In Eleven Days, You Become Liable for What Your AI Decides
- Sharon Gai
- 2 hours ago
Colorado's AI Act takes effect June 30, requiring companies to actively guard against AI making discriminatory decisions. It is not alone. A draft federal bill, a White House fight with the states, and an EU labeling mandate are all moving at once. The companies treating AI compliance as next year's problem are about to discover the regulators moved faster than they did.
Most executives I talk to have a vague sense that AI regulation is coming someday. Someday is a comfortable word. It lets you put the issue in a folder marked later and get back to deployment. The problem is that someday has a date now, and for a lot of companies that date is eleven days away.
On June 30, 2026, Colorado's AI Act takes effect, requiring companies to implement risk management programs, conduct impact assessments, and take active measures to prevent algorithmic discrimination in consequential decisions like hiring, lending, housing, and insurance. This is one of the first broad AI laws in the country to carry real obligations for the companies that deploy these systems, not just the ones that build them. And it is arriving while most enterprises are still focused on rolling AI out, not on being accountable for what it does.
I write and speak about AI for business leaders, and I want to be direct about the part that is easy to miss. This is not one law you can study and check off. It is the leading edge of a regulatory wave that is forming from several directions at the same time, and the companies that prepared for a single statute are about to find themselves surrounded.
This is not one law, it is a convergence
Look at what is moving right now. At the federal level, Representatives Jay Obernolte and Lori Trahan released a discussion draft of the Great American Artificial Intelligence Act in early June, proposing the first comprehensive federal framework for governing AI in the United States, with sections covering frontier AI governance, workforce, and cybersecurity. At the same time, the White House is pushing to centralize AI regulation at the federal level, and states are actively resisting, setting up a jurisdictional fight over who actually gets to make the rules.
Across the Atlantic, the European Commission is expected to deliver a new Code of Practice for marking and labeling AI-generated content by June 2026. And at the state level, Colorado is the one with a hard deadline this month, but it is far from alone. With federal legislation stalled, states have become the primary drivers of binding AI regulation, with multiple laws taking effect through 2026.
Put these together and the picture is not a single regulation you can comply with and forget. It is a thickening web of overlapping rules, federal and state and international, some in tension with each other, all landing in the same eighteen-month window. A company operating across multiple states and countries does not have one compliance problem. It has a patchwork, and the patchwork is the point.
The obligation that changes everything: you own the decision
Here is the conceptual change underneath all of this, and it is the part leaders need to absorb. Under laws like Colorado's, if an AI system makes a consequential decision about a person, your company is responsible for that decision and its effects, even when you cannot fully explain how the system reached it.
This breaks a comfortable assumption. Many executives have quietly treated AI as a kind of liability shield. The algorithm decided, not us. The model is a black box, so how could we be accountable for its specific outputs? That defense is closing. The new laws say the opposite: you deployed it, you benefit from it, you are answerable for it. The black box is not an excuse. It is an exposure.
Think about what that means in practice. If your hiring system uses AI to screen resumes and it systematically disadvantages a protected group, you are liable for that discrimination, regardless of whether you intended it or understood the mechanism. If your lending model prices loans in a way that produces a discriminatory pattern, the regulator does not care that the pattern emerged from training data you did not write. The decision carries your company's name, so it carries your company's liability.
And the layoff context makes this sharper. As I have written this week, companies are deploying AI into employment decisions at speed. Colorado's AI Act will require employers to guard against algorithmic discrimination in those very decisions. The same systems being used to cut and reshape the workforce are the systems now under regulatory scrutiny.
Why the black box defense fails
There is a particular trap I want leaders to see clearly. The more autonomous and opaque your AI systems become, the larger your liability grows, not the smaller. This is the opposite of what most people assume.
Analysts describe security and accountability exposure that grows with every autonomous agent a company deploys. Every agent you let act on its own is a decision-maker operating in your name, in domains the regulators are now watching. If you cannot explain why it did what it did, you have not reduced your risk by hiding behind complexity. You have increased it, because the law now asks you to demonstrate that you took active measures to prevent harm, and inability to explain your own system is evidence that you did not.
The companies that will struggle most are the ones that deployed AI fastest and documented it least. They have agents making consequential calls across hiring, pricing, and customer decisions, and no clear record of what those agents are doing or why. When the regulator comes asking for the impact assessment Colorado now requires, those companies will be assembling it from scratch under a deadline, which is the worst possible time to learn what your own systems have been doing.
Compliance is not a legal problem, it is an operations problem
The instinct in most companies is to hand AI regulation to the legal department and consider it managed. That instinct will fail, because this is not primarily a legal problem. It is an operations problem that has legal consequences.
You cannot comply with a rule about how your AI makes decisions if you do not know where your AI makes decisions. And most companies simply do not know. AI has spread organically through their operations, embedded in a hiring tool here, a pricing engine there, a customer service agent somewhere else, often adopted by individual teams without central tracking. The map does not exist.
That missing map is the real vulnerability. Colorado's requirement for impact assessments assumes you can identify every consequential decision your AI touches. The EU's labeling requirement assumes you know everywhere you generate content. These obligations are impossible to meet if you cannot first answer a basic question: where, exactly, does AI make or shape a decision about a real person in our business?
The patchwork is the burden, and it is permanent
The single fact that makes this hard is that there will be no one rule to comply with. A company operating in multiple states and countries faces a patchwork of overlapping and sometimes conflicting requirements, and that patchwork is not a temporary mess on the way to a clean federal standard. It may be the permanent condition.
Watch the structure of the fight. The White House is trying to centralize AI rulemaking at the federal level while states actively resist, and states have become the primary drivers of binding regulation precisely because federal legislation keeps stalling. Even the Great American AI Act is still a discussion draft, not a law, which means that for the foreseeable future the binding requirements are coming from individual states like Colorado, each on its own timeline, each with its own definitions. Add the EU's content-labeling regime on top, and a global company is now tracking obligations that do not line up with each other and were never designed to.
This has a practical consequence most leaders have not absorbed. You cannot solve AI compliance with a single policy document and a one-time legal review, because there is no single thing to comply with. You need an internal capability that can map your AI usage against a moving set of jurisdiction-specific rules and keep doing it as new ones land. That is an operating function, like tax or security, not a project with an end date. The companies that set this up as ongoing infrastructure will absorb each new law as a manageable update. The companies waiting for the rules to settle so they can comply once will be perpetually behind, because the rules are not going to settle.
The cost of that capability is real, but it is smaller than the cost of getting it wrong. A discrimination finding under a law like Colorado's does not just carry a penalty. It carries discovery, public exposure, and the kind of headline that makes every other regulator and plaintiff's attorney look harder at you. The price of building the function is a budget line. The price of skipping it is open-ended.
What to do in the next eleven days and beyond
Start with the map, because everything else depends on it. Make a list of every place AI currently touches a hiring, lending, pricing, insurance, or other consequential decision in your company. This is the single most useful artifact you can produce right now, and the uncomfortable truth is that most leaders cannot produce it today. That inability is your risk profile in miniature.
Once you have the map, prioritize by exposure. The decisions that affect people's employment, money, and access to services are where the laws bite hardest and where the deadlines are real. Colorado is live on June 30. Those are the systems that need an impact assessment first.
Then build the muscle, not just the document. The companies that handle this well will not treat it as a one-time compliance exercise. They will create an ongoing practice of knowing what their AI systems decide, being able to explain those decisions, and being able to show they took active steps to prevent harm. That practice is becoming a permanent cost of operating AI at scale, the same way financial controls are a permanent cost of handling money.
The leaders treating this as next year's problem are making a specific bet: that the regulators will be slower than the deployment. This week's news says they lost that bet. The rules are arriving on a schedule measured in days, and the obligation underneath them is permanent. So before this month ends, ask yourself the question most executives cannot currently answer: if a regulator asked you tomorrow to show every decision your AI makes about a person, and to prove you guarded against harm, could you? If the answer is no, that is not a legal gap. That is an operating gap, and the clock on it is already running.
Sharon Gai is an AI transformation strategist, keynote speaker, and author of How to Do More with Less Using AI. She advises Fortune 500 companies on AI adoption and organizational redesign.