The United States doesn’t have a single federal AI law. Instead, it has a rapidly growing patchwork of state legislation, federal agency guidance, and local regulations that together form one of the most complex AI governance landscapes in the world.
For companies deploying AI across multiple US states, this patchwork is both a challenge and an opportunity. This guide maps the current landscape and provides a compliance strategy for navigating it.
The Federal Landscape: Agency by Agency
NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI RMF remains the primary voluntary governance standard for US organizations. It provides a structured approach to identifying, assessing, and managing AI risks through four functions:
- Govern: Establish AI risk management policies and processes
- Map: Identify AI systems and their contexts, purposes, and impacts
- Measure: Assess AI risks using quantitative and qualitative methods
- Manage: Implement risk treatment strategies
AI RMF 2.0, expected in late 2026, will add sector-specific implementation guidance and updated risk taxonomies.
FTC Enforcement
The Federal Trade Commission has been the most active federal enforcer on AI. Key enforcement areas:
- Deceptive AI claims: Companies making unsubstantiated claims about AI capabilities
- Algorithmic discrimination: AI systems that result in unfair or discriminatory outcomes
- Dark patterns: AI-driven interfaces that manipulate users into unintended actions
- Data practices: AI training data obtained through unfair or deceptive means
The FTC has brought enforcement actions against companies for AI-related violations and has signaled that AI enforcement remains a top priority.
SEC Guidance
The Securities and Exchange Commission requires public companies to disclose material AI risks in their 10-K filings. The SEC has also warned against „AI washing“ — making misleading claims about AI capabilities to attract investment.
EEOC Guidance
The Equal Employment Opportunity Commission has issued guidance on AI in employment decisions. Key requirements:
- Employers using AI screening tools must conduct adverse impact analyses
- The „four-fifths rule“ applies: if a selection rate for any group is less than 80% of the rate for the most-selected group, adverse impact may exist
- Employers are liable for discriminatory outcomes even when using third-party AI tools
FDA: AI/ML in Medical Devices
The FDA has approved over 700 AI/ML-enabled medical devices as of 2026. The regulatory framework includes:
- Predetermined Change Control Plans: Manufacturers can pre-specify anticipated modifications without new submissions
- Real-world performance monitoring: Post-market surveillance requirements for AI/ML devices
- Transparency: Patients must be informed when AI is involved in their care
State-Level AI Laws: The Patchwork
Colorado AI Act (SB 24-205) — Effective July 1, 2026
Colorado passed the most comprehensive state AI law in the US. Key requirements:
Applies to: Deployers and developers of „high-risk AI systems“ — AI systems that make „consequential decisions“ in:
– Education
– Employment
– Financial services
– Healthcare
– Housing
– Insurance
– Legal services
Deployer obligations:
– Conduct an impact assessment for each high-risk AI system
– Publish a transparency statement summarizing the AI system and its purpose
– Provide notice to affected individuals when AI is used in consequential decisions
– Offer an appeal process for AI-driven decisions
– Conduct annual reviews of high-risk AI systems
Developer obligations:
– Provide deployers with information about the AI system’s capabilities, limitations, and training data
– Disclose known risks of the AI system
– Cooperate with deployer impact assessments
Enforcement: Colorado Attorney General has exclusive enforcement authority. No private right of action.
California: Privacy + AI
California’s approach combines the CCPA/CPPA framework with emerging AI-specific rules:
ADMT Rules (Automated Decision-Making Technology):
– Consumers have the right to opt out of ADMT for consequential decisions
– Consumers have the right to access information about how ADMT works
– Businesses must provide pre-use notice for ADMT
California AI Safety Act (SB 1047): While the original version was vetoed, a revised version focusing on frontier model safety is in committee.
New York City: Local Law 144
NYC’s automated employment decision tool (AEDT) law requires:
– Annual bias audits by independent auditors
– Publication of audit results on the employer’s website
– Notice to candidates that AI is being used in hiring decisions
– Effective since July 2023, with ongoing enforcement
Illinois: AI Video Interview Act
- Employers must notify candidates before using AI to analyze video interviews
- Must explain how the AI works and what characteristics it evaluates
- Candidates must consent to AI analysis
- Employers must destroy video recordings within 30 days of request
Texas: AI Consumer Protection
Texas has enacted consumer protection laws that apply to AI:
– Prohibition on using AI to manipulate consumers in financial transactions
– Requirements for transparency in AI-driven pricing
– Enforcement through the Texas Attorney General
Other Notable State Laws
- Utah: AI disclosure requirements for consumer-facing AI interactions
- Connecticut: State agency AI inventory and risk assessment requirements
- Montana: AI deepfake regulations for election content
- Massachusetts: Government AI use transparency requirements
- Washington: Facial recognition restrictions for government use
The Emerging Patchwork: 40+ States
As of mid-2026, over 40 states have AI-related bills in various stages of the legislative process. Key trends:
- Employment AI: 15+ states considering laws on AI in hiring and employment decisions
- Deepfakes: 20+ states with deepfake legislation, particularly focused on elections and non-consensual intimate imagery
- AI in healthcare: 10+ states considering AI-specific healthcare regulations
- Children’s safety: 15+ states with AI-related children’s online safety bills
- Government AI use: 20+ states requiring transparency and oversight of government AI systems
Compliance Strategy for Multi-State Companies
Step 1: Build a Unified AI Inventory
Catalog all AI systems, their deployment locations, and the decisions they make. This is the foundation for all compliance activities.
Step 2: Map Regulatory Requirements
For each AI system, identify which state laws apply based on:
– Where the company operates
– Where affected individuals are located
– The sector in which the AI is deployed
Step 3: Implement the Highest Standard
Where multiple state laws apply, implement the most stringent requirements as your baseline. This simplifies compliance and reduces risk.
Step 4: Build Modular Compliance Processes
Design compliance processes that can be adapted for specific state requirements:
– Impact assessment templates with state-specific modules
– Notice and consent mechanisms that can be customized
– Audit processes that satisfy multiple state requirements simultaneously
Step 5: Monitor Legislative Developments
State AI legislation is evolving rapidly. Assign responsibility for monitoring new bills and assessing their impact on your AI systems.
Step 6: Engage with Regulators
Proactive engagement with state attorneys general and regulatory agencies can help shape favorable regulatory outcomes and demonstrate good faith compliance efforts.
What’s Coming: 2026-2027 Outlook
- Federal AI legislation: Multiple bills in committee, but comprehensive federal AI law remains unlikely before 2027
- More state laws: Expect 10+ additional states to enact AI laws by end of 2027
- Enforcement actions: First enforcement actions under Colorado AI Act expected in late 2026
- FTC rulemaking: Potential FTC rulemaking on AI transparency and fairness
- International coordination: Increasing US-EU dialogue on AI governance alignment
The Bottom Line
The US AI regulatory landscape is complex, but it’s navigable. The key is to build a compliance program that’s:
– Comprehensive: Covers all applicable state and federal requirements
– Adaptable: Can be updated as new laws are enacted
– Risk-based: Focuses resources on the highest-risk AI systems
– Documented: Maintains records demonstrating compliance efforts
Organizations that invest in understanding and complying with the US AI patchwork will be better positioned than those that wait for a single federal law that may never come.
This article is part of DataGate.ch’s AI Governance series. Also in this series: EU AI Act Compliance Guide | Enterprise AI Governance | China AI Regulation