Idaho AI Laws for Mid-Market (51-250) in Government Contractor
You likely need a dedicated compliance officer. Formal impact assessments and bias audits may be required.
AI Compliance Context for Idaho
Idaho remains in the "no dedicated AI law" cohort as of 2026-07-02 — idaho has enacted narrow ai statutes — election-deepfake disclosure (h0664, 2024) and the conversational ai safety act (sb 1297, effective july 2027) requiring conversational-ai operators to disclose that users are interacting with a machine — but no comprehensive ai or privacy law. For federal-procurement, FedRAMP-compliant, and federal-AI-inventory obligations in Idaho, federal signals set the ceiling while regional precedent sets the floor.
Two neighboring states shape regional expectations: Utah's SB 149 — AI Policy Act (amended 2025 by SB 226 & SB 332) (penalty Up to $2,500 per violation (administrative, Utah Div. of Consumer Protection), deadline In effect since May 1, 2024 (2025 amendments effective May 7, 2025; sunset July 2027)) and Montana's Consumer Data Privacy Act (AI provisions) (penalty Up to $7,500 per violation). Any Idaho-headquartered operator touching those markets inherits the stricter of the two.
Federal law still governs Government Contracting AI in Idaho primarily through FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, and OMB Memorandum M-24-10. Adjacent federal authorities include OMB Memorandum M-24-10 (OMB M-24-10 (Mar 28, 2024), Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence); OMB Memorandum M-24-18 (AI Acquisition) (OMB M-24-18 (Oct 3, 2024), Advancing the Responsible Acquisition of Artificial Intelligence in Government); Executive Order 14110 (revoked) and successor EO 14179 (EO 14110 (Oct 30, 2023), revoked by EO 14148 (Jan 20, 2025); EO 14179 (Jan 23, 2025), Removing Barriers to American Leadership in Artificial Intelligence). OMB Memorandum M-24-10 (enforced by Office of Management and Budget) applies to federal agencies must designate chief ai officers, inventory ai use cases, and implement minimum risk-management practices for safety- and rights-impacting ai by december 1, 2024. expectations cascade to contractors through far and agency-specific solicitation clauses. Penalty exposure: not directly enforceable against contractors, but agencies impose compliance via contract requirements; non-performance creates contract default and suspension risk. OMB M-24-10 (March 2024) required agency AI inventories and Chief AI Officers by December 1 2024; OMB M-24-18 (October 2024) established AI-acquisition requirements that cascade into federal solicitations.
Because Idaho has no dedicated AI statute, regulatory obligations fall back to no comprehensive privacy statute layered with federal sector-specific rules.
The federal and neighboring-state framework that governs your AI operations. Government Contracting operators in Idaho operate under a federal-dominant framework anchored by FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, and OMB Memorandum M-24-10, with adjacent authorities OMB Memorandum M-24-10 (OMB M-24-10 (Mar 28, 2024), Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence); OMB Memorandum M-24-18 (AI Acquisition) (OMB M-24-18 (Oct 3, 2024), Advancing the Responsible Acquisition of Artificial Intelligence in Government); Executive Order 14110 (revoked) and successor EO 14179 (EO 14110 (Oct 30, 2023), revoked by EO 14148 (Jan 20, 2025); EO 14179 (Jan 23, 2025), Removing Barriers to American Leadership in Artificial Intelligence). OMB M-24-10 (March 2024) required agency AI inventories and Chief AI Officers by December 1 2024; OMB M-24-18 (October 2024) established AI-acquisition requirements that cascade into federal solicitations. The practical risk they have to price in is FAR and DFARS non-compliance, False Claims Act liability for misrepresented AI controls, and suspension or debarment from federal contracting, and the bellwether signal to monitor is Executive Order 14110 was revoked January 20 2025 by EO 14148 and partially superseded by EO 14179 (January 23 2025), so contractors must track the evolving executive-action baseline alongside OMB implementing guidance. Utah -- SB 149 — AI Policy Act (amended 2025 by SB 226 & SB 332) sets the de-facto regional floor. Idaho has enacted narrow AI statutes — election-deepfake disclosure (H0664, 2024) and the Conversational AI Safety Act (SB 1297, effective July 2027) requiring conversational-AI operators to disclose that users are interacting with a machine — but no comprehensive AI or privacy law. Use this as a starting point; sector pages on this site go deeper into industry-specific obligations.
At 51-250 employees you need a dedicated compliance officer, a formal AI inventory, and working relationships with specialist outside counsel. Medium-stage Government Contracting operators should deploy a dedicated AI governance committee, mandatory impact assessments for new deployments, and third-party audit on a rolling schedule, with quarterly internal review and annual third-party audit and ownership resting with a Head of AI Governance reporting to the COO or General Counsel. mid-market programs ($250K-$1.5M) typically combine a dedicated compliance officer with enterprise GRC tooling. For Government Contracting specifically, the sharpest exposure to manage is FAR and DFARS non-compliance, False Claims Act liability for misrepresented AI controls, and suspension or debarment from federal contracting. Given Idaho's concentration in agriculture, natural-resource management, and technology, irrigation-optimization AI and precision-forestry analytics deserve priority in your AI inventory.
The enforcement surface for Government Contracting centres on OMB, NIST (standards influence), FAR Council, and the statute operators most often under-document is OMB Memorandum M-24-18 (AI Acquisition) (OMB M-24-18 (Oct 3, 2024), Advancing the Responsible Acquisition of Artificial Intelligence in Government) — a gap that surfaces in FAR disputes. Build an evidence binder covering solicitation-response AI representation, FedRAMP control crosswalk, FAR 52.204-21 attestation, Section-508 conformance report, and NIST SP 800-171 SSP. Treat Executive Order 14110 was revoked January 20 2025 by EO 14148 and partially superseded by EO 14179 (January 23 2025), so contractors must track the evolving executive-action baseline alongside OMB implementing guidance as your leading indicator and escalate when the signal shifts.
Verified 2026-07-02. See https://legislature.idaho.gov/sessioninfo/2026/legislation/S1297/ for the Idaho Attorney General public record on Idaho AI policy.
Applicable law: No comprehensive AI law — narrow statutes enacted (election deepfakes H0664; AI-CSAM H0465; Conversational AI Safety Act SB 1297, eff. 2027)
Idaho has no comprehensive AI law but has enacted narrow statutes: it criminalizes AI-generated child sexual abuse material and non-consensual explicit deepfakes, lets a misrepresented candidate sue over deceptive AI 'synthetic media' in election ads (H0664), and — effective July 2027 — will require conversational-AI operators to disclose that users are interacting with a machine (SB 1297).
Federal AI guidance plus state laws create complex compliance landscape. FAR AI provisions apply.
What this means for Mid-Market (51-250) in Government Contractor
For a mid-market (51-250) government contractor business operating in Idaho, AI compliance is a concrete and present-tense concern. At this size, you should have dedicated HR, legal, or compliance capacity and the organizational structure to support formal programs. The central challenge is maintaining consistent compliance across multiple departments that adopt AI tools independently and at different paces — and understanding exactly what No comprehensive AI law requires of an organization at your headcount is the essential foundation.
At the mid-market (51-250) tier, core compliance obligations under Idaho's framework include a formal AI inventory, a designated compliance officer with AI in their mandate, documented impact assessments for high-risk systems, annual bias audits for employment-affecting AI, and structured vendor compliance reviews. board-level AI governance, external annual audits, and public transparency reports are strongly recommended but not yet mandated at this size in most states — though they are required at the enterprise tier, so building toward them now is prudent. This proportionality is deliberate — regulators recognize that smaller organizations cannot sustain the same compliance infrastructure as large enterprises, but the law's fundamental requirements apply regardless of size.
The government contractor sector's very high risk classification takes on particular relevance at this scale. Federal AI guidance plus state laws create complex compliance landscape. FAR AI provisions apply. For a mid-market (51-250) business, the risk materializes because maintaining consistent compliance across multiple departments that adopt AI tools independently and at different paces is more acute at this size — AI tools from vendors may have been adopted without full compliance review, and operational workflows where AI is embedded often develop faster than governance processes.
The highest-priority actions for a mid-market (51-250) government contractor business in Idaho are: (1) conduct a formal ai impact assessment for every system that affects employees or customer outcomes; (2) establish a cross-functional ai governance committee with a documented charter and quarterly meetings; and (3) build vendor management procedures that include ai compliance questionnaires and contractual representations. These steps do not require outside counsel or enterprise compliance software — they can be executed with existing staff and documented in straightforward internal policies. The goal is to move from informal AI usage to documented AI governance, even if that governance is lightweight at first.
Understanding the financial stakes clarifies the urgency. at this size, the reputational damage of a public enforcement action routinely outweighs the direct financial penalty — particularly in states with disclosure-based enforcement frameworks. Under No comprehensive AI law, the maximum penalty is N/A. For a business at this size, that exposure — especially if it accrues on a per-violation basis across multiple AI touchpoints — warrants taking compliance seriously now rather than reactively. enterprise-scale obligations activate at the 250-employee threshold in most frameworks — prepare for that transition by investing in systems designed to mature rather than be replaced.
Beyond the headline compliance obligations, mid-market (51-250) government contractor businesses in Idaho face specific employer and operator duties tied to how AI interacts with people — employees, customers, applicants, and others affected by automated decisions. When AI assists in decisions that affect people's access to services, job opportunities, credit, or housing, Idaho law treats the deploying organization as responsible for the outcome regardless of whether the underlying model was built in-house or acquired from a vendor. This means mid-market (51-250) operators cannot outsource accountability to their AI provider — vendor contracts should be reviewed for indemnification provisions, compliance representations, and audit rights. Documenting the due diligence you performed before selecting and deploying an AI system is itself a compliance requirement in several states, and a strong defense in enforcement proceedings.
The compliance timeline for a mid-market (51-250) government contractor business in Idaho has several distinct phases. The first phase — inventory and assessment — involves documenting every AI system in use and evaluating whether it falls within the scope of No comprehensive AI law. Most compliance experts recommend completing this phase within the first 30 days of any new compliance program. The second phase — policy and disclosure — involves drafting the required notices, internal use policies, and vendor agreements. A 60-day target is realistic for most mid-market (51-250) organizations. The third phase — technical controls and ongoing monitoring — involves implementing audit logs, human review checkpoints for high-stakes decisions, and regular bias testing for any AI that affects protected populations. This phase is ongoing. With Idaho's deadline of N/A, the first two phases should be completed well before enforcement begins.
The enforcement landscape for AI compliance in Idaho is evolving, but the direction is consistent: regulators are moving from guidance to action. Once No comprehensive AI law takes effect in Idaho, enforcement typically begins immediately against the most visible violations — disclosure failures and bias-related incidents. For mid-market (51-250) government contractor businesses, the highest-risk scenarios involve automated decisions affecting individuals in ways the law covers: hiring, lending, insurance pricing, and access to services. Regulators typically prioritize cases where AI-driven harm is documented, where disclosure requirements were clearly violated, or where a company failed to provide a mandated appeal or human review process. Building a compliance program now — even a lightweight one appropriate for a mid-market (51-250) organization — establishes a documented good-faith effort that regulators consistently weigh favorably in enforcement decisions. The cost of getting started is a fraction of the cost of responding to a formal investigation.
Idaho Government Contractor resources
Other company sizes
Serve EU customers? The EU AI Act may also apply — penalties up to €35M.
AI laws for Government Contractor in other states
Anchored to the primary government source (statute, bill text, or agency rule) and verified directly against it · Last verified Jul 2, 2026. See our methodology.
- ↗legislature.idaho.govhttps://legislature.idaho.gov/sessioninfo/2026/legislation/S1297/
- ↗legislature.idaho.govhttps://legislature.idaho.gov/sessioninfo/2024/legislation/h0664/
- ↗orrick.comhttps://www.orrick.com/en/Insights/2026/04/2026-State-Chatbot-Laws-Key-Provis…