Overview: Maryland’s Evolving Artificial Intelligence Environment

Maryland has emerged as one of the more active US states in shaping how artificial intelligence (AI) is governed, particularly in the public sector. Rather than adopting a single comprehensive AI law, Maryland has taken a practical approach – applying existing legal frameworks (consumer protection, procurement, data privacy, and administrative law) while supplementing them with targeted statutes, policies, and workgroups addressing AI-specific risks.

Maryland’s approach reflects its unique position: the state has a high concentration of state agencies, universities, healthcare systems, and federal contractors. AI adoption spans back-office automation, generative AI productivity tools, and systems supporting eligibility decisions, fraud detection, healthcare delivery, and education. As adoption has accelerated, policymakers have prioritised transparency, accountability, and risk management – particularly where AI systems may affect individuals’ rights or access to services.

The result is a state AI environment that has grown more formal over time: early experimentation has given way to statutory requirements for inventories and policies, centralised guidance on responsible AI use in government, and increasing legislative attention to AI-driven consumer harm, bias, and automated decision-making.

Public-Sector AI Governance: Statutory and Policy Developments

Executive Order 01.01.2024.02, “Catalyzing the Responsible and Productive Use of Artificial Intelligence in Maryland State Government”, issued by Governor Wes Moore on 8 January 2024, established Maryland’s foundational public-sector AI governance framework. The Order recognises both the opportunities and risks of AI and directs that any use of AI by Maryland state agencies be grounded in principles of fairness and equity, innovation, privacy, safety, security and resiliency, validity and reliability, and transparency, accountability, and explainability.

The Artificial Intelligence Governance Act of 2024

In 2024, Maryland enacted the Artificial Intelligence Governance Act (SB 818), effective 1 July 2024. This law establishes the core statutory framework for AI governance in state government. It requires state agencies to conduct inventories and assessments of AI systems and directs the Department of Information Technology (DoIT) – working with the Governor’s AI Subcabinet – to adopt policies governing AI development, procurement, deployment, use, and assessment.

The Act focuses on process rather than prohibition, emphasising oversight throughout the AI life cycle. The key compliance message is that government AI use should be inventoried, assessed, governed, and monitored from start to finish. This framework matters for vendors selling AI systems to Maryland agencies, as contracts will likely incorporate DoIT policy requirements.

The Act reflects a growing recognition that AI risk in government comes less from the technology itself and more from how systems are designed, purchased, integrated into decision-making, and monitored after deployment. Maryland’s approach mirrors what other jurisdictions are doing: documentation, inventories, and accountability mechanisms are becoming prerequisites for responsible AI adoption at scale.

Responsible AI policy and implementation guidance

To operationalise the statute, DoIT issued a statewide Responsible AI Policy on 23 May 2025, along with Implementation Guidance. The policy establishes guiding principles – including fairness, privacy, security, reliability, and transparency – defines roles and responsibilities, requires agencies to assess and manage AI-related risks, and delineates prohibited uses.

The Implementation Guidance directs agencies to build AI literacy, designate an AI lead, co-ordinate with security and data stakeholders, and follow DoIT’s governance processes. For AI vendors, this means Maryland agency customers are likely to request technical documentation, model information, cybersecurity details, data-use limits, and audit evidence. Importantly, the policy ties AI governance to the procurement process, so that AI risks are addressed when systems are acquired rather than after problems arise.

Generative AI guidance for state employees

On 9 May 2025, Maryland issued interim guidance on the responsible use of generative AI (GenAI) by executive-branch staff. The guidance allows experimentation while emphasising privacy, security, bias, accuracy, and legal risk. It prohibits using commercial GenAI tools to make sensitive decisions affecting individual benefits, credentials, hiring, legal investigations, or individual rights. It also clarifies that procurement rules apply to paid or enterprise GenAI solutions.

Strategy and Institutional Infrastructure

Maryland’s AI governance architecture extends beyond statutes and policies to include institutional co-ordination and strategic planning. The Governor’s AI Subcabinet, established by executive order and codified by the AI Governance Act, co-ordinates AI policy, advises on governance standards, and supports agency implementation.

DoIT has developed an AI Enablement Strategy and Study Roadmap, presented to the General Assembly, framing the state’s AI programme as a shift from foundational governance to structured implementation. The Roadmap describes 2024 foundation-building work, including interim GenAI guidance, the first statewide AI inventory, free AI training for state employees, an AI intake process, initial proofs of concept, and an AI Community of Practice.

These initiatives signal that Maryland views AI governance as iterative and evolving, anticipating continued adjustment of policies, guidance, and legislation as AI capabilities change.

Consumer Protection and “High-Risk AI” Legislative Activity

While Maryland’s most developed AI governance regime applies to state agencies, the legislature has increasingly turned attention to private-sector AI uses – particularly those affecting consumers in consequential decision-making contexts. Proposals have focused on “high-risk AI systems” that materially affect employment, housing, credit, insurance, education, healthcare, or access to government services. These proposals typically include:

• obligations on developers and deployers to prevent algorithmic discrimination;
• requirements for risk or impact assessments before deployment;
• transparency and notice obligations when AI is used in consequential decisions; and
• enforcement authority vested in the state Attorney General through consumer protection statutes.

Although not all proposals have been enacted, they reflect Maryland policymakers’ view that existing consumer protection and anti-discrimination laws may need AI-specific updates to address the unique challenges AI presents – particularly its opacity and scale. These proposals also mirror national trends, suggesting businesses should anticipate increased expectations around documentation, bias mitigation, and explainability.

Maryland has also established a Workgroup on Artificial Intelligence Implementation, tasked with monitoring AI use, consumer protection implications, and impacts on government benefits – underscoring the likelihood of continued legislative engagement.

The 2026 legislative session

The 2026 Maryland General Assembly session (adjourned 13 April 2026) produced significant AI-related activity with over two dozen bills introduced. Key measures that passed both chambers and were sent to the Governor include the following:

• SB 8 (Deepfake Identity Fraud) expands identity fraud statutes to address AI deepfakes used to impersonate individuals. It imposes felony penalties – up to five years’ imprisonment and USD10,000 fine for single victims; up to ten years and USD15,000 for multiple victims – and allows civil actions.
• SB 597 (Maryland AI Partnership) establishes a centralised AI partnership within the University System of Maryland, creates an AI Public Services Fellowship, and establishes an AI Incubation Lab to assist state agencies.
• SB 141 (Election Deepfakes) addresses election misinformation, disinformation, and deepfakes.
• AI Ready Schools Act (SB 720 / HB 1057) requires the Maryland State Department of Education to develop AI guidance for educators and students, establish a statewide AI education collaborative, and require local school systems to designate AI co-ordinators.

Other bills introduced but not advancing from committee addressed AI product liability (HB 712), AI in health insurance (HB 795, HB 1385), and AI-enabled toys (HB 1261). Bills on companion chatbot regulation (HB 952), behavioural health AI (HB 883), and consumer reporting systems (HB 1399) passed committees but were not voted on.

The breadth of AI-related proposals underscores the legislature’s sustained attention to AI governance.

Data Privacy as a Driver of AI Compliance Obligations

The Maryland Online Data Privacy Act of 2024 (MODPA), effective 1 October 2025, is one of the most significant developments affecting AI governance in the private sector. MODPA establishes comprehensive requirements for businesses that handle Maryland residents’ personal data, including consumer rights, transparency obligations, and data protection assessments for high-risk processing activities.

MODPA matters for AI because many AI systems, particularly machine learning and generative AI, depend on large datasets and may involve “profiling” or automated processing that triggers heightened compliance requirements. MODPA’s rules around data minimisation (collecting only what’s needed), sensitive data handling, and risk assessments directly affect how organisations design, train, and deploy AI systems.

MODPA treats violations as unfair, abusive, or deceptive trade practices, reinforcing the connection between privacy compliance and consumer protection enforcement. Although MODPA does not create a private right of action, the Attorney General’s exclusive enforcement authority elevates the importance of documented assessments and defensible governance.

Enforcement of MODPA began on 1 April 2026, with a sunset cure period through 1 April 2027. For AI developers and deployers in Maryland, MODPA has shifted AI compliance to an immediate operational priority.

Sector-Specific Developments and Heightened Sensitivities

Maryland’s AI policy activity also reflects growing attention to sector-specific risks – situations where AI deployment intersects with vulnerable populations or regulated services.

Healthcare and behavioural health

Proposed legislation in 2026 has targeted AI systems marketed as or functioning like behavioural health services, prohibiting certain representations and treating violations as unfair or deceptive practices. These proposals reflect concern about AI systems simulating professional judgement in sensitive healthcare contexts without appropriate safeguards.

Such proposals illustrate that AI systems operating near regulated professional domains – healthcare, mental health, and social services – will face heightened scrutiny, particularly where consumers may rely on AI outputs in moments of vulnerability.

Education and government services

State agencies, including the Maryland State Department of Education, have adopted AI usage policies aligned with DoIT guidance. These policies underscore governance expectations for AI interacting with student data, educational decision-making, and public-facing services.

Children’s products and consumer AI

Commentary surrounding proposed regulation of AI-enabled toys and child-directed products highlights another emerging trend: targeted AI regulation where children’s privacy, safety, and data protection are implicated. Product-embedded AI may increasingly be regulated through consumer protection and product safety frameworks.

Federal AI Developments and Implications for Maryland Organisations

While Maryland has been building its state-level AI governance framework, federal developments are reshaping the regulatory landscape in ways that affect organisations operating in the state.

Executive Order and the National Policy Framework

On 11 December 2025, President Trump signed an executive order titled “Ensuring a National Policy Framework for Artificial Intelligence”, setting federal agency actions on compressed timelines. Key elements include a Department of Justice AI Litigation Task Force to challenge state AI laws that conflict with federal policy, Federal Trade Commission guidance on AI, and Commerce Department evaluations of “onerous” state AI laws.

In March 2026, the Trump administration released its National Policy Framework for Artificial Intelligence (Framework), with legislative recommendations organised around child protection, community safety, intellectual property, free speech, innovation, workforce development, and federal pre-emption of state AI laws imposing “undue burdens”.

The proposed Trump America AI Act

Senator Marsha Blackburn’s Trump America AI Act (Act) would codify the executive order and establish a single federal rulebook for AI governance. Key provisions include:

• First, there would be a statutory duty of care on AI developers to prevent foreseeable harm, requiring regular risk assessments.
• Second, there would be a federal products liability framework for claims against AI developers under theories of defective design, failure to warn, express warranty, and unreasonably dangerous product. This framework reflects an emerging trend: recent litigation, including Garcia v Character Technologies, Inc. (M.D. Fla. 2025), has tested whether AI applications should be treated as “products” under traditional tort doctrine. In Garcia, the court denied dismissal of design defect claims arising from a chatbot allegedly contributing to a teenager’s suicide, and held that Google could be liable as a “component part manufacturer”. Plaintiffs in similar cases have framed AI systems – their interfaces, defaults, guardrails, and marketing – as the deployed product, treating design choices such as the absence of safety features as the alleged defect.
• Third, there would be mandatory bias audits for high-risk AI systems used in employment, credit, insurance, housing, and educational decisions.

Pre-emption: a critical issue for Maryland

The interaction between federal and state AI regulation is particularly consequential for Maryland. The Framework calls for broad pre-emption of state AI laws imposing undue burdens. However, the Act provides that it “shall not pre-empt any generally applicable law, such as a body of common law or a scheme of sectoral governance”. Under the Act’s approach, Maryland’s existing frameworks – including MODPA, consumer protection statutes, and sector-specific governance – would likely remain operative.

Companies anticipating relief from state AI compliance burdens should not assume the Act will deliver the sweeping pre-emption the Framework contemplates. For Maryland organisations, the practical takeaway is clear: state AI compliance obligations remain operative and should not be deprioritised in anticipation of federal relief. Organisations should monitor federal developments closely.

Recommended preparatory steps

Organisations should integrate AI products liability risk into governance and vendor management programmes, evaluate whether their deployments fall within the Act’s high-risk definitions, maintain state compliance programmes, and consider the NIST AI Risk Management Framework as a practical governance foundation. The convergence of federal proposals and active litigation underscores the importance of preparatory steps: Maryland’s own 2026 legislative session considered HB 712, which would have established state-law product liability causes of action against AI developers and deployers. While HB 712 did not advance, product liability frameworks for AI are emerging at both the federal and state levels, and steps taken now will serve organisations regardless of which jurisdiction acts first.

Enforcement, Litigation, and Liability Considerations

Since Maryland has not created a standalone AI liability regime to date, AI-related risk continues to arise primarily through traditional legal theories:

• consumer protection claims involving alleged deception or unfair practices;
• privacy and data security enforcement under MODPA;
• employment discrimination claims linked to automated hiring or evaluation systems;
• contract disputes involving AI performance, warranties, or audit rights; and
• tort claims where AI outputs allegedly cause harm

What is changing is not the underlying legal claims, but expectations around governance and documentation. As Maryland emphasises inventories, assessments, and transparency, organisations may increasingly be judged on whether they had reasonable governance processes in place before deployment, not just on whether harm occurred.

AI and professional responsibility: Maryland’s Mezu decision

The Appellate Court of Maryland’s October 2025 decision in Chukwuemeka Mezu v Kristen Mezu represents a landmark moment for AI and legal ethics – the first time either of the state’s appellate courts addressed attorneys’ improper use of AI in court filings. Counsel submitted a brief containing citations to fictitious cases generated by AI “hallucinations”, misquoted passages, and citations that did not support the propositions cited.

The court found that the conduct implicated several Maryland Rules, including the Rules of Civil Procedure and Rules of Professional Conduct. The court denied counsel’s request to file an amended brief and referred the matter to the Attorney Grievance Commission.

The decision prompted the Maryland Standing Committee on Rules of Practice and Procedure to propose a rule change making explicit that an attorney’s signature certifies verification of every authority cited, with potential sanctions for “wilful” use of fake citations. Courts nationwide have sanctioned attorneys for AI-generated fictitious citations.

AI, privilege and discovery

A separate line of court decisions is defining how attorney-client privilege and work-product doctrine apply to AI-generated materials – with significant implications for organisations using AI in legal matters or internal investigations.

In United States v Heppner (S.D.N.Y., February 2026), the court ruled that AI-generated documents were not privileged, reasoning that the AI platform is not an attorney, the defendant’s inputs lacked confidentiality because the platform’s terms permitted disclosure to third parties, and defence counsel did not direct the AI use. The court also rejected work product protection.

By contrast, in Warner v Gilbarco, Inc. (E.D. Mich., February 2026), the court found AI-generated materials protected as work product, reasoning that “generative AI programs are tools, not persons” and waiver requires disclosure to an adversary. Similarly, Morgan v V2X Inc. (D. Colo., March 2026) found privilege applied because intermediary access alone does not automatically extinguish privacy expectations.

The divergence reflects an unsettled legal landscape. Key factors include whether counsel directed the AI use, whether platform terms preserve confidentiality, and whether the platform is consumer-grade or enterprise-level. Consumer AI platforms may risk privilege waiver, while enterprise tools used under counsel’s direction offer stronger, though not guaranteed, protection.

Third-party liability for AI-assisted litigation: Nippon Life v OpenAI

A March 2026 federal lawsuit, Nippon Life Insurance Co. v OpenAI Foundation (N.D. Ill.), raises novel questions about when AI providers may be liable for harm caused by their systems. The case involves an insurance company seeking approximately USD300,000 in compensatory damages and USD10 million in punitive damages, alleging that ChatGPT enabled a former claimant to breach a settlement agreement and file dozens of meritless court motions, including citations to fabricated case law, after her case had been dismissed. The complaint asserts claims for tortious interference, abuse of process, and unauthorised practice of law.

Some commentators have reframed Nippon as fundamentally a product liability case – echoing themes from the federal proposals discussed in Section 7. Under this view, the core issue is whether ChatGPT’s design architecture failed to incorporate adequate safeguards, such as distinguishing between legal information and legal advice or recognising when a user’s legal matter has been resolved. Like the Garcia case discussed above, Nippon tests whether AI interfaces, defaults, and guardrails should be treated as product design choices subject to traditional liability frameworks.

For Maryland organisations, the Nippon case carries several practical implications. First, it highlights the risk that AI-assisted litigation, even if meritless, may impose substantial defence costs, as corporate defendants must respond to every filing or risk default. Second, its treatment of unauthorised practice of law claims may influence how Maryland courts and regulators interpret existing rules in the AI context. Finally, the cost-recovery theory – an insurance company seeking reimbursement for defence costs – could become a model for future claims. Organisations should monitor the case’s outcome and consider how public-sector AI governance principles, including those Maryland has adopted, may inform private-sector risk management.

Practical Governance Expectations for AI Users in Maryland

Across its statutes, policies, and legislative proposals, Maryland’s emerging AI governance framework points toward several practical expectations for organisations:

• system identification and inventory – knowing what AI systems are in use, for what purpose, and with what data;
• risk-based classification – distinguishing between low-risk productivity tools and higher-risk decision-influencing systems;
• procurement discipline – addressing AI risks through vendor selection, contractual controls, and intake review;
• assessment and documentation – conducting privacy, bias, or impact assessments where AI use could affect individuals;
• human oversight and transparency – ensuring AI outputs are reviewed, explainable where necessary, and not blindly automated; and
• training and usage rules – particularly for generative AI tools broadly accessible across organisations.

While these expectations apply most directly to state agencies, they are rapidly becoming the benchmark for private-sector compliance as well. Organisations operating in heavily regulated industries – such as financial services, healthcare, life sciences, and insurance – are increasingly adopting these standards as baseline requirements, recognising that alignment with state-level AI governance frameworks signals regulatory maturity and mitigates legal and reputational risk.

Outlook

Maryland’s AI regulatory environment is likely to continue evolving gradually rather than through sweeping reform. The state has established a foundation for public-sector AI governance, made privacy a central driver of AI compliance, and signalled sustained legislative interest in AI-related consumer protection.

For organisations in Maryland, the direction is clear: AI governance is moving from informal experimentation to documented, reviewable processes. Stakeholders should expect continued guidance, targeted legislation, and enforcement focused on transparency, fairness, and accountability – particularly as AI systems increasingly influence decisions that affect people’s lives.

At the same time, the emerging federal AI governance framework introduces complexity. While the Trump America AI Act’s current text would preserve generally applicable state law, the Framework’s pre-emption aspirations create uncertainty about the durability of certain state-level requirements. Maryland organisations should maintain robust state compliance programmes while monitoring federal developments and engaging proactively with policymakers.