Three things happened in rapid succession that changed AI compliance for every U.S. business:
On March 20, 2026, the White House released a National AI Legislative Framework — a comprehensive risk-tier system for classifying AI tools, registering high-risk deployments, and updating federal contractor rules. In August 2026, the EU AI Act moved into full high-risk enforcement, applying to any company with EU customers regardless of where it's headquartered. And Colorado's SB 205 — the first U.S. state law directly regulating consequential AI decisions — took effect on June 30, 2026, with a scope that reaches well beyond Colorado's borders.
No single guide has mapped all three frameworks across all 16 industries simultaneously. This is that guide.
The 3 Frameworks Every U.S. Business Needs to Know
1. White House National AI Legislative Framework (March 20, 2026)
The framework establishes a five-tier risk classification system — Tier 1 (minimal) through Tier 5 (critical). The classification burden falls on developers, but deployers share accountability. Misclassifying your tier is itself a violation.
Key mechanics:
- Tier 3+ systems must register with the newly established AI Safety and Innovation Office (ASIO), housed within the Department of Commerce. Civil penalties reach $5 million per violation for non-safe-harbor entities.
- Tier 4 systems (clinical AI, resume screening, performance management) require pre-deployment federal agency review.
- Tier 5 / Critical Infrastructure systems go through a separate national security track managed by CISA with classified requirements.
- Federal contractors face mandatory AI governance requirements via a FAR (Federal Acquisition Regulation) update effective Q3–Q4 2026 — the earliest hard enforcement deadline in the entire framework.
- Safe harbor: Voluntary compliance with NIST AI Risk Management Framework standards provides statutory protection from certain private litigation, with annual recertification required.
Status: Legislative framework released; ASIO becomes operational Q3 2026; full legislation realistically 2027, phased compliance through 2029.
2. EU AI Act
The EU AI Act classifies AI systems into four risk tiers and applies to any U.S. business whose AI affects EU residents — regardless of where the company is incorporated or headquartered.
Key mechanics:
- Banned systems: Social scoring, real-time public biometric surveillance.
- High-risk systems (hiring, credit decisions, healthcare, education, law enforcement): Require conformity assessments, technical documentation, human oversight implementation, and transparency notices to affected individuals.
- Penalties: Up to €35 million or 7% of global annual turnover for prohibited AI use; up to €15 million or 3% for high-risk non-compliance — whichever is higher.
- Full high-risk enforcement began August 2026.
If you use AI in hiring and you have a single EU-based applicant, you are covered.
3. Colorado SB 205
Colorado SB 205 — formally the Colorado Artificial Intelligence Act — is the first comprehensive U.S. state law regulating high-risk AI. It took effect June 30, 2026.
Key mechanics:
- Applies to any business deploying a "high-risk AI system" that substantially influences consequential decisions affecting Colorado residents: employment, housing, credit, education, healthcare.
- Both developers and deployers (businesses using third-party AI tools) are regulated. You don't have to build the AI to be liable.
- Required actions: Impact assessments, consumer notification when AI influences a decision, reasonable care documentation.
- Enforcement: Colorado Attorney General; violations constitute unfair trade practices.
The most common misconception: "We didn't build the AI, so we're not covered." Wrong. If you deploy it to make consequential decisions, SB 205 applies to you.
Industry-by-Industry Compliance Table
| Vertical | Primary AI Compliance Exposure | Required Actions | Timeline |
|---|---|---|---|
| Healthcare | Tier 4 (White House) — Clinical decision support and diagnostic AI; HIPAA + FDA oversight; EU MDR/IVDR if serving EU patients | Register Tier 4 systems with ASIO; clinical evidence documentation; human oversight protocols; NIST AI RMF or ISO 42001 alignment; Joint Commission readiness | ASIO operational Q3 2026; EU Act full enforcement Aug 2026 |
| Finance | Model inventory requirements; credit underwriting AI = high-risk (EU Act + SB 205); SEC AI disclosure for public companies; Basel III/SOX integration | Formal model inventory; independent validation artifacts; approved release processes; performance review cadence; SB 205 impact assessments for credit decisions | SB 205: June 30, 2026; EU Act: Aug 2026; FAR (federal): Q3–Q4 2026 |
| Construction | Federal contractors = FAR update Q3 2026; hiring AI = SB 205 high-risk; AI safety monitoring on job sites may qualify as high-risk under White House Tier 3–4 | Inventory all AI scheduling, bidding, and hiring tools; FAR compliance review if you hold federal contracts; SB 205 impact assessment if using AI in hiring | FAR: Q3–Q4 2026; SB 205: June 30, 2026 |
| Franchise | EU Act applies to any franchise with EU locations or EU job applicants; SB 205 applies to any U.S. franchise using AI in hiring decisions (headquarters and franchisees) | Audit AI hiring tools across all franchise locations; SB 205 impact assessments; EU Act conformity assessments for EU-market franchisees; system-wide transparency notices | SB 205: June 30, 2026; EU Act: Aug 2026 |
| Legal | AI-assisted legal work flagged as high-risk under EU Act (justice system category); attorney ethics rules add separate obligation layer | Human oversight required for all AI-assisted legal analysis; client disclosure protocols; bar association ethics guidance review; document AI tool inventory | EU Act: Aug 2026; bar guidance: varies by state |
| Real Estate | Lending and credit decisions = high-risk (EU Act + SB 205 + existing FCRA/ECOA obligations); AI in property valuation = Tier 3+ exposure | SB 205 impact assessment for AI credit/lending tools; EU Act conformity if serving EU buyers; ASIO registration for valuation AI at Tier 3+ | SB 205: June 30, 2026; EU Act: Aug 2026 |
| Immigration | AI in document review and visa/petition assessment = high-risk classification (affects consequential legal decisions); Tier 4 candidate under White House framework | Human oversight mandatory; document AI decision pathways; SB 205 applies if AI influences employment-based immigration decisions for Colorado residents | ASIO registration: Q3 2026 for Tier 3+; SB 205: June 30, 2026 |
| Supply Chain | AI in logistics routing generally lower-risk unless AI influences hiring or worker scheduling decisions (SB 205 trigger); federal contractor supply chains hit by FAR update | Separate operational AI (routing, inventory) from consequential decision AI (hiring, worker management); SB 205 assessment for workforce AI | FAR: Q3–Q4 2026; SB 205: June 30, 2026 |
| Energy | Critical infrastructure = highest tier under White House framework (Tier 5); separate CISA track with classified security requirements; NERC CIP constraints for grid AI | CISA engagement; NERC CIP cybersecurity perimeter compliance for all AI touching bulk electric systems; no self-classification — federal coordination required | ASIO/CISA track: Q3 2026; grid AI: ongoing NERC enforcement |
| Insurance | SB 205 carve-out if subject to state insurance commissioner AI guidance that meets specified criteria; EU Act applies to underwriting AI affecting EU policyholders | Confirm state commissioner AI rules meet SB 205 criteria for exemption; EU Act conformity for cross-border underwriting; document AI in pricing/claims | SB 205: June 30, 2026; EU Act: Aug 2026 |
| Government / Defense | CMMC, NIST 800-171, and White House framework overlap; federal AI procurement changes via FAR Q3 2026; law enforcement AI = EU Act high-risk | CMMC Level alignment; FAR compliance for AI procurement; EU Act high-risk conformity for any law enforcement AI with EU exposure | FAR: Q3–Q4 2026 |
| Coaching / Professional Development | Lower-risk category generally — AI in coaching does not directly make consequential decisions; EU Act limited-risk transparency rules apply if deploying chatbots to EU users | Chatbot disclosure if AI-powered coaching tools deployed to EU users; no SB 205 trigger absent consequential decisions; monitor as definition of "consequential" evolves | EU Act: Aug 2026 |
| Faith Organizations | Generally low-risk; donor/fundraising AI does not trigger high-risk classifications; exception: any AI used in employment decisions (staff hiring) activates SB 205 | No ASIO registration for pastoral or operations AI; SB 205 applies if AI used in staff hiring; document AI tool inventory as baseline governance | SB 205: June 30, 2026 |
| Technology / Software | Likely building or deploying Tier 3–4 systems; EU Act + White House dual compliance exposure; ASIO registration if building Tier 3+ products | Classify all products by White House tier; register Tier 3+ with ASIO; EU Act conformity assessments for any product touching high-risk categories; safe harbor via NIST | ASIO: Q3 2026; EU Act: Aug 2026 |
| Retail / E-Commerce | AI in credit/BNPL decisions = SB 205 + EU Act high-risk; AI product recommendations generally minimal-risk; EU Act limited-risk transparency rules for chatbots | Impact assessment for any AI influencing credit or financing; chatbot disclosure for EU customers; SB 205 compliance if hiring AI used | SB 205: June 30, 2026; EU Act: Aug 2026 |
| Manufacturing | Federal contractors: FAR update applies; hiring AI = SB 205; AI quality/safety systems monitoring workers may qualify as high-risk (influencing employment decisions) | FAR compliance if federal contracts exist; SB 205 assessment for hiring and workforce management AI; worker safety AI review against White House tier definitions | FAR: Q3–Q4 2026; SB 205: June 30, 2026 |
2026 Compliance Timeline: Key Dates
Q1 2026 (January–March)
- White House National AI Legislative Framework released: March 20, 2026
- Colorado SB 205 original target enforcement date (subsequently delayed)
Q2 2026 (April–June)
- Congressional hearings on White House framework begin
- Colorado SB 205 enforcement: June 30, 2026
- NIST AI RMF standards development launches under ASIO preparation
Q3–Q4 2026 (July–December)
- ASIO becomes operational — Tier 3+ AI system registration opens
- FAR update effective — federal contractor AI governance mandatory
- EU AI Act full high-risk enforcement: August 2026
- NIST safe harbor certification process opens
2027–2029
- Earliest realistic full White House framework legislation enactment
- Phased compliance deadlines across Tier 1–5 systems
- Annual ASIO recertification cycles begin
What "High-Risk AI" Actually Means for Your Business
Every framework uses the phrase "high-risk AI." Here's the practical test:
Your AI tool is high-risk if it makes or substantially influences any of these decisions:
- Whether to hire, promote, discipline, or terminate someone
- Whether to extend credit, a loan, or insurance coverage
- A clinical diagnosis, treatment recommendation, or medication decision
- An educational assessment, admission, or grading outcome
- A housing or tenancy decision
If your answer is yes to any of the above, you are operating high-risk AI — regardless of whether you built it or simply subscribe to a SaaS product that runs it. The EU Act and Colorado SB 205 both explicitly regulate deployers, not just developers.
The second practical test: Do you have EU customers? If yes, the EU AI Act's high-risk provisions apply to your AI stack. There is no revenue threshold. A single EU job applicant processed through your AI ATS makes you a covered entity.
The third test: Are you a federal contractor? If yes, the FAR update hits you Q3–Q4 2026 — ahead of every other hard enforcement deadline in the White House framework.
First Steps: 5-Action Compliance Checklist
1. Inventory every AI tool your business uses — including third-party SaaS. You cannot comply with what you haven't mapped. Include scheduling tools, ATS platforms, credit decision engines, chatbots, and diagnostic aids. Flag every tool that influences a decision affecting a person's employment, credit, housing, healthcare, or education.
2. Identify which decisions each tool influences. For each tool on your inventory, write one sentence: "This tool influences [decision type] for [population affected]." That sentence tells you your compliance exposure. If the decision type appears on the high-risk list above, you have an active obligation.
3. Determine your tier under the White House framework. Tier 1–2: Monitor and document. Tier 3: ASIO registration required (Q3 2026). Tier 4: Pre-deployment review + annual bias audits + employee notification rights. Tier 5 (critical infrastructure): Federal coordination required now.
4. Review Colorado SB 205 if you use AI in hiring — even once, even through a vendor. The law covers any business deploying high-risk AI affecting Colorado residents. If your workforce includes Colorado-based employees or applicants, and your hiring process involves AI screening tools, you need an impact assessment and consumer notification process in place by June 30, 2026. The AG's enforcement authority is active on that date.
5. Check EU exposure if you have any European customers, users, or job applicants. Full EU Act high-risk enforcement launched August 2026. The conformity assessment process — documentation, human oversight protocols, transparency notices — takes 60–90 days minimum for organizations doing it for the first time. If you haven't started, start now.
The Cross-Vertical Bottom Line
Every business using AI for decisions that affect people is now a regulated entity. The era of "we just use the vendor's tool" as a shield is over — deployers are explicitly covered under every major framework active in 2026.
The good news: the compliance path is the same regardless of vertical. Inventory → classify → document → register (where required) → build oversight. Most businesses can complete the core steps in one quarter without outside legal counsel.
The window to get ahead of enforcement is narrow. The White House framework is new. ASIO isn't fully operational yet. The AG's office in Colorado has just started enforcing. Companies that build their AI governance documentation now are building it before enforcement cases create case law that narrows their options.
This article covers all 16 Stack Network verticals: Healthcare, Finance, Construction, Franchise, Legal, Real Estate, Immigration, Supply Chain, Energy, Insurance, Government/Defense, Coaching, Faith Organizations, Technology/Software, Retail/E-Commerce, and Manufacturing.