AI Regulation Is Moving Faster Than Most Brands Realize
In Brief: State attorneys general moving on AI-generated content disclosure. FTC enforcement actions on AI-related claims accelerating. EU AI Act extraterritoriality reaching U.S. companies. Federal sector-specific rules in healthcare, financial services, and employment closing fast. Most CMOs have war-gamed exactly none of this. The brands without a coordinated AI disclosure posture are carrying unhedged regulatory exposure across half a dozen vectors at once.
Key Facts · As of May 2026
Regulatory LayerActive ConcernFTCEnforcement on AI-related advertising claimsState attorneys generalAI-generated content disclosure requirementsEU AI ActExtraterritorial reach for U.S. companiesFederal sector rulesHealthcare, financial services, employmentState legislationCalifornia, New York, Illinois, Colorado, Utah, TexasSEC AI disclosureMaterial risk disclosure expectations
What AI Disclosure Rules Apply to Brands Right Now?
This depends on five variables.
Where the Brand Operates
State AI legislation varies meaningfully.
California disclosure rules differ from New York employment-AI rules, which differ from Colorado's comprehensive consumer-AI law and Utah's high-risk-application regime. A brand operating across multiple states is subject to the strictest applicable layer on any given product.
What the Brand Does
Healthcare, financial services, employment, and consumer credit each have sector-specific AI rules at the federal level.
A consumer brand using AI for promotional content has different exposure than a healthcare brand using AI in clinical decision support.
How the Brand Uses AI
Internally-used AI is regulated lightly. Customer-facing AI is regulated more heavily.
AI used in consequential decisions about individuals — employment, housing, lending, healthcare — is regulated most heavily.
Who the Brand Sells To
B2C brands face consumer protection regimes. B2B brands face less direct consumer protection but more institutional procurement scrutiny.
Public companies face SEC material-risk-disclosure expectations on AI exposure.
Whether the Brand Operates in Europe
The EU AI Act applies to U.S. companies whose AI products affect European persons.
Extraterritorial reach is broader than most U.S. CMOs realize.
How the FTC and Regulators Are Enforcing AI Rules
Three enforcement vectors matter most.
AI-Washing Claims
The first is “AI-washing” — claims that products use AI when they don't, or that AI capabilities exceed actual product performance.
The FTC has signaled willingness to treat these as deceptive advertising under existing authority.
Unsubstantiated AI Performance Claims
The FTC's general substantiation requirements apply to AI claims.
Brands marketing AI capabilities without substantiation are exposed to enforcement.
Consumer Harm and Algorithmic Failures
Hallucination-related harm, discriminatory algorithmic output, and AI-generated content used to defraud consumers all fall within existing FTC authority and are increasing enforcement priorities.
What the EU AI Act Means for U.S. Companies
The EU AI Act applies extraterritorially to AI systems whose output is used in the EU, regardless of where the provider is established.
A U.S. SaaS company with European users is in scope. A U.S. consumer brand with AI-driven personalization affecting European customers is in scope. A U.S. employer using AI in hiring decisions about candidates located in the EU is also in scope.
High-Risk AI Systems Face Heavy Compliance Burdens
Risk-tiered obligations apply.
High-risk AI systems — biometric identification, education, employment, credit, law enforcement, migration, and justice — carry the heaviest compliance burden, including conformity assessment, post-market monitoring, and incident reporting.
General-purpose AI models face transparency obligations. Generative AI faces content disclosure obligations.
Penalties scale with company size — up to 7% of global annual turnover for the most serious violations.
A U.S. company with $1 billion in global revenue could face exposure of up to $70 million per violation.
The State AI Laws Brands Should Be Tracking
Six states require dedicated attention.
California
Multiple overlapping AI regimes. AB 2013 governs disclosure of AI training data. SB 942 addresses watermarking and provenance of AI-generated content. The state AG has signaled enforcement priorities around AI-generated content fraud.
New York
Local Law 144 requires bias audits for automated employment decision tools and notice to candidates. NY DFS has expanded AI scrutiny in financial services.
Illinois
BIPA extends to AI applications involving biometric processing. New AI-specific labor protections add to existing exposure.
Colorado
The Colorado AI Act is the first comprehensive AI consumer protection law in the U.S., applying to high-risk AI systems used in consequential decisions about Colorado consumers.
Utah
AI disclosure requirements for high-risk consumer applications. Narrower than Colorado's but highly specific.
Texas
Sector-specific AI rules across healthcare and insurance. State legislative activity continues to expand.
How Brands Should Build an AI Disclosure Posture
Five operational components matter.
Build an AI Inventory
Every AI system the brand uses should be documented, including function, vendor, data flows, decision impact, and regulatory exposure mapped.
Most brands do not have this. It is the foundation.
Create a Jurisdictional Matrix
For each AI system, identify which jurisdictions' rules apply.
The matrix surfaces the compliance burden and identifies where the brand has unhedged exposure.
Standardize Disclosure Language
Brands need standardized language for AI-generated content disclosure, AI-driven decision disclosure, and AI vendor disclosure.
The language should be applied consistently across consumer touchpoints, employment processes, and investor communications.
Coordinate Communications Across Teams
Trade press framing, owned-channel positioning, investor disclosure, and crisis pre-positioning should align around the same documented set of AI practices.
Brands with internal alignment communicate authoritatively. Brands without alignment communicate vaguely — and vague communication is exactly what regulators investigate.
Establish a Quarterly Review Cadence
AI regulation is changing rapidly.
A brand operating with a posture documented 18 months ago is operating with stale documentation.
The Read
The AI disclosure crisis is not future tense. It is happening now.
Brands carrying unhedged regulatory exposure across multiple regulatory layers are already inside the crisis — they just do not realize the scale of their exposure yet.
The crisis becomes visible the moment the first regulator's letter arrives.
Build the AI disclosure posture before the letter. Document the inventory. Map the jurisdictions. Standardize the language.
The brands that have done this work look prepared when regulators engage.
The brands that have not look exactly what they are: surprised.
About the author: Ronn Torossian is the Publisher of Everything-PR, the leading publication covering AI communications and the public relations industry, published continuously since 2009. He is separately the Founder and Chairman of 5WPR — the AI Communications Firm — which Ronn has built over 25 years into one of the largest privately-owned communications companies in the world. He has taught crisis communications at Harvard University and writes regularly on AI communications, brand authority, and the infrastructure of modern discoverability.
