US AI Regulation: A State-by-State Analysis

· 9 min read
ai compliance policy regulation technology

Note: This article represents a practitioner’s interpretation of the relevant rules and regulations in place at the time of writing. I am not a lawyer, and readers should consult with their own legal counsel and compliance teams before taking any action based on this information.

The United States presents a unique and complex landscape for AI regulation, characterized by a decentralized approach that combines federal guidance with state-level innovation. Unlike the EU’s comprehensive AI Act or China’s centralized framework, the US has adopted a more nuanced strategy that reflects its traditional preference for sector-specific regulation and market-driven solutions.

This distinctive approach creates both opportunities and challenges for organizations developing or deploying AI systems within the American market. Understanding how to navigate this multi-layered regulatory environment has become crucial for technology companies, developers, and compliance officers alike.

For US-based AI developers, the current regulatory landscape requires attention to multiple overlapping frameworks rather than a single comprehensive law. At minimum, developers must: comply with FTC requirements regarding truthful claims about AI capabilities; implement safeguards against algorithmic bias to satisfy EEOC and DOJ expectations; adhere to state-specific disclosure and transparency requirements in California, Colorado, and New York; conduct appropriate risk assessments for high-risk applications; and maintain comprehensive documentation of development processes, training data, and testing methodologies. The absence of a unified federal framework means developers must track evolving requirements across jurisdictions where their systems operate and prepare for more stringent regulations in the near future.

The Federal Framework

At the federal level, the US approach to AI regulation has evolved through a combination of existing authorities and new initiatives. The foundation for federal AI policy includes several key developments:

  • National AI Initiative Act of 2020: Established a coordinated program across federal agencies to accelerate AI research and development
  • Executive Order 14110 (October 2023): Outlined comprehensive requirements for “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”
  • White House Blueprint for an AI Bill of Rights (2022): Provided a non-binding framework focusing on five principles for responsible AI
  • NIST AI Risk Management Framework: Offered voluntary guidance for managing risks in AI systems

Update (2025-2026): The federal landscape shifted dramatically in 2025. On January 20, 2025, President Trump signed an executive order revoking Executive Order 14110 and directing agencies to pursue a pro-innovation approach under the banner of “Removing Barriers to American Leadership in AI.” In July 2025, the administration published America’s AI Action Plan, identifying more than 90 federal policy actions. Then in December 2025, President Trump signed Executive Order 14365, “Ensuring a National Policy Framework for Artificial Intelligence,” which took direct aim at the growing patchwork of state AI laws. EO 14365 created an AI Litigation Task Force (led by the Attorney General) to challenge state AI laws on grounds of interstate commerce interference and federal preemption, directed the Secretary of Commerce to identify “onerous” state AI laws within 90 days, authorized conditioning federal funding on state alignment with federal AI policy, and directed the FCC and FTC to develop federal standards that could preempt state-level requirements. The order does carve out exceptions for child safety, AI compute infrastructure, and state government procurement.

This represents a fundamental pivot from the Biden administration’s emphasis on safety and risk management to a posture that prioritizes American competitiveness and deregulation at the federal level, while actively pushing back against states that have moved to fill the regulatory vacuum.

Rather than creating a single comprehensive framework, federal oversight of AI has emerged through the actions of various agencies applying their existing authorities to AI-related issues:

  • The Federal Trade Commission (FTC) has taken an active role in protecting consumers from deceptive AI practices, including a significant enforcement action against Rite Aid regarding facial recognition technology
  • The Equal Employment Opportunity Commission (EEOC), Consumer Financial Protection Bureau (CFPB), and Department of Justice (DOJ) issued a joint statement clarifying that their existing authority covers AI
  • The Federal Communications Commission (FCC) issued a declaratory ruling classifying AI-generated robocalls as “artificial” voices under the Telephone Consumer Protection Act

State-Level Innovation

The state-level regulatory landscape has proven particularly dynamic, with several states emerging as pioneers in AI governance:

California

California leads with the most comprehensive state-level AI legislation, including:

  • The California AI Transparency Act (SB 942): Requires businesses to disclose when they use AI systems to make decisions about consumers
  • The Health Care Services: Artificial Intelligence Act (AB 3030): Establishes requirements for AI use in healthcare settings
  • The Defending Democracy from Deepfake Deception Act (AB 2655): Prohibits the distribution of materially deceptive content created using AI
  • The Transparency in Frontier Artificial Intelligence Act (TFAIA), signed September 29, 2025, is California’s first comprehensive AI framework. It applies to frontier AI developers (models trained with more than 10^26 operations) and requires publication of governance frameworks, catastrophic risk assessments, and transparency reports. Critical incidents must be reported within 15 days (24 hours for imminent danger). Penalties reach up to $1 million per violation. Large frontier developers (over $500M revenue) face additional obligations. The law took effect January 1, 2026.

Colorado

Colorado has enacted the Colorado AI Act, which:

  • Imposes obligations on developers and deployers of high-risk AI systems
  • Grants the Colorado Attorney General rule-making and enforcement authority
  • Deems violations as unfair or deceptive trade practices

The Colorado AI Act goes into effect on February 1, 2026, making it the first comprehensive US state AI legislation to become enforceable. It imposes a “duty of reasonable care” on developers and deployers of high-risk AI systems to protect consumers from algorithmic discrimination and requires annual impact assessments.

New York

New York has implemented significant AI regulations, particularly:

  • NYC Local Law 144: Requires employers to conduct bias audits of automated employment decision tools
  • Department of Financial Services AI Guidance: Provides cybersecurity guidance for financial institutions using AI

Illinois

Illinois amended its Human Rights Act to regulate AI in employment contexts, covering recruitment, hiring, promotion, and discharge across all protected classes. These amendments took effect January 1, 2026.

This state-by-state approach has created a natural laboratory for different regulatory approaches, allowing for experimentation and adaptation to local needs. But it also presents challenges for organizations operating across state lines, who must navigate an increasingly complex patchwork of requirements.

Key Requirements and Compliance

The requirements for AI systems in the US vary significantly based on both sector and jurisdiction. At the federal level, organizations must focus on:

  • Transparency: Disclosing when AI is being used, particularly in consumer interactions
  • Testing and Validation: Implementing rigorous testing protocols for high-risk applications
  • Bias Mitigation: Ensuring AI systems don’t discriminate against protected classes
  • Data Privacy: Complying with existing data protection frameworks when collecting data for AI training

State-level compliance often involves more specific obligations. For instance:

  • California’s AI Transparency Act imposes penalties of $5,000 per violation per day
  • Colorado’s AI Act requires comprehensive risk assessments for high-risk AI systems
  • New York City’s automated employment decision tools law mandates bias audits before deployment

Enforcement Mechanisms

Recent enforcement actions provide insight into how AI regulations are being applied:

  • The FTC’s settlement with Rite Aid regarding facial recognition technology included:

    • A five-year ban on using AI facial recognition
    • Requirements to delete all photos and videos used in its facial recognition systems
    • Mandatory implementation of a comprehensive monitoring program if facial recognition is used after the ban expires

  • California’s AI legislation provides for enforcement through:

    • Civil actions by the California Attorney General, city attorneys, or county counsel
    • Potential suspension or revocation of medical licenses for violations of healthcare AI requirements
    • Injunctive relief to compel removal of deceptive AI-generated content

Implementation Strategies

Successfully navigating this complex regulatory landscape requires a sophisticated approach to compliance. Organizations should:

  1. Develop flexible frameworks that can accommodate both federal requirements and state-specific obligations
  2. Implement comprehensive documentation of AI systems, including design decisions, training data sources, and testing methodologies
  3. Conduct regular risk assessments against multiple regulatory frameworks
  4. Establish monitoring systems that can track evolving requirements across jurisdictions
  5. Create clear governance structures with defined roles and responsibilities for AI oversight

Sector-Specific Considerations

Different sectors face varying levels of regulatory scrutiny and specific requirements:

  • Financial Services: Must navigate both federal banking regulations and state-specific requirements for AI use in lending and risk assessment, with specific guidance from the NYDFS
  • Healthcare: Must ensure AI systems comply with both HIPAA requirements and state-specific patient protection measures like California’s AB 3030
  • Employment: Must address both EEOC guidance on algorithmic fairness and local requirements like NYC’s automated employment decision tools law

Future Developments

The defining dynamic for 2026 is the collision between the federal government’s deregulatory posture and the growing number of states that have enacted enforceable AI obligations. Executive Order 14365’s AI Litigation Task Force is expected to begin challenging state laws, while states like California, Colorado, and Illinois continue to enforce their own frameworks. Several additional states, including Connecticut, Massachusetts, New Mexico, New York, Texas, and Virginia, have pending AI legislation at various stages.

At the federal level, several bills remain under consideration:

  • REAL Political Advertisements Act: Would regulate AI-generated political content
  • NO FAKES Act: Would protect individuals from unauthorized digital replicas
  • AI Research, Innovation, and Accountability Act: Would establish a comprehensive framework for AI governance

Looking Forward

Success in the US regulatory environment requires more than just technical compliance with current requirements. Organizations must develop flexible, forward-looking compliance strategies that can adapt to evolving regulations across multiple jurisdictions. This means not only meeting today’s requirements but also building systems and processes that can accommodate tomorrow’s regulatory changes.

As I navigate this landscape myself, I’ve found that staying ahead of regulatory developments requires constant vigilance and a willingness to adapt quickly. The organizations that will thrive in this environment are those that view compliance not as a checkbox exercise but as an integral part of responsible AI development.

References

  1. National AI Initiative Act of 2020. H.R.6216, 116th Congress. https://www.govinfo.gov/content/pkg/COMPS-15328/pdf/COMPS-15328.pdf

  2. Executive Order 14110 of October 30, 2023. “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” Federal Register. https://www.federalregister.gov/documents/2023/10/30/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence

  3. National Institute of Standards and Technology. (2024). “AI Risk Management Framework.” NIST Special Publication 8549. https://www.nist.gov/itl/ai-risk-management-framework

  4. California Senate Bill 942: California AI Transparency Act. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB942

  5. Colorado AI Act. https://leg.colorado.gov/bills/sb23-256

  1. White & Case. “AI Watch: Global regulatory tracker - United States.” https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-united-states

  2. White & Case. “State AI Laws Under Federal Scrutiny: Key Takeaways from the Executive Order Establishing Federal AI Policy Framework.” https://www.whitecase.com/insight-alert/state-ai-laws-under-federal-scrutiny-key-takeaways-executive-order-establishing

  3. White & Case. “California Enacts Landmark AI Transparency Law.” https://www.whitecase.com/insight-alert/california-enacts-landmark-ai-transparency-law-transparency-frontier-artificial

  4. White & Case. “Automated Decision Making Emerges as an Early Target of State AI Regulation.” https://www.whitecase.com/insight-alert/automated-decision-making-emerges-early-target-state-ai-regulation

Changelog

  • February 2026: Updated to reflect the revocation of Executive Order 14110, the Trump administration’s AI Action Plan and Executive Order 14365, California’s Transparency in Frontier AI Act, the Colorado AI Act’s February 2026 effective date, Illinois Human Rights Act AI amendments, and the emerging federal-state regulatory tension. Added new references from White & Case.

Linked from