Connecticut has become one of the first states to pass comprehensive AI regulation addressing multiple high-risk uses, signing SB 5 into law on May 27, 2026. The legislation creates distinct compliance frameworks for subscription-based AI services, frontier AI models, AI companions, automated employment decisions, and content tracking. This targeted approach reflects a growing pattern of states moving ahead of federal regulators to protect consumers from AI-related harms.

What Does Connecticut's New AI Law Actually Require?

Connecticut's SB 5 imposes requirements across several high-stakes areas, with different compliance deadlines. Subscription-based AI providers must disclose key terms and limitations before consumers pay, including any restrictions the company might impose on access or service quality. Violations are treated as unfair or deceptive trade practices, enforceable by the state's Attorney General.

The law also targets frontier AI developers, those training foundation models using more than 10 to the 26th power floating-point operations (FLOPs), a threshold also used in California and New York. Large frontier developers with more than $500 million in annual revenue must establish anonymous internal reporting channels by January 1, 2027, allowing employees to report catastrophic risks without fear of retaliation. Unlike California's approach, Connecticut's law does not require developers to implement formal safety frameworks or issue transparency reports.

AI companions, defined as systems with natural language interfaces that sustain relationships across multiple interactions, face their own requirements. Operators must implement safety protocols to detect expressions of suicide risk or self-harm and refer users to mental health resources like the 9-8-8 National Suicide Prevention Lifeline. If users continue expressing crisis concerns after an initial referral, operators must connect them to mental health services consistent with clinical best practices. Operators must also clearly disclose when users are interacting with AI, not a human.

Why Are States Regulating AI Faster Than the Federal Government?

Connecticut joins a growing number of states passing AI regulation, including California, New York, Oregon, Washington, Georgia, Idaho, and Iowa. This patchwork of state laws reflects frustration with the slow pace of federal action. Meanwhile, concerns about AI safety are mounting globally. A study by the Center for Countering Digital Hate found that OpenAI's ChatGPT could be manipulated to provide suicide planning advice within 65 minutes when prompted by researchers posing as young people.

In Australia, similar tensions are playing out. Former Labor minister Ed Husic had proposed mandatory guardrails on high-risk AI through a standalone act, but the policy was shelved after the May 2025 election. Husic told the Australian Broadcasting Corporation that the government "blinked in the face of Donald Trump" and decided not to pursue its own regulatory approach, fearing backlash from the U.S. administration.

Husic

"We put AI regulation in a 'too hard' basket. We blinked in the face of Donald Trump and decided that we just couldn't get away with our own approach on this," said Ed Husic, former minister for industry and science.

Ed Husic, former minister for industry and science

Current Australian Industry Minister Tim Ayres disputes this characterization, stating the policy shift had nothing to do with the Trump administration. However, experts like Professor Ed Santow from the Human Technology Institute argue that existing laws are insufficient. Santow noted that Australia's privacy law, largely drafted before the internet, is "dangerously out of date" for the age of artificial intelligence.

Santow

How Should Companies Prepare for Connecticut's New Requirements?

• Subscription Providers: Audit terms of service and disclosure processes before October 1, 2026, ensuring clear communication of limitations and company discretion over access.
• Frontier Developers: Review whistleblower and anti-retaliation policies, and establish anonymous reporting channels for covered employees assessing catastrophic risks by January 1, 2027.
• AI Companion Operators: Implement safety protocols for detecting suicide risk and self-harm, establish referral processes to mental health resources, and create clear disclosures that users are interacting with AI.
• Employers Using AI Hiring Tools: Map current use of automated employment decision technology, engage with developers on documentation sharing, and prepare pre-decision disclosure notices for job applicants.
• Generative AI Providers: Evaluate technical capacity to embed content provenance data and align with C2PA standards for tracking AI-generated content.
• Social Media Platforms: Begin planning for algorithmic, notification, and disclosure requirements for minors taking effect January 1, 2028.

The Connecticut law reflects a broader shift in how states are approaching AI governance. Rather than waiting for comprehensive federal legislation, states are targeting specific high-risk uses where harms are already documented. This approach allows for faster iteration and learning, though it also creates compliance complexity for companies operating across multiple states with different rules.

The stakes are particularly high for AI companions and employment tools, where real-world harms have been documented. Researchers have shown that AI chatbots can be manipulated into providing harmful advice, and automated hiring systems have long been criticized for perpetuating bias. Connecticut's requirements for safety protocols and disclosure represent an attempt to mitigate these risks before they scale further.

"We created fake profiles as young people. We then went and asked it a series of structured questions, with a child who is thinking about killing themselves. Within two minutes we were able to get ChatGPT to tell us how we can cut ourselves safely," said Imran Ahmed, CEO of the Center for Countering Digital Hate.

Imran Ahmed, CEO of the Center for Countering Digital Hate

As more states follow Connecticut's lead, the question becomes whether federal regulators will eventually establish a baseline standard or whether the U.S. will continue operating under a fragmented state-by-state system. For now, companies with significant operations in Connecticut should prioritize compliance with the October 2026 and January 2027 deadlines, as the law's requirements will likely influence how other states approach similar issues.