Connecticut just passed the CART Act. It is the broadest state AI law yet — and it starts soon.
On June 2, 2026, Connecticut became the seventh state to enact a comprehensive AI law. Unlike Colorado’s, this one did not stall in court or get rewritten before it took effect. The first obligations land October 1, 2026.
What Connecticut actually passed
Governor Lamont signed Senate Bill 5 as Public Act 26-15, the Artificial Intelligence Responsibility and Transparency Act — the “CART Act.” It is among the most wide-ranging state AI statutes enacted to date. Rather than regulating one use case, it reaches across several: automated employment decision tools, consumer-facing chatbots, frontier-model developers, generative-AI provenance, online platforms used by minors, and AI in healthcare.
The obligations phase in on a staggered schedule, which matters more than the headline date:
- October 1, 2026: anti-discrimination amendments, the developer–deployer framework, a new AI-related layoff disclosure tied to the state’s WARN provisions, synthetic-content provenance requirements for large generative-AI providers (those with more than one million monthly users), and frontier-model whistleblower protections.
- January 1, 2027: rules for AI companion chatbots, and a requirement that large frontier developers (over $500M in revenue) stand up anonymous internal reporting channels.
- October 1, 2027: interactive disclosure and pre-decision notice obligations for automated employment decision tools, plus a duty for developers to give deployers information about those tools.
The Act also creates a Connecticut AI Academy and directs state agencies to inventory and assess their own AI systems — a signal of where the state expects private deployers to eventually land.
Disclosure first — not bias audits
Here is the part worth reading carefully, because it cuts against the assumption many businesses are operating on. As enacted, the CART Act leans heavily on disclosure and written notice rather than mandatory bias audits or third-party impact assessments. Connecticut’s employment provisions require deployers to tell applicants and employees that an automated tool is being used, describe the decision and the tool, identify the categories and sources of personal data involved, and provide contact information — closer in spirit to the slimmed-down version of Colorado’s law than to its original, audit-heavy draft.
That is a lighter lift than a full algorithmic-impact assessment. It is not nothing. You cannot disclose what an automated tool does, or what data feeds it, if you do not first know which tools you run and how they reach decisions. The notice requirement quietly assumes an inventory most organizations have never built.
The phase-in is a gift. The patchwork is the problem.
A sixteen-month runway to the employment-tool obligations is unusually generous, and Connecticut deployers should treat it as preparation time, not idle time. But the more important story is national. Colorado, Texas, Illinois, New Jersey, and now Connecticut have each drawn the line in a slightly different place — different triggers, different definitions of a covered tool, different effective dates. A federal executive order issued in December 2025 has further signaled an intent to federalize AI policy, adding uncertainty about how long this state-by-state layer will stand. None of that lets a business in the meantime ignore a law that is signed and dated.
The way through is not to chase each statute individually. Every one of these laws rhymes on the same four expectations: know which AI systems you operate, manage their risks deliberately, document the foreseeable harms, and tell the people affected. Build that foundation once and Connecticut’s notice rules become a formatting exercise rather than a scramble.
If you hire, lend, or serve customers in Connecticut, do these three things
1. Inventory your AI — especially vendor tools used in hiring, screening, or customer decisions; the October 1, 2026 framework assumes you know what you run. 2. Draft your disclosures now, mapping each covered tool to the notice elements the Act requires, so they are ready well before the October 2027 employment deadline. 3. Stand up a lightweight risk-management process aligned to NIST AI RMF and ISO/IEC 42001 — the structure that travels across Connecticut, Colorado, Texas, and whatever comes next.
Connecticut did what Colorado could not: pass a broad AI law and keep it on the calendar. The deadline is real, the runway is generous, and the work it rewards is the same work every other state is converging on.
This briefing is general information from Sentinel Assurance Group, not legal advice. Regulatory dates and requirements change — we maintain these briefings, but verify against primary sources and counsel before acting. Effective dates and scope reflect law-firm analyses of Public Act 26-15 as enacted; specific provisions may be clarified by future rulemaking. Last reviewed June 10, 2026.
See how a Gap Assessment maps your exposure →Not sure which of these reach you?
Find out in 30 minutes.
The free AI Risk Exposure call maps your AI footprint to the obligations that actually apply — and the ones that don’t.
Book the call →