A law can pass and still produce no governance. Here is what state AI laws mean for local government — and how to build a framework that actually holds.
The law can pass and still nothing changes
In May 2026, Colorado quietly proved the central problem with AI governance in the public sector. Its landmark AI Act, SB 24-205, had been signed back in 2024 — and in two years it never once took effect. The operative date was pushed twice, a court suspended enforcement, and in May 2026 the legislature repealed and replaced it outright with SB 26-189, which now waits until January 1, 2027. A statute existed on the books the whole time. The governance it was supposed to produce did not.
That gap — between a policy that exists and governance that actually happens — is the real story for local government. And it is not hypothetical. In April 2025, New York State Comptroller Thomas DiNapoli audited how state agencies were using AI. New York had an AI policy. Yet the audit (SGA-2025-23S50) found the policy "lacks adequate guidance," and that the Office of Information Technology Services "does not have an inventory of AI systems in use by state entities." More than a year after publishing the policy, no one could say what AI the state was actually running.
A policy you cannot enforce and an inventory you do not have are not governance. They are paperwork. For cities and counties now navigating a wave of state AI laws, that distinction is the whole game.
What state AI laws actually require of local government
The headlines move fast, so it helps to separate what is enacted from what is contested. Two laws genuinely reach into public-sector operations today; a third is the cautionary tale above.
One more piece of context belongs on the table. On December 11, 2025, a federal executive order created a Department of Justice "AI Litigation Task Force" charged with challenging state AI laws on preemption and interstate-commerce grounds — naming California's and Colorado's laws specifically. So the honest framing for any city is this: state AI laws today are enacted but contested. Deadlines may move. Statutes may be challenged. What does not change is the underlying obligation — knowing what AI you run, who owns it, and what risk it carries.
Why local government faces a harder version of this problem
Cities and counties cannot phase governance in gradually the way a private company can, because three pressures converge on them at once.
First, the public-trust stakes are higher. When a business deploys a biased model, it loses customers who can shop elsewhere. When a city uses AI to flag code violations, prioritize repairs, or triage service requests, a biased model denies services to constituents who have no alternative provider. The decision carries governmental authority, and the resident is captive to it.
Second, local governments operate under transparency obligations the private sector never faces. Public-records requests, open-meeting laws, and council oversight mean AI decision-making cannot hide behind a "proprietary vendor" claim. Sooner or later, someone — a council member, a journalist, a resident — will ask what the city is running and how it decides. The only acceptable answer is a documented one.
Third, there is the resource reality. Most municipalities have no Chief AI Officer and no data-science team. The people adopting AI are department heads who found a vendor tool that saves time, doing it without central oversight because no one told them they needed it. That is not negligence. It is the predictable result of capable tools meeting thin governance capacity.
The shadow AI problem inside municipal government
The biggest governance risk in local government is not the AI system you bought through formal procurement. It is the AI already in use that leadership does not know about.
According to IDC's 2025 research, 56% of employees use unauthorized AI tools at work, while only 23% use AI their organization provides and governs. In local government, where department autonomy is culturally embedded, the unsanctioned share is unlikely to be lower. Picture the everyday reality: a planning department drafting staff reports in a public chatbot. A finance team running budget submissions through an AI anomaly detector. A code-enforcement division using image recognition on aerial imagery to spot violations.
None of these went through an AI governance review. None has a documented impact assessment or a bias-testing protocol. And every one of them touches the things public-sector AI most needs to protect: resident PII, records-retention rules, due-process rights, and an auditable trail of how a decision was made. That is precisely the inventory gap the DiNapoli audit exposed at the state level — and it is the gap a city must close before a regulator, a council, or a records request forces the question.
How to build an AI governance framework for your municipality
The path from ungoverned AI to a defensible program follows a predictable sequence. It maps cleanly onto the NIST AI Risk Management Framework — GOVERN, MAP, MEASURE, MANAGE — which is the voluntary federal standard (NIST AI 100-1) most public-sector programs anchor to. You do not need a new department to run it. You need a system of record.
- Inventory every AI tool (MAP). You cannot govern what you cannot see. Run a department-by-department audit that reaches past formal procurements to capture SaaS tools with embedded AI, free tools individual staff adopted, and vendor systems that quietly use AI for analytics or recommendations. This is the step New York skipped — and the one that makes everything after it possible.
- Classify risk by decision impact. A tool that drafts meeting minutes is not the same as one that influences who gets a permit, a benefit, or an inspection. Map each system to the decisions it touches, then sort it into a risk tier. The "consequential decision" lens — employment, housing, government services — is a practical place to start.
- Assign a named owner. Every AI system needs one accountable person — typically a department head for departmental tools, and the City or County Manager's office for enterprise-wide systems. An inventory without owners is just a list; ownership is what turns it into accountability.
- Standardize impact assessments. Make the assessment repeatable and auditable. Each one should document the system's purpose, the data it uses, the decisions it influences, bias and accuracy checks, privacy controls, and what happens when it produces an unexpected result.
- Run regular reporting and oversight (MEASURE / MANAGE). Governance is only as good as its monitoring cadence. Establish quarterly cycles that surface performance, risk indicators, and compliance status to leadership — so problems are caught in review, not in a headline.
- Prepare for public disclosure. Build the registry assuming it will face a records request, a council presentation, and media scrutiny. The more proactive the disclosure, the more trust you earn with constituents.
Where ClearPoint Strategy fits
Most cities already run their strategic plans and performance reporting in ClearPoint. AI governance is the same discipline applied to a new portfolio — which means you can run it as a system of record in the platform your leadership already reviews, rather than standing up a separate tool nobody maintains.
In practice, that means giving every AI initiative the four things governance requires: an owner, a status, a risk tier, and a board- or council-ready report. ClearPoint keeps a living inventory of AI tools across departments, holds the named owner and review cadence for each, and turns that into a council-ready summary on demand — one export in minutes, not a week of assembly. The discipline is the same one ClearPoint already supports across 17,700+ active plans at 562 organizations; AI governance is a natural extension of it.
The shortcoming is rarely the framework — NIST published a perfectly good one. The shortcoming is the operating layer: somewhere to record what AI you run, who owns it, and what risk it carries, in a form your council can actually read. That is the gap the DiNapoli audit named, the gap a passed-but-dormant statute leaves wide open, and the gap a system of record is built to close.
If you want to see what that looks like for a city or county, request a demo. For the foundations of building and tracking a plan, start with our comprehensive guide to strategic planning, the broader AI governance guide, and the practical first move — building an AI initiative inventory and learning how to map shadow AI across your departments.
Frequently asked questions
Which state AI laws actually apply to local governments right now?
As of 2026, Texas TRAIGA is the most directly relevant: effective January 1, 2026, it requires government agencies to disclose when residents interact with AI, bans government social scoring, and prohibits biometric identification without consent. California's SB 53 (the Transparency in Frontier AI Act) signals the disclosure direction but targets frontier-model developers, not municipalities. Colorado's original AI Act never took effect and was replaced by SB 26-189, which is not in force until January 1, 2027. Treat every deadline as provisional — a December 2025 federal executive order is now challenging several of these laws in court.
Did Colorado's AI Act take effect?
No. Colorado SB 24-205, signed in 2024, had its start date delayed twice and was suspended by a court before the legislature repealed and replaced it with SB 26-189 in May 2026. The replacement is effective January 1, 2027. It is the clearest example of a law existing on paper without producing any actual governance.
What is shadow AI, and why is it the bigger risk for municipalities?
Shadow AI is any AI tool used without IT or governance approval — the AI analogue of shadow IT. IDC's 2025 research found 56% of employees use unauthorized AI tools while only 23% use governed AI. In local government that means planning, finance, and code-enforcement teams may already be using AI on resident data with no impact assessment, no bias testing, and no audit trail — exactly the inventory gap a New York State Comptroller audit found at the state level in April 2025.
How should a city start building AI governance?
Start with a complete inventory across every department, including shadow AI adopted without procurement. Then classify each system by the decisions it influences, assign a named owner, standardize impact assessments, run quarterly reporting, and prepare the registry for public disclosure. This sequence maps to the NIST AI RMF functions (GOVERN, MAP, MEASURE, MANAGE) and does not require a new department — only a system of record where owners, status, and risk live in one place.
Does any state law require local governments to maintain an AI inventory?
A growing number of states require public agencies to inventory their AI use — by the Center for Democracy & Technology's count, roughly eleven, including California, New York, Texas, Connecticut, and Maryland. Texas TRAIGA's disclosure duties point the same way. Whether or not a specific mandate applies to your jurisdiction yet, an inventory is the foundational step every AI governance framework and federal standard begins with.