What is an AI Impact Assessment?

Definition

An AI impact assessment is a structured review of how an automated system affects people. It records what data the system uses, what decisions it influences, what could go wrong, and what the company does to lower risk. Several state laws expect a written assessment before or during use of higher-risk AI in consequential decisions.

See also our AI compliance glossary for short definitions of common terms.

Which regulations require this

• CCPA/CPRA Automated Decision-Making Technology Regulations

  California's ADMT regulations require businesses using automated decisionmaking technology for significant decisions...

  CAPrivacy ADMHighEnacted (pending)
• Colorado Privacy Act (CPA profiling and ADM)

  Colorado profiling rules define three tiers: Solely Automated Processing, Human Reviewed Automated Processing, and Hu...

  COPrivacy ADMHighIn effect
• Connecticut Public Act 25-113 (SB 1295) CTDPA and profiling amendments

  Connecticut's omnibus bill dramatically expands the CTDPA. Lowers the applicability threshold from 100,000 to 35,000...

  CTPrivacy ADMHighUpcoming
• Maryland Online Data Privacy Act (MODPA), ADM and profiling provisions

  Statute effective October 1, 2025, but enforcement does not begin until April 1, 2026. The law does not apply to proc...

  MDPrivacy ADMMediumIn effect
• Minnesota Consumer Data Privacy Act - ADM and profiling provisions

  Minnesota is the first state privacy law to require controllers to create and maintain a data inventory. The right to...

  MNPrivacy ADMMediumIn effect
• Rhode Island Data Transparency and Privacy Protection Act - ADM provisions

  Rhode Island's privacy framework includes consumer rights tied to profiling and automated decisions, including opt-ou...

  RIPrivacy ADMMediumIn effect
• Virginia Consumer Data Protection Act (VCDPA, Profiling Provisions)

  Grants Virginia consumers the right to opt out of profiling in furtherance of decisions that produce legal or signifi...

  VAPrivacy ADMMediumIn effect
• New Hampshire Privacy Act - Profiling Provisions

  Grants New Hampshire consumers the right to opt out of profiling for decisions with legal or significant effects.

  NHPrivacy ADMMediumIn effect
• New Jersey Data Privacy Act (Profiling Provisions)

  Uniquely covers nonprofits with no revenue threshold. Universal opt-out mechanism (UOOM) requirement effective July 1...

  NJPrivacy ADMMediumIn effect
• FDA AI/ML Medical Device Framework

  FDA requires pre-market review (510(k), De Novo, PMA) for AI/ML-based software that meets the definition of a medical...

  FEDERALFederal guidanceMediumIn effect
• Nebraska Data Privacy Act - ADM and profiling provisions

  Nebraska requires consumer opt-out rights and risk assessments for qualifying profiling and automated decisions with...

  NEPrivacy ADMMediumIn effect
• Texas Data Privacy and Security Act, Profiling Provisions (HB 4)

  Texas comprehensive privacy law with profiling provisions. Requires data protection assessments for profiling that pr...

  TXPrivacy ADMLowIn effect
• Indiana Consumer Data Protection Act - Profiling Provisions

  Grants Indiana consumers the right to opt out of profiling for decisions with legal or significant effects. Applies t...

  INPrivacy ADMLowIn effect
• Montana Consumer Data Privacy Act - Profiling Provisions

  Grants Montana consumers the right to opt out of profiling for decisions with legal or significant effects. 2025 amen...

  MTPrivacy ADMLowIn effect
• Oregon Consumer Privacy Act - Profiling Provisions

  Grants Oregon consumers the right to opt out of profiling for decisions with legal or significant effects. Opt-out li...

  ORPrivacy ADMLowIn effect
• Tennessee Information Protection Act - Profiling Provisions

  Grants Tennessee consumers the right to opt out of profiling for decisions with legal or significant effects. First s...

  TNPrivacy ADMLowIn effect
• Delaware Personal Data Privacy Act - Profiling Provisions

  Grants Delaware consumers the right to opt out of profiling for decisions with legal or significant effects. Opt-out...

  DEPrivacy ADMLowIn effect
• Kentucky Consumer Data Protection Act - Profiling Provisions

  Grants Kentucky consumers the right to opt out of profiling for decisions producing legal or significant effects. Vir...

  KYPrivacy ADMLowIn effect
• HUD AI Guidance in Housing

  Fair Housing Act disparate impact standard applies to AI-driven tenant screening, lending algorithms, and property va...

  FEDERALFederal guidanceLowIn effect
• NIST AI Risk Management Framework (AI RMF 1.0)

  NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. NIST released AI RMF...

  FEDERALFrameworkLowIn effect
• Connecticut Government AI Procurement and Oversight (SB 1103)

  First-in-nation state government AI procurement law. Requires state agencies to inventory AI systems, conduct impact...

  CTAI-specificLowIn effect
• Maryland AI Governance Act of 2024 (SB 818)

  Requires Maryland state agencies to inventory AI systems, conduct impact assessments, and follow DoIT policies for AI...

  MDAI-specificLowIn effect
• Texas Government AI Ethics and Oversight (SB 1964)

  Requires Texas state agencies and local governments to inventory AI systems, adopt an AI code of ethics aligned with...

  TXAI-specificLowIn effect

Which states reference this obligation

What you should do next

• Inventory the system, owners, and data sources tied to the automated decision.
• Document who is affected, which outcomes matter, and known limits of the model or rules.
• Compare against applicable protected classes and fairness expectations in each state you touch.
• Keep the assessment updated when the model, data, or use case changes in a meaningful way.
• Line up retention and access rules so you can show regulators or counsel the file on request.