June 2 is the signing date. Not May 1. That distinction matters.
Connecticut’s legislature passed Public Act 26-15 (originally SB 5) on May 1, and prior reporting treated that passage as enactment. But Connecticut law takes effect upon the Governor’s signature. Governor Ned Lamont signed the bill on June 2, 2026. The law is now enacted. The compliance clock for October 1, 2026 is running.
The companion AI provisions are the new story here. Prior coverage of Connecticut’s AI law focused on the high-risk AI requirements: the reasonable care standard for consequential decisions in employment, education, housing, finance, and healthcare; the discrimination reporting obligation; and the AI-related reduction-in-force notice requirements for employers. Those provisions are confirmed and effective October 1, 2026.
The January 2027 layer adds something different. Under the Act’s text, conversational AI companion applications must incorporate self-harm detection features and reference the 9-8-8 Suicide and Crisis Lifeline, and are prohibited from serving users under 18 where the companion encourages harmful behaviors. These aren’t disclosure requirements or risk assessments. They’re product-level mandates. A companion AI product that doesn’t build detection and crisis referral into its architecture won’t be compliant in Connecticut after January 1, 2027.
Connecticut PA 26-15, Two-Deadline Compliance Checklist
- October 1, 2026: Implement reasonable care standard for high-risk AI in consequential decisions
- October 1, 2026: Build 90-day discrimination reporting workflow, 1,000-consumer threshold triggers AG notification
- October 1, 2026: Establish employer AI disclosure and pre-RIF notification process
- January 1, 2027: Companion AI, integrate self-harm detection and 9-8-8 referral architecture
- January 1, 2027: Companion AI, implement minor (under 18) user restrictions where harmful behavior encouraged
- Monitor AG office for safe harbor invocation guidance before committing to ISO/IEC 42001 / NIST AI RMF safe harbor strategy
The safe harbor matters here, and it’s unresolved. The Act includes safe harbor provisions for developers who’ve adopted recognized frameworks including ISO/IEC 42001 and the NIST AI RMF. According to legal analysis from law firms reviewing the Act, however, the Connecticut Attorney General hasn’t yet clarified how developers actually invoke those safe harbors. That’s not a minor gap. A safe harbor that requires AG interpretation before it’s usable isn’t functioning yet. Compliance teams shouldn’t build their programs around safe harbor assumptions until that process produces guidance.
The discrimination reporting threshold is precise. According to the Act’s text, as analyzed by legal counsel, developers must notify the Connecticut Attorney General and all deployers within 90 days of discovering algorithmic discrimination affecting at least 1,000 consumers. That’s the trigger: 1,000 consumers, 90-day window, AG notification required. Companies deploying high-risk AI systems in Connecticut above that threshold need that workflow built before October 1.
Two compliance timelines. Keep them separate. The October cluster covers high-risk AI provisions, reasonable care standard, discrimination reporting, employment disclosures. The January cluster covers companion AI, detection protocols, crisis referral requirements, minor restrictions. Conflating them creates a program that’s either over- prepared on the wrong deadline or under-prepared on the right one.
Unanswered Questions
- How does the AG's office intend for developers to invoke the ISO/IEC 42001 and NIST AI RMF safe harbors?
- Does the 1,000-consumer discrimination threshold apply per deployment instance or in aggregate across a developer's product line?
- How are 'harmful behaviors' defined for the companion AI minor restriction, is there a regulatory standard or is it left to developer judgment?
- Does the companion AI provision apply to general-purpose chatbots with companion features, or only to purpose-built companion products?
The real question is whether the companion AI provisions land on a product category that was already regulated elsewhere, or whether Connecticut’s law is creating new requirements for an unregulated space. Connecticut is the second state this week to address AI companions specifically, Colorado signed related legislation days earlier. That’s a pattern. Product teams building conversational AI applications should be treating multi-state compliance as the baseline assumption now, not the edge case.
Don’t expect the AG’s safe harbor clarification before October 1. The combination of an Attorney General who hasn’t yet issued guidance, a June 2 signing date, and an October 1 effective date for the high-risk provisions gives compliance teams roughly four months to build programs without the safe harbor pathway being operational. If your organization is planning to rely on ISO/IEC 42001 adoption as a compliance basis, verify that assumption with counsel before committing to it.