The U.S. has 1,200 AI bills and no good test for any of them

In an interview this week on Fox Business, IBM Chairman and CEO Arvind Krishna pressed Washington on the central question facing AI policy: “The balance between too many regulations, it’s terrible; too few, we may not love the outcome, so we got to find the Goldilocks middle.” Krishna extended his warning to the international landscape: “If it turns into a bloated bureaucracy, that would not be so good for us to win the AI race.”

The balance Krishna identifies extends well beyond federal policy. It runs downward into a state-by-state patchwork of legislation now reshaping how American companies build and deploy AI, and upward into a global contest where technological competitiveness underwrites both economic prominence and national security. No clear path forward has emerged at any level. In our conversations with CEOs and political leaders, that lack of clarity is the common refrain.

In the past nine months, the United States has produced more AI legislation than in the prior decade, and on three different theories of what AI policy is supposed to do. California’s SB 53 focuses on transparency from frontier developers. New York’s Responsible AI Safety and Education (RAISE) Act mandates stricter incident reporting and a new oversight office inside the Department of Financial Services. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) prohibits specific intentional misuses and establishes a 36-month regulatory sandbox. Connecticut joined two weeks ago, when both chambers passed Senate Bill 5 (SB5) by lopsided margins after years of failed attempts.

Meanwhile, federal policy has lurched in opposite directions. President Trump’s December 11 executive order directed the Department of Justice to challenge state AI laws and conditioned broadband funding on alignment with a “minimally burdensome” national standard. The 2026 National Defense Authorization Act (NDAA), signed the day before, excluded preemption language entirely. In April, Anthropic’s disclosure of Mythos Preview, a model withheld from public release due to its autonomous cyber capabilities, introduced a new category of risk into a federal conversation unprepared to absorb such capabilities. The scare has reportedly prompted the White House to consider an executive order establishing an FDA-like pre-release vetting system for advanced AI models—an idea proposed by the second author to the U.S. Senate in 2023.

All this unfolds against a sharper international backdrop. The EU is implementing the AI Act, and China is deploying frontier capability under state direction, while the line between commercial AI and national-security capability is collapsing—raising the cost of incoherent U.S. policy.

By one count, state legislatures introduced over 1,200 AI-related bills in 2025 and enacted just under 150, with the pace accelerating since. Beneath the volume lies a more fundamental problem. Policymakers at every level are working without a shared test to determine whether their legislative efforts constitute good policy.

Why the Current Debate is Stuck

Too often, the debate has been framed as a binary choice between sweeping regulation and unrestricted operation, as though there were no middle ground, and with too little attention given to how proposals might conflict with existing law. Both sides talk past each other because neither has a clear test for which specific regulation, aimed at which actor, addresses which gap, and at what cost to whom, is actually necessary.

At the state level, most bills attempt to regulate “AI” as a category even though many uses sit cleanly within existing consumer protection, civil rights, intellectual property, and data privacy law. Colorado and Utah passed omnibus statutes “with reservations” in 2024, attaching sunset clauses and delayed effective dates that signaled their drafters’ uncertainty, and both states are now visibly retreating.

Colorado passed a “repeal and reenact” maneuver in its final session weeks to roll back onerous audit mandates in favor of targeted transparency. Utah narrowed its disclosure rules, extended the sunset to 2027, and swapped additional omnibus attempts for nine surgical bills targeting chatbot medical advice, AI-generated defamation, and child protection. In Connecticut, a broad 2025 bill died in the House amid a gubernatorial veto threat, while the narrower Connecticut Artificial Intelligence Responsibility and Transparency Act (SB 5) passed in its place two weeks ago, replacing mandatory developer audits with consumer transparency measures.

Yet these narrower successors still impose new compliance burdens beyond those imposed by existing civil rights and consumer protection law. Across statehouses, the same pattern is recurring. Well-intentioned legislation that, read carefully, replicates existing protections at the cost of substantial new compliance burdens.

At the federal level, three live propositions each flop on different grounds. Broad state preemption, in the form of presidential executive authority and the failed congressional moratorium, trades real protection against demonstrable harms, such as deepfake-generated child sexual abuse material (CSAM), AI-driven election fraud, and automated hiring discrimination, for the illusion of federal uniformity. Mandatory frontier-model approval, as currently floated, is poorly targeted and creates an incumbent moat that locks in the largest developers; however, perhaps a better version could be........

© Fortune