Updated: July 2026
AI regulations in the US changed significantly in 2025, creating both opportunities and challenges for businesses running artificial intelligence systems. Unlike the EU AI Act, the United States has built a multi-layered regulatory framework that combines federal executive orders with state legislation, such as the Colorado AI Act. This approach means organisations must work across a complex set of requirements that vary by jurisdiction.
AI technology continues to reshape industries from healthcare to finance, and regulatory bodies at federal and state level are working to address emerging risks while keeping American AI innovation competitive. AI tools are now part of daily life for many Americans, and AI is expected to change a large share of jobs over the coming years. Compliance is now a business requirement.
This guide covers the current regulatory environment, key compliance requirements, and how to prepare your organisation for AI governance. Whether you’re deploying generative AI systems, running automated decision systems, or simply using AI tools in your operations, understanding these regulations matters for sustainable business success.
• The United States uses a multi-layered regulatory approach to AI, combining federal executive orders, agency guidance, and diverse state laws, which creates a complex compliance landscape for businesses.
• State-level legislation, such as the Colorado AI Act and California AI Transparency Act, leads AI regulation efforts by focusing on high-risk AI systems, transparency, and consumer protection.
• Organisations should build strong AI governance practices, including risk assessments, transparency measures, and ongoing monitoring.
The regulatory environment for artificial intelligence in the United States reflects a balance between innovation and oversight. Unlike jurisdictions that have passed a single federal AI law, the US relies on a combination of executive orders, agency guidance, and state laws to regulate AI systems.
Currently, no federal law explicitly governs the development and deployment of AI across all sectors. Instead, the regulatory framework consists of:
• Federal executive orders and agency guidelines that set broad principles for trustworthy AI
• Sector-specific rules enforced by agencies like the FTC, EEOC, and CFPB
• State AI laws that address specific use cases and high-risk AI systems
• Industry standards such as the NIST AI Risk Management Framework
This has created what experts call a “regulatory patchwork,” where businesses must comply with different requirements depending on their location, industry, and specific AI applications.
The regulatory landscape shifted in early 2025 with several significant developments:
• January 2025: President Trump signed the executive order “Removing Barriers to American Leadership in Artificial Intelligence,” which withdrew many of the Biden administration’s AI safety measures. The order prioritised economic competitiveness and technological leadership over regulatory scrutiny.
• The Colorado AI Act (SB24-205) became the first state law to target high-risk AI systems in employment and consumer contexts. Its effective date has been pushed back since it was first signed; check the section below for the latest timeline.
• April 2025: Executive Order 14277 “Advancing Artificial Intelligence Education for American Youth”, focused on updating education strategies to build AI literacy.
• July 2025: The White House released “Winning the AI Race: America’s AI Action Plan,” setting out three pillars for federal AI policy: speeding up innovation, building infrastructure, and leading international diplomacy.
Organisations deploying AI systems must manage this regulatory environment while keeping operations running smoothly. Without uniform federal standards, businesses operating across multiple states need compliance strategies that account for different state requirements, federal guidelines, and industry-specific rules.
A proposal in H.R. 1 (the “One Big Beautiful Bill Act”) would have paused state and local AI regulations for a decade. That moratorium was later removed from the final bill after pushback in the Senate, but the debate shows the ongoing tension between federal and state authority over AI. This makes it important for businesses to stay informed about regulatory developments and keep their compliance strategies flexible.
The federal government’s approach to AI has changed a great deal, particularly after the Trump administration’s push to remove regulatory barriers and promote American leadership in AI. Understanding the current federal framework matters for any organisation deploying artificial intelligence technology.
Rather than passing new federal legislation, the US government regulates AI through existing laws and agency guidance. This relies on principles-based frameworks and sector-specific enforcement to address AI risks while preserving incentives for innovation.
The federal strategy focuses on three main areas:
• Risk management through voluntary standards and best practices
• Civil rights enforcement using existing anti-discrimination laws
• National security measures to protect critical infrastructure and competitive advantages
The executive order “Removing Barriers to American Leadership in Artificial Intelligence” changed federal AI policy. It directed federal agencies to:
• Review and revoke policies seen as slowing down AI innovation
• Prioritise American competitiveness in global AI development
• Ensure federal procurement of AI systems is free from ideological bias
• Fast-track permits for AI infrastructure, including data centres and semiconductor facilities
The order also required the creation of an Artificial Intelligence Action Plan within 180 days, which led to the strategy released in July 2025.
The National Institute of Standards and Technology (NIST) built the AI Risk Management Framework (AI RMF 1.0), which gives voluntary guidance for managing AI risks. This framework has become a de facto standard for many organisations, even though following it is not a legal requirement.
The framework has four core functions:
• Govern: setting up organisational AI governance and risk management policies
• Map: understanding AI system contexts and identifying potential impacts
• Measure: assessing and testing AI systems for reliability, safety, and bias
• Manage: putting controls and monitoring in place throughout the AI lifecycle
Many state laws, including the Colorado AI Act, reference NIST standards, so knowing this framework matters for compliance across jurisdictions.
Federal agencies continue to enforce existing laws against discriminatory or deceptive AI practices, even without AI-specific legislation. Key enforcement areas include:
Federal Trade Commission (FTC): The FTC has acted against companies for deceptive AI claims and algorithmic bias. One notable case involved enforcement action against Rite Aid over its use of facial recognition technology, which led to false accusations and discriminatory outcomes for customers.
Equal Employment Opportunity Commission (EEOC): The EEOC actively investigates AI-related employment discrimination, particularly in automated hiring and evaluation systems. The agency has issued guidance on how existing civil rights laws apply to AI tools used in employment decisions.
Consumer Financial Protection Bureau (CFPB): The CFPB monitors the use of AI in financial services, to check fair lending compliance and protect consumers in automated decision-making.
While comprehensive federal AI legislation remains stalled, Congress continues to consider various measures, including proposals for AI training requirements for federal employees and government-wide AI governance standards. Regular House and Senate hearings examine the risks, benefits, and regulatory approaches to AI, with Republicans in both chambers raising concerns about regulatory overreach while still supporting innovation.
The path to federal legislation remains uncertain, with ongoing debate about the right balance between innovation and regulation.
State governments have become the main drivers of AI regulation in the United States. Dozens of states introduced AI-related bills in 2025, creating a diverse landscape of requirements for businesses to work through.
State AI laws typically focus on specific use cases rather than regulating all artificial intelligence systems. Common areas include:
• Employment and hiring decisions using automated decision systems
• Consumer protection and transparency requirements
• Biometric data collection and facial recognition
• Healthcare AI applications
• Government use of AI technologies
The pace of state legislation reflects growing awareness of AI risks in the absence of federal legislation.
Colorado became the first state to enact AI regulation with the passage of SB24-205, known as the Colorado AI Act. This legislation takes effect February 15, 2026, and establishes the state-level framework for regulating high-risk AI systems.
Key provisions:
• Scope: applies to developers and deployers of AI systems that make consequential decisions in employment, education, financial services, healthcare, housing, insurance, and legal services
• Risk assessments: requires impact assessments for high-risk AI systems before deployment
• Algorithmic discrimination: prohibits AI systems that cause unlawful discrimination
• Consumer rights: provides consumers the right to know when AI systems make decisions affecting them
• Disclosure requirements: requires disclosure of AI system capabilities, limitations, and known risks
The Colorado law references the NIST AI Risk Management Framework, encouraging deployers to implement these voluntary standards. Organisations that comply with equivalent AI standards may receive reduced penalties for violations.
California has passed multiple AI-related laws, effective January 2026, that set requirements for AI transparency and consumer protection.
SB-942 AI Transparency Act: requires businesses to disclose when consumers interact with generative AI systems and to label AI-generated content clearly. The law applies to any company operating in California that uses AI to interact with consumers or create content for the public.
AB 2013: requires developers of large-scale AI models to document training data, provide impact assessments, and put safety measures in place. This law targets generative AI systems and requires disclosure of copyrighted material used in training data.
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) also contain provisions that apply to AI systems, particularly around automated decision-making and the consumer’s right to an explanation.
Illinois HB 3773: Effective January 1, 2026, this law bans discrimination in employment decisions made by artificial intelligence systems. It requires employers to give notice when AI is used in hiring and lets job applicants ask for information about how the AI system makes decisions.
Tennessee ELVIS Act (HB 2091): Effective July 1, 2024, this law protects people from unauthorised use of their voice or likeness in AI-generated content. Named after Elvis Presley, it addresses AI-generated deepfakes and gives civil remedies to those affected.
Utah SB 149 – AI Policy Act: Sets disclosure requirements for government use of AI and creates an AI policy office to coordinate state AI governance. State agencies must conduct impact assessments before deploying AI systems that have a significant impact on the public.
New York City Local Law 144: This is a local ordinance, but NYC’s bias audit requirement for automated hiring tools has become a model for other jurisdictions. Effective July 5, 2023, it requires employers to run annual bias audits of AI systems used in hiring decisions.
Several states are considering additional AI regulation for 2026 and beyond:
• Washington: Proposed AI regulation similar to Colorado’s approach
• Connecticut: Bills addressing AI in healthcare and government services
• Massachusetts: Legislation focusing on AI in criminal justice and policing
• Texas: Proposed measures addressing AI in education and employment
The trend toward state-level regulation shows no sign of slowing down, with many states treating AI governance as important for protecting residents while federal legislation remains uncertain.
Managing AI regulations means understanding common compliance themes and building risk management practices. Specific requirements vary by jurisdiction, but several core principles show up across federal guidelines and state AI laws.
Most AI regulations, federal or state, focus on similar concerns:
Risk assessment and impact evaluation: Nearly all AI regulations require some form of risk assessment for high-risk AI systems. These assessments typically look at potential impacts on civil rights, consumer protection, and safety. Organisations must identify automated decision systems that could significantly affect people and carry out impact evaluations before deployment.
Transparency and disclosure: Regulations consistently require organisations to tell users when they’re interacting with an AI system. This includes disclosing when AI makes decisions affecting consumers, employees, or other stakeholders. Specific disclosure requirements vary, but transparency stays a constant principle across jurisdictions.
Bias testing and algorithmic auditing: Many state laws require regular testing of AI systems for discriminatory impacts. This includes both pre-deployment testing and ongoing monitoring to make sure systems don’t produce biased outcomes against protected classes.
Colorado AI Act Requirements:
• Conduct impact assessments for high-risk AI systems 90 days before deployment
• Implement reasonable care standards to protect against algorithmic discrimination
• Provide consumers with notices when AI systems make consequential decisions
• Maintain documentation of AI system governance and risk management processes
• Report annually to the Colorado Attorney General on high-risk AI system usage
California Disclosure Requirements:
• Label AI-generated content clearly and conspicuously
• Disclose when consumers interact with generative AI systems
• Provide transparency reports for large-scale AI models, including training data documentation
• Implement safety measures and impact assessments for generative AI systems
Federal Agency Expectations:
• Follow NIST AI Risk Management Framework principles
• Ensure AI systems comply with existing civil rights and consumer protection laws
• Maintain human oversight for automated decision-making in sensitive contexts
• Document AI system testing and validation procedures
Different sectors face specific regulatory requirements based on existing industry rules and how AI is used:
Healthcare: AI systems in healthcare must comply with HIPAA privacy requirements, FDA medical device regulations, and state medical practice laws. Healthcare AI developers need to consider patient safety, data privacy, and clinical validation to implement AI safely.
Financial services: Financial institutions using AI must comply with fair lending laws, consumer protection regulations, and banking oversight requirements. The CFPB actively watches for discriminatory lending practices and deceptive marketing involving AI.
Employment: AI tools used in hiring, evaluation, or workplace decisions face scrutiny under civil rights laws, state employment regulations, and emerging AI-specific employment protections. The EEOC’s guidance on AI in employment gives useful insight into compliance.
Government: Public sector AI use typically faces the highest scrutiny, with requirements for public transparency, due process protections, and constitutional compliance. Many local governments have set specific policies for procuring and deploying AI.
Organisations can take several concrete steps to ensure compliance across multiple jurisdictions:
AI system inventory: Keep an inventory of all AI tools and automated decision systems used in your operations. This should include each system’s purpose, data sources, decision-making capabilities, and who it affects.
Risk assessment process: Put standard procedures in place for evaluating AI system risks before deployment. Consider using the NIST framework as a baseline, then add jurisdiction-specific requirements as needed.
Documentation standards: Build strong documentation practices covering AI system development, testing, deployment, and monitoring. This documentation matters for compliance audits and regulatory inquiries.
Training and awareness: Make sure employees understand the AI regulations relevant to their roles. Regular training reduces compliance violations and supports responsible AI practices.
Vendor management: Build AI vendor evaluation processes that check compliance capabilities and contractual protections. Many organisations rely on third-party AI systems, which makes vendor compliance a real business risk.
| Compliance Area | Key Requirements | Applicable Regulations |
| Risk Assessment | Impact evaluation before deployment | Colorado AI Act, NIST Framework |
| Transparency | User notification and disclosure | California laws, FTC guidance |
| Bias Testing | Regular algorithmic auditing | NYC Local Law 144, Colorado AI Act |
| Documentation | System governance records | Multiple state and federal requirements |
| Human Oversight | Meaningful human review | EEOC guidance, best practices |
Compliance with AI regulations needs ongoing attention rather than a one-time project.
Regular auditing: Set up periodic reviews of AI system performance, including bias testing, accuracy checks, and impact evaluations. Many regulations require annual or ongoing monitoring.
Regulatory tracking: Stay informed about evolving AI regulations through legal counsel, industry associations, and regulatory monitoring services. AI regulation continues to move fast across jurisdictions.
Incident response: Build procedures for handling AI system failures, bias discoveries, or compliance violations. A quick response and remediation shows good faith in your compliance efforts.
Stakeholder engagement: Keep open communication with affected communities, employees, and customers about how the AI system is used and its impacts. Early engagement can prevent regulatory issues and build trust.
The regulatory environment for artificial intelligence keeps evolving fast, with significant developments expected over the coming years. Organisations need forward-looking strategies to operate in this changing environment while keeping their competitive edge in AI innovation.
• Employment and hiring AI systems regulation
• Consumer protection for AI-generated content
• Healthcare AI safety and efficacy standards
• Government transparency in AI procurement and deployment
• Educational AI applications and student privacy
Federal legislative prospects remain uncertain, but several factors could speed up congressional action:
• International pressure from the EU AI Act and other global standards
• High-profile AI incidents or failures that expose regulatory gaps
• Economic competitiveness concerns over whether regulatory fragmentation hinders innovation
• Constituent pressure for consistent consumer protections
The legislative process faces competing priorities between promoting innovation and reducing risk, as well as partisan disagreement about the right federal role in AI governance.
The EU AI Act continues to influence US regulatory thinking and business practices, particularly for multinational companies. Key areas of influence include:
Global standards harmonisation: US companies operating internationally must consider EU requirements, which creates pressure for similar domestic standards. This may speed up the adoption of risk-based regulatory approaches in the United States.
Competitive positioning: The Trump administration’s focus on global AI leadership includes efforts to export American AI frameworks and standards to allied nations. This international competition may shape future US regulatory approaches to protect technological leadership.
Cross-border enforcement: As AI systems increasingly operate across jurisdictions, regulatory coordination matters more. US agencies are building frameworks for international cooperation on AI oversight and enforcement.
Agentic AI systems: As AI systems become more autonomous and capable of independent action, regulators are starting to address the risks posed by agentic artificial intelligence. These systems need new approaches to accountability, control, and safety oversight.
Generative AI content: The growth of AI-generated content across media, marketing, and communications keeps raising concerns about misinformation, intellectual property, and consumer deception. Expect wider labelling and disclosure requirements for AI-generated content.
Critical infrastructure: AI deployment in critical sectors like energy, transportation, and telecommunications faces growing regulatory scrutiny. The federal government is building specialised frameworks for AI safety in infrastructure applications.
AI in democratic processes: Growing concerns about AI’s impact on elections, political communications, and civic engagement are driving new regulatory approaches, including measures addressing AI-generated deepfakes in political content and automated influence operations.
Legal team coordination: Organisations should make sure their legal, compliance, and technology teams work closely together on AI governance. This matters more as regulations become more technically complex and enforcement grows stronger.
Vendor evaluation processes: Build vendor assessment procedures that check AI suppliers’ compliance capabilities, security measures, and how well they meet regulatory requirements. Many compliance failures happen through third-party AI tools rather than internal systems.
Policy development: Create internal AI governance policies that go beyond minimum regulatory requirements. Planning ahead gives you flexibility to adapt to new regulations while showing good faith compliance efforts.
Cross-jurisdictional planning: For organisations operating across multiple states or internationally, build compliance strategies that meet the highest common standard of requirements rather than the minimum in each jurisdiction.
Monitoring tools and resources: Put systematic approaches in place for tracking regulatory developments:
• Subscribe to regulatory monitoring services that track AI legislation across jurisdictions
• Join industry associations that provide regulatory updates and advocacy
• Establish relationships with legal counsel specialising in AI and technology law
• Participate in regulatory comment processes to influence policy development
Compliance programmes that can adapt: Design compliance programs that can quickly respond to new requirements:
• Build flexibility into AI system design and deployment processes
• Maintain modular documentation that can be updated for new requirements
• Develop standard operating procedures that can accommodate varying jurisdictional needs
• Train staff on regulatory principles rather than just specific current requirements
Risk-based prioritisation: Focus compliance efforts on the highest-risk AI applications and most likely regulatory scenarios:
• Prioritise compliance for AI systems affecting employment, healthcare, and financial services
• Invest in bias testing and fairness measures for customer-facing AI tools
• Ensure transparent practices for any AI systems making decisions about individuals
• Maintain strong data governance for AI training and operation
Technology companies: Prepare for increased scrutiny of AI model development, training data usage, and safety testing. Consider adopting voluntary standards that may become mandatory requirements.
Healthcare organisations: Focus on patient safety, privacy protection, and clinical validation for AI tools. Regulatory agencies are building specialised frameworks for medical AI applications.
Financial services: Focus on fair lending compliance, consumer protection, and risk management for AI-driven financial decisions. Expect increased enforcement of existing regulations applied to AI systems.
Employers: Prepare for wider employment-related AI regulations covering hiring, evaluation, scheduling, and workplace monitoring. Put human oversight and bias testing in place for employment AI tools to support fairness and accuracy.
The future of AI regulation in the US will be shaped by ongoing tension between innovation and oversight, between federal and state authority, and between domestic and international considerations. Organisations that address these challenges early, while keeping their compliance strategies flexible, will be best placed for success in this evolving regulatory environment.
Immediate action items:
1. Conduct a strong inventory of all AI systems currently in use
2. Assess current compliance gaps against existing federal guidelines and applicable state laws
3. Implement risk assessment procedures based on NIST framework principles
4. Develop internal AI governance policies and training programs
5. Establish monitoring systems for regulatory developments in relevant jurisdictions
Long-term strategic considerations:
• Build compliance capabilities that can scale with regulatory expansion
• Invest in AI safety and fairness technologies that exceed current requirements
• Participate in industry standards development and regulatory policy discussions
• Develop competitive advantages through responsible AI practices that build consumer trust
Start preparing your organisation today by conducting an AI inventory, adopting risk management frameworks, and developing flexible compliance policies that can evolve with the fast-changing regulatory environment. The future of AI regulation may be uncertain, but the need for early preparation is clear.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.
The US federal government regulates AI mainly through existing laws, executive orders, and agency guidance rather than a comprehensive federal AI law. This approach emphasises voluntary risk management, civil rights enforcement under current anti-discrimination laws, and national security measures, while promoting innovation and American leadership in AI.
The Colorado AI Act applies to developers and deployers of high-risk AI systems in sectors like employment, healthcare, and financial services. It requires impact assessments before deployment, prohibits algorithmic discrimination, requires consumer disclosures when AI makes consequential decisions, and encourages following standards like the NIST AI Risk Management Framework. Its effective date has been delayed since the law was signed, so check the current start date before relying on it.
State AI laws vary significantly, creating a complex patchwork of regulations. Businesses need compliance strategies that account for different state requirements, including transparency, bias testing, and disclosure obligations. Staying informed about evolving state legislation and adopting flexible AI governance policies matters for multi-state operations.