✅

Alaska AI Compliance Checklist

Updated for 2026. Status: No Law. Deadline: N/A.

By AI Law Tracker Editorial Team · Legal research team

Published Apr 22, 2026Reviewed Apr 22, 2026

AI Compliance Context for Alaska

As of 2026-04-22, Alaska has not enacted an AI-specific statute; the Alaska Attorney General office defers to no comprehensive privacy statute; UDAP coverage via Alaska Stat. sec. 45.50.471. Operators across sectors in Alaska watch federal signals first.

The practical effect for Alaska operators: AI compliance risk is driven by federal agencies first, with Alaska Attorney General acting on UDAP residual authority only when consumer harm surfaces.

Federal law still governs Cross-Sector AI in Alaska primarily through FTC Section 5 (15 USC 45) and NIST AI RMF 1.0. Adjacent federal authorities include Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (15 U.S.C. § 6801-6809; NIST CSF 2.0); California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199); General Data Protection Regulation (GDPR) (for EU users) (EU Regulation 2016/679). Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (enforced by Federal Trade Commission; NIST) applies to saas platforms handling personal/financial data via ai must implement nist csf security standards: identify, protect, detect, respond, recover. Penalty exposure: ftc civil penalties up to $100,000/violation; private litigation for data breaches. FTC Operation AI Comply (Sep 2024) targeted five companies across sectors.

The federal and neighboring-state framework that governs your AI operations. Cross-Sector operators in Alaska operate under a federal-dominant framework anchored by FTC Section 5 (15 USC 45) and NIST AI RMF 1.0, with adjacent authorities Gramm-Leach-Bliley Act (GLBA) / NIST Cybersecurity Framework (15 U.S.C. § 6801-6809; NIST CSF 2.0); California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199); General Data Protection Regulation (GDPR) (for EU users) (EU Regulation 2016/679). FTC Operation AI Comply (Sep 2024) targeted five companies across sectors. The practical risk they have to price in is cross-sector FTC Section 5 exposure and state UDAP liability, and the bellwether signal to monitor is NIST AI RMF 1.0 (Jan 2023) is cited as the federal baseline across 30+ agency guidance documents. Washington -- SB 5426 — AI Accountability Act sets the de-facto regional floor. Alaska legislature has not advanced AI legislation; federal FAA and NOAA guidance governs most critical AI use cases. Use this as a starting point; sector pages on this site go deeper into industry-specific obligations.

The enforcement surface for Cross-Sector centres on FTC, CFPB, State Attorneys General, and the statute operators most often under-document is California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) (CA Civil Code §§ 1798.100-1798.199) — a gap that surfaces in cross-sector FTC Section 5 exposure disputes. Build an evidence binder covering AI inventory, risk-tier register, incident-response runbook, and board-level AI risk report. Treat NIST AI RMF 1.0 (Jan 2023) is cited as the federal baseline across 30+ agency guidance documents as your leading indicator and escalate when the signal shifts.

Three neighboring regimes create compounding exposure: Washington (SB 5426 — AI Accountability Act, penalty Civil penalties up to $7,500/violation), Oregon (HB 4006 — AI in Public Services, penalty TBD), and California (SB 942 — AI Transparency Act, penalty $5,000/day per violation). Multi-state Cross-Sector operators headquartered in Alaska default to the strictest stack.

With 11-50 employees you can justify a half-time compliance lead and part-time external counsel on retainer. Small-stage Cross-Sector operators should deploy a named compliance lead, formal AI inventory, quarterly bias spot-checks, and a documented escalation path, with semi-annual internal audit with annual external review and ownership resting with a designated AI compliance lead reporting to the CEO. small-business budgets ($50K-$250K) justify a compliance lead plus a GRC tool such as Credo AI, Fairly, or Holistic AI. For Cross-Sector specifically, the sharpest exposure to manage is cross-sector FTC Section 5 exposure and state UDAP liability. Given Alaska's concentration in natural resources, remote healthcare, and logistics, autonomous marine systems and predictive maintenance for pipeline infrastructure deserve priority in your AI inventory.

Verified 2026-04-22. See https://www.akleg.gov/ for the Alaska Attorney General public record on Alaska AI policy.

Applicable laws

📜 No AI-specific law

Key requirements

No state AI law. Remote workforce considerations may affect AI hiring tool compliance.

An AI compliance checklist under No AI-specific law is not a best-practice wishlist — it is a structured map of statutory obligations where every item carries direct liability if left unmet. While Alaska does not yet have a dedicated AI law in effect, the checklist below reflects the federal AI compliance baseline that applies immediately and positions your business for state law adoption when it occurs. The checklist is organized in implementation order — disclosure and documentation first, because they are both the most frequently audited requirements and the fastest to implement; technical controls and governance programs second, because they require more resource and runway. Do not defer disclosure obligations to address later steps first: disclosure is the highest enforcement-probability item because violations are detected through individual complaints, not agency audits.

The first checklist section is the AI system inventory. Before you can disclose, document, test, or govern an AI system, you must know it exists. The inventory should capture every AI system your organization uses, including off-the-shelf AI products from third-party vendors, AI embedded in enterprise software such as CRM tools, HR platforms, customer service systems, and content tools, and any internally built models or workflows. For each system, document: the name and vendor or origin; the version or release deployed; what decisions or recommendations the system produces; whether those outputs influence consequential outcomes — employment decisions, credit determinations, insurance pricing, healthcare recommendations, access to housing, or government services; who within the organization owns the system from a compliance standpoint; and what personal data the system processes. This inventory is the master record to which every other checklist obligation attaches. Regulators consistently treat the absence of an AI inventory as an aggravating factor in enforcement proceedings because it suggests an organization has not exercised basic oversight over its AI operations.

The disclosure checklist covers the most frequently audited obligation in state AI law: notifying individuals when an AI system materially influenced a decision affecting them. No state AI law. Remote workforce considerations may affect AI hiring tool compliance. For each high-impact AI system identified in the inventory, your checklist must include: a written disclosure notice in plain language explaining that AI was used and what data it considered; delivery of that notice to the affected individual before the AI decision is finalized or communicated; a mechanism by which the individual can request human review or contest the AI outcome; an update to your website privacy policy specifically referencing AI systems in use and the categories of decisions they influence; and internal documentation showing that each disclosure notice was designed to be accessible — not buried in terms of service and not written in technical language that an ordinary person cannot understand. Each individual who receives an AI-driven decision without required disclosure is a separately actionable violation in most state AI penalty frameworks.

The documentation checklist covers the records your organization must maintain to demonstrate compliance if regulators investigate. These include: a dated impact assessment for each high-impact AI system, completed before deployment or immediately for systems already in production, that documents the system's purpose, training data source, validation methodology, performance across demographic groups, and identified risk-mitigation measures; per-decision logs for high-risk AI capturing the system inputs, model version, output, and whether human review occurred, retained for at least three years; written AI policies governing how AI may be used internally and externally, who may deploy new AI tools, and how compliance questions are escalated; and records of bias testing and fairness assessments, including the date conducted, the methodology, the protected categories evaluated, and the findings. Documentation is not a background requirement — it is the evidentiary foundation that determines whether your organization can defend itself if an enforcement action is filed. Absence of documentation is treated by regulators as evidence of inadequate controls, not simply an administrative gap.

The bias testing and risk assessment checklist requires that high-impact AI systems be evaluated for disparate outcomes before deployment and on a recurring basis thereafter. Alaska regulators expect documented testing that covers whether the AI system produces materially different outcomes for protected demographic groups — race, gender, age, disability status, national origin, and other characteristics covered under applicable anti-discrimination law. The checklist items include: select a bias-testing methodology appropriate for the system type, such as disparate impact analysis for classification systems or performance parity testing for predictive models; apply the methodology across protected demographic groups using held-out test data not used during training; document the results, including any identified disparities and what threshold was applied to determine acceptability; implement mitigation for any disparate impact that exceeds acceptable variance, by rebalancing training data, adjusting decision thresholds, or restricting system scope; and schedule annual re-testing, with immediate re-testing triggered by material changes to the model, training data, or deployment context. Organizations that commission bias testing once and assume permanent compliance misunderstand the obligation — model drift is real and ongoing testing is required.

The human review checklist ensures that individuals have a genuine pathway to contest AI-driven adverse outcomes. Most state AI laws require that when AI materially influences a decision affecting an individual — particularly in employment, lending, insurance, or access to services — that individual must have a right to request human review by someone with actual authority to override the AI outcome. The checklist items are: designate a named role with specific authority to review and override AI-driven decisions; document the review process in writing, including timelines for response, what information the reviewer may consider, and how the outcome is communicated to the requesting individual; train designated reviewers on how the AI system works, what its known limitations are, and what constitutes a legitimate basis for override; create a log of every human-review request, its resolution, and the reviewer's documented reasoning; and audit human-review outcomes monthly to identify patterns where the AI is consistently overridden — a signal that the model may be miscalibrated and requires retraining.

The vendor due diligence checklist reflects the principle that compliance obligations flow to the deploying organization regardless of who built the AI system. If you purchase AI from a third-party vendor and deploy it in ways that affect individuals in Alaska, you are the responsible operator under No AI-specific law. The checklist requires: before deploying any new vendor AI tool, obtain and review the vendor's documentation of bias testing results, impact assessments, and data-processing practices; review the vendor's data-processing agreement for AI-specific provisions, including what data the vendor may use for model training, what subprocessors have access, and how the vendor handles data-deletion requests; negotiate contract provisions that include vendor representations about AI law compliance, indemnification for AI-law-specific violations, and audit rights allowing your organization to review vendor compliance documentation; and document this due diligence in your files for potential regulatory production. Vendors that cannot or will not provide basic compliance documentation should be treated as high-risk deployments — deploying their tools without due diligence documentation creates exposure your organization cannot shift retroactively.

The governance and ongoing monitoring checklist establishes the permanent operational infrastructure that keeps your compliance program current. AI compliance is not a one-time audit event; it is a continuous organizational function. Checklist items include: designate an AI compliance owner by name with a written description of their responsibilities, including maintaining the inventory, tracking regulatory updates, coordinating bias testing schedules, and responding to individual rights requests; establish a quarterly review cadence for the AI inventory to account for new tools deployed, existing tools retired, or material changes to model versions; implement staff training for all employees who interact with AI systems in consequential workflows, covering disclosure obligations and escalation pathways; configure automated alerts or calendar reminders for annual re-assessment and re-testing deadlines; and maintain a compliance log documenting each checklist item's completion status, the date completed, and the name of the person responsible. Federal AI frameworks already expect this governance function — building it now positions your organization for state law adoption when Alaska enacts dedicated AI legislation.