Sparksbox
Cannabis | June 20, 2026 | 8 min read

AI Disclosure Theater: Why Transparency Is Failing

Between compliance checkboxes and actual accountability, there's a growing liability gap. How AI disclosure laws are protecting companies, not customers.

The AI Disclosure Crisis Nobody's Talking About

Between June 2025 and June 2026, 47 state attorneys general sent warning letters to AI vendors about disclosure failures. Not one resulted in material change. Companies added a single checkbox. Regulators called it a win. The liability gap didn't move.

This is disclosure theater: the performance of transparency without the substance. A checkbox that says "This uses AI" while the actual training data, failure modes, and liability ownership remain completely obscured.

In regulated industries (cannabis, healthcare, finance, e-commerce), disclosure has become a compliance checkbox, not a consumer protection mechanism. And the gap between what's disclosed and what's actually happening is growing.

The Disclosure Mandate Explosion

Start of 2024: Three states had AI disclosure laws for hiring. By mid-2026, seventeen states have signed some form of AI transparency requirement. The EU's AI Act. California's training-data law. Connecticut's new rule. Washington's AI companion regulation. Colorado's reset on their AI law.

Every regulation says the same thing in different words: companies using AI must tell people about it.

Most companies complied the same way too. Added a line of text.

A cannabis dispensary that uses AI for customer profiling? Their disclosure reads: "This site uses AI-powered recommendations." The AI model they're using was trained on Instagram engagement data.

They've never validated it against actual cannabis compliance rules. The model occasionally recommends products to customers under the age threshold, and they have no liability chain because the vendor's contract says "client responsible for output accuracy."

A healthcare platform using AI for patient triage? Checkbox. The model was trained on 2024 data. It hallucinates diagnoses. The vendor's terms say the hospital is liable for medical decisions, even though the hospital didn't build the model and has no access to its training data.

An e-commerce brand using AI for product descriptions? Checkbox. The model generates false claims about durability. The liability chain goes: brand → vendor → model builder → vendor's vendor. Nobody actually owns it.

This isn't oversight. It's liability diffusion.

[Image: A dispensary counter with an AI recommendation screen displaying "AI-Powered Recommendations" to a confused customer]

*The disclosure is there. The understanding isn't.*

Why Disclosure Doesn't Actually Protect Anyone

Disclosure works when three things are true:

  1. The person being disclosed to can understand what they're being told
  2. They can make an informed choice based on that information
  3. There's accountability if the disclosure was misleading

In AI, none of those are true.

A customer at a cannabis dispensary sees "AI-powered recommendations." What does that mean? Are their purchases being recorded? Is the AI making personalization decisions they can opt out of? Is it training on their behavior? Are they being age-gated? Is the recommendation biased? They have no way to know.

A healthcare patient gets flagged by an AI triage system. The disclosure says "This system uses machine learning." The patient has no way to evaluate whether that system is appropriate for their condition. They can't ask what data it was trained on. They can't audit its accuracy. They can't see how it arrived at its conclusion.

An e-commerce shopper sees "AI-powered descriptions" but has no way to verify the claims about the product. They're buying something with potentially false specifications generated by a language model, and the only disclosure they got is a checkbox.

So disclosure becomes theater. Companies check the box. Regulators see the checkbox. Consumers see words they don't understand. Nothing actually changes.

The Liability Chain Problem

Here's where it gets dangerous: when something goes wrong, nobody actually owns it.

A cannabis customer buys a product recommended by an AI system. It's incompatible with their medication. They get sick. Who's liable?

The dispensary: "We used the vendor's AI. They're responsible."

The vendor: "We're just providing the model. The dispensary implemented it wrong."

The model builder: "We provided the training data. The vendor built the model."

The training-data company: "We just provided data. We don't know how it's being used."

In practice? The customer bears the liability because nobody else will. The disclosure checkbox becomes a liability waiver.

Cannabis dispensaries are particularly vulnerable here. They're operating in a compliance-heavy market where recommendations can have serious health consequences. An AI system that recommends products to someone under 21. An AI that doesn't understand state-specific restrictions. An AI that recommends high-THC products to someone with contraindicated medications.

The dispensary is liable. The AI vendor just provided a tool.

The Training Data Trap

Most AI disclosure laws require companies to disclose that they're using AI. Almost none require them to disclose where the AI was trained or what data it learned from.

A cannabis-focused CRM uses an AI system for customer behavior prediction. The model was trained on Instagram user behavior and Amazon purchase history. It was never trained on cannabis-specific purchasing patterns. It doesn't understand cannabis compliance rules. But the vendor's disclosure just says "Uses AI."

A healthcare platform uses a language model for patient communication suggestions. The model was trained on Reddit threads and medical journal abstracts from 2023. It's never seen a case of the specific condition the patient has. But the disclosure checkbox is checked.

An e-commerce brand uses AI for product descriptions. The model was trained on clothing and electronics descriptions. It generates false claims about durability that apply to fashion but not to their specialty products. But the vendor's disclosure just says "AI-generated content."

Training data transparency is the one disclosure that would actually matter. It would let companies evaluate whether an AI system is appropriate for their use case. It would let regulators spot models trained on irrelevant data.

And it's the one thing almost no AI disclosure law requires.

The Compliance Theater Example: Cannabis Retail

Take a concrete example: a cannabis retail chain using AI for customer segmentation and recommendations.

The marketing department wants to use the vendor's AI to identify high-lifetime-value customers and tailor recommendations. The AI system was trained on e-commerce and retail data. It's never seen a cannabis customer dataset.

It doesn't understand age verification requirements. It doesn't know that some products are restricted in some states. It doesn't know that customer data in cannabis retail has strict privacy requirements.

But the vendor provides a checkbox. "This system uses AI."

Compliance team: "We disclosed it. We're compliant."

Marketing: "Great, we can use it for customer profiling."

Legal: "Did we disclose it?"

Compliance: "Yes, checkbox."

The AI system starts making recommendations. Over 90 days, 847 recommendations are made to customers under the age threshold because the model learned "young demographic = high engagement" from the training data, and it never learned cannabis-specific age gates.

Now:

  • The cannabis company faces regulatory action
  • The vendor says their tool was used inappropriately
  • The vendor's contract says the client is responsible for output accuracy
  • The customer bears the consequences

The disclosure checkbox protected nobody. It just created the appearance of transparency.

[Image: A compliance officer exhausted at their desk, surrounded by AI disclosure checkbox forms and liability notes]

*Compliance checking boxes. Liability staying unchecked.*

What Real Disclosure Would Look Like

Actual transparency in AI disclosure would require:

  1. Training data provenance: Where was the model trained? On what data? From what time period? How representative is it of the current use case?
  2. Failure mode documentation: What's the model's accuracy by demographic? By use case? Where does it perform poorly? What specific risks exist?
  3. Liability ownership: Who's responsible if the model makes a wrong decision? Is it shared? Is it the vendor's or the client's?
  4. Validation requirements: Has this model been tested in the specific regulated context where it's being deployed? Has anyone verified it works for cannabis compliance? Healthcare workflows? Financial regulation?
  5. Opt-out mechanisms: Can users actually choose not to be subject to the AI system's decisions? Or is it mandatory?

This kind of disclosure would be expensive. It would require vendors to validate their models for specific use cases. It would require them to own some liability. It would slow down deployment.

So instead, companies take the checkbox approach. A line of text that says "AI" and nothing else.

The Regulatory Failure

State attorneys general are looking at the wrong metrics. They're counting checkboxes. They're not auditing what's actually being disclosed. They're not evaluating whether customers can actually understand what they're being told. They're not tracing liability chains when things go wrong.

A 2026 analysis of 50 companies in regulated industries found:

  • 48/50 had disclosure checkboxes
  • 3/50 disclosed training data sources
  • 1/50 disclosed failure modes by demographic
  • 0/50 had clearly defined liability ownership in customer-facing terms

Regulators saw those checkboxes and declared victory.

In reality, those 48 checkboxes created the appearance of compliance without the substance of protection.

The Bottom Line

Disclosure theater works because it solves the regulator's problem, not the consumer's. It lets the agency say "we fixed this." It gives the company legal cover. It satisfies the checkbox.

But the customer buying a product recommended by an AI trained on irrelevant data? The patient flagged by an AI system nobody audited for their condition? The cannabis retail chain facing liability because their AI didn't understand compliance rules?

For them, the disclosure checkbox is just a liability waiver dressed up as transparency.

Real protection would require hard questions: Where was this trained? How was it validated? Who owns the liability if it fails? What can you actually opt out of?

Until regulations require those answers, the disclosures will keep getting more elaborate while the gaps keep getting wider.

That's not transparency. That's just theater with better lighting.