TL;DR: State privacy and AI laws are moving from policy language to operational enforcement, with Connecticut, California, Texas, and Oklahoma each adding requirements for rights handling, transparency, risk assessments, and accountability across systems, according to OneTrust. Governance now depends on whether controls actually work across websites, applications, data stores, and AI workflows, not on whether the policy exists.
NHIMG editorial — based on content published by OneTrust: Regulatory Draft Picks: March Madness Meets US Privacy and AI Laws
By the numbers:
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
Questions worth separating out
Q: How should organisations operationalise privacy and AI compliance across multiple states?
A: Treat privacy and AI obligations as control workflows, not policy checklists.
Q: When does AI governance become an access and identity problem?
A: It becomes an access and identity problem whenever AI systems can see personal data, influence decisions, or act on behalf of a business process.
Q: What do privacy programmes get wrong about automated decision-making?
A: They often focus on disclosure language and miss the operational controls underneath it.
Practitioner guidance
- Build end-to-end rights request testing Trace one access, deletion, or opt-out request through every system it touches, including archives and downstream processors.
- Create a current AI use inventory Record where AI is used, what data it consumes, what decisions it influences, and which business owner is accountable.
- Tie privacy obligations to IAM and logging Map personal-data access, decision approvals, and request handling to named roles, log sources, and evidence retention points.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- Specific state-by-state breakdowns of the Connecticut, California, Texas, and Oklahoma requirements that teams need to map into controls.
- Examples of how privacy teams can structure DSAR, consent, and AI governance workflows across multiple systems and business owners.
- Practical guidance on turning regulatory requirements into a repeatable control model for documentation and evidence.
- The article's interpretation of where US privacy and AI governance may move next as state programmes continue to diverge.
👉 Read OneTrust's analysis of US state privacy and AI law changes →
US privacy and AI laws: what operational governance teams need now?
Explore further
Policy-first privacy programmes are no longer enough. The article shows that US state regulation is moving toward execution, where the test is whether rights handling, consent, and AI transparency work in live systems. That pattern matters because compliance failures increasingly come from broken workflows, not missing policy documents. The practitioner takeaway is to treat governance as an operational control problem.
A question worth separating out:
Q: Who is accountable when rights requests or AI disclosures fail?
A: Accountability should sit with the business owner of the workflow, supported by privacy, security, and data governance teams. Regulators usually care less about which tool failed and more about whether the organisation can show clear ownership, timely action, and preserved evidence.
👉 Read our full editorial: US privacy and AI laws are shifting from policy to execution