Texas became the first US state with a binding, comprehensive AI statute on January 1, 2026, when the Texas Responsible Artificial Intelligence Governance Act took effect. Nine days later, on January 1, 2026, California's Transparency in Frontier Artificial Intelligence Act also became enforceable, requiring frontier model developers to file catastrophic risk assessments with the state's Office of Emergency Services every three months. Neither company operating nationally gets to pick one regime and ignore the other.
The federal government spent 2025 and 2026 trying to stop exactly this outcome, and failing. A proposed 10-year moratorium on state AI regulation was stripped from the One Big Beautiful Bill Act after the Senate voted 99 to 1 to remove it in July 2025. When that failed, President Trump signed Executive Order 14365 on December 11, 2025, creating an AI Litigation Task Force to challenge state AI laws directly in court and tying federal broadband funding to state deregulation. As of mid-2026, more than 145 state AI laws had been enacted across the country, out of over 1,200 bills introduced, and the federal push to preempt them had not yet produced a single successful court challenge.
North of the border, the calculus is different but no less consequential. Canada has no federal AI statute at all: the Artificial Intelligence and Data Act died on the order paper in January 2025 when Parliament was prorogued, and the government confirmed in 2025 it will not be revived in its original form. Compliance in Canada runs instead through privacy law, above all Quebec's Law 25, which already carries penalties up to CAD 25 million or 4% of worldwide turnover for automated decision-making violations.
Which regulators actually drive AI and data governance in North America?
In the United States, there is no single AI regulator. Enforcement is split between state attorneys general acting under new AI-specific statutes, the Federal Trade Commission using its existing unfairness and deception authority, and sector regulators layering AI rules onto banking, healthcare, and employment law. Since President Trump revoked the Biden-era Executive Order 14110 on January 23, 2025 through Executive Order 14179, there has been no binding federal AI framework, only the voluntary America's AI Action Plan released in July 2025 and a preemption campaign against state laws that has not yet succeeded.
In Canada, the picture is simpler on paper and harder in practice: no federal AI law exists, so obligations flow from the Personal Information Protection and Electronic Documents Act at the federal level and from provincial statutes, chiefly Quebec's Law 25, for anything touching personal data used in automated decisions. Federally regulated sectors add their own layer, including the Office of the Superintendent of Financial Institutions for banks and insurers. Tracking which regime actually binds a given AI deployment, state, federal, or provincial, is exactly the kind of cross-jurisdiction question Obsidian's regulatory monitoring is built to answer with sourced, dated citations instead of a general impression of "AI regulation."
What does Texas's TRAIGA actually require starting in 2026?
It prohibits intentional misuse rather than mandating risk assessments for every system. TRAIGA, effective January 1, 2026, bans AI developed or deployed with the intent to unlawfully discriminate, violate constitutional rights, or manipulate behavior in a way that causes harm. The Texas Attorney General holds exclusive enforcement authority and must issue written notice with a 60-day cure period before pursuing penalties. Violations that remain uncured after that window carry civil penalties of 10,000 to 12,000 dollars for curable violations, 80,000 to 200,000 dollars for uncurable ones, and 2,000 to 40,000 dollars per day for continuing violations. TRAIGA also preempts local AI ordinances statewide and creates a 36-month regulatory sandbox, but it gives individuals no private right of action, so every case runs through the Attorney General's office.
Did Colorado's AI Act actually take effect, and what replaced it?
No, and its replacement changes the compliance target entirely. The original Colorado AI Act, passed in 2024, was scheduled to take effect June 30, 2026 and would have imposed algorithmic discrimination duties and mandatory risk management programs on developers and deployers of "high-risk" AI systems. Governor Jared Polis instead signed SB 26-189 on May 14, 2026, repealing that law before it ever took effect and replacing it with a narrower statute regulating automated decision-making technology used in "consequential decisions." The new law drops the risk management and impact assessment obligations in favor of pre-use consumer notices, a right to a post-decision explanation, and meaningful human review. It takes effect January 1, 2027, the same day California's own CCPA regulations on automated decision-making technology become enforceable, meaning two of the country's most consequential AI-adjacent rules land on the same date.
Key North America AI and data governance dates, 2026 to 2027
| Date | Regime | What changes |
|---|---|---|
| January 1, 2026 | Texas TRAIGA | First comprehensive state AI law takes effect; Attorney General enforcement begins |
| January 1, 2026 | California SB 53 (TFAIA) | Frontier developers must publish AI safety frameworks and transparency reports; quarterly catastrophic risk reporting to Cal OES begins |
| December 11, 2025 | Executive Order 14365 | AI Litigation Task Force launched to challenge state AI laws in court |
| May 14, 2026 | Colorado SB 26-189 | Original Colorado AI Act repealed and replaced with narrower ADMT statute |
| January 1, 2027 | Colorado SB 26-189 / California CCPA ADMT rules | Both automated decision-making regimes become enforceable on the same date |
Is Washington actually able to override state AI laws?
Not yet, despite two attempts. The first, a proposed federal moratorium of 5 to 10 years on state and local AI regulation, was written into an early House version of the One Big Beautiful Bill Act in May 2025 and removed after the Senate voted 99 to 1 against it in July 2025. The second, Executive Order 14365, signed December 11, 2025, took a litigation route instead of a legislative one: it directs the Department of Justice to identify "onerous" state AI laws and challenge them in court, and directs federal agencies to condition broadband deployment funding on states not enforcing AI laws deemed excessive. Neither mechanism has produced a ruling striking down TRAIGA, SB 53, or Colorado's SB 26-189 as of mid-2026, which means compliance teams still need to plan around all three as live law, not as targets for eventual federal preemption. Obsidian's AI can be asked to pull the current enforcement status of any one of these statutes on demand, sourced directly from the tracked regulatory text rather than from commentary that may already be outdated by the next court filing.
Why does Canada still have no federal AI law, and what fills the gap?
Because its one serious attempt collapsed with the government that wrote it. The Artificial Intelligence and Data Act, bundled into Bill C-27 alongside a federal privacy modernization package, passed second reading in April 2023 but never reached a final vote before Parliament was prorogued in January 2025, killing the bill. Industry Minister Evan Solomon confirmed in 2025 that AIDA would not return in its original form, and the government's 2026 "AI for All" strategy explicitly chose a distributed governance model over a single AI statute, relying instead on existing privacy, human rights, and sector-specific law.
In practice, that means Quebec's Law 25 functions as Canada's closest thing to a binding AI compliance floor for any organization processing personal data there. Section 12.1 has required, since September 2023, that anyone rendering a decision based exclusively on automated processing inform the affected person, explain the decision on request, and allow them to have it reviewed by a person. The Commission d'acces a l'information du Quebec actively enforces this, with administrative monetary penalties reaching 10 million Canadian dollars or 2% of worldwide turnover, and penal fines reaching 25 million dollars or 4% of worldwide turnover, whichever is greater in each tier. Federally regulated entities add PIPEDA's consent and purpose-limitation rules on top, so a single automated hiring tool used across Quebec, Ontario, and federally regulated banking can trigger three separate compliance obligations from three different sources, none of which is labeled an "AI law."
What should a compliance team actually do with this patchwork?
Map every AI system against the states and provinces where it is actually deployed, not against a single national standard, because none exists on either side of the border. A hiring tool live in Texas, California, and Colorado alone needs to satisfy TRAIGA's intent-based prohibitions, SB 53's transparency obligations if it touches a frontier model, and, from January 1, 2027, Colorado and California's overlapping automated decision-making disclosure rules, three regimes with different triggers, different regulators, and different penalty structures. A Canadian deployment adds PIPEDA and, if Quebec residents are affected, Law 25's stricter disclosure and human-review requirements.
Obsidian tracks these tier-0 sources, state attorneys general offices, Cal OES, the Quebec CAI, and the federal executive orders reshaping the landscape around them, at the jurisdiction and framework level, with alerts when an effective date arrives or an enforcement posture shifts. See the plans built for AI-governance and data-protection teams tracking exactly this kind of multi-jurisdiction exposure, or connect Obsidian's MCP to your own tools so the answer to "which of our AI systems is exposed to TRAIGA" comes with a citation, not a guess.