AI regulation is moving in months, not years. In the past quarter alone, six states enacted conversational-AI laws, Colorado repealed and replaced its landmark AI Act before it ever took effect, and the Coalition for Health AI released its governance playbooks. The Q2 2026 AI Governance Policy Suite, our sixth release, folds all of it in. And the updated policies are already live in Governor, so your automated risk assessments, vendor reviews, and model-card drafts run against the current rules, not last quarter’s.
Before you read on, three quick steps:
- Get the latest AI Governance Policy Suite — free and open source.
- See the updated policies live in Governor, our AI control tower.
- Join our Responsible AI community to follow each quarterly update.
1. A wave of state conversational-AI laws, now reflected in the Suite
Six states enacted laws this quarter governing public-facing conversational AI, with the sharpest requirements reserved for interactions with minors. The Policy Suite now tracks all six. The shared baseline is consistent across them: operators must disclose clearly, and often, that a user is interacting with an AI system rather than a person; add protections for minors (no engagement rewards, limits on sexually explicit content, and bars on simulating romantic or emotionally dependent relationships with children); and adopt protocols that respond to expressions of suicidal ideation or self-harm by routing users to crisis resources, such as the 988 Suicide and Crisis Lifeline.
California set the template with SB 243, effective January 1, 2026, and New York’s companion-model law preceded it. What changed this quarter is the breadth (six more states) and the divergence in the details that decide who is actually covered. Georgia’s SB 540 stands out for declining to exempt chatbots embedded in larger platforms.
| State | Law | Effective | Enforcement | Notable point |
|---|---|---|---|---|
| Oregon | SB 1546 | Jan 1, 2027 | Private right of action | Automated detection of self-harm signals; pauses companion responses until crisis resources are presented. |
| Washington | HB 2225 | Jan 1, 2027 | Private right of action | Recurring in-session disclosures that the user is interacting with AI. |
| Idaho | SB 1297 | Jul 1, 2027 | Attorney general | “Conversational AI Safety Act”: persistent disclosures and minor protections. |
| Nebraska | LB 525 | Jul 1, 2027 | Attorney general | “Conversational AI Safety Act”: behavior-based definition of covered systems. |
| Georgia | SB 540 | Jul 1, 2027 | Attorney general; civil penalties up to $10,000 per knowing violation | No carve-out for chatbots embedded in larger platforms; age assurance for explicit-content features. |
| Colorado | HB 26-1263 | Jan 1, 2027 | Attorney general; annual reporting | Minor protections; no engagement rewards; suicide-response protocols. |
Coverage turns on definitions that do not match. Some states use a capability-based test (can the system form an ongoing relationship?) and others a behavior-based test (does it actually sustain a human-like relationship and retain context?). The same product can be in scope in one state and out in another.
What’s next for you: inventory your conversational-AI features and map each against every state’s definitions; automate clear, recurring AI disclosures by user age and jurisdiction; add risk-based age assurance for any feature that can generate sexually explicit content; wire in crisis-escalation pathways that detect severe-harm signals and route users to crisis resources; audit persona behavior to remove dependency-inducing features and impersonation risks; and align AI governance with consumer-protection and child-safety obligations.
Control: check the list of applicable laws in the AI Governance Policy Suite to see which apply to your services.
2. Colorado rewrites its AI Act: SB 26-189 replaces SB 24-205
On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals and reenacts the 2024 Colorado AI Act (SB 24-205), the country’s first comprehensive state AI law, which had not yet taken effect. SB 26-189 takes effect January 1, 2027.
The framework changed. SB 24-205 was built around “high-risk artificial intelligence systems,” a duty of reasonable care to prevent algorithmic discrimination, mandatory risk-management programs, and impact assessments. SB 26-189 removes the duty of care, the risk-management program mandate, and the impact-assessment requirement, and replaces the framework with one built around “covered ADMT” — automated decision-making technology that processes personal data to materially influence a “consequential decision” in one of seven domains: education, employment, housing, lending and financial services, insurance, healthcare, and essential government services.
What survives is disclosure and transparency: pre-use notice, post-adverse-outcome explanations, consumer rights to correction and to human review where commercially reasonable, and recordkeeping. The definition of “consumer” expressly includes employees and Colorado job applicants. For healthcare deployers, a covered entity that is a healthcare provider operating in Colorado must give patients a general notice of its use of advanced technologies, including covered ADMT.
One important caveat: enforcement is currently in limbo. A constitutional challenge to the law is pending in federal court, a court stayed enforcement in April 2026, and Colorado’s attorney general has said the state will not enforce SB 24-205 or its replacement until rulemaking is complete, which has not formally begun. Colorado also signed HB 26-1263, its conversational-AI chatbot law, on May 29, 2026, effective January 1, 2027.
Control: check the updated AI Transparency Policy to implement the developer and deployer disclosure controls that map to SB 26-189.
3. The CHAI Playbook Series, integrated into the Suite
On May 27, 2026, the Coalition for Health AI (CHAI) released a series of governance playbooks for health systems, developed through workshops with more than 100 healthcare organizations and 150-plus health AI leaders. We’ve integrated them into the AI Governance Policy Suite. As a CHAI-certified Assurance Resource Provider, Pacific AI builds healthcare-specific governance directly into the Suite, rather than bolting it on.
The playbooks give healthcare delivery organizations a baseline set of governance controls across four domains:
- Domain 1 — AI Policy: high-level rules and ethical boundaries, compliance mandates aligned with clinical safety, and accountability and risk-tolerance boundaries.
- Domain 2 — Organizational Structure: the roles, teams, and oversight committees responsible for AI, clear reporting and decision authority, and alignment across IT, clinical staff, and executive leadership.
- Domain 3 — Organizational Resources: the infrastructure, people, budget, and tooling needed for secure AI processing, weighed against the organization’s AI maturity goals.
- Domain 4 — Organizational Processes: five subdomains covering responsible AI lifecycle management, risk and impact assessments, responsible data management and use, third-party management, and education, training, and feedback.
The playbooks are built to scale from large academic medical centers to resource-constrained community clinics, and they map toward the voluntary AI certification the Joint Commission is developing.
Control: review the CHAI-aligned controls now included across the Policy Suite, alongside ISO/IEC 42001 and the NIST AI Risk Management Framework.
4. What changed across the policies
This release updates five policies. The full change log:
| Policy | Section | What changed |
|---|---|---|
| Policy Suite | Section 4 (Introduction) | Added “Formal Approval” to the controls: leadership must formally approve and adopt the Suite to put it into effect. |
| AI Risk Management Policy | Section 3 | Added minimum required qualifications and competencies for the AI Governance Officer, including a working grasp of applicable legal frameworks. |
| AI Risk Management Policy | Section 5 | Broadened the AI Governance Officer’s risk evaluation to include feedback and follow-up, to catch bias, model drift, and other failure modes. |
| AI System Lifecycle Policy | Section 5 | Added frontier AI models to the Regulated risk level, reflecting safety-compliance, third-party audit, incident-reporting, and whistleblower expectations. |
| AI System Lifecycle Policy | Section 5 | Added “recording, retaining, and reviewing” to the AI Governance Officer’s duties for risk-level, go/no-go, and risk-criteria decisions across the lifecycle. |
| AI System Lifecycle Policy | Section 7 | Expanded third-party dataset and model documentation to include third-party risk tier and model gaps. |
| AI System Lifecycle Policy | New Section 11 | Added “Maintaining AI Inventory for Internal and External Models”: the AI Governance Officer maintains a registry of internal and external models. |
| AI Privacy Policy | Section 6 | Expanded “De-Identification of Training Data” to guide organizations whenever protected data is used. |
| AI Privacy Policy | Section 6 | Prohibited re-identification of de-identified data; the AI Risk Manager is accountable for preventing it. |
| AI Transparency Policy | Section 7 | “Disclosures When Acting as an AI Developer”: developers provide deployers documentation of use cases, limitations, and material updates. |
| AI Transparency Policy | Section 8 | “Disclosures When Acting as an AI Deployer”: deployers give end users clear notice when ADMT materially influences a consequential decision or an adverse outcome occurs. Aligned with Colorado SB 26-189. |
5. Now automated in Governor
The Q2 2026 updates are live in Governor, our AI control tower. This is the difference between governance automation and governance theater. Most governance tools hand you forms, templates, and reminders, then ask your team to do the risk analysis, vendor review, and model-card authoring by hand. Governor reads your project documentation and the updated policy library, then drafts the work: it proposes risk levels and remediation controls for each AI system on your register, analyzes a vendor’s SOC 2 and AI disclosures into a risk score with justification, and generates draft model cards. Your team reviews, adjusts, and approves, which is what the regulation requires anyway.
Because the policies updated this quarter are already in the platform, those automated assessments now run against the new state conversational-AI laws, Colorado’s SB 26-189, and the CHAI playbooks, not last quarter’s rules. Governor supports compliance with these requirements; it does not, by itself, produce legal compliance. And it works across the lifecycle: Governor for registry, risk, policy, vendor, and model cards; Gatekeeper for pre-release CI/CD gating; and Guardian for production monitoring — one platform, purpose-built for healthcare.
6. Next steps and adoption guidance
Review the new frameworks and laws
- Assign subject-matter leads (for example, clinical research, legal compliance, and procurement) to evaluate the new federal, state, and local laws and the CHAI playbooks.
Review laws across major jurisdictions
- Set up cross-functional oversight for AI laws in every market where you operate.
Set up cross-functional oversight for AI laws in every market where you operate.
- Adopting the Policy Suite alone is not compliance. Compliance requires implementing, maintaining, and continuously monitoring operational, technical, and organizational measures. The Suite and Governor give you the controls and the automation; your operations and your counsel close the loop.
Stay compliant
- Incorporate the Q2 improvements into your AI Governance Policy Suite, and refresh AI literacy training to cover the latest additions.
Self-attest and certify
- Once you’ve adopted the updates, contact us at [email protected] for a written confirmation of compliance and an updated AI Governance Badge reflecting Q2 2026 coverage.
Frequently asked questions
What’s new in the Q2 2026 AI Governance Policy Suite?
This release adds six new state conversational-AI laws, reflects Colorado’s SB 26-189 (which replaces the 2024 Colorado AI Act), and integrates the CHAI governance playbooks for health systems. It also updates five policies, including new AI inventory, frontier-model risk, de-identification, and developer/deployer disclosure controls. All updates are live in Governor.
Which states passed conversational-AI laws this quarter, and when do they take effect?
Oregon (SB 1546), Washington (HB 2225), Idaho (SB 1297), Nebraska (LB 525), Georgia (SB 540), and Colorado (HB 26-1263). Oregon, Washington, and Colorado take effect January 1, 2027; Idaho, Nebraska, and Georgia take effect July 1, 2027. Several remain subject to attorney-general rulemaking that can affect enforcement timing.
What changed with Colorado’s AI Act?
SB 26-189 repeals and reenacts the 2024 Colorado AI Act. It drops the original law’s duty of care, risk-management program, and impact-assessment requirements, and replaces the “high-risk AI system” framework with one built around “covered ADMT” used in “consequential decisions.” Disclosure, transparency, consumer rights, and recordkeeping obligations remain. It takes effect January 1, 2027.
Is Colorado’s new AI law being enforced yet?
Not yet. A constitutional challenge is pending in federal court, a court stayed enforcement in April 2026, and the state attorney general has said Colorado will not enforce the law or its predecessor until rulemaking concludes, which has not formally begun. The effective date is January 1, 2027, but the enforcement timeline is unsettled.
What are the CHAI governance playbooks, and how are they in the Suite?
Released May 27, 2026, the Coalition for Health AI’s playbooks give health systems a baseline set of governance controls across four domains, from AI policy to organizational processes. We’ve integrated those controls into the AI Governance Policy Suite, so the healthcare-specific guidance is built in rather than added separately.
How does Governor use the updated Policy Suite?
Governor reads your documentation and the updated policy library and drafts the governance work: proposed risk levels and remediation controls, vendor risk scores with justification, and draft model cards. Because the Q2 policies are live in the platform, those assessments now run against the new laws, regulations, and standards. Your team reviews and approves the drafts.
Does adopting the Policy Suite make my organization compliant?
No. The Policy Suite and Governor support compliance by giving you the controls, the automation, and the audit trail, but adopting them alone does not constitute legal compliance. Compliance also depends on how you implement, operate, and monitor your systems, and on your own legal judgment. Consult your compliance counsel for your specific deployment.
How much does it cost, and how long does it take to deploy?
Platform Core is $0 forever, with unlimited users, systems, vendors, policies, tests, monitors, and audit trails; you pay only for credits consumed by AI-enabled features. Deployment takes about 10 minutes into your own AWS or Azure environment, and it is enterprise-grade and airgap-capable.
This is not legal advice
This article describes recent legislation, frameworks, and Policy Suite updates, and how the Pacific AI platform supports organizations in meeting their requirements. It is not legal advice. The laws summarized here differ in scope, definitions, effective dates, and enforcement, and several are subject to pending rulemaking or litigation. Adopting the Policy Suite does not by itself constitute compliance with any law, regulation, or standard. Organizations should consult their own compliance counsel to determine what each rule requires for their specific systems and operations.
