Executive Summary

US state legislatures enacted 99 AI bills in 2024. In 2025, that number climbed to 145. And in just the first quarter of 2026, lawmakers in 45 states had already introduced 1,561 AI-related bills — more than the entire 2024 introduction count, in three months (NCSL, 2026). Year over year, introductions rose 91% and enactments rose 47%. No single force explains the surge. Three of them converged: a vacuum at the federal level after several attempts at unified AI legislation stalled in Congress, a steady drumbeat of AI incidents in the news (Character.AI minor cases, ChatGPT mental-health incidents, election deepfakes), and the political incentive structure inside individual statehouses, where AI policy is now legibly bipartisan in a way few other technology issues are.

The category mix is just as revealing as the volume. According to Transparency Coalition (2026), chatbot-related bills became the fastest-rising category in Q1 2026, with 78 active bills across 27 states. The three most active strands are automated decision-making (the Colorado model), chatbot safety (the Georgia model), and content provenance (the Utah model). NCSL's taxonomy adds healthcare, employment, education, government use, and election deepfakes close behind. The Transparency Coalition's narrower count of 73 AI-related bills enacted across 27 states in 2025 — a tighter subset than NCSL's 145, focused on the categories with material industry impact — is itself a useful signal. Even with the most conservative count, the year-over-year acceleration is unmistakable.

1.1Why States, Not Congress

Multiple attempts at federal AI legislation stalled across 2024 and 2025, blocked by lobbying pressure and a deep partisan split over preemption, liability, and innovation policy. Brookings (2026) argues that the absence of a unified federal framework actively accelerated state-level lawmaking — when there is no national ceiling, every statehouse becomes a viable venue for whatever policy entrepreneurs can build local coalitions around. Colorado set the tone in 2024 with SB 24-205 (the original AI Act). California, New York, and Texas followed with sectoral bills covering algorithmic hiring, automated insurance underwriting, and education AI. Utah and Georgia narrowed in on content and chatbots respectively, each picking a single politically resonant slice of the problem space. NCSL has taken to calling the pattern "fifty little AI Acts," each made at the state level — a description that captures both the scale of the activity and the structural incoherence that any company operating across state lines now has to manage.

1.2Where Big Tech's Influence Hit a Wall

Big Tech's response to the state-level surge has been unusually overt. The political-spending campaign that began with California SB 1047 in 2024 expanded nationwide through 2025 and 2026. Politico (2026) reports Meta spent roughly $7.1 million fighting SB 1047, while OpenAI ran a federal-preemption campaign aimed at displacing state laws altogether — a strategy that, if it had worked, would have left a single federal standard in place of fifty incompatible ones. Anthropic moved in the opposite direction. The company publicly backed California SB 53 (the Responsible AI Reporting Act) and committed $20 million to its "Public First Action" arm explicitly to support safety legislation (Anthropic Policy Blog, 2026). The split inside the frontier-model industry over how to engage with regulation is now visible enough that any analysis treating "Big Tech" as a single actor on this issue is misreading the field.

The clearest evidence of Big Tech's limits came in Georgia. According to Politico (May 2026), Meta, Google, and Snap all lobbied for carve-outs from SB 540. None made it into the final text. When the cause is minor safety, the standard playbook stops working — the political cost of being seen to oppose protection for minors is too high for any state legislator to absorb, and lobbying budgets do not change that calculus. With 78 chatbot bills now active across 27 states, the industry has run out of containment moves. Block one state, and the next one will pass. Win a single carve-out in one statehouse, and the same coalition will write the next bill without it. The structural shift from "block any single bill" to "shape the inevitable bill" is, in retrospect, exactly what Anthropic's pivot recognized first.

In the spring of 2026, three AI bills were signed into law almost simultaneously, on opposite sides of the country. Colorado SB 26-189 mandates post-hoc explanation for automated decisions. Georgia SB 540 requires minor-safety protocols for conversational AI. Utah HB 276 forces digital content to carry provenance signatures. The three bills cover different industries, demand different controls, and take effect on different dates. But reduce them to one word and the same word appears — traceability.

2.1Colorado SB 26-189 — Explaining the Black Box, After the Fact

On May 14, 2026, Colorado's governor signed SB 26-189 into law (Consumer Finance Monitor, 2026). The bill replaces Colorado's original AI Act (SB 24-205) and takes effect January 1, 2027. Whenever an AI system makes a "consequential decision" in employment, education, housing, credit, insurance, or healthcare, five obligations attach: advance notice to the consumer, post-hoc explanation within 30 days, the right to correct underlying data, guaranteed human review, and a duty on developers to hand deployers technical documentation describing the system's nature and limits.

The structural shift is what matters. The original Colorado AI Act demanded broad governance frameworks and impact assessments. SB 26-189 strips much of that overhead and concentrates instead on disclosures the consumer can actually see. Consumer Finance Monitor (2026) describes the move as a pivot "from broad governance to targeted consumer disclosure." The Colorado Attorney General enforces. A 60-day cure period exists — but it sunsets in 2030.

2.2Georgia SB 540 — Protecting Minors From Conversational AI

Georgia SB 540, formally the "Conversational AI Safety Act," was signed on May 13, 2026 (Privacy Daily). Effective July 1, 2027, it imposes five duties on any conversational AI service used by minors: (1) a session-start disclosure that the user is talking to an AI; (2) the same disclosure repeated every three hours; (3) a protocol that connects the user to the 988 Crisis Lifeline when self-harm signals appear; (4) a prohibition on engagement rewards designed to keep minors interacting longer; and (5) parental and minor control tools. Each of the five maps directly back to a specific incident — Character.AI, ChatGPT minor cases, and others.

The political signal from Georgia is the more interesting story. Meta, Google, and Snap all sought carve-outs. None got one. According to Politico (2026), minor safety is one of the very few AI-policy areas in which the parties agree and Big Tech's lobby simply does not work. Any Korean company with minor-aged US users — youth tutoring chatbots, K-pop fandom bots, in-game NPCs, mental-health support assistants targeted at teens — has a hard deadline of July 1, 2027, and the operational scope of the duties is larger than it looks at first glance. Session-start disclosure and three-hour re-disclosure require UI changes. The 988 routing protocol requires real-time detection of self-harm signals integrated with crisis-response handoffs, not a static help link in the footer. Engagement-reward prohibitions force a review of every nudge mechanic the product team has built — streaks, badges, personalization that increases dwell time — because anything designed to keep a minor in the conversation longer is now structurally exposed.

2.3Utah HB 276 — When a Standard Becomes Law

Utah HB 276, the "Digital Content Provenance Standards Act," became the first US state law to require provenance embedding when it was signed in spring 2026. Troutman Pepper (2026) summarizes the core duty bluntly — AI operators must embed provenance data into generated content. The scope covers GenAI services with more than one million active users and platforms with more than two million. The statute never names C2PA explicitly, but its requirements — cryptographic signatures, source metadata, edit history — line up almost exactly with the C2PA Content Credentials specification. In practice, C2PA has become the operative standard, written into law by reference.

Utah passed a second law in the same session: HB 286, the "Artificial Intelligence Transparency Amendments." HB 286 adds an obligation for frontier-model operators to publish safety plans — a model-layer rule that exists alongside the content-layer rule in HB 276. Colorado and Georgia regulate at the application layer. Utah regulates at the model and content layers simultaneously. The pairing matters strategically. A state that legislates both the model and the artifacts it produces ends up with leverage at every point in the generation pipeline, from training-time decisions through deployment-time disclosures down to the metadata embedded in each output. Other states watching Utah's experiment now have a template for stacking model-layer and content-layer obligations together rather than picking one and leaving the other to the federal government.

2.4Three Bills, Side by Side

The surface differences are real. But place the obligations next to each other and a single question shows through all three — what AI, trained on what data, generated what output, affecting whom. That is the spine.

Academia started talking about data provenance seven years before the law caught up. Gebru et al. (2018) proposed Datasheets for Datasets — short structured documents covering the motivation, composition, collection process, and recommended uses of any released dataset. Mitchell et al. (2019) followed with Model Cards, doing the equivalent at the model level: intended use, performance characteristics, known limitations, and the populations the model was evaluated on. In 2023, the Data Provenance Initiative led by Longpre and colleagues audited 1,800 training datasets and showed that more than 70% had inaccurate license information (NeurIPS 2024) — a finding that should have caused alarm in 2023 and is now appearing in the operative text of state statutes. That same year, Kirchenbauer et al. introduced a statistical watermarking technique for LLM outputs at ICML, embedding a soft-token signal that downstream detectors can identify with bounded false positives. By 2024, Google DeepMind had published SynthID-Text in Nature — a token watermark deployable at industrial scale (Dathathri et al., 2024), and the first watermarking system from a major lab subjected to peer-reviewed evaluation rather than blog-post disclosure.

Academia treated these two threads as separate research programs. Training-data provenance lived in one community — dataset auditing, license tracking, attribution. Generated-content marking lived in another — watermarking, steganography, deepfake detection. The conferences barely overlapped, the citations barely crossed, and the toolchains never integrated. US state law has braided them together without waiting for the research communities to do it themselves. Colorado SB 26-189's "developer technical documentation" duty maps to the training-data thread. Utah HB 276's "embedded provenance" duty maps to the content thread. They are two faces of the same traceability requirement, and a company has to satisfy both simultaneously, with one operations team, one budget, and one set of audit reports.

3.1The Pebblous Three-Layer Traceability Frame

The integrating frame has been missing. This report proposes one that follows the contours of what US state law actually demands — three layers of traceability: training-data provenance, generated-content marking, and decision audit trail. Colorado, Georgia, and Utah distribute their weight across these three layers in different proportions, but no statute escapes the frame.

3.2Watermarks Are Not Provenance — And the Difference Matters

A common conflation: treating watermarks and provenance as the same thing. They are complements, not substitutes. Provenance — the C2PA Content Credentials model — is closer to a genealogy. Who made this, when, with what tool, edited how — all recorded as cryptographically signed metadata that travels with the file. A watermark embeds an invisible signal inside the content itself, robust enough for forensic detection but vulnerable to paraphrasing, back-translation, or cropping attacks. The C2PA specification recommends using both together.

Academia mapped the limits of both approaches in theory. Maastricht's Rijsbosch et al. (2025, arXiv:2503.18156) made the practical version of the problem concrete. They surveyed 50 commercial image and text generation services. Only 38% had implemented watermarking to a robust, verifiable standard. Only 18% clearly labeled synthetic media. EU AI Act Article 50's requirements were already on the books — and industry was nowhere near them. That gap is precisely why lawmakers stopped waiting for voluntary adoption.

3.3C2PA — A Standard Built by 6,000 Companies, Now Law

C2PA — the Coalition for Content Provenance and Authenticity — was founded in 2021 by Adobe, Microsoft, BBC, Sony, and OpenAI. The Content Authenticity Initiative (CAI), its industry-side sister organization, grew from roughly 4,000 members in October 2024 to more than 6,000 by January 2026 (Eyesift, 2026). That is 50% growth in fifteen months. Utah HB 276 is the first instance of C2PA becoming a de facto legal requirement. EU AI Act Article 50 is converging in the same direction.

One gap remains uncomfortable. Independent academic security analysis of C2PA v2.0 is still limited, and the lag between standard publication and legal mandate is now visible. NIST AI Risk Management Framework 1.0 (2023) and the BBC's Project Origin white papers serve as adjacent reference material, but a systematic evaluation of C2PA's attack surface at commercial scale has not yet appeared. Once a standard becomes law, the next research priority is testing the law's foundation.

Korea's AI Basic Act took effect on January 22, 2026. The EU AI Act's high-risk-system obligations land on August 2, 2026. US state laws are scattered, but the enforcement calendar runs from Colorado in January 2027 to Georgia in July 2027. The three regimes look architecturally different. Korea uses a framework law plus implementing decrees. The EU built a single unified regulation. The US is operating fifty parallel jurisdictions. And yet, when you reduce each of them to one phrase, the phrase is the same — data traceability.

4.1Korea's AI Basic Act — Framework Law Plus Decrees

Korea's "Act on the Development of Artificial Intelligence and Establishment of Trust" (commonly called the AI Basic Act) was passed by the National Assembly on December 26, 2024, and took effect on January 22, 2026, with a grace period of more than one year built in (Korea Policy Briefing, 2026). Operators of "high-impact AI" face six obligations: (1) impact assessment, (2) risk management, (3) safety and reliability assurance, (4) ongoing monitoring, (5) document creation and retention, and (6) information provision. Generative AI carries an additional duty to watermark outputs.

The "document creation and retention" duty deserves a close look. It maps almost one-to-one with Colorado SB 26-189's "developer technical documentation" duty and with the EU AI Act's "technical documentation" requirement. The vocabularies differ. The demand does not — record, retain, and make available the lineage of the training data and the limits of the model.

4.2The EU AI Act — Unified Law, Phased Enforcement

The EU AI Act has been phasing in since 2024 (artificialintelligenceact.eu, 2026). General-Purpose AI rules took effect August 2, 2025. High-risk-system obligations are scheduled for August 2, 2026, though the Digital Omnibus package is currently negotiating partial extensions through December 2027, leaving the final timeline fluid. Article 50 is the explicit content-labeling mandate — and the obligation that maps most directly onto Utah HB 276. The GPAI Code of Practice serves as the voluntary implementation guide bridging the gap between legal text and operational reality, and the structure of the Code itself — with detailed sub-guidance on documentation, copyright, and risk assessment — is now the practical reference point for any GPAI provider trying to demonstrate compliance ahead of the high-risk phase.

4.3The Three Regimes, Side by Side

The differences are real but architectural. The five axes that matter — scope, transparency intensity, traceability depth, penalty severity, and enforcement timing — make the surface differences clear and the underlying convergence equally clear.

For a Korean SaaS or chatbot company, entering the US market means entering US state law. Operating in the EU — with users or infrastructure on EU soil — means entering the AI Act. Compliance with the Korean AI Basic Act alone is no longer sufficient. Global expansion is now automatically a three-regime compliance problem, and the only rational architectural response is a single infrastructure that satisfies the common denominator — data traceability — across all three. Trying to satisfy each regime separately, with bespoke documentation and bespoke audit trails per jurisdiction, multiplies compliance cost by three for the same underlying engineering work. Treating traceability as a single product, mapped onto each regime's vocabulary at the documentation layer, brings the marginal cost of adding the next regime close to zero.

Regulation does generate cost. Gartner (2026) projects worldwide spending on AI governance platforms to grow from $492 million in 2026 to more than $1 billion by 2030. The European Commission's own impact assessment estimates EU AI Act compliance at roughly €29,277 per model — €10,733 for robustness verification, €7,764 for human oversight, €4,390 for documentation, and the remainder split across other obligations. California's SB 53 impact assessment put small-business compliance at around $16,000. The numbers are not small.

5.1Korea's US Exposure

The Korean AI industry's exposure to US regulation is meaningful. The Software Policy and Research Institute (SPRi, 2024) reports total Korean AI exports of KRW 424.8 billion (approximately $293 million at ~1,450 KRW/USD) in 2023, with 23.7% directed to the United States — roughly $70 million directly exposed to the US regulatory perimeter. Only about 4% of Korean AI companies export at all, meaning the majority have not yet begun serious work on global compliance infrastructure. The asymmetry inside that 4% is also worth noting. Companies large enough to export are also the ones large enough to attract regulatory attention, but most of them are not yet large enough to fund dedicated compliance teams. The mid-market band — companies with US revenue but without an internal governance function — is the most exposed segment in the dataset and the segment most likely to need external diagnostic infrastructure.

5.2Three Response Tiers — Startup, Mid-Market, Enterprise

The right response varies by company size. For startups, the cheapest path is to design provenance into the data pipeline from day one. Retrofitting metadata into an existing pipeline tends to cost two to three times more than building it in, primarily because the retrofit has to reconstruct lineage information that no one bothered to record at ingestion time. For mid-market companies, the sensible step is adding a provenance layer to existing data catalogs and MLOps systems — this is the natural entry point for diagnostic tools like DataClinic, which can produce a compliance-grade documentation artifact without rewriting the underlying pipeline. For enterprises, the standard pattern is a dual track: a proprietary provenance system internally, externally aligned with C2PA and NIST AI RMF, supported by an in-house governance team and external compliance advisors in parallel. The strategic question for enterprises is no longer whether to build this infrastructure but how to keep it from fragmenting across regions — Korea, US, and EU compliance teams running in parallel with different schemas creates exactly the kind of internal incoherence that audit findings tend to surface.

5.3The Compounding Effect of Compliance Spending

The cost does not vanish. It accumulates somewhere else. Recording the lineage of training data — that itself becomes data quality infrastructure that future model iterations can reuse without redoing the same audit work. Embedding provenance in generated content — that itself becomes a brand-trust asset that consumers, partners, and downstream platforms can verify independently. Producing a decision audit trail — that itself becomes a litigation defense asset, useful exactly when a discrimination claim or an automated-decision dispute lands in the legal team's inbox. The 38% and 18% adoption rates Rijsbosch et al. (2025) measured are not evidence that this infrastructure is useless. They are evidence of market immaturity — voluntary adoption never reaches the coverage law requires, and the gap closes only when there is a forcing function. Law is that forcing function.

The generative AI chatbot market is projected to grow from roughly $9.9 billion in 2025 to about $113 billion by 2030, compounding at close to 50% annually (MarketsandMarkets and other market trackers converge in this range). AI governance spending over the same window goes from $492 million to roughly $1 billion. Governance spending tracks at roughly 1% of the market it governs. The right question is not whether compliance is expensive in absolute terms. The right question is whether 1% is the right ratio. If 1% of governance spending underwrites 99% of market trust, that ratio is more than reasonable. The comparison worth running is not "cost of compliance vs. revenue" but "cost of compliance vs. cost of a major incident" — and on that comparison the math becomes uncomfortable for any company still treating data quality infrastructure as optional.

145 laws are pointing in one direction. That direction is where Pebblous's five business pillars have already been heading. DataClinic diagnoses the quality, lineage, and provenance of training data. AADS (Audit and Diagnosis System) records the diagnostic history in a form that any auditor — internal, external, or regulatory — can inspect after the fact. AI-Ready Data defines the metadata standards that make a dataset usable for both modeling and compliance. DataGreenhouse produces verifiable synthetic data with provenance built into each generated record. PebbloSim simulates automated decision-making scenarios so that consequential-decision systems can be stress-tested before they ship. These five lines describe where Pebblous operates — and simultaneously describe the coordinates of the new market US state law has just created.

Regulation Is Not a Cost — It Is Forced Investment in Data Quality Infrastructure

DataClinic's quality score has historically been a technical KPI — evaluating missing values, outliers, duplicates, license cleanliness, and lineage to predict downstream model performance. With US state law on the books, the same score now extends into the territory of a regulatory KPI. Colorado SB 26-189's "developer technical documentation," the data-provenance portion of Utah HB 276's embedded-provenance verification, and Korea's "document creation and retention" duty all map naturally onto the diagnostic outputs DataClinic already produces. When a technical KPI extends into a regulatory KPI, a single diagnostic reduces cost in both domains simultaneously. The same audit that improves model accuracy also produces the documentation an attorney general's office would request in an enforcement inquiry — two outputs from one process, two budget lines that compress into one.

Provenance Mandates Are Accelerating the ISO-ification of Metadata Systems

Datasheets for Datasets (2018) and Model Cards (2019) began as academic recommendations. They depended on voluntary adoption for seven years. Rijsbosch et al. (2025) measured what voluntary adoption produced — 38% and 18%. Utah HB 276 turning C2PA into a de facto legal requirement marks the shift from recommendation to obligation, from voluntary standard to ISO-style norm. AADS extends naturally into a global compliance tool as a consequence. A single audit trail system can handle Korea's "document creation and retention," the EU's Technical Documentation, and the US states' Developer Documentation — three names, one artifact.

AI-Ready Data Is Converging Into Compliance-Ready Data

"AI-Ready Data" is Pebblous's term for data prepared to the point a model can learn from it directly — consistent, complete, internally coherent, fully described by metadata, and with a documented lineage. The "data traceability" requirement that US state law, Korea's AI Basic Act, and the EU AI Act all impose is built into the definition of AI-Ready Data. Companies that have done the work to make their data AI-Ready are already, structurally, sitting on Compliance-Ready data. Three layers — training-data provenance, content credentials, decision audit trail — integrated together. That integration is where Pebblous sits. And the convergence is not a coincidence: regulators are reaching for the same metadata structures that production ML teams have been quietly building for their own performance reasons. What looks like two separate initiatives — quality and compliance — is one initiative seen from two different angles.

The Synthetic-Data Paradox — Labeling Mandates Expand the Market

Counter to intuition, mandatory synthetic-media labeling does not shrink the synthetic-data business — it expands it. Synthetic data with embedded labels, signatures, and lineage satisfies labeling mandates automatically. Synthetic data without provenance metadata becomes a regulatory liability. Demand for verifiable synthetic-data infrastructure — DataGreenhouse's category — grows with each new mandate. Regulation creates a market split: traceable synthetic data on one side, untraceable synthetic data on the other. Pebblous's position is on the traceable side.

Open Questions Worth Watching

Several questions remain genuinely open. When a data quality score extends into a regulatory KPI, who sets the absolute threshold — the regulator, the standards body, or the auditor? With independent academic security analysis of C2PA Content Credentials still thin, who certifies the robustness of the underlying cryptographic standard before it is invoked in every Utah enforcement action? When a Korean company attempts to satisfy Korea, US, and EU compliance through a single infrastructure, which metadata schema actually translates across all three regimes without lossy conversion at the boundary? How should synthetic data with embedded labels be verified by an external party, and what does the verification cost? What does an audit trail for a "consequential decision" actually look like in practice, given that the underlying model is itself opaque to the team that deployed it? These are the questions Pebblous is positioned to address first in the Korean-language ecosystem — and DataClinic, AADS, and AI-Ready Data are the working answers under construction, refined each time a real enforcement action or regulatory guidance document narrows the space of acceptable solutions.

Academic Papers

• 1.Gebru, T., Morgenstern, J., Vecchione, B., Vaughan, J. W., Wallach, H., Daumé III, H., & Crawford, K. (2021). "Datasheets for Datasets." Communications of the ACM, 64(12), 86–92. arXiv:1803.09010
• 2.Mitchell, M., Wu, S., Zaldivar, A., Barnes, P., Vasserman, L., Hutchinson, B., Spitzer, E., Raji, I. D., & Gebru, T. (2019). "Model Cards for Model Reporting." ACM FAT* 2019. arXiv:1810.03993
• 3.Longpre, S., Mahari, R., Chen, A., et al. (2023). "The Data Provenance Initiative: A Large Scale Audit of Dataset Licensing & Attribution in AI." NeurIPS 2024 D&B Track. arXiv:2310.16787
• 4.Longpre, S., Mahari, R., et al. (2024). "Position: Data Authenticity, Consent, & Provenance for AI are all broken: what will it take to fix them?" ICML 2024. arXiv:2404.12691
• 5.Kirchenbauer, J., Geiping, J., Wen, Y., Katz, J., Miers, I., & Goldstein, T. (2023). "A Watermark for Large Language Models." ICML 2023, PMLR Vol. 202. arXiv:2301.10226
• 6.Dathathri, S., See, A., Ghaisas, S., Huang, P., McAdam, R., Welbl, J., Bachani, V., et al. (2024). "Scalable watermarking for identifying large language model outputs." Nature, 634, 818–823. doi:10.1038/s41586-024-08025-4
• 7.Rijsbosch, B., van Dijck, G., & Kollnig, K. (2025). "Missing the Mark: Adoption of Watermarking for Generative AI Systems in Practice and Implications under the new EU AI Act." arXiv:2503.18156

Legislation and Government Documents

• 8.Colorado General Assembly (2026). "SB 26-189: Automated Decision-Making Technology." Signed May 14, 2026; effective January 1, 2027.
• 9.Georgia General Assembly (2026). "SB 540: Conversational AI Safety Act." Signed May 13, 2026; effective July 1, 2027.
• 10.Utah State Legislature (2026). "HB 276: Digital Content Provenance Standards Act."
• 11.Utah State Legislature (2026). "HB 286: Artificial Intelligence Transparency Amendments."
• 12.National Assembly of the Republic of Korea (2024). "Act on the Development of Artificial Intelligence and Establishment of Trust (AI Basic Act)." Effective January 22, 2026.
• 13.European Commission (2024). "EU AI Act Implementation Timeline." artificialintelligenceact.eu.

Statistics, Trackers, Industry Reports

• 14.National Conference of State Legislatures (2026). "Artificial Intelligence Legislation Database (2026)."
• 15.Transparency Coalition AI (2026). "AI Legislative Update — May 22, 2026."
• 16.MultiState (2026). "Artificial Intelligence (AI) Legislation Tracker."
• 17.Gartner (2026). "Gartner Forecasts Worldwide AI Governance Platform Spending to Reach $492 Million in 2026." Gartner Press Release.
• 18.Eyesift / Content Authenticity Initiative (2026). "C2PA Content Credentials 2026 — Cryptographic Provenance Adoption."
• 19.Software Policy and Research Institute (SPRi) (2024). "Korean AI Industry Survey 2024 — Total exports KRW 424.8 billion, US share 23.7%." Ministry of Science and ICT, Republic of Korea.
• 20.Privacy Daily (2026-05-13). "Georgia Governor Signs Conversational AI Safety Act."
• 21.Consumer Finance Monitor (2026). "Colorado SB 26-189 Replaces Original AI Act — Shift from Governance to Consumer Disclosure."
• 22.Troutman Pepper (2026). "Utah's Digital Content Provenance Standards Act — Deepfake Protections and Provenance Data Embedding."
• 23.Korea Policy Briefing (January 2026). "AI Basic Act Takes Effect on the 22nd — Mandatory Watermarking for Generative AI Outputs."