AI Governance for U.S. Projects: What Actually Applies?

The US has no comprehensive federal AI law. What applies to your project depends on your sector, your use cases, and which states your users are in. Here's how to navigate a landscape built from executive orders, voluntary standards, existing law, and accelerating state regulation.

By AIPMO · 15 min read

PM Takeaways

  • There is no single US federal AI law. Compliance in the US means understanding what sector-specific laws already apply to your AI system — employment discrimination law, consumer protection law, financial regulation — rather than looking for an AI-specific statute to follow.
  • The NIST AI RMF is voluntary, but it’s not optional in practice. Enterprise customers, government contractors, and insurance underwriters increasingly expect documented alignment. Working through the GOVERN, MAP, MEASURE, and MANAGE functions reduces legal exposure under existing laws even where no AI-specific regulation yet applies.
  • Existing civil rights laws already apply to AI decisions. EEOC v. iTutorGroup (2023) established that using an automated system to screen employment decisions doesn’t change the employer’s obligations under Title VII or the ADEA. If your AI makes or influences employment decisions, federal law is already in scope.
  • State AI legislation is accelerating. Colorado’s AI Act (effective June 30, 2026) requires risk management programs and impact assessments for high-risk AI affecting Colorado residents. More states will follow. Governance frameworks built on voluntary standards today are the infrastructure that makes mandatory compliance tractable when requirements arrive.

If you’re managing AI projects in the US, the first question is usually: what law applies? The answer looks nothing like it does in the EU. In Europe, a single regulation provides a complete framework. In the US, there’s no equivalent federal AI law. Compliance means understanding how multiple overlapping requirements interact for your specific system, sector, and states of operation.

What you have instead: executive orders that mostly apply to federal agencies and contractors, voluntary standards like the NIST AI RMF, agency guidance extending existing law to AI contexts, and an expanding set of state laws. The landscape keeps changing. Understanding it means mapping the intersection of all these layers for your specific situation.


The Federal Landscape: Voluntary, Sectoral, and Evolving

No Omnibus AI Law

There’s no single US federal statute governing AI development or deployment in the private sector. This reflects a consistent US policy preference: let markets self-regulate emerging technology rather than impose top-down mandates early. Federal AI governance comes from three main sources, each operating differently and covering different actors:

  • Executive orders. Presidential directives have addressed AI policy across multiple administrations, but these primarily govern how federal agencies and government contractors develop, acquire, and use AI. They do not directly regulate private sector AI projects unless your work involves federal contracts or government programs.
  • Agency guidance. Federal agencies have issued interpretive guidance clarifying how their existing statutory authorities apply to AI. This is enforcement-oriented: it tells you what the FTC, EEOC, FDA, and SEC already have authority to act on, not what new requirements AI-specific law creates.
  • Voluntary frameworks. NIST AI RMF 1.0 is the primary federal contribution to AI governance for the private sector. It is explicitly voluntary, designed to be rights-preserving, non-sector-specific, and use-case agnostic — but it carries significant practical weight as the reference standard against which responsible AI governance practice is measured.

Executive Orders: Government AI, Not Private Sector Mandates

Three executive orders frame the current federal posture:

  • EO 13960 (2020) — Promoting Trustworthy AI in Federal Government. Established AI principles for federal agency use (accuracy, reliability, explainability, safety, security, accountability) and laid groundwork for subsequent federal AI governance. PM implication: Applies directly to federal agency projects; signals the governance principles federal procurement will reflect.
  • EO 14110 (2023) — Safe, Secure, and Trustworthy AI (Biden). Comprehensive order directing federal agencies on AI risk management, civil rights, workforce impacts, and international coordination. Directed NIST standards development and EEOC and DOJ civil rights enforcement guidance. PM implication: Though largely rescinded in 2025 under EO 14179, this order produced agency guidance and enforcement activity that remains in effect, including EEOC guidance on algorithmic discrimination.
  • EO 14179 (2025) — Removing Barriers to American AI Leadership (Trump). Revoked EO 14110, directed development of an AI Action Plan, and signalled a shift toward reducing regulatory friction on AI development. PM implication: Federal posture now prioritizes innovation over precaution at the policy level. Enforcement activity by agencies under existing law continues regardless of executive policy direction.

The key PM implication across all three orders: unless your project involves federal contracts, federal procurement, or federal agency programs, executive orders do not directly regulate your AI project. They signal the direction of federal policy and influence what government customers will expect — but they are not legal requirements for private sector deployments.

Agency Guidance: Existing Law Already Applies

Federal agencies have been clear: the use of AI does not exempt organizations from legal obligations that apply to their sector. The most instructive case is EEOC v. iTutorGroup — the first landmark algorithmic discrimination enforcement action under existing federal civil rights law. The EEOC sued iTutorGroup after its automated hiring platform was found to automatically reject female applicants aged 55 and older, and male applicants aged 60 and older, in violation of the Age Discrimination in Employment Act. The case settled for USD 365,000 in 2023. The company’s use of an automated system was not a defense — the discrimination embedded in the algorithm’s decision logic was the discrimination under the statute.

If your AI system performs a function that is already regulated — employment screening, credit decisioning, benefit eligibility, medical diagnosis, financial advice — the regulatory framework governing that function applies to your AI system.

  • Consumer protection. Applicable law: FTC Act (Section 5). Enforcement position: Deceptive or unfair AI practices, including deceptive AI personas, unfair algorithmic pricing, and false claims about AI capabilities, are enforceable under existing FTC authority. The FTC has stated AI does not create a legal exemption from consumer protection obligations.
  • Employment. Applicable law: Title VII, ADA, ADEA. Enforcement position: Algorithmic discrimination in hiring, promotion, termination, and compensation violates civil rights law regardless of whether the decision is made by a person or a system. EEOC v. iTutorGroup (2023, USD 365,000 settlement) is the primary precedent.
  • Credit and housing. Applicable law: Equal Credit Opportunity Act, Fair Housing Act. Enforcement position: Discriminatory lending or housing decisions made by AI systems are subject to the same disparate impact analysis as human decisions. The CFPB has issued guidance on adverse action notice requirements when AI is used in credit decisioning.
  • Healthcare. Applicable law: HIPAA, FDA device regulations. Enforcement position: AI systems processing protected health information are covered by HIPAA’s privacy and security rules. AI-based diagnostic or treatment decision support tools meeting the definition of a medical device are regulated under FDA’s Software as a Medical Device framework.
  • Finance and securities. Applicable law: Securities Exchange Act, investment adviser rules. Enforcement position: AI-related material risks require disclosure under SEC rules. The SEC’s 2024 guidance addressed conflicts of interest in AI-powered investment recommendations and predictive data analytics tools used by investment advisers and broker-dealers.

NIST AI RMF: The Practical Standard for Private Sector Governance

The NIST AI Risk Management Framework (NIST AI 100-1, January 2023) is the primary federal contribution to AI governance for the US private sector, and it is voluntary. It is explicitly designed to be rights-preserving, non-sector-specific, and use-case agnostic. The voluntary nature of the NIST AI RMF does not mean it is optional in practice. Several dynamics make NIST AI RMF alignment a de facto requirement for many organizations:

  • Federal procurement. OMB guidance on federal agency AI governance references NIST AI RMF alignment. Federal contractors and government technology suppliers face increasing expectations around documented AI risk management.
  • Enterprise customer requirements. Large enterprise customers, particularly in regulated industries, are beginning to require supplier attestations of AI governance maturity. NIST AI RMF provides the reference structure against which those attestations are evaluated.
  • Legal due diligence. Documented NIST AI RMF implementation creates an evidentiary record of responsible governance practice that is relevant in enforcement actions, litigation, and regulatory examinations under existing law.
  • Insurance and cyber risk. As cyber insurance and technology errors-and-omissions policies begin to address AI-related risks, insurers are looking at governance frameworks as indicators of risk maturity.

NIST has also published NIST AI 600-1 (Generative AI Profile, 2024) and NIST AI 100-5 (Agentic AI Standards Plan, 2025) as extensions of the core framework for GenAI-specific and agentic AI risk considerations. For projects involving large language models or autonomous AI agents, these documents extend the MAP function’s risk taxonomy to include hallucination, data privacy in training pipelines, and the governance implications of multi-agent orchestration.


State-Level Regulation: The Patchwork Is Accelerating

While federal action remains limited to voluntary frameworks and sector-specific agency guidance, states are moving faster. In 2024, 700 AI legislative proposals were introduced across the US, with 45 states, Puerto Rico, Washington D.C., and the US Virgin Islands introducing AI bills. The federal government’s attempt to impose a ten-year moratorium on state-level AI legislation enforcement was rejected by the Senate on a 99–1 vote in 2025. State AI regulation is not being preempted; it is accelerating.

The question “what law applies?” must be answered at the state level based on where affected individuals are located, not where your company is incorporated.

Colorado AI Act (Effective June 30, 2026)

Colorado’s Artificial Intelligence Act, enacted in May 2024, is the most comprehensive state-level AI regulation in the United States. Its core obligation: developers and deployers of high-risk AI systems must implement risk management programs and conduct impact assessments to prevent algorithmic discrimination in consequential decisions.

  • High-risk AI system: Any AI system making or substantially influencing consequential decisions about a Colorado consumer.
  • Consequential decision: A decision that has a material effect on access to or the cost of housing, employment, credit, education, healthcare, insurance, or a legal service or process.
  • Developer obligations include: providing deployers with documentation on known or foreseeable risks of algorithmic discrimination, training data used, and evaluation metrics.
  • Deployer obligations include: implementing a risk management program, conducting impact assessments before deployment and annually thereafter, providing notice to consumers when a consequential decision is made, and providing a mechanism for consumers to appeal and correct information.

PM implication: If your AI system makes or influences consequential decisions affecting Colorado residents, the Colorado AI Act applies regardless of where you are based. The impact assessment requirement is a project deliverable — it must be completed before deployment and updated annually.

Illinois: AI in Employment Decisions (Effective January 1, 2026)

Illinois House Bill 3773, effective January 1, 2026, amends the Illinois Human Rights Act to address AI use in employment. Key requirements for employers using AI in hiring, promotions, or termination decisions affecting Illinois workers: notice to employees and applicants that AI is being used; prohibition on AI systems that result in discrimination based on protected characteristics; and data collection obligations related to AI demographic impact.

PM implication: If your AI system is used for employment decisions affecting Illinois workers, notice and non-discrimination obligations apply as of January 2026. This is a mandatory requirement, not a best practice.

New York City: Local Law 144 (In Effect)

NYC Local Law 144 requires bias audits for automated employment decision tools used in hiring and promotion decisions affecting New York City workers. Employers and employment agencies using covered tools must: obtain and publish an annual bias audit from an independent auditor; provide notice to candidates and employees that an automated employment decision tool is being used; and disclose the tool’s characteristics and the job qualifications it evaluates.

PM implication: If your AI hiring or promotion tool affects NYC workers, the bias audit and notice obligations are already in effect. The audit must be completed before the tool is deployed for covered decisions, and results must be made publicly available.

California: A Sectoral Mosaic

California has taken a sectoral rather than comprehensive approach, passing multiple laws addressing specific AI risks. The PM’s exposure depends on the use case:

  • AB-2885 (AI Definitions, 2024): Defines “artificial intelligence” in California law as a machine-based system that can make predictions, recommendations, or decisions influencing real or virtual environments. Provides the definitional basis for subsequent legislation.
  • AB-3030 (Healthcare AI Disclosures, 2024): Requires healthcare providers to disclose to patients when AI is used to generate clinical communications. PM implication: AI tools generating patient-facing communications in healthcare settings require explicit disclosure.
  • SB-926 / SB-981 (Non-consensual Intimate Images, 2024): Criminalise non-consensual AI-generated intimate imagery. PM implication: Generative AI tools must prohibit this use in terms of service and implement safeguards.
  • AB-2355 / AB-2839 (Political AI Disclosures, 2024): Require disclosure labels on AI-generated content in political advertisements and on deceptive materials distributed before elections. PM implication: AI tools used in political communications require disclosure mechanisms.
  • AB-2602 / AB-1836 (Digital Replicas, 2024): Require consent for AI-generated replicas of actors and deceased performers for entertainment purposes. PM implication: AI tools that replicate individuals’ likenesses require consent frameworks.

The Federal Preemption Question

A recurring question in US AI policy is whether federal law will eventually preempt state AI regulation, creating a uniform national framework. The 99–1 Senate vote against the AI legislation moratorium in 2025 is the clearest signal that federal preemption is not imminent. States have demonstrated both the political will and the legislative capacity to regulate AI independently.

Do not build your AI compliance strategy around the expectation that a future federal AI law will simplify the landscape. Plan for a multi-jurisdictional environment and build governance processes that can accommodate new requirements as they emerge at the state level.


Practical Governance for the US Context

The absence of comprehensive federal AI requirements does not mean governance is optional. It means governance choices fall more directly on project teams. Five practices provide a defensible foundation in a patchwork environment.

1. Start with the Laws You Already Face

Before asking “what AI law applies,” ask “what laws govern my sector, and do they apply to what my AI system does?” Employment, healthcare, finance, housing, and consumer-facing applications are all already subject to regulatory frameworks. EEOC v. iTutorGroup established that algorithmic implementation of discriminatory decision logic violates the same laws that would prohibit a human from making the same decision. Your AI system does not operate in a legal vacuum — it inherits the regulatory framework of the function it performs.

2. Map Your Jurisdictions Before You Build

State AI laws apply based on where affected individuals are located, not where your company is headquartered. Before finalizing scope, identify which states’ residents will be subject to your system’s consequential decisions. Colorado residents trigger the Colorado AI Act. Illinois workers trigger HB 3773. NYC candidates trigger Local Law 144. A system with national reach may be subject to all three simultaneously. Jurisdiction mapping is a chartering-phase activity, not a legal review step at the end of development.

3. Implement NIST AI RMF as Your Governance Backbone

NIST AI RMF provides the structured risk management approach that is most likely to remain relevant as the regulatory landscape continues to evolve. Because it is use-case agnostic and non-sector-specific, it creates a governance infrastructure that can accommodate new mandatory requirements as they arrive. Organizations that have implemented the NIST AI RMF’s GOVERN, MAP, MEASURE, and MANAGE functions before mandatory requirements arrive are not starting from scratch when they need to comply: they are mapping existing practices to new obligations.

4. Document Your Governance

In the US’s enforcement-oriented approach to AI governance, documentation of risk management decisions creates the evidentiary record that matters when questions arise. This includes: impact assessments documenting affected parties and mitigation decisions; bias testing results and the methodology used; data governance decisions during the training data selection process; human oversight design decisions; and post-deployment monitoring results. Documentation does not prevent enforcement action, but its absence significantly weakens any defense that the organization acted responsibly.

5. Build Flexibility for the Landscape That’s Coming

The US AI regulatory landscape will continue to evolve faster than any single project lifecycle. New state laws will create new requirements. Federal agency guidance will clarify existing enforcement positions. Enterprise customers will raise their expectations of supplier AI governance. Build your governance processes with parameterized scope — not customized to the minimum of what’s required today, but structured to accommodate new requirements without a complete rebuild. The Colorado AI Act’s impact assessment framework, Illinois HB 3773’s notice requirements, and NYC Local Law 144’s bias audit obligations are the leading edge of a converging national standard.


Right-Sizing for Your Situation

How much governance structure is appropriate depends on your use case risk level, jurisdictions of operation, and organizational maturity. All US AI projects benefit from the five practices above — the value is building governance that scales as the landscape changes.

Greenfield — Starting Out

The two most useful immediate steps are: run the jurisdiction check (which states’ residents does your system affect?), and ask the existing-law question (what regulatory framework governs the function your AI performs?). Those two answers will tell you whether you have mandatory requirements now or are operating under voluntary standards. If it’s the latter, set up NIST AI RMF governance basics — GOVERN decisions on risk tolerance and accountability, MAP for stakeholder scope and assumptions, and a simple documentation log for key decisions. The paper trail is the governance.

Emerging — Building Repeatability

The Colorado AI Act’s annual impact assessment requirement is the right template to build around, even if Colorado isn’t currently in scope. It forces the right discipline: a formal assessment before deployment, an annual review cadence, a documented trail of mitigation decisions. Build this into your project intake as a standing deliverable for any AI system making consequential decisions about individuals. Add the jurisdiction mapping step to your chartering checklist so obligation scope is determined before architecture is locked in.

Established — Mature Programs

At this level the work is crosswalk and integration. NIST AI RMF implementation maps well onto Colorado AI Act requirements (MAP function to impact assessment, MEASURE to bias testing, MANAGE to ongoing monitoring and incident response). Document those mappings explicitly so your existing governance work generates the compliance evidence — you shouldn’t be running parallel processes. For federal contractor work, OMB’s AI governance guidance and the NIST AI RMF crosswalk documentation are the reference points for demonstrating alignment.

The AI Governance Advisor at app.aipmo.co can help you work through which US federal and state obligations apply to your specific AI system, use case, and jurisdictions of operation.


Framework References

NIST AI Risk Management Framework 1.0 (NIST AI 100-1, January 2023) — GOVERN, MAP, MEASURE, MANAGE functions. Primary US governance reference for private sector AI; provides the risk management structure most relevant to US enforcement and procurement requirements.

NIST AI 600-1 (Generative AI Profile, 2024) and NIST AI 100-5 (Agentic AI Standards Plan, 2025) — Extensions of the AI RMF for GenAI-specific and agentic AI risk considerations. Relevant for projects involving LLMs or autonomous AI agents.

Colorado Artificial Intelligence Act (2024, effective June 30, 2026) — High-risk AI definition based on consequential decisions; risk management and impact assessment requirements for developers and deployers. Most comprehensive US state-level AI regulation currently in force.

EEOC v. iTutorGroup (2023, USD 365,000 settlement) — First landmark federal enforcement action for algorithmic employment discrimination. Establishes that automated decision logic does not exempt employers from civil rights law obligations under Title VII and ADEA.

AIGP Body of Knowledge v1.0.0 — Domain III. US-specific non-discrimination law, agency enforcement guidance, and state privacy laws applicable to AI systems.

This article is part of AIPMO’s Frameworks series. See also: AI Risk Classification  |  EU AI Act Timeline  |  The PM’s Guide to NIST AI RMF  |  AI Impact Assessments
