TL;DR: Colorado's original AI Act, which would have taken effect June 30, 2026, was replaced weeks before that deadline by SB 26-189, delaying the new automated decision-making technology (ADMT) framework until January 1, 2027. Texas's Responsible AI Governance Act (TRAIGA) has been in effect since January 1, 2026 and imposes civil penalties from $10,000 to $200,000 per violation. The one framework that provides safe harbor across both Colorado and Texas is alignment with the NIST AI Risk Management Framework (AI RMF 1.0). For NC SMBs doing multi-state business (manufacturers shipping into Colorado, hiring platforms with Texas users, financial services with residents in either state), NIST-aligned governance is the least-cost, most-durable compliance path.
Key takeaway: Chasing individual state statutes is a losing game. The 2026 US AI regulation patchwork will only get denser. A single NIST AI RMF-aligned governance program, tuned to the NC SMB reality, satisfies Colorado, Texas, and the emerging federal enforcement pattern in one motion.
Is your NC business ready for the multi-state AI regulation reality? Contact Preferred Data Corporation for an AI governance readiness assessment. BBB A+ rated, serving NC since 1987. Call (336) 886-3282.
What Just Changed in Colorado and Texas AI Regulation?
Colorado's Governor signed SB 26-189 on May 14, 2026, replacing the original Colorado AI Act mere weeks before its June 30, 2026 effective date and delaying the new framework to January 1, 2027. Texas TRAIGA has been active since January 1, 2026 with tiered civil penalties. Both statutes converge on a similar substantive requirement — govern the use of AI in consequential decisions — and diverge on scope, definitions, and enforcement.
Colorado (SB 26-189, effective Jan 1, 2027):
- Regulates automated decision-making technology (ADMT) used in "consequential decisions" (employment, credit, housing, insurance, healthcare, education, essential government services).
- Repeals the original algorithmic discrimination / duty of care framework in favor of ADMT governance.
- Lighter-touch obligations for developers and deployers than the original statute.
- Enforcement by Colorado Attorney General.
Texas (TRAIGA, effective Jan 1, 2026):
- Focuses on government agency AI use but includes private-sector liability.
- Intent-based rather than impact-based liability for private-sector use.
- Tiered civil penalties: $10,000-$12,000 per curable violation; $80,000-$200,000 per uncurable violation.
- Enforcement by Texas Attorney General.
- NIST AI RMF alignment is an affirmative defense.
For NC SMBs, the practical impact is a Q3 / Q4 2026 window to build one NIST-aligned governance program that satisfies both statutes and the growing wave of state-level AI legislation coming in 2027 (New York, California, Illinois, Virginia all have active bills).
| Attribute | Colorado (SB 26-189) | Texas (TRAIGA) |
|---|---|---|
| Effective date | January 1, 2027 | January 1, 2026 (active) |
| Primary target | ADMT in consequential decisions | Government + intent-based private |
| Sector scope | Employment, credit, housing, insurance, healthcare, education, gov services | All sectors |
| Liability standard | ADMT-specific obligations | Intent-based |
| Civil penalties | Enforced by AG, in development | $10K-$200K per violation |
| Affirmative defense | Compliance with framework | NIST AI RMF alignment |
| Small business relief | Some ADMT thresholds | No explicit SMB carve-out |
What Is the NIST AI Risk Management Framework?
The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023 and refined through the Generative AI Profile in 2024, is a voluntary framework organized around four functions: Govern, Map, Measure, and Manage. It is not a compliance regime — it is a governance blueprint that both Colorado and Texas explicitly recognize as an acceptable risk-management approach.
The four AI RMF functions:
- Govern. Establish policies, accountability, and resources for AI governance. For an SMB, this looks like a written AI acceptable use policy, a designated AI risk owner, and board-level (or owner-level) visibility.
- Map. Inventory AI systems in use, characterize their context, and identify affected parties. This is the single most-often-skipped step. Most NC SMBs cannot list every AI system in use because employees have adopted ChatGPT, Claude, Copilot, and dozens of vertical tools without central oversight.
- Measure. Analyze AI risks quantitatively and qualitatively. Includes bias testing, robustness testing, and impact assessment.
- Manage. Prioritize and treat identified risks. Includes acceptable-use enforcement, vendor controls, and incident response.
For NC SMBs, mapping is the first-90-day priority. You cannot govern what you cannot list.
Key takeaway: The NIST AI RMF is not a certification. There is no auditor. There is no "certificate." The value is a defensible governance record — the same posture that turns FTC Safeguards or PCI DSS from a certification anxiety into a business-as-usual program.
What Should NC SMBs Do in the Next 90 Days?
The 90-day plan is deliberately modest. Most NC SMBs are starting from zero on AI governance and need a foundation, not a certification project.
Days 1-30: Inventory and policy.
- Send an all-hands survey: list every AI tool used for work (ChatGPT, Claude, Copilot, Gemini, Perplexity, industry-specific tools).
- Draft a written AI acceptable use policy. One page. Covers data handling (no PHI / PII / trade secrets into public LLMs), disclosure (customers know when AI is used in consequential decisions), and human review (AI outputs used in hiring, credit, insurance decisions require human sign-off).
- Designate an AI risk owner. For an SMB, this is typically the CTO, COO, or Qualified Individual (see the FTC Safeguards Rule post).
Days 31-60: Vendor oversight and technical controls.
- Add AI-specific questions to your standard vendor security questionnaire. Where does the vendor host models? What data is used for training? What audit logs are available?
- Deploy DLP controls to block sensitive data uploads to unsanctioned AI tools. Microsoft Purview, Google DLP, and third-party CASB tools cover the common cases.
- Enable audit logging for all sanctioned AI tools.
Days 61-90: Risk assessment and tabletop.
- Identify AI systems making or supporting "consequential decisions." For most NC SMBs this is a very short list — hiring, credit, insurance underwriting, admissions.
- Conduct a lightweight risk assessment for each consequential-decision system: what is the impact if the model is biased or wrong? Who is the affected party? What is the human review path?
- Tabletop an AI incident: what happens if a customer complains that an AI-driven decision was biased? Who investigates? Who communicates? Who authorizes changes?
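As an added illustration of the Map step in the plan above (discovering unsanctioned AI tools from logs the business already has), not part of the original post: this Python script parses constructed sample web-proxy lines, separates sanctioned from unsanctioned AI hosts using an assumed allow-list kept by the AI risk owner, and flags large POSTs to unsanctioned hosts as candidate data-upload events worth reviewing before the DLP and audit-logging work in days 31-60. The log format, the host lists and the 10,000-byte threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (not real data): timestamp user method host bytes_out
SAMPLE_LOG = """\
2026-07-01T09:12:03 alice POST chat.openai.com 48212
2026-07-01T09:15:44 bob GET copilot.microsoft.com 812
2026-07-01T09:20:10 carol POST claude.ai 120331
2026-07-01T09:31:55 alice POST api.example-ai-vendor.com 9120
2026-07-01T10:02:17 dave GET www.perplexity.ai 4410
2026-07-01T10:05:00 carol POST claude.ai 301
"""
# Tools the AI risk owner has sanctioned (assumed list for illustration).
SANCTIONED = {"copilot.microsoft.com"}
# Hosts treated as AI assistants (assumed; a real deployment would use a curated category feed).
AI_HOSTS = {"chat.openai.com", "claude.ai", "www.perplexity.ai", "gemini.google.com",
            "api.example-ai-vendor.com", "copilot.microsoft.com"}
# A POST at or above this size to an unsanctioned AI host is treated as a possible bulk upload.
UPLOAD_BYTES = 10_000

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

def parse_line(line):
    """Parse one proxy line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, size = m.groups()
    return {"ts": ts, "user": user, "method": method, "host": host, "bytes": int(size)}

def shadow_ai_inventory(log_text):
    """Per-host usage for AI tools not on the sanctioned list, with candidate upload events."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0, "possible_uploads": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in AI_HOSTS or rec["host"] in SANCTIONED:
            continue
        entry = inventory[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] == "POST" and rec["bytes"] >= UPLOAD_BYTES:
            entry["possible_uploads"].append((rec["ts"], rec["user"], rec["bytes"]))
    return {h: {"users": sorted(v["users"]), "requests": v["requests"],
                "possible_uploads": v["possible_uploads"]} for h, v in inventory.items()}

if __name__ == "__main__":
    for host, info in sorted(shadow_ai_inventory(SAMPLE_LOG).items()):
        print(host, info)
```

The resulting host list is the starting point for the all-hands survey reconciliation: any host seen here that nobody reported is a shadow AI tool to add to the inventory.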
Which NC SMBs Are Highest-Impact for AI Regulation?
Not all NC SMBs are equally exposed. The businesses that make or support "consequential decisions" using AI are the primary regulatory targets.
Highest-impact NC SMB categories:
- Hiring and staffing. Every AI resume screener, video-interview analytics tool, and assessment engine is squarely in scope. Colorado and Texas both classify employment as a consequential decision.
- Financial services. Loan underwriting, credit scoring, insurance underwriting, and claims triage. Also covered by FTC Safeguards Rule and CFPB Section 1071.
- Healthcare. Diagnostic support, prior authorization, and utilization management. Also HIPAA and state-specific health data laws.
- Real estate. Tenant screening and mortgage support tools.
- Education. Admissions, financial aid, and student assessment.
Lower-impact NC SMB categories using AI mostly for productivity (marketing copywriting, code assistance, meeting notes) have thinner regulatory exposure but still benefit from a written acceptable-use policy and vendor oversight.
Need an AI governance program for your NC business? Call Preferred Data Corporation at (336) 886-3282 or schedule a consultation.
How Does NIST AI RMF Alignment Provide Safe Harbor?
Safe harbor is not a magic word: it is a documented governance posture that shifts the burden in an enforcement action from "prove compliance" to "prove the program was inadequate." Regulators and courts consistently reward defendants who can produce a written program, evidence of execution, and a paper trail of corrective action.
How NIST alignment reduces enforcement risk:
- Texas TRAIGA. NIST AI RMF alignment is an affirmative defense. A defendant that can produce a Govern-Map-Measure-Manage program shifts the intent inquiry decisively.
- Colorado SB 26-189. The revised statute recognizes structured risk-management approaches. NIST alignment satisfies the substantive governance obligations.
- FTC UDAP. The FTC has repeatedly cited the NIST AI RMF in guidance. Alignment establishes the "reasonable care" standard.
- Future state statutes. New York, California, Illinois, and Virginia bills all reference NIST AI RMF as a benchmark.
For NC SMBs, this means the ROI on a single NIST-aligned program dwarfs the ROI on chasing individual state statutes. Build once, cite everywhere.
How Does Preferred Data Help NC SMBs Build AI Governance?
Preferred Data Corporation delivers AI governance advisory, vendor oversight, technical controls (DLP, audit logging, access controls), and vCISO / Qualified Individual services for NC SMBs across manufacturing, construction, healthcare, professional services, and financial services. Our 37+ years of experience with NC business, an average client retention of 20+ years, and on-site presence within 200 miles of High Point mean we build programs that live inside the operational reality of the business, not consulting deliverables that gather dust.
Our AI governance package includes NIST AI RMF-aligned policy, inventory, vendor questionnaire, DLP deployment, audit logging, quarterly risk review, and tabletop exercise — the operational shape that satisfies Colorado, Texas, and the coming 2027 wave of state statutes.
Frequently Asked Questions
Am I actually subject to Colorado or Texas AI law if I am based in North Carolina?
Yes, if you have customers, employees, or job applicants in those states. Both Colorado (upon its 2027 effective date) and Texas (currently) apply to businesses "doing business in the state," which case law has consistently defined broadly. Any NC SMB with a website that accepts orders, applications, or inquiries from those states is likely in scope.
What is the smallest AI governance program I need to run right now?
A one-page written AI acceptable use policy, a named AI risk owner, and a one-time inventory of AI tools used in the business. That is the minimum defensible posture. It takes a small MSP-supported project 30-60 days.
Is ChatGPT / Claude / Copilot use in my company subject to these laws?
Only if you use them to make or materially support "consequential decisions" as defined in the statutes (employment, credit, housing, insurance, healthcare, education, essential government services). Using ChatGPT to draft a marketing email is not in scope. Using ChatGPT to draft a rejection letter after screening resumes is very likely in scope.
What is the difference between the original Colorado AI Act and SB 26-189?
The original statute (SB 24-205) imposed a duty of care and algorithmic discrimination framework on developers and deployers. SB 26-189 repealed and replaced it with an ADMT-focused framework that is lighter on developers and more targeted at deployers in specific sectors. The effective date moved from June 30, 2026 to January 1, 2027.
How does TRAIGA differ from the EU AI Act?
TRAIGA is intent-based (private-sector liability tied to intent to discriminate or harm) rather than impact-based (the EU standard, under which liability attaches more automatically). NIST AI RMF alignment is an explicit affirmative defense under TRAIGA. The EU AI Act does not treat NIST alignment the same way.
What does an AI incident response plan actually look like?
A typical SMB AI IR plan is 3-5 pages. It defines what constitutes an AI incident (bias complaint, unauthorized data disclosure, model failure with consequential impact), who owns each phase (detection, investigation, corrective action, communication), and what documentation is required. It integrates with your existing cybersecurity IR plan rather than duplicating it. Call (336) 886-3282 to discuss your AI IR needs.