Understanding the US Approach to AI Regulation: A State-by-State Analysis
Note: This article represents a practitioner’s interpretation of the relevant rules and regulations in place at the time of writing. I am not a lawyer, and readers should consult with their own legal counsel and compliance teams before taking any action based on this information.
The United States presents a unique and complex landscape for AI regulation, characterized by a decentralized approach that combines federal guidance with state-level innovation. Unlike the EU’s comprehensive AI Act or China’s centralized framework, the US has adopted a more nuanced strategy that reflects its traditional preference for sector-specific regulation and market-driven solutions.
This distinctive approach creates both opportunities and challenges for organizations developing or deploying AI systems within the American market. Understanding how to navigate this multi-layered regulatory environment has become crucial for technology companies, developers, and compliance officers alike.
For US-based AI developers, the current regulatory landscape requires attention to multiple overlapping frameworks rather than a single comprehensive law. At minimum, developers must: comply with FTC requirements regarding truthful claims about AI capabilities; implement safeguards against algorithmic bias to satisfy EEOC and DOJ expectations; adhere to state-specific disclosure and transparency requirements in California, Colorado, and New York; conduct appropriate risk assessments for high-risk applications; and maintain comprehensive documentation of development processes, training data, and testing methodologies. The absence of a unified federal framework means developers must track evolving requirements across jurisdictions where their systems operate and prepare for more stringent regulations in the near future.
The Federal Framework
At the federal level, the US approach to AI regulation has evolved through a combination of existing authorities and new initiatives. The foundation for federal AI policy includes several key developments:
- National AI Initiative Act of 2020: Established a coordinated program across federal agencies to accelerate AI research and development
- Executive Order 14110 (October 2023): Outlined comprehensive requirements for “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”
- White House Blueprint for an AI Bill of Rights (2022): Provided a non-binding framework focusing on five principles for responsible AI
- NIST AI Risk Management Framework: Offered voluntary guidance for managing risks in AI systems
Rather than creating a single comprehensive framework, federal oversight of AI has emerged through the actions of various agencies applying their existing authorities to AI-related issues:
- The Federal Trade Commission (FTC) has taken an active role in protecting consumers from deceptive AI practices, including a significant enforcement action against Rite Aid regarding facial recognition technology
- The Equal Employment Opportunity Commission (EEOC), Consumer Financial Protection Bureau (CFPB), and Department of Justice (DOJ) issued a joint statement clarifying that their existing authority covers AI
- The Federal Communications Commission (FCC) issued a declaratory ruling classifying AI-generated robocalls as “artificial” voices under the Telephone Consumer Protection Act
State-Level Innovation
The state-level regulatory landscape has proven particularly dynamic, with several states emerging as pioneers in AI governance:
California
California leads with the most comprehensive state-level AI legislation, including:
- The California AI Transparency Act (SB 942): Requires businesses to disclose when they use AI systems to make decisions about consumers
- The Health Care Services: Artificial Intelligence Act (AB 3030): Establishes requirements for AI use in healthcare settings
- The Defending Democracy from Deepfake Deception Act (AB 2655): Prohibits the distribution of materially deceptive content created using AI
Colorado
Colorado has enacted the Colorado AI Act, which:
- Imposes obligations on developers and deployers of high-risk AI systems
- Grants the Colorado Attorney General rule-making and enforcement authority
- Deems violations as unfair or deceptive trade practices
New York
New York has implemented significant AI regulations, particularly:
- NYC Local Law 144: Requires employers to conduct bias audits of automated employment decision tools
- Department of Financial Services AI Guidance: Provides cybersecurity guidance for financial institutions using AI
This state-by-state approach has created a natural laboratory for different regulatory approaches, allowing for experimentation and adaptation to local needs. However, it also presents challenges for organizations operating across state lines, who must navigate an increasingly complex patchwork of requirements.
Key Requirements and Compliance
The requirements for AI systems in the US vary significantly based on both sector and jurisdiction. At the federal level, organizations must focus on:
- Transparency: Disclosing when AI is being used, particularly in consumer interactions
- Testing and Validation: Implementing rigorous testing protocols for high-risk applications
- Bias Mitigation: Ensuring AI systems don’t discriminate against protected classes
- Data Privacy: Complying with existing data protection frameworks when collecting data for AI training
State-level compliance often involves more specific obligations. For instance:
- California’s AI Transparency Act imposes penalties of $5,000 per violation per day
- Colorado’s AI Act requires comprehensive risk assessments for high-risk AI systems
- New York City’s automated employment decision tools law mandates bias audits before deployment
Enforcement Mechanisms
Recent enforcement actions provide insight into how AI regulations are being applied:
The FTC’s settlement with Rite Aid regarding facial recognition technology included:
- A five-year ban on using AI facial recognition
- Requirements to delete all photos and videos used in its facial recognition systems
- Mandatory implementation of a comprehensive monitoring program if facial recognition is used after the ban expires
California’s AI legislation provides for enforcement through:
- Civil actions by the California Attorney General, city attorneys, or county counsel
- Potential suspension or revocation of medical licenses for violations of healthcare AI requirements
- Injunctive relief to compel removal of deceptive AI-generated content
Implementation Strategies
Successfully navigating this complex regulatory landscape requires a sophisticated approach to compliance. Organizations should:
- Develop flexible frameworks that can accommodate both federal requirements and state-specific obligations
- Implement comprehensive documentation of AI systems, including design decisions, training data sources, and testing methodologies
- Conduct regular risk assessments against multiple regulatory frameworks
- Establish monitoring systems that can track evolving requirements across jurisdictions
- Create clear governance structures with defined roles and responsibilities for AI oversight
Sector-Specific Considerations
Different sectors face varying levels of regulatory scrutiny and specific requirements:
- Financial Services: Must navigate both federal banking regulations and state-specific requirements for AI use in lending and risk assessment, with specific guidance from the NYDFS
- Healthcare: Must ensure AI systems comply with both HIPAA requirements and state-specific patient protection measures like California’s AB 3030
- Employment: Must address both EEOC guidance on algorithmic fairness and local requirements like NYC’s automated employment decision tools law
Future Developments
The US regulatory landscape for AI continues to evolve rapidly. Several significant federal bills are under consideration:
- REAL Political Advertisements Act: Would regulate AI-generated political content
- NO FAKES Act: Would protect individuals from unauthorized digital replicas
- AI Research, Innovation, and Accountability Act: Would establish a comprehensive framework for AI governance
The interaction between federal and state regulations is likely to become more complex, particularly as more states develop their own AI-specific legislation. Organizations should prepare for increased regulatory attention and potentially more stringent requirements across jurisdictions.
Looking Forward
Success in the US regulatory environment requires more than just technical compliance with current requirements. Organizations must develop flexible, forward-looking compliance strategies that can adapt to evolving regulations across multiple jurisdictions. This means not only meeting today’s requirements but also building systems and processes that can accommodate tomorrow’s regulatory changes.
As I navigate this landscape myself, I’ve found that staying ahead of regulatory developments requires constant vigilance and a willingness to adapt quickly. The organizations that will thrive in this environment are those that view compliance not as a checkbox exercise but as an integral part of responsible AI development.
References
National AI Initiative Act of 2020. H.R.6216, 116th Congress. https://www.govinfo.gov/content/pkg/COMPS-15328/pdf/COMPS-15328.pdf
Executive Order 14110 of October 30, 2023. “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” Federal Register. https://www.federalregister.gov/documents/2023/10/30/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence
National Institute of Standards and Technology. (2024). “AI Risk Management Framework.” NIST Special Publication 8549. https://www.nist.gov/itl/ai-risk-management-framework
California Senate Bill 942: California AI Transparency Act. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB942
Colorado AI Act. https://leg.colorado.gov/bills/sb23-256
White & Case. “AI Watch: Global regulatory tracker - United States.” https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-united-states