A bipartisan 269-page federal AI bill dropped June 4 that would freeze state AI laws for three years, directly affecting when and whether businesses need to build compliance frameworks for laws like Colorado's AI Act, which was set to take effect in 24 days. For any CMO, agency head, or founder currently deciding how much to invest in AI governance, the ground just shifted.
Every marketing and ops team currently building out an AI use policy for their business has been working toward a hard date: June 30, 2026, when Colorado's Consumer Protections for Artificial Intelligence Act becomes the first comprehensive state AI law in the United States to take effect. Legal reviews got commissioned. Policy templates got drafted. Compliance checklists got started. Then, on June 4, Congress dropped a 269-page federal AI bill that could freeze Colorado's law, and every other state AI law, for three years before any of it goes live. For anyone who has been building toward that deadline, the timeline just became a question mark.
The bill is called the Great American Artificial Intelligence Act, introduced as a discussion draft by Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA). It is bipartisan, it is substantial, and it is specifically designed to create a national standard that supersedes the growing patchwork of state-level AI regulation. The central mechanism is a three-year preemption of state laws that govern how AI models are developed. Under the draft, Colorado's law, California's AI transparency requirements, and similar state-level frameworks would be effectively paused while Congress builds something at the federal level.
What the Bill Would Actually Do to Business Operations
The compliance question for most marketing, agency, and operations teams is not about model development -- it is about deployment and use. The bill draws a specific line here: preemption applies to laws that regulate how AI models are built, not how they are used. That distinction matters, and it is worth understanding before anyone concludes they are completely off the hook.
Colorado's law, for instance, covers both. It requires businesses that deploy high-risk AI systems to take "reasonable care" to protect Colorado residents from algorithmic discrimination in employment, credit, insurance, housing, and healthcare. The deployment-side requirements, which is what most non-tech businesses would be subject to, could remain in force even if the development side gets preempted. The bill's language, as a discussion draft, is still vague enough on this boundary to create genuine legal uncertainty.
What that means practically: the companies most directly affected by the compliance question are not the AI labs. They are businesses using AI tools to screen job applicants, score credit applications, generate personalized marketing at scale, or route customer service interactions. If you are using an AI platform that makes consequential decisions about people, Colorado's law was aimed at you. Whether the federal bill actually changes that depends on how courts interpret the development-versus-deployment line, and that interpretation has not been established.
What the Bill Requires From Large AI Companies
For frontier AI developers -- defined as companies with more than $500 million in annual gross revenue -- the bill creates a new compliance regime that would apply regardless of what states do. Those companies would be required to publish public Frontier AI Frameworks describing how they govern their most capable models, how they assess catastrophic risk, and how they handle cybersecurity around non-public model weights. They would be required to report critical safety incidents to the federal government within 15 days and imminent risks within 24 hours.
Independent Verification Organizations, licensed through a new federal AI standards center at NIST, would conduct semi-annual audits of large developers' compliance. Penalties for violations run up to $1 million per day.
This matters to non-developer businesses for one reason: the AI tools they buy will be subject to these requirements. Vendors that are currently opaque about model risk, training data, and safety incidents would face audit obligations that force more disclosure. The procurement conversation with an AI vendor in late 2026 or 2027 looks different if that vendor is required to show you a published risk framework and a compliance audit.
The Clock That Is Still Running
Here is the part that gets lost in the preemption debate: this is a discussion draft, not an introduced bill. There is no committee assignment yet, no scheduled vote, no Senate companion legislation. The legislative path from 269-page discussion draft to enacted law typically takes years, and federal AI legislation has a history of stalling. The Great American AI Act's 2024 predecessor never made it out of committee.
Colorado's law, meanwhile, takes effect in 24 days. The bill's preemption would only apply after enactment, not in anticipation of it. Companies that have been treating the June 30 deadline as aspirational are taking a legal gamble that the federal bill will pass in time to matter, and that gamble is not well-supported by the legislative calendar.
The more defensible approach: build the compliance work you were already building, but scope it to be modular. The foundation -- an AI use inventory, a high-risk use case assessment, a vendor review process, basic documentation of how AI touches consequential decisions -- is useful under Colorado's law, under the federal bill if it passes, under California's frameworks, and under the EU AI Act for any business with European customers. Compliance work built narrowly around one state law is fragile. Compliance work built around the underlying principles is durable regardless of which law ultimately applies.
Why Congress Is Moving Now
The federal push is not accidental. More than 700 state AI bills were introduced across the US in 2025. Colorado is days away from enforcement. California has multiple AI bills in progress. The AI industry has been pushing hard for federal preemption precisely because 50 different state standards are more expensive and more restrictive than one federal standard, particularly when the federal standard is still being designed.
Labor groups read this dynamic clearly. The AFL-CIO, AFT, and Association of Flight Attendants issued a joint rejection of the bill on release day, calling it "a giveaway to the AI industry." Their concern is specific: Colorado's law includes actual anti-discrimination requirements that would be frozen during the three-year preemption window. The federal bill's general consumer protections are broader in scope but lighter in enforcement mechanism.
For business leaders trying to read the political direction, the bipartisan co-sponsorship is meaningful. Trahan's participation surprised some observers given her past support for stronger AI consumer protections. Her office framed the bill as necessary to prevent a fragmented regulatory environment from slowing AI adoption while Congress builds something lasting. Whether that framing holds through public comment and formal introduction is not clear yet.
The Honest Part
No one should delay compliance planning on the assumption this bill will pass. The discussion draft exists to generate feedback, not to create law. Even if it advances quickly, the preemption only freezes development-side regulation, and the deployment-side requirements that most businesses actually face may survive regardless. The legal interpretation of that distinction will be litigated.
More broadly, the idea that federal preemption eliminates compliance obligations is mistaken. It changes which rules apply and who enforces them. A company that built no AI governance infrastructure because it was waiting to see what law passed will be poorly positioned under any framework, federal or state. The bill makes it plausible that the specific deadline changes. It does not make the underlying question go away.
The Bigger Picture
What the Great American AI Act signals, more than any individual provision, is that the no-rules era for AI in business is ending. The argument that AI regulation was premature or unnecessary has effectively lost in the legislative arena. The debate has shifted entirely to which rules apply, at which level, and who enforces them.
For a marketing leader or agency operator using AI to automate content, personalize campaigns, or qualify leads, the practical implication is not which specific law governs your vendor's model training. It is whether you have thought through how AI touches consequential decisions in your operation, whether your vendors can tell you what their models actually do, and whether you could explain your AI use to a regulator with a straight face.
A three-year preemption window, if it passes, buys time. It does not buy the ability to skip the work entirely.
The compliance clock may have just been reset. The work itself was never optional.