By the Shadow AI Policy team
The week of June 4–11, 2026 was one of the busiest in AI governance in recent memory. Congress dropped a sweeping bipartisan AI bill, the White House signed a new executive order on AI security, the EU finalized its mandatory playbook for labeling AI-generated content just weeks before the August deadline, and Colorado's landmark AI employment law inches toward its June 30 enforcement date — all within ten days.
This week we're covering four stories that directly affect how HR, legal, and compliance teams at small and midsize businesses need to operate right now: the Great American AI Act draft and what it would mean for your AI-related layoffs and whistleblower exposure; the Trump administration's June 2 executive order on AI security; the EU's freshly published Code of Practice on AI-generated content labeling; and the imminent arrival of Colorado's AI employment law on June 30.
The Colorado AI Act (S.B. 24-205) enforcement date of June 30, 2026 is now less than three weeks away — if your company operates in Colorado or hires Colorado residents remotely and uses any AI tool in hiring, promotion, or termination decisions, you must have a risk management policy, an impact assessment, and employee disclosure notices in place before that date. If you haven't started, start today.
Published: June 4, 2026. On June 4, 2026, Representative Jay Obernolte (R-CA) and Representative Lori Trahan (D-MA) released a discussion draft of AI legislation titled the "Great American AI Act" (GAAIA), alongside a joint op-ed in Bloomberg Law. The draft bill has not yet been formally introduced in Congress. At 269 pages, it is Congress's most significant step yet toward establishing a national framework for artificial intelligence.
Most coverage has focused on the bill's proposed preemption of state AI laws, but HR and operations teams at employers of any size should focus elsewhere. The bill would directly affect how you manage layoffs, how you treat workers who raise AI concerns, and how closely the federal government monitors AI's impact on the labor market. Specifically: the draft would require employers to provide 60 days' advance notice when AI is a "substantial factor" in a mass layoff, including information on the AI involved, the estimated share of job losses attributable to AI, and pre-layoff upskilling or retraining efforts.
The whistleblower provisions are equally broad. The bill would establish federal whistleblower protections for employees and independent contractors who report "AI violations," defined broadly as any violation of federal law or regulations related to the development, deployment, or operation of artificial intelligence — and that definition extends to workers at any employer, not just large frontier AI developers. The bill also includes an anti-waiver provision stating that these rights cannot be waived or limited by contract, policy, or even an arbitration agreement.
On the data collection side, the bill would create an AI Workforce Research Hub inside the Department of Labor charged with evaluating AI's impact on the workforce, and direct the Bureau of Labor Statistics and Census Bureau to update federal surveys to capture AI use and adoption data. These provisions don't impose immediate obligations on individual employers, but the data they generate will likely inform future enforcement priorities, regulatory guidance, and litigation trends — meaning employers who track their AI use internally now will be better positioned as that federal data infrastructure matures.
This is a discussion draft, not law. The House Democratic Commission on AI framed itself in opposition hours after the draft's release, leaving the bill's path to formal introduction or passage filled with uncertainty. But even a draft of this scope signals where Congress is heading on employer obligations. Read the full draft and press release at Rep. Obernolte's official press release. You can also generate a tailored AI policy kit that's already calibrated to these emerging workforce transparency requirements.
Published: June 2, 2026. On June 2, the Trump administration issued an executive order on artificial intelligence and cybersecurity. The order acknowledges that advanced AI capabilities introduce new national security considerations that require coordinated action across executive departments and agencies.
The stated policy is to promote AI innovation and security by working collaboratively with the private sector to modernize government and private sector information systems and harden them against external threats, protect American ingenuity and intellectual property from adversaries, and cultivate America's advanced AI-enabled capabilities. On the enforcement side, the Attorney General is directed to prioritize enforcement of 18 U.S.C. §§ 1028, 1030, and 1343 — and all other applicable federal criminal laws — against anyone who utilizes AI to illegally access or damage a computer without authorization, or employs AI agents to unlawfully access data subsequently used for criminal purposes.
The order came just days before Congress released the Great American AI Act draft. The executive order establishes a voluntary framework for certain frontier AI developers to share models with the federal government before public release for national security and cybersecurity assessment. For most midsize employers, the direct impact is limited — this is primarily aimed at frontier model developers and government systems. But the order underscores the direction of federal policy: AI security is now treated as a national security matter, and the DOJ has explicit direction to prosecute AI-enabled computer crimes. Review the full order at WhiteHouse.gov.
Published: June 10, 2026. The European Commission published the final Code of Practice on marking and labelling of AI-generated content. The Code is voluntary and sets out practical steps to help providers and deployers of generative AI systems meet the AI Act transparency obligations that will apply from 2 August 2026.
From August 2, the AI Act will require clear labelling in key cases: deepfakes and AI-generated or AI-manipulated text published on matters of public interest must be clearly labelled, and users must be informed when they are interacting with an interactive AI system such as a chatbot. Once approved by the Commission and the AI Board as complying with the requirements of the Regulation, providers and deployers signing up to the Code will be able to demonstrate their compliance with the relevant obligations under the AI Act. Providers and deployers choosing to meet the transparency requirements by other means will have to demonstrate that those measures offer an equivalent level of protection.
For HR and marketing teams at companies operating in the EU, this has practical day-to-day implications. If your company uses AI to draft customer-facing communications, job postings, or public-interest content for EU audiences, those workflows will need labeling or disclosure processes in place by August 2. Deployers should maintain internal compliance documentation, train employees, and establish mechanisms for reporting and correcting incorrect or omitted labels. The Code is available directly from the European Commission's digital strategy site.
Note also that broader EU AI Act deadlines are shifting. On May 7, 2026, negotiators from the Council of the EU, the European Parliament, and the European Commission reached a provisional agreement on the Digital Omnibus on AI — the first set of amendments to the EU AI Act since its adoption in June 2024 — reflecting a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes. For use-based high-risk AI systems (Annex III), compliance obligations are postponed from 2 August 2026 to 2 December 2027. That's a 16-month reprieve — but the August transparency rules (Article 50) are not delayed for new deployments. Don't conflate the two.
Enforcement date: June 30, 2026. The Colorado Artificial Intelligence Act (CAIA, S.B. 24-205) takes effect on June 30, 2026. Employers that use AI in any employment decisions — hiring, termination, promotion — are categorized as "Deployers," and any AI system affecting such decisions is considered a "High-Risk System." Employers must implement policies and procedures for managing AI risk and conduct annual impact assessments for each high-risk system to ensure no algorithmic discrimination occurs.
Colorado's law requires businesses and government agencies to run impact assessments, notify workers if an AI tool will be used to make an employment decision, give applicants or employees a chance to appeal an AI decision, and make a publicly available statement about the types of AI systems in use and how those systems manage the risk of discrimination. The state attorney general has the exclusive authority to enforce the law — there is no private right of action.
This matters even if your company isn't headquartered in Colorado. Employers seeking remote applicants or employing remote workers should be aware that while they may not be based in a jurisdiction with an AI law, their recruiting or hiring in such jurisdictions renders them subject to those regulations. If you post jobs targeting Colorado residents and use an AI-powered applicant tracking system (ATS), resume screener, or any algorithmic ranking tool, you are a deployer under this law.
The table below maps the three active state AI employment laws most likely to affect midsize employers right now:
| State / Law | Effective Date | Key Employer Obligations | Private Right of Action? | Who Enforces |
|---|---|---|---|---|
| Colorado S.B. 24-205 | June 30, 2026 | Annual impact assessments, employee notice, appeal mechanism, public statement on AI use | No | State Attorney General |
| Illinois H.B. 3773 (amends Illinois Human Rights Act) | January 1, 2026 | Notify workers when AI is used in hiring/firing/discipline; no ZIP code proxy discrimination | No (IDHR complaint) | IL Dept. of Human Rights |
| NYC Local Law 144 | July 2023 (ongoing) | Annual independent bias audit; public notice of audit results before use of any AEDT | No | NYC Commission on Human Rights |
Read the full Colorado law text and enforcement guidance at the Colorado Legislature's official bill page. Fisher Phillips and K&L Gates have both published detailed employer-facing analyses this week — see Fisher Phillips and K&L Gates.
About Shadow AI Policy: We build AI acceptable use policy tools for HR and operations teams at 50–500 person companies. We publish guides on shadow AI, acceptable use policies, and AI governance, updated as regulations and AI tools change.
If you're a U.S. employer using AI in any hiring, promotion, or termination process, you have active legal obligations right now — not hypothetical future ones. Colorado's AI Act (S.B. 24-205) enforcement begins June 30, Illinois's AI employment amendment has been in force since January 1, and NYC Local Law 144 is ongoing. Even if none of those apply directly, the Great American AI Act's draft signals that federal AI whistleblower protections and AI layoff disclosure rules are coming and could apply to employers of any size. Start by auditing every AI tool your HR team uses and documenting whether it influences any employment decision.
Yes, especially if you operate in Colorado, Illinois, or New York City — or if you hire remote workers in those states. The Colorado law's June 30 enforcement date is three weeks away, and it requires published documentation of your AI risk management program and employee notice procedures. Beyond state law, the EU's new AI-generated content labeling Code of Practice takes effect August 2, 2026 for any company deploying AI systems that interact with EU-based users or publish AI-generated content in the EU. Even if neither applies to you today, a written AI acceptable use policy is your first line of defense as federal frameworks develop.
Not yet, and possibly not at all. The Great American AI Act is still a discussion draft — it has not been formally introduced, and it already faces significant opposition. The proposed three-year preemption applies only to laws "specifically regulating the development" of AI models, and explicitly does not preempt state laws of "general applicability," which means existing state privacy laws and human rights act amendments (like Illinois's) would likely remain in effect regardless. Colorado's June 30 deadline is live law today. Don't wait on a bill that may not pass in anything close to its current form.
Tailored to your industry and the AI tools your team uses. Free preview, $79 one-time or $149/mo with monthly updates.
Generate my policy kit →