Federal AI Executive Order vs State Patchwork: NC SMB Playbook

Trump Dec 2025 AI executive order vs state AI laws (Colorado, Texas). NC small business AI compliance navigation plan for 2026. Call (336) 886-3282.


TL;DR: On December 11, 2025, President Trump signed an executive order titled "Eliminating State Law Obstruction of National Artificial Intelligence Policy", directing federal agencies to evaluate whether uniform federal standards should replace or supersede the differing state AI requirements that have proliferated since 2024. This followed a January 23, 2025 executive order "Removing Barriers to American Leadership in Artificial Intelligence" that revoked the prior administration's AI safety framework. The practical effect for NC small businesses is uncertainty: federal preemption is signaled but not enacted, while state laws continue to take effect (Colorado SB 26-189 rewriting Colorado's AI Act for January 1, 2027; Texas Responsible AI Act; pending bills in over a dozen other states). The defensible posture for NC SMBs is to build a baseline AI governance program that satisfies the strictest applicable state regime - which can then be relaxed if federal preemption ultimately arrives.

Key takeaway: Federal AI policy in 2026 is moving toward deregulation and uniform federal standards. State AI policy is moving toward consumer protection and risk-based regulation. NC small businesses operate in both worlds. The right posture is a baseline AI governance program that meets the strictest state regime where you have customers or employees - not a wait-and-see approach that leaves you flat-footed when a state AG inquiry arrives.

Need an AI governance baseline for your NC small business? Preferred Data Corporation has provided managed IT, cybersecurity, and AI transformation services to North Carolina small businesses since 1987. Call (336) 886-3282 or request an AI compliance review. Serving the Piedmont Triad, Charlotte, and Raleigh metros.

What did the December 2025 federal AI executive order actually do?

Per the White House text of the order and analysis from Gunderson Dettmer, Jimerson Firm, and the Kiteworks AI regulation overview, the December 11, 2025 executive order:

  1. Directs federal agencies to evaluate whether uniform federal AI standards should replace or supersede state requirements that are seen as obstructing "national AI policy"
  2. Asserts a preemption interest but does not by itself preempt any state law - that would require either congressional action or specific federal regulations with preemptive effect
  3. Pairs with the January 2025 EO that revoked the prior administration's AI safety framework. The Software Improvement Group analysis of 2026 US AI legislation confirms that no comprehensive federal AI law has yet been enacted

The practical effect: federal policy direction is clear (less regulation, federal preemption desired), but state laws remain in force until they are explicitly preempted by federal action.

What state AI laws actually affect NC small businesses in 2026?

NC small businesses with customers or employees in other states must navigate the strictest applicable state regime. The headline state laws as of May 2026:

| State | Law | Status | NC SMB applicability |
|---|---|---|---|
| Colorado | SB 26-189 (rewrites original SB 24-205) | Signed May 14, 2026; effective January 1, 2027 | Triggered if any Colorado consumer interacts with your "automated decision-making technology" |
| Texas | Texas Responsible AI Governance Act (TRAIGA) | Signed June 2025; effective January 1, 2026 | Triggered for businesses interacting with Texas consumers via AI |
| Utah | Artificial Intelligence Policy Act | Effective May 1, 2024 | Triggered for businesses serving Utah consumers |
| Illinois | Various AI hiring and biometric laws | In effect | Triggered for businesses with Illinois employees |
| New York | New York City Local Law 144 (automated employment decision tools) | In effect | Triggered for businesses hiring in NYC |
| California | Multiple bills including SB 53, AB 2013, AB 1008 | Various 2025-2026 effective dates | Triggered for businesses with California consumers/employees |

Per Pathopt's plain-English AI compliance checklist, NC small businesses with Colorado customers, Texas customers, or remote employees in those states are within scope of the corresponding state's AI regime regardless of where the business itself is located.

What is the practical AI compliance baseline for NC small businesses?

A defensible 90-day AI governance baseline for an NC SMB that uses AI tools internally (Microsoft Copilot, ChatGPT Business, AI-augmented CRM, automated decision-making in hiring or credit decisions):

| Days | Action | Owner |
|---|---|---|
| 1-15 | AI inventory: enumerate every AI tool, model, and agent in use across the business | IT + ops + managed AI partner |
| 15-30 | Use-case classification: tag each AI use case by risk tier (high-risk = consequential decisions, low-risk = productivity) | Legal + IT |
| 30-45 | Data governance: document training data sources, customer data inputs, data residency | IT + managed partner |
| 45-60 | Consumer-facing disclosure: identify any AI interactions with consumers; draft transparency notices | Legal + marketing |
| 60-75 | Access controls: implement least-privilege for AI agent identities; document approvals for high-risk actions | IT + managed partner |
| 75-85 | Risk assessment and policy: document AI policy with employee training; map to applicable state laws | Legal + HR + managed partner |
| 85-90 | Tabletop exercise: simulate a state-AG AI compliance inquiry and an AI-incident response | Leadership + managed partner |

For an NC SMB without dedicated legal or compliance staff, a managed AI compliance partner can compress the timeline to 45-60 days with prebuilt policy templates and inventory tooling.


What does Colorado's SB 26-189 require for NC small businesses with Colorado customers?

Per the analysis from DBL Lawyers on AI compliance, OST agency's AI compliance guide for SMBs, and our prior coverage of Colorado SB 26-189, the rewritten Colorado AI Act:

  • Replaces the original "high-risk AI system" framework with a narrower regime focused on "automated decision-making technology" (ADMT)
  • Includes a 40-employee carve-out (small businesses below this threshold have reduced obligations)
  • Provides a 60-day right to cure violations before enforcement
  • Requires consumer-facing disclosures when ADMT is used in consequential decisions (employment, housing, credit, healthcare, education, insurance)
  • Takes effect January 1, 2027 (delayed from June 30, 2026 per the original law)
  • Enforced by the Colorado Attorney General with penalties up to $20,000 per violation

For NC small businesses with Colorado customers using AI in consequential decisions, the 18-month runway between May 2026 and January 2027 is the implementation window.

What does the Texas Responsible AI Governance Act require?

Per analysis from law firms covering the Texas Responsible AI Governance Act, the Texas regime focuses on:

  • Disclosure obligations for AI use in consumer interactions
  • Restrictions on government use of AI for biometric identification
  • Documentation requirements for AI developers and deployers
  • Texas Attorney General enforcement

NC small businesses with Texas customers or remote Texas employees may be in scope. The Texas law is generally narrower than Colorado's in private-sector scope but includes specific employment-related provisions.

What about the federal AI preemption question?

Per CyberAdviser's 2026 AI regulation outlook and Credo AI's regulatory update, the federal preemption posture in 2026 is:

  • The executive branch has signaled an interest in federal preemption
  • Congress has not yet passed comprehensive federal AI legislation
  • Federal agencies (FTC, EEOC, CFPB, HHS) continue to enforce existing laws (consumer protection, anti-discrimination, healthcare privacy) as they apply to AI
  • A federal regulation with preemptive effect would still need to go through notice-and-comment rulemaking

For NC small businesses, this means:

  1. State laws remain enforceable until specifically preempted
  2. Federal sector-specific regulators (FTC, EEOC) continue to enforce against AI misuse
  3. Wait-and-see is risky - state AGs are actively investigating AI use cases

The defensible posture is to build the governance program now, calibrate to the strictest applicable state regime, and relax if and when federal preemption arrives.

How does this connect to existing NC SMB compliance frameworks?

NC small businesses already navigating compliance frameworks should map AI obligations onto existing controls:

  • CMMC 2.0 / NIST 800-171: AI tools that process CUI need to be enumerated and the data flows documented
  • HIPAA: AI tools that process PHI (e.g., AI scribes, AI billing systems) require business associate agreements and security controls
  • SOC 2 Type II: AI use cases that affect customer data or service delivery need to be documented in the trust services criteria
  • PCI DSS: AI tools that interact with payment card data have CDE-scope implications
  • GDPR / state privacy laws: Automated decision-making against EU or California residents triggers Article 22 / CCPA equivalents

For an NC manufacturer already pursuing CMMC, the AI governance program is largely an extension of existing data-flow documentation and access-control work.


How should NC small businesses think about AI vendor management?

Per DBL Lawyers' AI compliance analysis, AI vendor management is now a critical pillar of compliance:

  1. Vendor AI inventory: For every SaaS vendor your business uses, identify which products include AI components (this is increasingly all of them)
  2. Contractual provisions: Update Master Service Agreements with AI-specific clauses: training data restrictions ("our data is not used to train your models without consent"), output use rights, AI security attestation, breach notification on AI-related incidents
  3. Vendor risk tier mapping to AI: Tier-1 vendors (ERP, CRM, M365) get AI-specific due diligence; Tier-2 and below get baseline questionnaires
  4. Right to opt out: For consumer-facing AI features in vendor products, document opt-out mechanisms

The Black Kite 2026 Third-Party Breach Report and the Vercel OAuth supply chain breach both reinforce the broader vendor-risk discipline this work fits within.

How does Preferred Data Corporation help NC small businesses navigate AI policy?

We provide AI governance baselines specifically for NC SMB environments. We inventory AI tools across Microsoft 365, Google Workspace, line-of-business SaaS, and custom workflows. We classify use cases by risk tier and map them to applicable state regimes (Colorado, Texas, California, Illinois, NYC). We draft AI policy templates, employee training, and consumer-facing disclosures. We update vendor MSAs with AI-specific clauses. We integrate AI governance with existing CMMC, NIST 800-171, SOC 2, or HIPAA programs so the discipline is one framework instead of five. And we coordinate with legal counsel where state-specific advice is required - we do not practice law, but we make the engineering and operations work easier for the lawyers. Most NC SMBs do not need a Chief AI Officer; they need a partner who treats AI governance as a discrete operational discipline.

Frequently Asked Questions

Did the Trump December 2025 executive order preempt state AI laws?

No. The order directs federal agencies to evaluate uniform federal standards and asserts a preemption interest, but does not by itself preempt any state law. Federal preemption would require either congressional legislation or specific federal regulations with preemptive effect, and neither had occurred as of May 2026. State laws remain enforceable until explicitly preempted.

What state AI laws affect NC small businesses?

Most directly: Colorado SB 26-189 (effective January 1, 2027, with consumer disclosures and automated decision-making rules), the Texas Responsible AI Governance Act (effective January 1, 2026), and the Utah Artificial Intelligence Policy Act (effective May 2024). Indirectly, via remote employees or customers: Illinois AI hiring and biometric laws, New York City Local Law 144, and California's various AI bills. NC itself has no comprehensive AI law as of May 2026.

Does the 40-employee Colorado carve-out exempt most NC small businesses?

Partially. The carve-out reduces obligations for businesses under 40 employees that meet other criteria, but does not exempt them from all AI law provisions. NC small businesses with Colorado customers using AI in consequential decisions should treat the carve-out as a reduction in burden, not an exemption.

How much does AI compliance cost for an NC small business?

A defensible 90-day AI governance baseline typically runs $8,000-$25,000 in first-year implementation cost for a 25-200 employee NC SMB (inventory, classification, policy drafting, vendor contract updates, training) plus $500-$2,500 per month for ongoing AI risk monitoring and managed AI compliance support. Larger or more AI-intensive businesses scale up from there.

What if a state AG sends an AI compliance inquiry?

Document everything: AI inventory, use-case classification, policies, training records, vendor contracts, consumer disclosures, and complaint logs. Respond within the stated timeline. Engage legal counsel familiar with the specific state's AI law. The 60-day right-to-cure provision in Colorado's SB 26-189 means rapid response can convert a potential violation into a corrected practice.

Do I need separate AI policies for each state?

Not necessarily. The most efficient approach is a single AI governance program calibrated to the strictest applicable state regime, with state-specific disclosures and procedures layered on top. For most NC SMBs, the Colorado regime (consumer disclosures, ADMT classification, opt-out mechanisms) sets the baseline; Texas and other states add specific requirements without requiring a separate framework.

Is AI insurance available for NC small businesses?

Increasingly yes. Cyber insurance carriers are adding AI-specific coverage and exclusions in 2026. Some standalone AI liability policies are emerging. NC SMBs should discuss AI use cases with their broker on the next renewal - in particular, AI use in consequential decisions (hiring, lending, healthcare) may require specific coverage endorsements.


About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request an AI compliance review.
