What are AI Record-Keeping Requirements?

Definition

Record-keeping obligations require you to retain evidence that you complied with AI rules: assessments, notices, audit outputs, and change logs. Regulators assume that if it is not documented, it did not happen.

See also our AI compliance glossary for short definitions of common terms.

Which regulations require this

• Illinois Biometric Information Privacy Act (BIPA)

  Requires informed written consent before collecting biometric data including facial geometry, fingerprints, and voice...

  ILAI-specificHighIn effect
• NYC Local Law 144 (Automated Employment Decision Tools)

  Requires employers using automated employment decision tools in NYC to conduct annual independent bias audits and not...

  NYCAI-specificHighIn effect
• Illinois Human Rights Act - AI Amendment (HB 3773)

  Amends Illinois Human Rights Act to prohibit employer use of AI that results in discrimination against protected clas...

  ILAI-specificHighIn effect
• California Transparency in Frontier AI Act (SB 53)

  Requires developers of frontier AI models trained above the compute threshold set in statute (very large scale) to pu...

  CAAI-specificHighIn effect
• Washington SB 5395 - AI in Health Insurance Prior Authorization

  Regulates use of AI in health insurance prior authorization decisions. Requires human review of AI-generated denials.

  WAAI-specificMediumUpcoming
• EEOC Guidance on AI in Employment Selection

  EEOC guidance clarifying that Title VII and ADA apply to employer use of algorithmic decision-making and AI in hiring...

  FEDERALFederalMediumIn effect
• FTC Enforcement Policy on AI and Algorithmic Fairness

  FTC has signaled it will use existing Section 5 authority to pursue deceptive or unfair AI practices, including biase...

  FEDERALFederalMediumIn effect
• New York Responsible AI Safety and Education Act (RAISE Act, A 9449)

  Requires developers of frontier AI models operating in New York to implement safety protocols, conduct impact assessm...

  NYAI-specificMediumUpcoming
• TAKE IT DOWN Act (S. 146)

  Requires covered online platforms to remove reported nonconsensual intimate imagery, including AI-generated deepfakes...

  FEDERALFederalMediumUpcoming
• Tennessee ELVIS Act (Ensuring Likeness, Voice, and Image Security)

  Expands Tennessee's right of publicity to cover unauthorized synthetic replicas of a person's voice, image, or likene...

  TNAI-specificMediumIn effect
• Texas TRAIGA Biometric and AI Training Amendments (HB 149, 89th Legislature)

  Amends the Texas Capture or Use of Biometric Identifier Act and related Business and Commerce Code provisions for bio...

  TXAI-specificMediumIn effect
• California AI Training Data Transparency Act (AB 2013)

  Requires developers of generative AI systems or services made available to Californians to publish high-level documen...

  CAAI-specificMediumIn effect
• California Defending Democracy from Deepfake Deception Act (AB 2655)

  Requires very large online platforms to label or take down materially deceptive AI-generated election content that mi...

  CAAI-specificMediumIn effect
• California Digital Replicas of Deceased Performers Act (AB 1836)

  Restricts commercial uses of realistic AI-generated replicas of deceased performers' voices or likenesses in audiovis...

  CAAI-specificMediumIn effect
• Montana Right to Compute Act (SB 212)

  Declares a strong default in favor of owning and using computational resources and limits government interference to...

  MTAI-specificLowIn effect
• NIST AI Risk Management Framework (AI RMF 1.0)

  NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. Following it can supp...

  FEDERALFederalLowIn effect
• Arkansas Generative AI Content Ownership Act (HB 1876, Act 927)

  Clarifies ownership of outputs from generative AI when a user supplies prompts or inputs, when the result does not in...

  ARAI-specificLowIn effect

Which states reference this obligation

What you should do next

• Define retention periods per jurisdiction and system class.
• Store documents in a system with access controls and immutable timestamps where possible.
• Label records so counsel can assemble a packet quickly during an inquiry.
• Delete only when both engineering and legal agree the retention window ended.
• Monitor vendor subprocessors who may hold copies on your behalf.