Two documents released within eight days of each other in late March 2026 have set the stage for the most consequential regulatory collision in AI governance since the EU AI Act was first proposed.
On March 20, 2026, the Trump Administration published its National Policy Framework for Artificial Intelligence — a set of legislative recommendations to Congress that explicitly calls for preempting state AI laws that “impose undue burdens” on AI development, while preserving limited state authority to protect children, prevent fraud, and enforce laws of general applicability.
On March 27, 2026, New York Governor Kathy Hochul signed a chapter amendment finalizing the Responsible AI Safety and Education Act (RAISE Act) — New York’s law governing frontier AI models, which imposes transparency, incident reporting, and safety protocol requirements on the world’s largest AI developers. The law takes effect January 1, 2027.
These two actions are directly in tension. The White House framework is explicitly directed at restricting state authority to do what the RAISE Act does. The RAISE Act is New York asserting precisely the kind of governance the framework wants Congress to preclude.
For compliance professionals, the question is no longer “should we build an AI compliance program?” It is: “How do we build an AI compliance program that functions under regulatory uncertainty — and what happens to our investments if federal preemption materializes?”
What the RAISE Act Actually Requires
Governor Hochul signed the RAISE Act in December 2025, then signed a chapter amendment on March 27, 2026 that modified the original text in response to industry feedback and concerns she had raised about the bill’s breadth. The final version, effective January 1, 2027, is the operative framework.
Who Is Covered
The RAISE Act creates two tiers of covered entities:
Frontier Developers — any organization that has trained or initiated the training of a “Frontier Model,” defined as an AI model trained using greater than 10²⁶ computational operations (FLOPs). This covers the largest AI models currently in existence — the scale of GPT-4, Claude 3, Gemini Ultra, and their successors. All Frontier Developers must publish a transparency report before or at the time of deploying a new or substantially modified Frontier Model.
Large Frontier Developers — a subset of Frontier Developers with annual revenues exceeding $500 million and Frontier Models whose training compute costs exceeded $100 million. This tier faces enhanced obligations including incident reporting to the New York Department of Financial Services and quarterly catastrophic risk assessments.
The tiered structure means the law directly targets a small number of organizations — the major AI labs and technology companies that dominate frontier model development — while the transparency requirement applies to a somewhat broader group of organizations deploying large-scale models.
What Is Required
Transparency reports. All Frontier Developers must publish a transparency report for each new or substantially modified Frontier Model before or at deployment. Required disclosures include: the model’s website, a mechanism for contacting the developer, release date, supported languages and output modalities, intended uses, and applicable restrictions or conditions on use.
Incident reporting to DFS. Large Frontier Developers must report incidents to the New York Department of Financial Services within 72 hours of determining that an incident has occurred. The law defines “incident” in terms of events that could have significant adverse impacts on safety, security, or civil rights — a definition that will require regulatory interpretation but that tracks the general concept of AI safety incidents that major labs already report internally.
Quarterly catastrophic risk assessments. Large Frontier Developers must submit summaries of assessments of catastrophic risk from their frontier models every three months. “Catastrophic” in the RAISE Act context means large-scale harm — events affecting more than a million people, significant infrastructure disruption, or biosecurity-level risks.
DFS oversight. The final RAISE Act creates an oversight office within the Department of Financial Services to assess Large Frontier Developers, review their safety protocols, and enable transparency. DFS — New York’s financial services regulator — was chosen as the oversight body partly because of its experience with model risk management in the financial sector (SR 11-7 guidance has governed model governance in banks for over a decade) and partly because many of the largest AI developers have significant operations in New York.
Penalties. The Attorney General may bring civil actions for failure to submit required reporting or for making false statements. First violation: up to $1 million. Subsequent violations: up to $3 million.
What the White House Framework Proposes
The White House’s National Policy Framework for Artificial Intelligence, released March 20, is a legislative recommendation document — it does not have the force of law and requires Congressional action to implement. But it articulates the Trump Administration’s preferred regulatory architecture with enough specificity to serve as a reliable guide to what federal AI legislation would look like if the Administration’s preferred approach prevails.
The framework’s core tenets:
Federal preemption of state AI laws. The framework explicitly recommends that Congress preempt state AI laws that “impose undue burdens” on AI development. It would preserve state authority to enforce laws of general applicability — consumer protection, fraud, civil rights enforcement — and laws specifically protecting children. But state laws that impose model-specific compliance requirements — transparency reports, incident reporting, risk assessments — would be precluded.
No new AI regulatory body. The framework explicitly opposes creating a new federal agency to oversee AI. It calls for AI governance through existing regulatory agencies with subject-matter expertise: the FTC for consumer protection, the FDA for healthcare AI, banking regulators for financial AI, and so on. This is the sectoral model versus the horizontal model that the EU AI Act represents.
Industry-led standards. The framework favors voluntary standards and industry self-governance over prescriptive regulatory requirements. It cites NIST’s AI Risk Management Framework as the preferred model.
Against vague standards and open-ended liability. The framework specifically objects to state laws that impose liability on AI developers for harms caused by end users of their systems — a direct reference to state AI liability bills that have proliferated since 2024.
The companion legislation proposed by Senator Marsha Blackburn — the TRUMP AMERICA AI Act — would codify Executive Order 14365 (“Removing Barriers to American Leadership in Artificial Intelligence”), restrict state AI regulation, and preclude states from imposing requirements specifically on AI models or their developers beyond general-applicability laws.
The Compliance Planning Problem: Building Under Uncertainty
The direct collision between the RAISE Act trajectory and the White House preemption trajectory creates a genuine compliance planning challenge: organizations that begin building RAISE Act compliance programs in 2026 may be investing in regulatory frameworks that federal legislation renders moot by 2027.
Three scenarios are possible.
Scenario 1: Federal preemption passes and displaces state laws. Congress enacts the framework’s preferred approach. The RAISE Act, Colorado’s AI Act, and other state AI laws are preempted for model-specific requirements. A federal standard — likely lighter than current state laws — governs AI governance nationally. Companies that built to state standards have invested in frameworks that partially survive (to the extent they align with the federal baseline) and partially must be rebuilt.
Scenario 2: Federal preemption fails or stalls and state laws take effect. Congress does not act, or acts narrowly. The RAISE Act takes effect January 1, 2027. Colorado’s AI Act (SB 24-205) enforcement begins after June 30, 2026. Other state AI laws follow. Companies operating in New York and Colorado face enforceable compliance obligations. Companies that waited for federal clarity face compressed timelines.
Scenario 3: Federal legislation creates a floor, not a ceiling. Congress enacts a federal AI law that establishes minimum requirements while permitting states to impose additional requirements for their residents. This has been the pattern in some privacy law negotiations (GDPR’s floor-and-ceiling structure differs from the U.S. privacy law debate, but the conceptual model is familiar). In this scenario, both federal and state compliance programs are relevant.
The appropriate posture for compliance professionals is not to bet on one scenario but to build a program that creates value across all three.
The EU AI Act as the Stable Anchor
While the U.S. regulatory landscape remains contested, the EU AI Act provides a stable compliance anchor for organizations operating in EU markets or processing EU residents’ data.
The EU AI Act’s high-risk AI system requirements enter full enforcement on August 2, 2026 — less than four months away. High-risk AI systems include: biometric identification systems, critical infrastructure management AI, employment and HR AI, essential private service AI, law enforcement AI, migration and asylum AI, and administration of justice AI. Organizations deploying systems in these categories must have:
- Risk management systems documented and maintained throughout the system’s lifecycle
- Technical documentation demonstrating conformity with requirements
- Data governance practices for training, validation, and testing data
- Logging and record-keeping for traceability
- Transparency and provision of information to deployers and users
- Human oversight measures enabling intervention
- Accuracy, robustness, and cybersecurity measures
The penalties for violations can reach €35 million or 7% of global annual turnover for prohibited AI practices, and €15 million or 3% for non-compliance with high-risk obligations.
For organizations with EU exposure, the EU AI Act compliance program is not optional and its timeline is fixed. Building that program creates a governance architecture — model documentation, risk assessments, incident tracking, transparency reporting — that maps directly onto the RAISE Act’s requirements and onto the White House framework’s preferred industry standards. In other words, EU AI Act compliance is not just a European obligation; it is the most efficient path to building a defensible AI governance posture globally.
What the RAISE Act’s DFS Oversight Choice Signals
The decision to house RAISE Act oversight within the Department of Financial Services — rather than a new AI agency or the state attorney general’s office — is worth understanding for what it signals about the enforcement model.
DFS has operated model risk management oversight under New York’s insurance and banking regulatory framework for years. Its examiners are familiar with the SR 11-7 guidance on model risk management, which requires financial institutions to maintain model inventories, validate models against intended use cases, document model limitations, and manage model risk through governance frameworks. DFS’s approach to AI oversight will almost certainly reflect this background: documentation-intensive, focused on governance processes rather than technical deep-dives, and calibrated by the risk posed by specific model deployments rather than applied uniformly to all systems.
For frontier AI developers subject to DFS oversight, the model risk management framework provides a useful template. Organizations that already maintain model inventories, risk documentation, and validation processes for their AI systems will be substantially better positioned for DFS examination than those that have not built this infrastructure.
Colorado AI Act: The Approaching June 30 Deadline
This publication covered Colorado’s AI Act (SB 24-205) in depth in April. With a June 30, 2026 enforcement date, it remains the most immediate AI compliance deadline for high-risk AI system deployers in the United States.
The Colorado AI Act focuses on algorithmic discrimination — it applies to deployers of “high-risk AI systems” used in consequential decisions affecting Colorado consumers in housing, credit, employment, education, healthcare, and other domains. It requires risk impact assessments, transparency disclosures, and appeal mechanisms. It does not specifically target frontier model developers.
The White House framework’s preemption proposal explicitly covers laws like Colorado’s — the framework cites state AI legislation that imposes “undue burdens” on AI developers as a target for preemption. But the Colorado Act’s June 30 deadline arrives before any likely Congressional action on federal preemption. Organizations subject to Colorado AI Act requirements must treat the deadline as operative.
Building the Program That Survives Either Outcome
Given genuine regulatory uncertainty, the practical approach is to build AI governance infrastructure that creates compliance value regardless of which scenario materializes.
Document your AI systems. Maintain an inventory of all AI systems in use or development, with documentation of: the system’s intended purpose, the data it processes, the population it affects, the training data provenance, the risk classification under existing frameworks (EU AI Act, NIST AI RMF), and the controls in place. This documentation satisfies RAISE Act transparency requirements, EU AI Act technical documentation requirements, and NIST AI RMF governance requirements simultaneously.
Establish a 72-hour incident reporting capability. The RAISE Act requires Large Frontier Developers to report incidents within 72 hours. GDPR requires the same timeline for personal data breaches. Building a 72-hour incident identification, assessment, and reporting workflow is a cross-framework investment.
Conduct and document risk assessments. The RAISE Act requires quarterly catastrophic risk assessments from Large Frontier Developers. The EU AI Act requires ongoing risk management. Colorado AI Act requires risk impact assessments before deployment of high-risk systems. The substance differs by framework, but the practice — systematically identifying, documenting, and mitigating AI-specific risks — is common to all.
Map your frontier model relationships. If you are not a frontier model developer yourself but use frontier model APIs (OpenAI, Anthropic, Google, Mistral, etc.) in your products, understand your position in the compliance chain. The RAISE Act targets the developers of frontier models, not downstream deployers. But the EU AI Act’s deployer obligations and Colorado’s deployer-focused requirements mean that even organizations using third-party foundation models carry compliance responsibilities.
Monitor the federal preemption legislation. The White House framework is a legislative proposal, not law. Congressional action would require committee consideration, floor votes, and presidential signature. Track this through the IAPP’s legislative tracker, the NTIA’s AI policy blog, and Congressional committee activity in the House Energy and Commerce and Senate Commerce committees.
Bottom Line for Compliance Officers
The federal-state AI collision is real, active, and unresolved. The RAISE Act takes effect January 1, 2027. The Colorado AI Act enforcement begins June 30, 2026. The EU AI Act high-risk enforcement begins August 2, 2026. The White House framework seeks Congressional action to preempt state AI laws, but Congress has not acted and the timeline for action is unclear.
The correct response to this uncertainty is not paralysis. It is to build a cross-framework AI governance program whose core components — system inventory, risk documentation, incident reporting capability, transparency disclosures, and governance processes — create compliance value across all plausible regulatory outcomes. The cost of building that program now is lower than the cost of building it under a compliance deadline, and it is far lower than the cost of facing enforcement without it.
The RAISE Act will not be the last state AI law. The White House framework will not be the last federal preemption proposal. The ground will continue to shift. Governance infrastructure that is documented, maintained, and aligned with the most demanding applicable requirements is the only posture that survives the shifting with integrity intact.
This article draws on the text of New York’s RAISE Act (Chapter Amendment to S.7543-A/A.6453-A), the White House National Policy Framework for Artificial Intelligence (March 20, 2026), analysis from Wiley Rein, Davis Wright Tremaine, Norton Rose Fulbright, Ropes & Gray, and Carnegie Endowment for International Peace, and the European Union AI Act enforcement timeline. This article is provided for informational purposes only and does not constitute legal advice.
