Table of Contents
- What Was Virginia’s High-Risk AI Bill?
- What Counts as a High-Risk AI System?
- Developers vs. Deployers: Who Had Compliance Duties?
- Core Compliance Requirements Businesses Should Understand
- Disclosure Requirements: What Consumers Would Need to Know
- Generative AI and Synthetic Content
- Enforcement: Who Would Police the Law?
- Why Was the Bill Vetoed?
- How Virginia Compared With Colorado’s AI Act
- Practical Compliance Checklist for Companies
- Specific Example: AI in Hiring
- Specific Example: AI in Lending
- What Businesses Should Do Now
- Experience Notes: Lessons From Preparing for High-Risk AI Compliance
- Conclusion
Artificial intelligence has officially left the “cool demo” phase and entered the “please loop in Legal” phase. In Virginia, that shift became especially visible with House Bill 2094, the High-Risk Artificial Intelligence Developer and Deployer Act. The bill was passed by the Virginia General Assembly in 2025 but later vetoed by Governor Glenn Youngkin, meaning it is not currently an active Virginia law. Still, for businesses using AI in hiring, lending, housing, health care, education, insurance, legal services, or other sensitive areas, HB 2094 remains one of the clearest roadmaps for where state-level AI compliance may be heading.
Why should companies care about a bill that did not become law? Because vetoed bills can be policy prototypes. They show what lawmakers are testing, what consumer advocates are demanding, what industry groups are resisting, and what compliance teams may need to build before the next version arrives. Virginia’s high-risk AI proposal also sits in a fast-growing national trend: states are trying to regulate AI systems that make or influence consequential decisions about real people.
This guide explains what Virginia’s proposed high-risk AI framework covered, how compliance would have worked, what disclosures businesses would have needed, how enforcement was structured, and what practical lessons companies can take from it now.
What Was Virginia’s High-Risk AI Bill?
Virginia HB 2094 was designed to regulate the development, deployment, and use of high-risk artificial intelligence systems. In plain English, it focused on AI tools that could meaningfully affect a person’s access to major life opportunities or essential services. Think less “AI makes a playlist” and more “AI helps decide whether someone gets a job interview, loan approval, housing access, insurance coverage, or health care service.”
The bill followed the same general philosophy as the Colorado Artificial Intelligence Act: AI regulation should be risk-based, not one-size-fits-all. A chatbot that helps customers find store hours is not the same as a machine-learning model used to rank mortgage applicants. Virginia’s proposal tried to draw that line by focusing on “high-risk” AI systems used in consequential decisions.
Although the bill was vetoed, its structure matters because it reflects the core elements many U.S. AI laws are beginning to share: a duty of reasonable care, risk management, impact assessments, documentation, consumer disclosures, and attorney general enforcement.
What Counts as a High-Risk AI System?
Under the Virginia proposal, a high-risk AI system was generally an AI system specifically intended to autonomously make, or be a substantial factor in making, a consequential decision. That definition is important because it does not cover every spreadsheet, recommendation engine, or workflow automation tool. The focus is on AI that carries real-world consequences.
Examples of Consequential Decisions
The bill identified several areas where an AI-assisted decision could be considered consequential. These included education enrollment or opportunity, employment access, financial or lending services, health care services, housing, insurance, legal services, and certain criminal justice-related decisions such as parole, probation, or release from court supervision.
For example, an AI tool that screens job applicants for a retail company may fall into the high-risk category if it meaningfully determines who gets interviewed. A lending model that ranks borrowers by creditworthiness could also be covered. On the other hand, an AI tool that suggests better email subject lines for a marketing team would usually be outside the core scope. Annoying? Maybe. High-risk? Probably not.
Developers vs. Deployers: Who Had Compliance Duties?
Virginia’s proposed law separated responsibilities between developers and deployers. This distinction is essential for AI compliance because many companies use AI tools they did not build themselves.
Developers
A developer is the organization that creates, sells, leases, licenses, or otherwise provides a high-risk AI system. Developers would have been expected to use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination. They also would have needed to provide deployers with information about the system’s intended uses, limitations, performance, and risk controls.
In practice, this means an AI vendor could not simply hand over a black box and say, “Good luck, may the algorithm be ever in your favor.” The developer would need to document how the system works at a useful level, where it may fail, what data it was designed for, and how deployers should monitor it.
Deployers
A deployer is the organization that uses a high-risk AI system to make or help make consequential decisions. Deployers would have had their own duty of reasonable care. They would also have needed to complete impact assessments, implement risk management practices, provide consumer notices, and maintain records demonstrating compliance.
For example, if a bank uses a third-party AI scoring tool to evaluate loan applicants, the vendor may be the developer, while the bank is the deployer. Both may have duties, but the deployer is closer to the consumer-facing decision and would likely carry major responsibility for disclosure, monitoring, and review.
Core Compliance Requirements Businesses Should Understand
Even though HB 2094 was vetoed, its compliance structure offers a practical checklist for responsible AI governance. Companies that prepare now will be in better shape if Virginia revisits the issue or if they operate in states with similar rules.
1. Maintain an AI Inventory
The first step is knowing where AI is used. Many organizations discover that AI tools are scattered across HR, marketing, customer support, cybersecurity, sales, analytics, and product teams. A serious compliance program starts with an inventory that lists each AI system, its owner, vendor, purpose, data inputs, users, and decision impact.
For high-risk AI, the inventory should answer one practical question: could this system affect someone’s access to employment, housing, credit, education, health care, insurance, legal services, or another important opportunity? If yes, it deserves closer review.
2. Conduct Impact Assessments
Impact assessments are the heart of modern AI compliance. Under the Virginia proposal, deployers would have needed to assess how a high-risk AI system is used, what risks it creates, how those risks are mitigated, and whether the system may contribute to algorithmic discrimination.
A useful AI impact assessment should cover the system’s purpose, decision role, data sources, performance metrics, known limitations, testing results, human oversight, appeal process, and mitigation measures. It should not be a decorative PDF that lives in a forgotten compliance folder. It should be a working document that product, legal, privacy, security, and business teams can actually use.
3. Build a Risk Management Program
Virginia’s bill referenced recognized AI risk management practices. The NIST AI Risk Management Framework is especially relevant because it encourages organizations to govern, map, measure, and manage AI risks. That approach fits neatly with high-risk AI compliance because it turns abstract principles such as fairness and transparency into repeatable internal processes.
A strong AI risk management program should include vendor due diligence, bias testing where appropriate, model monitoring, access controls, incident response procedures, documentation standards, and clear accountability. Someone must own the system after launch. AI governance cannot be a ribbon-cutting ceremony where everyone celebrates the deployment and then quietly backs away.
4. Document System Limitations
One major theme in HB 2094 was documentation. Developers would have needed to explain known or reasonably foreseeable limitations of high-risk AI systems. This matters because AI tools often perform differently across populations, contexts, languages, data quality levels, or real-world conditions.
For example, a résumé-screening model trained primarily on historical hiring data may reflect old patterns that disadvantage certain groups. A health care triage tool may perform poorly if used outside the population it was tested on. A lending model may produce risky outcomes if economic conditions shift. Documentation should make these limitations visible before they become expensive problems.
Disclosure Requirements: What Consumers Would Need to Know
Transparency is one of the biggest themes in high-risk AI regulation. Virginia’s proposed law would have required deployers to notify consumers when a high-risk AI system was being used to make or substantially influence a consequential decision.
What a Good AI Disclosure Should Include
A practical disclosure should be clear, timely, and understandable. It should tell the consumer that AI is being used, describe the general purpose of the system, explain the type of decision involved, and provide a way to request more information or human review when appropriate.
Bad disclosure sounds like this: “An automated computational mechanism may facilitate decisional optimization.” Good disclosure sounds like this: “We use an automated system to help review applications. The system may affect whether your application moves forward. You may request additional information or ask for human review.”
The difference is not just style. Clear disclosure helps consumers understand their rights and helps businesses show regulators that transparency is more than a buzzword printed on a conference banner.
Adverse Decisions and Human Review
High-risk AI rules often focus on adverse decisions. If an AI system contributes to a denial, rejection, ranking downgrade, or other negative outcome, consumers may need an explanation and a meaningful way to challenge the result. Virginia’s proposal pointed in this direction by requiring information that could help consumers understand AI-influenced decisions.
For businesses, this means human review should be real. A company should not create an “appeal” process where a human clicks approve on whatever the model already decided. Regulators are increasingly alert to fake oversight. Human reviewers need authority, training, access to relevant information, and the ability to correct bad outcomes.
Generative AI and Synthetic Content
Virginia’s bill also addressed generative AI systems that produce synthetic content, including text, images, audio, and video. The proposal would have required certain AI-generated or substantially modified synthetic content to be identifiable through industry-standard methods, with exceptions for some low-risk or creative uses.
This provision reflects a broader concern: people should know when content has been generated or materially altered by AI, especially when that content could mislead, impersonate, or influence important decisions. For companies, the practical takeaway is simple. If generative AI is used in customer communications, hiring materials, public claims, legal workflows, health-related content, or financial services, disclosure and review controls are not optional decorations. They are becoming table stakes.
Enforcement: Who Would Police the Law?
Virginia HB 2094 would have been enforced by the Virginia Attorney General. The bill did not create a private right of action, meaning individual consumers would not have been able to sue directly under the proposed AI law. Instead, enforcement would have come through the state’s top legal office.
Proposed penalties varied by violation type, and legal summaries of the bill highlighted civil penalties for noncompliance and higher penalties for willful violations. The bill also included a cure period concept, allowing businesses an opportunity to fix certain violations before penalties were pursued, depending on the circumstances.
For compliance teams, the lesson is clear: documentation is your best friend when regulators call. If a company cannot show its AI inventory, risk assessments, consumer notices, vendor documentation, testing records, and remediation steps, it may be forced to explain a complex system with nothing but confidence and vibes. Regulators are not known for accepting vibes as evidence.
Why Was the Bill Vetoed?
Governor Youngkin vetoed HB 2094 after expressing concern that the bill would create a burdensome AI regulatory framework and could harm innovation, job creation, startup growth, and business investment in Virginia. Industry groups also raised concerns that the bill could impose heavy compliance costs, especially on smaller companies.
At the same time, some consumer and privacy advocates argued that the bill did not go far enough. That unusual squeeze (too much regulation for some, too little protection for others) shows how difficult AI lawmaking has become. Lawmakers are trying to regulate systems that are powerful, technical, fast-changing, and often poorly understood by the public. Businesses want clarity. Consumers want protection. Regulators want accountability. AI vendors want flexibility. Everyone wants innovation, but nobody wants to be the test case in a headline.
How Virginia Compared With Colorado’s AI Act
Colorado enacted the first comprehensive U.S. state law focused on high-risk AI systems. Virginia’s bill borrowed from that general model but was viewed by many analysts as narrower and more business-friendly. Virginia focused on systems that autonomously make or substantially influence consequential decisions, and its approach included trade secret protections and a more limited enforcement structure.
Colorado’s law has become the benchmark for U.S. high-risk AI compliance. Virginia’s bill showed that other states may follow the same architecture while adjusting definitions, exemptions, timelines, enforcement powers, and business obligations. For companies operating nationally, this means AI compliance should not be built state by state in a panic. It should be built as a flexible governance program that can adapt to multiple state rules.
Practical Compliance Checklist for Companies
Businesses do not need to wait for a final Virginia AI law to begin preparing. The smartest approach is to build controls that make sense regardless of where the next state law lands.
- Create and maintain an inventory of AI systems across departments.
- Classify AI systems by risk level and decision impact.
- Identify systems used in employment, lending, housing, education, health care, insurance, legal services, or similar areas.
- Conduct impact assessments before deployment and after major system changes.
- Require vendors to provide documentation about data, performance, limitations, and risk controls.
- Write clear consumer disclosures for AI-influenced consequential decisions.
- Provide meaningful human review for adverse outcomes where appropriate.
- Monitor systems for drift, bias, accuracy issues, and unexpected outcomes.
- Keep records that demonstrate reasonable care and risk mitigation.
- Align internal practices with recognized frameworks such as the NIST AI Risk Management Framework.
Specific Example: AI in Hiring
Consider a Virginia employer using an AI tool to rank applicants for customer service positions. The system reviews résumés, scores candidates, and recommends who should move to the interview stage. Under a high-risk AI framework like HB 2094, the employer would likely need to ask several questions. Was the model trained on representative data? Does it disadvantage applicants based on protected characteristics? Can the employer explain why a candidate was rejected? Is there a human review process? Has the vendor provided documentation about limitations?
The employer would also need a disclosure that applicants can understand. A simple notice during the application process could explain that an automated system assists in reviewing applications and that applicants may request more information. Internally, the company should test outcomes, document review procedures, and ensure hiring managers do not treat AI scores as divine commandments from the cloud.
Specific Example: AI in Lending
Now imagine a fintech company using AI to evaluate personal loan applications. The model considers credit history, income, repayment behavior, and other variables. Because lending decisions affect access to financial services, this would sit squarely in high-risk territory.
A responsible compliance program would document the model’s purpose, inputs, performance metrics, limitations, and monitoring plan. The company would need to review whether the model creates unfair outcomes for protected groups, provide legally appropriate adverse action explanations, and ensure humans can review contested decisions. Vendor contracts should require cooperation, audit support, and timely notification of material model changes.
What Businesses Should Do Now
The most important move is to stop treating AI governance as a future problem. Companies already use AI in ways that affect customers, workers, applicants, patients, tenants, and borrowers. Even where no AI-specific state law applies, existing anti-discrimination, privacy, consumer protection, employment, and financial laws may still apply.
Organizations should form a cross-functional AI governance team that includes legal, compliance, privacy, cybersecurity, data science, product, HR, and business leaders. The team should approve high-risk uses, review vendors, set documentation standards, and decide when human oversight is required. AI governance works best when it is built into procurement and product development, not stapled on after launch like a warning label on a rocket.
Experience Notes: Lessons From Preparing for High-Risk AI Compliance
In real-world compliance work, the hardest part of high-risk AI governance is rarely writing the policy. Anyone can write a beautiful AI policy. Some policies are so beautiful they should be framed, hung in a hallway, and ignored forever. The real challenge is turning policy into repeatable behavior across teams that buy, build, test, deploy, and monitor AI systems.
One common experience is that companies underestimate how many AI tools they already use. A legal team may think the organization has three AI systems. After a proper inventory, the number may become thirty. HR uses a screening tool. Marketing uses generative AI for campaign drafts. Customer service uses automated routing. Finance uses fraud scoring. Sales uses predictive lead scoring. Product teams use recommendation engines. Suddenly, the AI governance project looks less like a legal memo and more like a treasure hunt with spreadsheets.
Another lesson is that vendor management becomes critical. Many businesses rely on third-party AI vendors but do not receive enough information to assess risk. A vendor may promise that its model is “fair,” “explainable,” or “enterprise-ready,” which sounds comforting until the compliance team asks for testing methods, training data summaries, model limitations, or audit rights. Responsible companies should update procurement workflows so high-risk AI vendors must provide meaningful documentation before purchase, not after a regulator asks for it.
Impact assessments also work best when they are practical. Long questionnaires can create fatigue, especially for product teams moving quickly. A better approach is to use tiered assessments. Low-risk tools get a short review. Medium-risk tools get more questions. High-risk systems trigger deeper review, legal involvement, vendor documentation, testing, and executive approval. This keeps governance focused instead of turning every AI spell-checker into a federal case.
Human oversight is another area where theory and practice often differ. A policy may say that humans remain in control, but the workflow may encourage employees to accept AI outputs automatically. Meaningful oversight requires training people to question results, giving them authority to override systems, and measuring whether overrides actually happen. If a human reviewer never disagrees with the model, the company should ask whether oversight is real or just theater with a login screen.
Finally, the best AI compliance programs are not anti-innovation. They make innovation safer, faster, and easier to defend. When teams know the approval path, documentation expectations, risk standards, and disclosure rules, they can launch AI tools with fewer surprises. Virginia’s vetoed high-risk AI bill may not be active law, but it provides a useful preview of the controls businesses will likely need as state AI regulation continues to mature.
Conclusion
Virginia’s High-Risk Artificial Intelligence Developer and Deployer Act did not become law, but it remains highly relevant. HB 2094 captured the direction of U.S. AI regulation: focus on high-risk systems, prevent algorithmic discrimination, require reasonable care, improve transparency, document limitations, and give regulators a clear enforcement path.
For businesses, the smartest response is not to wait for the next bill to pass. The smarter response is to build an AI governance program now. Start with an inventory. Identify high-risk use cases. Conduct impact assessments. Improve vendor contracts. Write clear disclosures. Train human reviewers. Keep evidence. In the age of AI, “we didn’t know what the model was doing” is not a compliance strategy. It is a plot twist, and usually not the fun kind.
