AI regulation: what actually hits a small business
Drafted through my n8n + AI pipeline, edited by me.
Two AI laws start to bite in 2026: most of the EU AI Act became applicable on 2 August, and Colorado's AI Act, the first comprehensive US state law, takes effect on 30 June. The headlines are scary. For a small business the reality is narrower than the fear, but it is not nothing.
What AI regulation actually applies to you
Most of these laws target high-risk uses: hiring, credit, housing, healthcare, insurance, decisions that materially affect someone. If you are using AI to draft emails and summarize notes, you are almost certainly fine. The exposure shows up in two places people miss: when your AI's output is used by people in the EU (extraterritorial, the way GDPR works), and through your vendors.
Three risk tiers:
- Low-risk: you're fine. Drafting, summarizing, content, internal research.
- Check it: AI in hiring or screening, or outputs used by people in the EU. Often inherited from a vendor.
- High-risk: real obligations. AI making consequential calls on hiring, credit, housing, healthcare, or insurance.
What it means for a small business
The sneaky path is the vendor chain. A small business in Philadelphia hiring a remote worker in Colorado can inherit Colorado AI Act exposure through its applicant-tracking system, without ever building anything 'AI' itself. Your compliance can ride in on a tool you bought. The answer is not panic. It is knowing where AI makes a consequential decision in your stack.
- List where AI touches a consequential decision: hiring, lending, anything legal or medical.
- Ask your key vendors (ATS, CRM, screening tools) what AI they use and how they comply.
- Keep a human in the loop on anything high-stakes, which is good practice regardless.
None of this is legal advice, and when it is genuinely high-risk you should get a professional. But most of the time the honest answer is that it does not apply to you. Bring me the tools your business runs on, and I'll help you spot where AI regulation might actually reach.