Three AI Enforcement Clocks Are Running. Here's What Happens When They Hit Zero.
In This Article
- 1.Three Jurisdictions. Three Clocks. Zero Extensions.
- 2.Texas TRAIGA - Clock Status: LIVE
- 3.Colorado SB 24-205 - Clock Status: 102 DAYS
- 4.EU AI Act - Clock Status: PHASING IN
- 5.The Compound Problem: Multi-Jurisdiction Exposure
- 6.What the First Enforcement Actions Will Look Like
- 7.The Clock Is Not a Metaphor
- Q.Frequently Asked Questions
Three Jurisdictions. Three Clocks. Zero Extensions.
As of March 20, 2026, there are three active AI enforcement timelines that apply to any company deploying AI systems in the United States or Europe. None of them are theoretical. None of them are waiting for you to be ready.
This post lays out exactly where each clock stands, what triggers enforcement, and what "ready" actually looks like - because the gap between "we're working on it" and "we can prove compliance" is where the fines live.
Texas TRAIGA - Clock Status: LIVE
Enforcement date: January 1, 2026 (79 days ago)
Penalty: Up to $200,000 per violation
Enforcer: Texas Attorney General
Defense: NIST AI RMF alignment (statutory affirmative defense)
Texas TRAIGA (HB 149) has been enforceable since New Year's Day. The AG does not need to prove harm - just that your system was designed with prohibited intent or that you failed to implement required risk management practices.
There are four deployer classifications under TRAIGA, each with specific obligations. The affirmative defense requires documented alignment with the NIST AI Risk Management Framework across all four functions: Govern, Map, Measure, and Manage.
What "ready" looks like: A complete NIST AI RMF mapping with evidence artifacts for each control, bias audit documentation, a 60-day cure response plan, and continuous monitoring. Not a policy document - a system that produces verifiable evidence on demand.
If you cannot produce this evidence today, you are operating without a defense in a state where enforcement is already live.
Colorado SB 24-205 - Clock Status: 102 DAYS
Enforcement date: June 30, 2026
Penalty: Up to $20,000 per violation (Colorado Consumer Protection Act)
Enforcer: Colorado Attorney General
Defense: Rebuttable presumption of compliance via NIST AI RMF or ISO 42001
Colorado's AI Act is the most comprehensive state-level AI regulation in the country. It applies to any business deploying high-risk AI systems that make or influence consequential decisions about Colorado consumers - employment, lending, insurance, healthcare, housing, education, and legal services.
The law requires six concrete deliverables:
- AI system registry with risk classifications
- Regular bias audits with documented methodology
- Consumer notice when AI influences decisions
- Human-in-the-loop oversight documentation
- Annual impact assessments
- 90-day AG notification for discrimination incidents
102 days is not enough time to build a compliance program from scratch. Organizations that started 90 days ago are still finishing their first audit cycle. If you haven't started, you are already behind the minimum viable timeline.
What "ready" looks like: A compliance system producing SHA-256 hashed evidence snapshots, chain-linked for tamper detection. Audience-specific evidence bundles ready for the AG, legal defense, internal audit, and procurement. Consumer notices published and delivery-tracked. Bias audits running on schedule with statistical methodology documented.
The first AG investigation after June 30 will not ask if you have a policy. It will ask for your evidence bundle. See the countdown.
EU AI Act - Clock Status: PHASING IN
Key enforcement dates:
- February 2, 2025: Prohibited AI practices ban (already in effect)
- August 2, 2025: General-purpose AI model obligations (already in effect)
- August 2, 2026: High-risk AI system requirements (Annex III) take full effect
Penalty: Up to 35 million EUR or 7% of global annual turnover (whichever is higher)
Enforcer: National market surveillance authorities + European AI Office
The EU AI Act uses a risk-classification model. If your AI system falls under Annex III high-risk categories - which includes employment, credit scoring, law enforcement, migration, and critical infrastructure - you face conformity assessments, data governance documentation, and post-market surveillance obligations.
For US companies operating in Europe or serving EU customers: the territorial scope applies to any AI system whose output is "used" in the EU. You do not need a European office to be subject to the regulation.
What "ready" looks like: EU risk categorization for each AI system, conformity assessment checklists (Art. 43), data governance records (Art. 10), technical documentation, and an incident reporting pipeline to national authorities (Art. 62). All mapped to the same NIST/ISO framework backbone that satisfies Colorado and Texas.
The Compound Problem: Multi-Jurisdiction Exposure
Most companies deploying AI do not operate in a single jurisdiction. A SaaS company with customers in Colorado, Texas, and Europe faces all three enforcement regimes simultaneously - with different models of liability:
| Jurisdiction | Model | Penalty | Status |
|---|---|---|---|
| Texas | Intent-based | $200,000/violation | LIVE |
| Colorado | Impact-based | $20,000/violation | 102 days |
| EU | Risk classification | 7% global revenue | Phasing in |
Three different regulatory philosophies. Three different evidence requirements. Three different enforcement bodies.
The only sustainable approach is a single governance architecture that produces jurisdiction-specific compliance artifacts from one evidence base. Build compliance once, generate evidence for each framework. Anything else means tripling your documentation burden - or gambling that enforcement won't overlap.
Utah, Illinois, and California are drafting their own AI legislation. The number of clocks is only going up.
What the First Enforcement Actions Will Look Like
Based on how state AGs have historically enforced consumer protection statutes, the first AI enforcement actions will likely follow this pattern:
- A high-profile AI bias incident makes news - hiring discrimination, lending disparities, or healthcare triage errors
- AG office issues a Civil Investigative Demand (CID) requesting all compliance documentation
- The company has 30 days to respond with their risk management policy, bias audit records, impact assessments, consumer notices, and incident response logs
- Companies with documented compliance programs produce their evidence bundle and demonstrate reasonable care
- Companies without documentation face penalties, consent decrees, and the reputational damage of being the test case
The first company to receive a CID after June 30 will either be the company that proves the compliance framework works - or the cautionary tale that proves enforcement is real.
Which one are you building toward?
The Clock Is Not a Metaphor
102 days until Colorado enforcement. Texas is already counting violations. The EU is phasing in the largest AI regulatory framework in history.
If you deploy AI systems that make consequential decisions about people - in hiring, lending, insurance, healthcare, housing, or legal services - you are operating under active or imminent enforcement.
The question is not whether you need to comply. The question is whether you can prove it when someone asks.
See the live countdown and start your free 14-day compliance trial.
Frequently Asked Questions
Which AI law is currently being enforced in the United States?
Texas TRAIGA (HB 149) has been enforceable since January 1, 2026. The Texas Attorney General can pursue penalties up to $200,000 per violation. Colorado SB 24-205 takes effect June 30, 2026. Both laws require documented risk management practices and provide affirmative defenses for organizations aligned with the NIST AI Risk Management Framework.
How many days until Colorado AI Act enforcement begins?
As of March 20, 2026, there are 102 days until Colorado SB 24-205 enforcement begins on June 30, 2026. Most organizations need 2-4 months to implement a complete compliance program, meaning the minimum viable timeline has already started.
Can one compliance system satisfy Colorado, Texas, and EU AI Act requirements?
Yes. All three jurisdictions recognize NIST AI RMF alignment - it is the statutory affirmative defense in Texas and triggers a rebuttable presumption of compliance in Colorado. A single governance architecture that produces jurisdiction-specific evidence artifacts from one compliance backbone is the most sustainable approach. CO-AIMS is built specifically for this multi-jurisdiction model.
What is the penalty for violating the Colorado AI Act?
Violations of Colorado SB 24-205 are enforced under the Colorado Consumer Protection Act with penalties up to $20,000 per violation. Each AI system and each incident can constitute a separate violation. The law also allows for injunctive relief and consent decrees.
What evidence do I need to prove AI compliance?
At minimum: a documented risk management policy mapped to NIST AI RMF or ISO 42001, regular bias audit records with methodology, consumer notice documentation with delivery records, impact assessments, incident response logs, and a chain-linked audit trail. The evidence must be producible on demand - a policy document without supporting artifacts is not sufficient for an affirmative defense.
Automate Your Colorado AI Compliance
CO-AIMS handles bias audits, impact assessments, consumer disclosures, and evidence bundles — so you can focus on your business.
AI Solutionist and founder of CO-AIMS. Building compliance infrastructure for Colorado's AI Act. Helping law firms, healthcare providers, and enterprises navigate SB 24-205 with automated governance.