Utah’s AI Governance Model: Disclosure, Safe Harbour and the Allocation of Risk

A central challenge for organisations is how existing law applies to artificial intelligence (AI) – a technology that evolves faster than regulatory frameworks. Many prominent AI regulatory frameworks around the world begin by looking inward: how a model is built, what data it uses, how it is tested, and how much risk it presents. Utah takes a different approach. It looks outward, to the moment an AI system interacts with a person, and asks a simpler question: does the individual know whether they are interacting with a human or AI?

That choice defines Utah’s framework. Utah does not try to regulate the entire AI life cycle. Instead, it requires disclosure when AI is used, imposes consumer protection consequences for misleading use, and provides limited mechanisms for the state to observe AI deployment in practice. The result is not a comprehensive AI code, but a targeted regulatory foundation.

This structure makes Utah’s approach relevant beyond Utah. The state’s approach is often described as “light-touch”, and in one sense that is true. Utah has not enacted an all-purpose AI code in the mould of the European Union’s AI Act, nor has it built a full risk-governance regime for consequential AI systems. But “light-touch” can understate what Utah is doing. Utah is not abstaining from AI regulation: it is choosing a different regulatory entry point.

The state is asking where legal risk should lie when AI performs roles that users have traditionally associated with people – roles like customer service, basic advice, consumer transactions and regulated professional communications. That is a narrower question than how AI works or should be governed as a whole, but it provides a practical foundation in a fast-moving technological landscape. Utah’s law is flexible enough to adapt as AI changes, while still protecting consumers where confusion and reliance are most likely to arise.

Regulating the interface, not the model

The structure of Utah’s law reflects that choice. The core of Utah’s consumer-facing AI law is “reactive disclosure”. Where a supplier uses generative AI to interact with an individual in connection with a “consumer transaction”, the supplier must disclose that the individual is interacting with generative AI if asked or prompted. The law is reactive in that Utah does not require every exchange with generative AI to begin with a disclosure; instead, it requires a truthful answer when the consumer asks the question. That design choice is revealing. Utah is not interested in burdening every low-stakes interaction with notice obligations; rather, the law is concerned fundamentally with deception.

Utah also takes a broad view of “consumer transactions”. The framework is not limited to traditional exchanges where a user pays directly for a product or service. Rather, it may also capture interactions that appear informal or “free” if they involve the provision of goods, services or other benefits as part of a broader economic relationship.

That matters for organisations offering no-cost chatbots, intake tools, assistants or engagement features. Even where the user does not pay at the point of interaction, the activity may be in scope if it supports monetisation elsewhere, including through data collection, user engagement, lead generation, customer retention or downstream financial benefit.

Organisations should therefore focus less on whether a user pays and more on whether the interaction forms part of a broader exchange of value. That approach tracks wider trends in privacy and consumer protection law, where regulators increasingly look beyond direct payment to how value is created and captured across the consumer relationship.

As with many AI regulations the world over, there is a significant difference in burden and requirements when the interaction between consumer and AI moves closer to professional or sensitive contexts. A person providing services in a regulated occupation like medicine or law must prominently disclose when the recipient is interacting with generative AI if the interaction between individual and AI is considered “high-risk”. In Utah, “high risk” includes interactions involving sensitive personal information or the provision of personalised advice that could reasonably be relied upon to make significant decisions about a person (eg, financial, legal, medical or mental health decisions). In those instances, an AI system must disclose that the individual is interacting with AI at the beginning of a verbal interaction and before the start of a written interaction.

Users are more likely to rely on generative AI output when seeking advice in regulated professional contexts. These are also instances where consumers are less likely to assume that their interaction is with a generative AI model – and it is precisely those interactions that Utah designates as “high risk”. Utah makes this distinction and places more of an administrative burden on the high-risk deployers without creating an unwieldy set of regulatory hurdles it must enforce.

Safe harbour as the operational default

While Utah lays out two paths of disclosure (in regular consumer interactions and with high-risk AI systems), organisations may rely on the safe harbour provisions in the Utah framework to avoid violating the disclosure provisions of the statute. Under the safe harbour provision, an organisation is not subject to enforcement for violating the disclosure section if the generative AI clearly and conspicuously discloses, at the outset and throughout the interaction, that the user is interacting with generative AI. This is a third, more practical pathway for complying with Utah’s AI law.

This shifts the compliance question from legal interpretation to product design. Once the safe harbour option is available, the most defensible and scalable path is not to rely on consumer perception or on whether a particular interaction could later be characterised as high-risk. The most defensible and scalable path is to build disclosure into the AI interface from the start and keep it visible throughout the exchange. In that sense, the statute quietly nudges organisations towards transparency by design, not because the law expressly requires disclosure in every case, but because the safe harbour makes it the easiest way to reduce risk. That is the provision that gives the Utah model its practical force.

This approach to disclosure is also where Utah’s framework becomes operationally useful across jurisdictions. Continuous disclosure is relatively inexpensive compared with the obligations imposed by broader regulatory regimes. Furthermore, disclosure can be standardised across customer journeys, embedded into products, and carried across borders. Organisations that already identify customer-facing systems as AI-generated throughout the interaction are not only closer to Utah compliance but are also likely to be better positioned for compliance with other regimes requiring transparency. Utah’s safe harbour can therefore do something that more elaborate frameworks sometimes struggle to do: create a behavioural default that businesses are willing to adopt across jurisdictions.

Disclosure is not immunity

Utah’s AI laws operate alongside traditional legal regimes. As such, while continuous disclosure may land organisations squarely within the safe harbour provisions of the Utah AI statute, disclosure is not a shield from liability.

That point is easy to miss in a disclosure-based statute, but it is what makes the law more than a labelling exercise. Utah is not absolving organisations from liability through disclosure alone: it is saying that failure to disclose may itself be unlawful, not that disclosure sanitises the substance of an unlawful interaction. For example, AI-generated content or interactions that are misleading, deceptive or unfair may trigger liability under state unfair and deceptive acts and practices (UDAP) statutes, even where AI use is properly disclosed. Disclosure clarifies that an interaction itself is automated; it does not insulate the substance of the interaction from legal scrutiny.

Utah’s approach aligns with a broader global pattern: legislatures are introducing AI-specific obligations without displacing established legal principles. The result is a layered framework in which narrow, technology-specific rules coexist with broader liability standards.

For organisations, compliance with the AI statute is necessary but not sufficient. Disclosure mitigates risk under the statute but does not address all potential liability. A comprehensive approach must consider both the AI framework and the broader legal context.

Operational implications for organisations

Utah’s approach is relatively simple in structure but requires deliberate implementation. Organisations deploying AI in Utah should take several practical steps across product design, user experience, compliance and risk management.

• Inventory customer-facing AI systems – identify AI tools that interact directly with individuals. These include chatbots, virtual assistants, automated messaging systems, generative content tools, AI-enabled intake processes and customer support technologies.
• Determine the applicable disclosure pathway – for each AI system, assess whether the organisation will rely on reactive disclosure or adopt a proactive safe harbour approach.
• Use proactive disclosure where practical – although reactive disclosure may be permitted in some situations, an upfront notice is often easier to administer and more consistent across workflows. Some organisations may also choose to disclose AI use more broadly than Utah law requires, including internal users, employees and others. This broader approach can also help organisations to apply a consistent compliance approach across jurisdictions (eg, the EU AI Act), but organisations should still confirm requirements under applicable law.
• Build disclosure into the user experience – notice should appear in the interaction itself, such as through an introductory chatbot statement, persistent visual indicator, call script or in-flow message. Organisations should not rely on disclosure in terms of service or privacy policies alone, as this is unlikely to satisfy the requirement that the disclosure be clear and conspicuous.
• Co-ordinate across internal teams – legal, product, engineering, privacy, security, customer support and business teams should understand when AI is used, how disclosure obligations are met, and when changes to products, AI usage or compliance obligations are made.
• Document disclosure decisions – organisations should keep records of how they classify AI systems, what disclosure approach they select, the notice format selected, and how those notices are maintained.
• Reassess over time – AI systems can change as models, prompts, integrations and use cases evolve. Periodic review ensures that disclosures remain accurate and aligned with actual system functionality.

In practice, compliance with Utah’s AI law should be treated as part of an organisation’s broader AI governance programme rather than a one-time notice exercise. Organisations that already maintain AI review processes can incorporate disclosure analysis into those workflows. Organisations without a formal programme can start with basic controls, which may include an AI system inventory, disclosure templates, approval procedures, monitoring and periodic reassessment.

Applying the Utah model across jurisdictions

Utah’s AI laws point toward a layered model rather than a single, comprehensive regime. At the base layer is transparency at the point of interaction – ensuring that humans know when they are speaking with an AI. Above that sit other long-standing legal regimes, including consumer protection regulations, discrimination law, professional regulation, privacy law and tort. In higher-risk scenarios, governments may impose more onerous obligations on AI deployers, such as testing, risk management programmes or audits. Colorado currently leans toward that upper layer of more onerous obligations. Utah currently leans toward the foundation.

That foundation can be applied across jurisdictions in the United States and abroad. In the US, Utah offers organisations a relatively clear and operational baseline. In practice, Utah’s rule is relatively easy to understand and implement, and it is closely tied to how the public actually encounters AI through chatbots, agents, assistants and automated-service tools. It is also readily translated into product design, compliance checklists and enforcement priorities.

Internationally, Utah does not rival comprehensive AI governance regimes like the EU AI Act in scope or ambition. But not every jurisdiction will adopt, or be able to administer, an EU-style framework in the near term. Some jurisdictions are adopting phased or targeted approaches, such as the United Kingdom’s pro-innovation model and Singapore’s emphasis on practical governance frameworks.

The key takeaway for organisations is not that disclosure is sufficient, but that interactions between humans and AI are a logical focus for compliance programmes. Businesses should identify where AI directly engages customers, employees, patients, clients and other individuals, and assess whether disclosure is required or advisable. Businesses should also build documentation and monitoring practices around those interactions.

Put differently, Utah’s AI law is not an alternative to more demanding AI regulatory frameworks. For businesses, it is better understood as a baseline. Utah provides a workable foundation for AI compliance, particularly in jurisdictions that have not yet adopted more comprehensive rules.

Looking ahead

Utah’s AI framework remains a work in progress, and future legislation may sharpen its disclosure rules, define higher-risk interactions more clearly, or address specific concerns such as AI-generated impersonation, companion chatbots or other emerging use cases. The core message of Utah’s law is already operational for businesses. When AI enters ordinary commerce or professional settings, the first and most important governance question is not what is happening inside the model; it is what the user understands.

Utah’s AI law provides a workable foundation for AI compliance programmes. Organisations should identify user-facing AI, disclose it clearly, assign responsibility for its use, and apply additional controls as risk increases. While not a complete governance model, it offers a practical step businesses can act on now. When AI stands in for a person, transparency should be built into the interaction rather than added later.