AI Regulations in the US What You Need to Know in 2025

AI Regulations in the US: What You Need to Know in 2025

Updated: July 2026

AI regulations in the US changed significantly in 2025, creating both opportunities and challenges for businesses running artificial intelligence systems. Unlike the EU AI Act, the United States has built a multi-layered regulatory framework that combines federal executive orders with state legislation, such as the Colorado AI Act. This approach means organisations must work across a complex set of requirements that vary by jurisdiction.

AI technology continues to reshape industries from healthcare to finance, and regulatory bodies at federal and state level are working to address emerging risks while keeping American AI innovation competitive. AI tools are now part of daily life for many Americans, and AI is expected to change a large share of jobs over the coming years. Compliance is now a business requirement.

This guide covers the current regulatory environment, key compliance requirements, and how to prepare your organisation for AI governance. Whether you’re deploying generative AI systems, running automated decision systems, or simply using AI tools in your operations, understanding these regulations matters for sustainable business success.

Key Takeaways:

The United States uses a multi-layered regulatory approach to AI, combining federal executive orders, agency guidance, and diverse state laws, which creates a complex compliance landscape for businesses.

State-level legislation, such as the Colorado AI Act and California AI Transparency Act, leads AI regulation efforts by focusing on high-risk AI systems, transparency, and consumer protection.

Organisations should build strong AI governance practices, including risk assessments, transparency measures, and ongoing monitoring.

What is the current state of AI regulation in the US?

The regulatory environment for artificial intelligence in the United States reflects a balance between innovation and oversight. Unlike jurisdictions that have passed a single federal AI law, the US relies on a combination of executive orders, agency guidance, and state laws to regulate AI systems.

What does the multi-layered regulatory approach look like?

Currently, no federal law explicitly governs the development and deployment of AI across all sectors. Instead, the regulatory framework consists of:

Federal executive orders and agency guidelines that set broad principles for trustworthy AI
Sector-specific rules enforced by agencies like the FTC, EEOC, and CFPB
State AI laws that address specific use cases and high-risk AI systems
Industry standards such as the NIST AI Risk Management Framework

This has created what experts call a “regulatory patchwork,” where businesses must comply with different requirements depending on their location, industry, and specific AI applications.

What happened in AI regulation in 2025?

The regulatory landscape shifted in early 2025 with several significant developments:

January 2025: President Trump signed the executive order “Removing Barriers to American Leadership in Artificial Intelligence,” which withdrew many of the Biden administration’s AI safety measures. The order prioritised economic competitiveness and technological leadership over regulatory scrutiny.

The Colorado AI Act (SB24-205) became the first state law to target high-risk AI systems in employment and consumer contexts. Its effective date has been pushed back since it was first signed; check the section below for the latest timeline.

April 2025: Executive Order 14277 “Advancing Artificial Intelligence Education for American Youth”, focused on updating education strategies to build AI literacy.

July 2025: The White House released “Winning the AI Race: America’s AI Action Plan,” setting out three pillars for federal AI policy: speeding up innovation, building infrastructure, and leading international diplomacy.

What challenges do businesses face?

Organisations deploying AI systems must manage this regulatory environment while keeping operations running smoothly. Without uniform federal standards, businesses operating across multiple states need compliance strategies that account for different state requirements, federal guidelines, and industry-specific rules.

A proposal in H.R. 1 (the “One Big Beautiful Bill Act”) would have paused state and local AI regulations for a decade. That moratorium was later removed from the final bill after pushback in the Senate, but the debate shows the ongoing tension between federal and state authority over AI. This makes it important for businesses to stay informed about regulatory developments and keep their compliance strategies flexible.

How does the federal government regulate AI?

The federal government’s approach to AI has changed a great deal, particularly after the Trump administration’s push to remove regulatory barriers and promote American leadership in AI. Understanding the current federal framework matters for any organisation deploying artificial intelligence technology.

What is the current federal approach?

Rather than passing new federal legislation, the US government regulates AI through existing laws and agency guidance. This relies on principles-based frameworks and sector-specific enforcement to address AI risks while preserving incentives for innovation.

The federal strategy focuses on three main areas:

Risk management through voluntary standards and best practices
Civil rights enforcement using existing anti-discrimination laws
National security measures to protect critical infrastructure and competitive advantages

What does the 2025 executive order on AI leadership do?

The executive order “Removing Barriers to American Leadership in Artificial Intelligence” changed federal AI policy. It directed federal agencies to:

Review and revoke policies seen as slowing down AI innovation
Prioritise American competitiveness in global AI development
Ensure federal procurement of AI systems is free from ideological bias
Fast-track permits for AI infrastructure, including data centres and semiconductor facilities

The order also required the creation of an Artificial Intelligence Action Plan within 180 days, which led to the strategy released in July 2025.

What is the NIST AI Risk Management Framework?

The National Institute of Standards and Technology (NIST) built the AI Risk Management Framework (AI RMF 1.0), which gives voluntary guidance for managing AI risks. This framework has become a de facto standard for many organisations, even though following it is not a legal requirement.

The framework has four core functions:

Govern: setting up organisational AI governance and risk management policies
Map: understanding AI system contexts and identifying potential impacts
Measure: assessing and testing AI systems for reliability, safety, and bias
Manage: putting controls and monitoring in place throughout the AI lifecycle

Many state laws, including the Colorado AI Act, reference NIST standards, so knowing this framework matters for compliance across jurisdictions.

How do federal agencies enforce AI rules?

Federal agencies continue to enforce existing laws against discriminatory or deceptive AI practices, even without AI-specific legislation. Key enforcement areas include:

Federal Trade Commission (FTC): The FTC has acted against companies for deceptive AI claims and algorithmic bias. One notable case involved enforcement action against Rite Aid over its use of facial recognition technology, which led to false accusations and discriminatory outcomes for customers.

Equal Employment Opportunity Commission (EEOC): The EEOC actively investigates AI-related employment discrimination, particularly in automated hiring and evaluation systems. The agency has issued guidance on how existing civil rights laws apply to AI tools used in employment decisions.

Consumer Financial Protection Bureau (CFPB): The CFPB monitors the use of AI in financial services, to check fair lending compliance and protect consumers in automated decision-making.

What is Congress doing about AI?

While comprehensive federal AI legislation remains stalled, Congress continues to consider various measures, including proposals for AI training requirements for federal employees and government-wide AI governance standards. Regular House and Senate hearings examine the risks, benefits, and regulatory approaches to AI, with Republicans in both chambers raising concerns about regulatory overreach while still supporting innovation.

The path to federal legislation remains uncertain, with ongoing debate about the right balance between innovation and regulation.

What AI laws exist at the state level?

State governments have become the main drivers of AI regulation in the United States. Dozens of states introduced AI-related bills in 2025, creating a diverse landscape of requirements for businesses to work through.

What do state AI laws usually cover?

State AI laws typically focus on specific use cases rather than regulating all artificial intelligence systems. Common areas include:

Employment and hiring decisions using automated decision systems
Consumer protection and transparency requirements
Biometric data collection and facial recognition
Healthcare AI applications
Government use of AI technologies

The pace of state legislation reflects growing awareness of AI risks in the absence of federal legislation.

What does the Colorado AI Act require?

Colorado became the first state to enact AI regulation with the passage of SB24-205, known as the Colorado AI Act. This legislation takes effect February 15, 2026, and establishes the state-level framework for regulating high-risk AI systems.

Key provisions:

Scope: applies to developers and deployers of AI systems that make consequential decisions in employment, education, financial services, healthcare, housing, insurance, and legal services
Risk assessments: requires impact assessments for high-risk AI systems before deployment
Algorithmic discrimination: prohibits AI systems that cause unlawful discrimination
Consumer rights: provides consumers the right to know when AI systems make decisions affecting them
Disclosure requirements: requires disclosure of AI system capabilities, limitations, and known risks

The Colorado law references the NIST AI Risk Management Framework, encouraging deployers to implement these voluntary standards. Organisations that comply with equivalent AI standards may receive reduced penalties for violations.

What AI laws has California passed?

California has passed multiple AI-related laws, effective January 2026, that set requirements for AI transparency and consumer protection.

SB-942 AI Transparency Act: requires businesses to disclose when consumers interact with generative AI systems and to label AI-generated content clearly. The law applies to any company operating in California that uses AI to interact with consumers or create content for the public.

AB 2013: requires developers of large-scale AI models to document training data, provide impact assessments, and put safety measures in place. This law targets generative AI systems and requires disclosure of copyrighted material used in training data.

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) also contain provisions that apply to AI systems, particularly around automated decision-making and the consumer’s right to an explanation.

What other state AI laws should you know?

Illinois HB 3773: Effective January 1, 2026, this law bans discrimination in employment decisions made by artificial intelligence systems. It requires employers to give notice when AI is used in hiring and lets job applicants ask for information about how the AI system makes decisions.

Tennessee ELVIS Act (HB 2091): Effective July 1, 2024, this law protects people from unauthorised use of their voice or likeness in AI-generated content. Named after Elvis Presley, it addresses AI-generated deepfakes and gives civil remedies to those affected.

Utah SB 149 – AI Policy Act: Sets disclosure requirements for government use of AI and creates an AI policy office to coordinate state AI governance. State agencies must conduct impact assessments before deploying AI systems that have a significant impact on the public.

New York City Local Law 144: This is a local ordinance, but NYC’s bias audit requirement for automated hiring tools has become a model for other jurisdictions. Effective July 5, 2023, it requires employers to run annual bias audits of AI systems used in hiring decisions.

Which states are planning new AI laws?

Several states are considering additional AI regulation for 2026 and beyond:

Washington: Proposed AI regulation similar to Colorado’s approach
Connecticut: Bills addressing AI in healthcare and government services
Massachusetts: Legislation focusing on AI in criminal justice and policing
Texas: Proposed measures addressing AI in education and employment

The trend toward state-level regulation shows no sign of slowing down, with many states treating AI governance as important for protecting residents while federal legislation remains uncertain.

What are the core compliance requirements?

Managing AI regulations means understanding common compliance themes and building risk management practices. Specific requirements vary by jurisdiction, but several core principles show up across federal guidelines and state AI laws.

What themes appear across AI regulations?

Most AI regulations, federal or state, focus on similar concerns:

Risk assessment and impact evaluation: Nearly all AI regulations require some form of risk assessment for high-risk AI systems. These assessments typically look at potential impacts on civil rights, consumer protection, and safety. Organisations must identify automated decision systems that could significantly affect people and carry out impact evaluations before deployment.

Transparency and disclosure: Regulations consistently require organisations to tell users when they’re interacting with an AI system. This includes disclosing when AI makes decisions affecting consumers, employees, or other stakeholders. Specific disclosure requirements vary, but transparency stays a constant principle across jurisdictions.

Bias testing and algorithmic auditing: Many state laws require regular testing of AI systems for discriminatory impacts. This includes both pre-deployment testing and ongoing monitoring to make sure systems don’t produce biased outcomes against protected classes.

What specific requirements do you need to meet?

Colorado AI Act Requirements:

Conduct impact assessments for high-risk AI systems 90 days before deployment
Implement reasonable care standards to protect against algorithmic discrimination
Provide consumers with notices when AI systems make consequential decisions
Maintain documentation of AI system governance and risk management processes
Report annually to the Colorado Attorney General on high-risk AI system usage

California Disclosure Requirements:

Label AI-generated content clearly and conspicuously
Disclose when consumers interact with generative AI systems
Provide transparency reports for large-scale AI models, including training data documentation
Implement safety measures and impact assessments for generative AI systems

Federal Agency Expectations:

Follow NIST AI Risk Management Framework principles
Ensure AI systems comply with existing civil rights and consumer protection laws
Maintain human oversight for automated decision-making in sensitive contexts
Document AI system testing and validation procedures

How do requirements differ by industry?

Different sectors face specific regulatory requirements based on existing industry rules and how AI is used:

Healthcare: AI systems in healthcare must comply with HIPAA privacy requirements, FDA medical device regulations, and state medical practice laws. Healthcare AI developers need to consider patient safety, data privacy, and clinical validation to implement AI safely.

Financial services: Financial institutions using AI must comply with fair lending laws, consumer protection regulations, and banking oversight requirements. The CFPB actively watches for discriminatory lending practices and deceptive marketing involving AI.

Employment: AI tools used in hiring, evaluation, or workplace decisions face scrutiny under civil rights laws, state employment regulations, and emerging AI-specific employment protections. The EEOC’s guidance on AI in employment gives useful insight into compliance.

Government: Public sector AI use typically faces the highest scrutiny, with requirements for public transparency, due process protections, and constitutional compliance. Many local governments have set specific policies for procuring and deploying AI.

What practical steps can you take?

Organisations can take several concrete steps to ensure compliance across multiple jurisdictions:

AI system inventory: Keep an inventory of all AI tools and automated decision systems used in your operations. This should include each system’s purpose, data sources, decision-making capabilities, and who it affects.

Risk assessment process: Put standard procedures in place for evaluating AI system risks before deployment. Consider using the NIST framework as a baseline, then add jurisdiction-specific requirements as needed.

Documentation standards: Build strong documentation practices covering AI system development, testing, deployment, and monitoring. This documentation matters for compliance audits and regulatory inquiries.

Training and awareness: Make sure employees understand the AI regulations relevant to their roles. Regular training reduces compliance violations and supports responsible AI practices.

Vendor management: Build AI vendor evaluation processes that check compliance capabilities and contractual protections. Many organisations rely on third-party AI systems, which makes vendor compliance a real business risk.

Compliance AreaKey RequirementsApplicable Regulations
Risk AssessmentImpact evaluation before deploymentColorado AI Act, NIST Framework
TransparencyUser notification and disclosureCalifornia laws, FTC guidance
Bias TestingRegular algorithmic auditingNYC Local Law 144, Colorado AI Act
DocumentationSystem governance recordsMultiple state and federal requirements
Human OversightMeaningful human reviewEEOC guidance, best practices

How do you stay compliant over time?

Compliance with AI regulations needs ongoing attention rather than a one-time project.

Regular auditing: Set up periodic reviews of AI system performance, including bias testing, accuracy checks, and impact evaluations. Many regulations require annual or ongoing monitoring.

Regulatory tracking: Stay informed about evolving AI regulations through legal counsel, industry associations, and regulatory monitoring services. AI regulation continues to move fast across jurisdictions.

Incident response: Build procedures for handling AI system failures, bias discoveries, or compliance violations. A quick response and remediation shows good faith in your compliance efforts.

Stakeholder engagement: Keep open communication with affected communities, employees, and customers about how the AI system is used and its impacts. Early engagement can prevent regulatory issues and build trust.

How can you prepare for future AI regulation?

The regulatory environment for artificial intelligence keeps evolving fast, with significant developments expected over the coming years. Organisations need forward-looking strategies to operate in this changing environment while keeping their competitive edge in AI innovation.

What regulatory changes should you expect?

Employment and hiring AI systems regulation
Consumer protection for AI-generated content
Healthcare AI safety and efficacy standards
Government transparency in AI procurement and deployment
Educational AI applications and student privacy

Federal legislative prospects remain uncertain, but several factors could speed up congressional action:

International pressure from the EU AI Act and other global standards
High-profile AI incidents or failures that expose regulatory gaps
Economic competitiveness concerns over whether regulatory fragmentation hinders innovation
Constituent pressure for consistent consumer protections

The legislative process faces competing priorities between promoting innovation and reducing risk, as well as partisan disagreement about the right federal role in AI governance.

How do international rules affect US companies?

The EU AI Act continues to influence US regulatory thinking and business practices, particularly for multinational companies. Key areas of influence include:

Global standards harmonisation: US companies operating internationally must consider EU requirements, which creates pressure for similar domestic standards. This may speed up the adoption of risk-based regulatory approaches in the United States.

Competitive positioning: The Trump administration’s focus on global AI leadership includes efforts to export American AI frameworks and standards to allied nations. This international competition may shape future US regulatory approaches to protect technological leadership.

Cross-border enforcement: As AI systems increasingly operate across jurisdictions, regulatory coordination matters more. US agencies are building frameworks for international cooperation on AI oversight and enforcement.

What new areas will regulators focus on?

Agentic AI systems: As AI systems become more autonomous and capable of independent action, regulators are starting to address the risks posed by agentic artificial intelligence. These systems need new approaches to accountability, control, and safety oversight.

Generative AI content: The growth of AI-generated content across media, marketing, and communications keeps raising concerns about misinformation, intellectual property, and consumer deception. Expect wider labelling and disclosure requirements for AI-generated content.

Critical infrastructure: AI deployment in critical sectors like energy, transportation, and telecommunications faces growing regulatory scrutiny. The federal government is building specialised frameworks for AI safety in infrastructure applications.

AI in democratic processes: Growing concerns about AI’s impact on elections, political communications, and civic engagement are driving new regulatory approaches, including measures addressing AI-generated deepfakes in political content and automated influence operations.

How should businesses prepare?

Legal team coordination: Organisations should make sure their legal, compliance, and technology teams work closely together on AI governance. This matters more as regulations become more technically complex and enforcement grows stronger.

Vendor evaluation processes: Build vendor assessment procedures that check AI suppliers’ compliance capabilities, security measures, and how well they meet regulatory requirements. Many compliance failures happen through third-party AI tools rather than internal systems.

Policy development: Create internal AI governance policies that go beyond minimum regulatory requirements. Planning ahead gives you flexibility to adapt to new regulations while showing good faith compliance efforts.

Cross-jurisdictional planning: For organisations operating across multiple states or internationally, build compliance strategies that meet the highest common standard of requirements rather than the minimum in each jurisdiction.

How do you stay compliant across states?

Monitoring tools and resources: Put systematic approaches in place for tracking regulatory developments:

Subscribe to regulatory monitoring services that track AI legislation across jurisdictions
Join industry associations that provide regulatory updates and advocacy
Establish relationships with legal counsel specialising in AI and technology law
Participate in regulatory comment processes to influence policy development

Compliance programmes that can adapt: Design compliance programs that can quickly respond to new requirements:

Build flexibility into AI system design and deployment processes
Maintain modular documentation that can be updated for new requirements
Develop standard operating procedures that can accommodate varying jurisdictional needs
Train staff on regulatory principles rather than just specific current requirements

Risk-based prioritisation: Focus compliance efforts on the highest-risk AI applications and most likely regulatory scenarios:

Prioritise compliance for AI systems affecting employment, healthcare, and financial services
Invest in bias testing and fairness measures for customer-facing AI tools
Ensure transparent practices for any AI systems making decisions about individuals
Maintain strong data governance for AI training and operation

How should different industries prepare?

Technology companies: Prepare for increased scrutiny of AI model development, training data usage, and safety testing. Consider adopting voluntary standards that may become mandatory requirements.

Healthcare organisations: Focus on patient safety, privacy protection, and clinical validation for AI tools. Regulatory agencies are building specialised frameworks for medical AI applications.

Financial services: Focus on fair lending compliance, consumer protection, and risk management for AI-driven financial decisions. Expect increased enforcement of existing regulations applied to AI systems.

Employers: Prepare for wider employment-related AI regulations covering hiring, evaluation, scheduling, and workplace monitoring. Put human oversight and bias testing in place for employment AI tools to support fairness and accuracy.

Conclusion

The future of AI regulation in the US will be shaped by ongoing tension between innovation and oversight, between federal and state authority, and between domestic and international considerations. Organisations that address these challenges early, while keeping their compliance strategies flexible, will be best placed for success in this evolving regulatory environment.

Immediate action items:

1. Conduct a strong inventory of all AI systems currently in use
2. Assess current compliance gaps against existing federal guidelines and applicable state laws
3. Implement risk assessment procedures based on NIST framework principles
4. Develop internal AI governance policies and training programs
5. Establish monitoring systems for regulatory developments in relevant jurisdictions

Long-term strategic considerations:

Build compliance capabilities that can scale with regulatory expansion
Invest in AI safety and fairness technologies that exceed current requirements
Participate in industry standards development and regulatory policy discussions
Develop competitive advantages through responsible AI practices that build consumer trust

Start preparing your organisation today by conducting an AI inventory, adopting risk management frameworks, and developing flexible compliance policies that can evolve with the fast-changing regulatory environment. The future of AI regulation may be uncertain, but the need for early preparation is clear.

Ana Mishova

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.

Frequently Asked Questions

What is the current federal approach to AI regulation in the US?

The US federal government regulates AI mainly through existing laws, executive orders, and agency guidance rather than a comprehensive federal AI law. This approach emphasises voluntary risk management, civil rights enforcement under current anti-discrimination laws, and national security measures, while promoting innovation and American leadership in AI.

What are the key provisions of the Colorado AI Act?

The Colorado AI Act applies to developers and deployers of high-risk AI systems in sectors like employment, healthcare, and financial services. It requires impact assessments before deployment, prohibits algorithmic discrimination, requires consumer disclosures when AI makes consequential decisions, and encourages following standards like the NIST AI Risk Management Framework. Its effective date has been delayed since the law was signed, so check the current start date before relying on it.

How do state AI laws impact businesses operating across multiple states?

State AI laws vary significantly, creating a complex patchwork of regulations. Businesses need compliance strategies that account for different state requirements, including transparency, bias testing, and disclosure obligations. Staying informed about evolving state legislation and adopting flexible AI governance policies matters for multi-state operations.