What are AI Record-Keeping Requirements?

Definition

Record-keeping obligations require you to retain evidence that you complied with AI rules: assessments, notices, audit outputs, and change logs. Regulators assume that if it is not documented, it did not happen.

See also our AI compliance glossary for short definitions of common terms.

Which regulations require this

• Colorado ADMT / AI Act (SB 26-189)

  Colorado SB 26-189 repeals and reenacts SB 24-205 into an automated decision-making technology (ADMT) framework for c...

  COAI-specificHighEnacted (pending)
• CCPA/CPRA Automated Decision-Making Technology Regulations

  California's ADMT regulations require businesses using automated decisionmaking technology for significant decisions...

  CAPrivacy ADMHighEnacted (pending)
• Illinois Biometric Information Privacy Act (BIPA)

  Illinois BIPA may apply to written consent before collecting fingerprints, facial scans, voiceprints, iris scans, or...

  ILAI-specificHighIn effect
• Executive Order 14281: Restoring Equality of Opportunity and Meritocracy

  Directs federal agencies to deprioritize disparate-impact enforcement across civil rights statutes (Title VII, Title...

  FEDERALFederalHighIn effect
• California Transparency in Frontier AI Act (SB 53)

  Requires developers of frontier AI models trained above the statutory compute threshold (10^26 FLOPs) to publish safe...

  CAAI-specificHighIn effect
• California FEHA regulations on automated decision systems (Civil Rights Council)

  California Civil Rights Council regulations apply FEHA's anti-discrimination framework to automated decision systems...

  CAAI-specificHighIn effect
• California Companion Chatbots Act (SB 243)

  California's Companion Chatbot Act may apply to operators of AI chatbots designed for ongoing social interaction. Whe...

  CAAI-specificHighIn effect
• Connecticut Public Act 25-113 (SB 1295) CTDPA and profiling amendments

  Connecticut's omnibus bill dramatically expands the CTDPA. Lowers the applicability threshold from 100,000 to 35,000...

  CTPrivacy ADMHighUpcoming
• Texas TRAIGA (Responsible Artificial Intelligence Governance Act, HB 149)

  Texas RAIGA (HB 149) prohibits AI systems from intentionally manipulating behavior to cause harm, infringing constitu...

  TXAI-specificMediumIn effect
• Illinois Human Rights Act (HB 3773 AI amendment)

  Illinois HB 3773 amends the Illinois Human Rights Act to prohibit employers from using AI that has the effect of subj...

  ILAI-specificMediumIn effect
• Washington SB 5395 (AI in Health Insurance Prior Authorization)

  Enacted as Chapter 157, Laws of 2026; Governor signed March 23, 2026; effective June 11, 2026. AI tools may be used t...

  WAAI-specificMediumUpcoming
• EEOC Guidance on AI in Employment Selection

  EEOC technical assistance documents explain how existing Title VII and ADA obligations apply to AI and algorithmic em...

  FEDERALFederalMediumIn effect
• New York Responsible AI Safety and Education Act (RAISE Act, S6953B/A6453B)

  New York's RAISE Act regulates frontier AI model developers. Requires publication of a frontier AI framework, quarter...

  NYAI-specificMediumUpcoming
• TAKE IT DOWN Act (S. 146)

  Requires covered online platforms to remove reported nonconsensual intimate imagery, including AI-generated deepfakes...

  FEDERALFederalMediumIn effect
• Tennessee ELVIS Act (Ensuring Likeness, Voice, and Image Security)

  First enacted US legislation specifically designed to protect musicians from unauthorized AI voice synthesis. Covers...

  TNAI-specificMediumIn effect
• California Algorithmic Pricing Act (AB 325)

  Prohibits use of common pricing algorithms as part of anticompetitive agreements. Covers any methodology including so...

  CAAI-specificMediumIn effect
• Texas TRAIGA Biometric and AI Training Amendments (HB 149, 89th Legislature)

  Amends the Texas Capture or Use of Biometric Identifier Act (CUBI) and related Business and Commerce Code provisions...

  TXAI-specificMediumIn effect
• FTC Enforcement Policy on AI and Algorithmic Fairness

  FTC enforces Section 5 of the FTC Act against deceptive and unfair AI practices. Key areas: unsubstantiated AI market...

  FEDERALFederalMediumIn effect
• DOJ AI Litigation Task Force

  Coordinates federal civil litigation strategy on AI-related matters across the Department of Justice. Executive order...

  FEDERALFederalMediumIn effect
• FDA AI/ML Medical Device Framework

  FDA requires pre-market review (510(k), De Novo, PMA) for AI/ML-based software that meets the definition of a medical...

  FEDERALFederal guidanceMediumIn effect
• Maryland Healthcare AI Utilization Review (HB 820)

  May apply to AI tools used in healthcare coverage decisions, calling for determinations based on individual patient d...

  MDSector-specificMediumIn effect
• California AI Training Data Transparency Act (AB 2013)

  Requires developers of generative AI systems or services available to Californians to publish high-level documentatio...

  CAAI-specificMediumIn effect
• California Digital Replicas of Deceased Performers Act (AB 1836)

  Restricts commercial uses of realistic AI-generated replicas of deceased performers' voices or likenesses in audiovis...

  CAAI-specificMediumIn effect
• Texas Nonconsensual Intimate Deepfakes (SB 441)

  Criminalizes creating and distributing nonconsensual intimate deepfakes. Creates civil liability for victims. Platfor...

  TXAI-specificMediumIn effect
• HUD AI Guidance in Housing

  Fair Housing Act disparate impact standard applies to AI-driven tenant screening, lending algorithms, and property va...

  FEDERALFederal guidanceLowIn effect
• California Healthcare Provider Generative AI Disclosure (AB 3030)

  Requires healthcare providers to disclose when generative AI is used in patient interactions and to document that use...

  CAAI-specificLowIn effect
• Montana Right to Compute Act (SB 212)

  Requires deployers of critical infrastructure facilities controlled by AI to develop a risk management policy based o...

  MTAI-specificLowIn effect
• Texas SB 1188 - Healthcare AI Practitioner Disclosure

  Requires healthcare providers using AI-enabled clinical support features in electronic health record workflows to dis...

  TXAI-specificLowIn effect
• NIST AI Risk Management Framework (AI RMF 1.0)

  NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. NIST released AI RMF...

  FEDERALFrameworkLowIn effect
• SEC AI Guidance in Financial Services

  SEC enforces existing fiduciary duties and disclosure requirements as applied to AI. Pursuing AI washing enforcement...

  FEDERALFederal guidanceLowIn effect
• New York Digital Replica Contract Protections (S7676B)

  Establishes protections for individuals regarding the use of digital replicas in professional contracts. Requires spe...

  NYAI-specificLowIn effect
• California Insurance AI Disclosures (SB 1120)

  Requires AI disclosure in insurance sector contexts. Sector-specific regulation for insurers using AI in underwriting...

  CASector-specificLowIn effect
• Executive Order 14110 on AI (Revoked)

  Established federal policy priorities for AI safety, security, and rights protections across agencies. Directed agenc...

  FEDERALFederalLowRevoked
• Connecticut Government AI Procurement and Oversight (SB 1103)

  First-in-nation state government AI procurement law. Requires state agencies to inventory AI systems, conduct impact...

  CTAI-specificLowIn effect
• DOL AI in Workplace Guidance

  Non-binding principles for AI in the workplace covering transparency, human oversight, informed consent, data protect...

  FEDERALFederal guidanceLowIn effect
• Maryland AI Governance Act of 2024 (SB 818)

  Requires Maryland state agencies to inventory AI systems, conduct impact assessments, and follow DoIT policies for AI...

  MDAI-specificLowIn effect
• California Government AI Accountability Act (SB 896)

  Requires California state agencies to disclose use of generative AI in communications with individuals about governme...

  CAAI-specificLowIn effect
• Texas Government AI Ethics and Oversight (SB 1964)

  Requires Texas state agencies and local governments to inventory AI systems, adopt an AI code of ethics aligned with...

  TXAI-specificLowIn effect

Which states reference this obligation

What you should do next

• Define retention periods per jurisdiction and system class.
• Store documents in a system with access controls and immutable timestamps where possible.
• Label records so counsel can assemble a packet quickly during an inquiry.
• Delete only when both engineering and legal agree the retention window ended.
• Monitor vendor subprocessors who may hold copies on your behalf.