reading with amendments, extending the state's AI oversight framework into health care settings and sitting alongside the previously enacted SB205. Colorado is developing one of the denser stacks of sector-specific AI law among US states; health systems, insurers, and AI vendors operating in Colorado should begin scoping obligations under both measures rather than waiting for final enactment. Separately, HB1263 — targeting operators of conversational AI services — has been assigned to the Business Affairs & Labor Committee, raising the question of whether Colorado intends to build a comprehensive operator-liability regime across AI modalities. Watch level: PREPARE (health AI developers, insurers, conversational AI operators in Colorado)

Oregon's SB1546, regulating AI companion applications, has been signed by the Speaker, placing it a step away from enactment. This is among the first state laws to directly address AI systems designed for social or emotional interaction — a category that spans consumer wellness apps, eldercare tools, and platforms used by minors. The practical question for operators is whether existing disclosure, data minimization, and vulnerability-protection frameworks are sufficient, or whether Oregon's enacted provisions require product-level changes. Compliance teams should obtain the enrolled text immediately. Watch level: ACT NOW (AI companion product operators, consumer app developers)

Virginia's SB384 and HB797 — both establishing frameworks for independent AI verification organizations — have now cleared the legislature with strong margins (99-0 and 84-14, respectively). Covered yesterday as passing by wide margins, today's reporting confirms the House agreed to the Senate substitute on HB797, suggesting both bills are now positioned for gubernatorial action. Virginia appears to be building a parallel infrastructure to California's SB813 (currently at first reading in the Assembly), which proposes similar verification bodies under a state AI Standards and Safety Commission. The convergence of Virginia and California activity on third-party AI auditing suggests this governance model is gaining legislative traction; organizations developing internal AI audit programs should monitor whether these frameworks define auditor qualifications or scope in ways that affect vendor selection. Watch level: PREPARE (AI developers and deployers subject to Virginia law, AI auditing firms)

Utah's HB0450 (data privacy amendments) has been enrolled and transmitted for gubernatorial action, and HB0320 (amendments to the state's Office of Artificial Intelligence Policy) has similarly been sent to the governor. Both measures are at final threshold. Utah has been among the most active subnational AI and privacy regulators; any amendments to the Consumer Privacy Act framework or the AI Policy Office's mandate warrant immediate review once signed. Vermont's H0814, establishing neurological rights protections and constraining AI in health and human services contexts, has cleared committee with a favorable recommendation — an early-stage signal, but one that warrants monitoring as cognitive liberty legislation remains rare at the state level and may foreshadow similar efforts elsewhere. Watch level: ACT NOW for HB0450 (Utah privacy compliance teams); MONITOR for H0814 (health AI developers, neurotechnology firms)

Two bills stalling deserve equal attention. Washington's HB2157 — which sought to regulate high-risk AI systems comprehensively — has been shelved in the House Rules 'X' file, effectively ending its prospects this session. Oregon's HB4103 similarly died in committee. These failures continue a pattern: broad horizontal AI governance bills struggle to advance, while narrow, sector-specific measures move more readily. The CDT's coalition challenge to the Treasury Department's SORN aggregating personal data across federal financial assistance recipients warrants monitoring by federal privacy practitioners; the objection frames the consolidation as exceeding Privacy Act authority, a legal theory that may resurface in litigation if Treasury proceeds.