Articles

AI Regulation is Moving from Models to Moments

Date: July 14, 2026
An AI system does not have one legal identity.

A model that summarizes internal meetings may present familiar privacy, security and contract questions. Connect the same model to a hiring score, credit decision, insurance recommendation or patient interaction, and the analysis changes. Put it in a public chatbot used by minors, and a different set of concerns appears. Use it to generate images or audio, and disclosure and provenance rules may matter.

This is the most useful way to read the emerging state AI patchwork: the legal unit of analysis is not the model. It is the moment when the system interacts with a person, influences a decision or produces an output that the law treats differently.

That distinction matters for product teams. A company may use one foundation model across a dozen workflows. The law may see a dozen different activities.


One model, several legal moments

AI discussions often begin with the wrong question: “Which models do we use?” That is a useful technical question, but it rarely resolves the legal one.

Consider a general-purpose model used in four ways:
  • It drafts an internal project summary that an employee reviews.
  • It ranks job applicants and recommends who advances.
  • It answers consumer questions about healthcare services.
  • It creates promotional video and audio.
     
The model may be identical. The affected people, decisions, disclosures, data and potential harms are not.

The hiring workflow may implicate employment and discrimination law, along with state rules directed at automated decision-making. The healthcare interaction may trigger disclosure, privacy, professional-licensing and product-claim questions. Synthetic media may raise provenance and labeling requirements. The internal summary may be lower risk, although confidential information, vendor terms, and human review still matter.

A company-wide “approved model” designation therefore answers only part of the question. Approval should also turn on the workflow, user population, business purpose, data, output and authority given to the system.


Colorado’s July 13 deadline puts the shift into focus

Colorado is testing this use-specific approach in real time.

The Colorado Attorney General set July 13, 2026, as the deadline for informal pre-rulemaking feedback concerning the state’s Automated Decision-Making Technology Act and Chatbot Safety Act. Formal rulemaking is still to come. Both laws are scheduled to take effect January 1, 2027.

Colorado’s Senate Bill 26-189 does not regulate every use of computation in the same way. It focuses on automated decision-making technology used to materially influence “consequential decisions” involving education, employment, housing, lending and financial services, insurance, healthcare and essential government services or public benefits.

For covered uses, the enacted summary describes obligations involving technical information from developers, notice at the point of interaction, explanations after certain adverse outcomes, correction of inaccurate personal data, and requests for meaningful human review and reconsideration. The details remain important, and the Attorney General’s rules may clarify several of them. The point is simpler: the product’s role in a consequential decision drives the analysis.

Colorado’s House Bill 26-1263 addresses a different moment: public conversational AI. Its enacted summary includes AI-interaction disclosures, age-estimation requirements, protections for minor users, protocols concerning self-harm prompts and restrictions on portraying chatbot outputs as equivalent to services from specified licensed professionals. Again, use and audience matter.

A model may fall outside one law in an internal drafting workflow and raise questions under another law when placed in front of consumers or used to influence a consequential decision.


Other states regulate different moments

The same pattern appears elsewhere, but the statutory choices differ.

Texas’s Artificial Intelligence Protection law, effective January 1, 2026, addresses specified uses and actors. Among other provisions, it restricts certain intentionally harmful uses, addresses unlawful discrimination, requires disclosures in specified government and healthcare interactions, and gives the Texas Attorney General enforcement authority. Its structure and liability standards differ from Colorado’s.

California’s AI Transparency Act, Senate Bill 942, also operative January 1, 2026, focuses on certain large, publicly available generative AI systems. It requires covered providers to offer detection tools and addresses manifest and latent disclosures for specified AI-generated or altered image, video and audio content. California is regulating a content-creation and provenance moment rather than Colorado’s consequential-decision framework.

These laws should not be blended into one generic “AI compliance” rule. They cover different actors, uses, users, outputs and enforcement structures. A national product can encounter more than one of them, sometimes within the same customer journey.


Ask five questions about each AI-enabled workflow

Companies do not need to predict every future rule before making better product decisions. They do need to ask better questions about each use.
  1. What can the output change? Does it merely assist an employee, or can it determine, recommend, rank, approve, deny, publish, communicate, purchase or take another action?
     
  2. Who is affected, and where? Employees, applicants, patients, consumers, minors, business customers and residents of different states may trigger different rules and expectations.
     
  3. Is the system interacting, advising or deciding? A chatbot, a recommendation engine and an automated adverse decision can create different notice, explanation, review and safety issues.
     
  4. What can the affected person see or challenge? Product teams should identify applicable disclosures, correction paths, review mechanisms and escalation options before those features become release-blocking surprises.
     
  5. Who controls the system in practice? The answer may involve a model provider, application developer, customer, deployer, employee or several of them. Contracts should match the actual allocation of information, authority, monitoring, updates and remediation.

These questions are deliberately tied to the workflow. They help legal, product, engineering, security, procurement and business teams discuss the same system without assuming that the model name supplies the answer.


Product architecture now carries legal consequences

State AI laws are beginning to reach product choices that once looked like interface or workflow details.

Where is a disclosure shown? Can a person request human review? Can inaccurate personal data be corrected? Does a chatbot know when to stop a conversation and route a user elsewhere? Can a licensed customer remove a required provenance signal? Who receives notice when the vendor changes a model or a known limitation?

Those are legal questions, but they are also design, engineering and contract questions. Waiting until final review can leave a company choosing between delay and a rushed workaround.

The voluntary NIST AI Risk Management Framework offers a useful common vocabulary through its Govern, Map, Measure and Manage functions. It is not a substitute for state-law analysis, and NIST notes that AI RMF 1.0 is being revised. It can still help teams connect product facts to risk decisions while state requirements continue to develop.


The practical move

Treat each new AI capability as a change in what the product can do, not merely as the addition of an approved model.

At launch and after material updates, revisit the system’s purpose, affected people, geography, decision authority, disclosures, review paths, vendor terms and failure response. The right answer may be different for two features built on the same model.

Colorado’s rulemaking will add detail. Other states will continue to make different choices. Analyzing AI at the point of use will not eliminate legal uncertainty. It will tell the team which product decision a new rule may force.

The model matters. The moment tells you why.


ABOUT WHITEFORD | SchellIP

Whiteford and SchellIP help investors and operating companies evaluate whether their AI products and workflows comply with the emerging regulatory patchwork—assessing applicability of state and federal rules to each use case, compliance obligations across different moments of deployment and user populations, freedom to operate across jurisdictions and business contexts, and translating those findings into product strategy, implementation roadmaps and risk assessment. The goal is a clear picture of what a company can legally do with its AI, how defensible those uses are across different frameworks, and what it means for product architecture, time-to-market and enterprise value.

Selected authorities