Maryland AI Governance Act of 2024 (SB 818)
Effective date
Penalty
No civil penalties. Internal state government administrative compliance.
Obligations mapped
Tracked
Overview
Requires Maryland state agencies to inventory AI systems, conduct impact assessments, and follow DoIT policies for AI procurement and use. Applies to state government agencies only, not the private sector.
This is an AI-specific state law.
See if this regulation applies to your company with the free exposure scan.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
- Organizations operating in Maryland
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
SB 818
AI categories covered
- Government AI use
- General purpose AI
Specific AI use cases:
- document processing
What this requires you to do
Detailed obligation packs are not yet mapped for this entry in XIRA. Obligation areas from the catalog are listed below.
What this requires you to do
Complete an impact assessment. Document the potential risks and effects of your AI system on affected people.
Provide transparency notices. Inform affected individuals that AI is being used and how it influences decisions.
Maintain records. Keep documentation of your AI systems, decisions made, and compliance activities.
Implement a risk management program. Maintain ongoing processes to identify, assess, and mitigate AI-related risks.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
No civil penalties. Internal state government administrative compliance.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
First agency AI inventory due
signed
Signed by Governor Moore
Related regulations
- In EffectAI-Specific
Texas Government AI Ethics and Oversight (SB 1964)
Requires Texas state agencies and local governments to inventory AI systems, adopt an AI code of ethics aligned with NIST AI RMF, conduct impact assessments for AI that autonomously influences consequential decisions, and disclose AI use to affected individuals. Applies to government entities only, not the private sector.
Effective
- In EffectFramework
NIST AI Risk Management Framework (AI RMF 1.0)
NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. NIST released AI RMF 2.0 in February 2024, building on early adoption experiences and adapting to generative AI paradigms. Companion documents include the AI RMF Playbook and Generative AI Profile (NIST AI 600-1), developed under EO 14110, which persists as a voluntary framework even though EO 14110 was revoked. State laws that reference NIST as a safe harbor or affirmative defense include Texas TRAIGA (HB 149), Tennessee TIPA, and Montana Right to Compute Act (SB 212). Colorado SB24-205 NIST-aligned controls remain useful historical and reusable governance evidence after SB26-189, but they should not be described as the current Colorado ADMT minimum-law safe harbor without legal review. Alignment with NIST AI RMF increasingly affects legal exposure under these state laws.
Effective
- In EffectAI-Specific
Maryland HB 1202 (Facial Recognition in Hiring)
Prohibits creating facial templates of job applicants during interviews without signed consent. Where applicable, the waiver may need to include the applicant's name, interview date, consent to facial recognition use, and whether the applicant read the waiver. Scope is narrower than Illinois BIPA: it only covers facial recognition during interviews, not biometric data collection generally.
Effective
- In EffectPrivacy ADM
Maryland Online Data Privacy Act (MODPA), ADM and profiling provisions
Statute effective October 1, 2025, but enforcement does not begin until April 1, 2026. The law does not apply to processing activities before April 1, 2026. Considered one of the strongest state privacy laws due to strict data minimization and a complete ban on selling sensitive data (not only opt-in consent). The threshold of 35,000 consumers is lower than most states. Controllers must handle profiling and automated decision-making with strong consumer protections, including documented risk assessments and opt-out rights. Impact assessments required per algorithm used in high-risk processing. Nonprofits are largely included. Universal opt-out signals required from day one. 60-day cure period with no sunset date in the current statute.
Effective
- In EffectAI-Specific
Maryland Nonconsensual Pornography Deepfake Expansion (SB 360)
Expands Maryland's revenge porn statute to cover AI-generated and computer-generated sexual imagery. Strengthens civil remedies for victims of synthetic intimate images.
Effective
- In EffectSector-Specific
Maryland Healthcare AI Utilization Review (HB 820)
May apply to AI tools used in healthcare coverage decisions, calling for determinations based on individual patient data rather than group datasets. Where applicable, final utilization review decisions may need to be made by a physician in the same specialty. Where applicable, carriers may need to report whether AI was used in adverse decisions. Does not ban AI in healthcare: where applicable it may require AI to use individual patient data and may mandate human physician final decisions.
Effective
Maryland AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.