The United States has no single, comprehensive federal law governing artificial intelligence. Instead, AI is regulated through three overlapping layers: a light-touch federal executive posture, a fast-growing patchwork of state statutes, and voluntary risk-management frameworks that increasingly set the market standard.
Three layers of US AI governance
Federal executive & sectoral
Executive orders set direction; existing agencies (FTC, EEOC, FDA, financial regulators) apply current law to AI within their sectors.
State legislation
States move faster than Congress — from comprehensive rules to narrow bans on specific uses such as hiring, biometrics and deepfakes.
Voluntary frameworks
The NIST AI RMF and sector guidance are non-binding, but procurement, insurers and courts increasingly treat them as the standard of care.
The federal layer: light-touch and shifting
Federal AI policy has moved primarily through executive action rather than legislation, and its direction changes with each administration. The 2023 executive order on safe, secure and trustworthy AI was rescinded in January 2025 and replaced with a policy emphasising innovation and reduced regulatory friction. What stays constant is sectoral enforcement: agencies apply existing consumer-protection, anti-discrimination and product-safety law to AI systems without waiting for new statutes.
The state patchwork
With Congress gridlocked, the states have become the real engine of US AI law — creating a compliance map that varies by jurisdiction and by use case.
Colorado AI Act (SB 205)
The first comprehensive state AI law: duties of care for developers and deployers of high-risk AI to prevent algorithmic discrimination. Effective 2026.
California
A cluster of laws on generative-AI transparency, training-data disclosure, deepfakes and automated decision-making.
Illinois (BIPA)
The strict Biometric Information Privacy Act drives much of the litigation around facial recognition and biometric AI.
New York City (LL 144)
Bias audits are required for automated employment decision tools used to screen candidates.
NIST AI Risk Management Framework
The NIST AI RMF is voluntary, but it has become the common vocabulary for AI governance in the US. It organises trustworthy-AI practice into four functions:
Govern
Build a culture and accountability structure for AI risk across the organisation.
Map
Establish the context and identify the risks tied to each AI system and its use.
Measure
Analyse, assess and track risks with quantitative and qualitative methods.
Manage
Prioritise and act on risks, with monitoring and response across the lifecycle.
How it evolved
What it means for companies
If you build or deploy AI that touches US users, you cannot rely on a single national rulebook. Map your exposure state by state and use case by use case, adopt the NIST AI RMF as a defensible baseline, and document your risk decisions — because sectoral regulators are already applying existing law to AI today.
Original documents
Read the primary sources referenced in this article:
↓ NIST AI Risk Management Framework (AI RMF 1.0) — PDF ↓ Colorado AI Act (Senate Bill 24-205) — official text