Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) — Record-Keeping & Documentation

Q: Does Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) require Record-Keeping & Documentation?

Yes. Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) addresses Record-Keeping & Documentation through 3 provisions.

Does Utah AI Policy Act (stack — SB 149 + 2025 + 2026 amendments) require Record-Keeping & Documentation?

Utah • enforcing

Yes — 3 provisions

Requirements at a glance

This regulation imposes 13 specific requirements for Record-Keeping & Documentation across 3 provisions:

15-element policy — Written policy covering intended purposes, therapist involvement, clinical best practices, testing, risk identification, user reporting, acute-risk protocols, safety reviews, safe-use instructions, AI-awareness disclosure, engagement-over-safety prohibition, non-discrimination, HIPAA compliance
Documentation — Foundation models used, training data, HIPAA compliance, user data practices, ongoing accuracy/safety efforts
Filing — Must file with Division of Consumer Protection + annual fee
Compliance requirement — Must comply with filed policy at time of alleged violation
Participant eligibility — Five prongs per §13-72-402: technical capability, financial resources, substantial consumer benefits outweighing risks, risk-monitoring plan, appropriately-limited scope
Agreement contents — Scope limits, safeguards, mitigation granted, required consumer disclosures, reporting requirements (§13-72-401(4))
Counterparties — OAIP + relevant state agency or governmental entity (judiciary, higher-ed, political subdivisions per HB 320)
Term — Initial 12 months + up to 2 × 12-month extensions (36 months total per §13-72-403)
Mandatory audits — OAIP "shall perform regular audits" while agreement is active (§13-72-401(6), HB 320)
Agreement types — Regulatory mitigation (waives specified law) or joint interpretation (clarifies statute application to AI)
Annual report — Nov 30 to Business & Labor Interim Committee: learning agenda, findings/participation/outcomes, executed agreements, recommended legislation (§13-72-201(3)(d))
Civil (§13-75-102) — "Not a defense" that GenAI made the violative statement, undertook the violative act, or was used in furtherance
Criminal (§76-2-107) — Principal may be found guilty if they commit offense "with the aid of" or "intentionally prompt" GenAI to commit offense

Mental Health Chatbot Safety Policy #

Obligation:

Record Keeping

enforcing

Effective:

May 7, 2025

Risk tier:

high-risk

Scope:

mental health chatbot suppliers

Requirements

Requirement	Details
15-element policy	Written policy covering intended purposes, therapist involvement, clinical best practices, testing, risk identification, user reporting, acute-risk protocols, safety reviews, safe-use instructions, AI-awareness disclosure, engagement-over-safety prohibition, non-discrimination, HIPAA compliance
Documentation	Foundation models used, training data, HIPAA compliance, user data practices, ongoing accuracy/safety efforts
Filing	Must file with Division of Consumer Protection + annual fee
Compliance requirement	Must comply with filed policy at time of alleged violation

Penalties

Violation	Fine
Affirmative defense	Available only against §58-1-501(1) and (2) unauthorized-practice actions; not against DCP enforcement

Regulatory Mitigation and Joint Interpretation Agreements #

Obligation:

Record Keeping

enforcing

Effective:

Invalid Date

Risk tier:

variable (per agreement)

Scope:

Learning Lab participants

Requirements

Requirement	Details
Participant eligibility	Five prongs per §13-72-402: technical capability, financial resources, substantial consumer benefits outweighing risks, risk-monitoring plan, appropriately-limited scope
Agreement contents	Scope limits, safeguards, mitigation granted, required consumer disclosures, reporting requirements (§13-72-401(4))
Counterparties	OAIP + relevant state agency or governmental entity (judiciary, higher-ed, political subdivisions per HB 320)
Term	Initial 12 months + up to 2 × 12-month extensions (36 months total per §13-72-403)
Mandatory audits	OAIP "shall perform regular audits" while agreement is active (§13-72-401(6), HB 320)
Agreement types	Regulatory mitigation (waives specified law) or joint interpretation (clarifies statute application to AI)
Annual report	Nov 30 to Business & Labor Interim Committee: learning agenda, findings/participation/outcomes, executed agreements, recommended legislation (§13-72-201(3)(d))

Penalties

Violation	Fine
Agreement violation

Liability for AI-Assisted Violations #

Obligation:

Record Keeping

enforcing

Effective:

Invalid Date

Risk tier:

all

Scope:

any principal using or prompting GenAI

Requirements

Requirement	Details
Civil (§13-75-102)	"Not a defense" that GenAI made the violative statement, undertook the violative act, or was used in furtherance
Criminal (§76-2-107)	Principal may be found guilty if they commit offense "with the aid of" or "intentionally prompt" GenAI to commit offense

Penalties

Violation	Fine
Civil	Per underlying consumer-protection statute
Criminal	Per underlying offense — no separate penalty

View full regulation View obligation Obligation matrix