The United States has no single, comprehensive federal law governing artificial intelligence. Instead, AI is regulated through three overlapping layers: a light-touch federal executive posture, a fast-growing patchwork of state statutes, and voluntary risk-management frameworks that increasingly set the market standard.

0Comprehensive federal AI statutes
1stColorado — first comprehensive state AI law
Dozensof state AI bills introduced each session
VoluntaryNIST AI Risk Management Framework

Three layers of US AI governance

Federal executive & sectoral

Executive orders set direction; existing agencies (FTC, EEOC, FDA, financial regulators) apply current law to AI within their sectors.

State legislation

States move faster than Congress — from comprehensive rules to narrow bans on specific uses such as hiring, biometrics and deepfakes.

Voluntary frameworks

The NIST AI RMF and sector guidance are non-binding, but procurement, insurers and courts increasingly treat them as the standard of care.

The federal layer: light-touch and shifting

Federal AI policy has moved primarily through executive action rather than legislation, and its direction changes with each administration. The 2023 executive order on safe, secure and trustworthy AI was rescinded in January 2025 and replaced with a policy emphasising innovation and reduced regulatory friction. What stays constant is sectoral enforcement: agencies apply existing consumer-protection, anti-discrimination and product-safety law to AI systems without waiting for new statutes.

The state patchwork

With Congress gridlocked, the states have become the real engine of US AI law — creating a compliance map that varies by jurisdiction and by use case.

Colorado AI Act (SB 205)

The first comprehensive state AI law: duties of care for developers and deployers of high-risk AI to prevent algorithmic discrimination. Effective 2026.

California

A cluster of laws on generative-AI transparency, training-data disclosure, deepfakes and automated decision-making.

Illinois (BIPA)

The strict Biometric Information Privacy Act drives much of the litigation around facial recognition and biometric AI.

New York City (LL 144)

Bias audits are required for automated employment decision tools used to screen candidates.

NIST AI Risk Management Framework

The NIST AI RMF is voluntary, but it has become the common vocabulary for AI governance in the US. It organises trustworthy-AI practice into four functions:

Govern

Build a culture and accountability structure for AI risk across the organisation.

Map

Establish the context and identify the risks tied to each AI system and its use.

Measure

Analyse, assess and track risks with quantitative and qualitative methods.

Manage

Prioritise and act on risks, with monitoring and response across the lifecycle.

How it evolved

2023 — NIST releases the AI Risk Management Framework 1.0.
2023 — Federal executive order on safe, secure and trustworthy AI.
2024 — Colorado enacts the first comprehensive state AI law (SB 205).
2025 — The 2023 order is rescinded; the federal posture shifts toward innovation.
2026 — The Colorado AI Act takes effect; more states follow with their own bills.

What it means for companies

If you build or deploy AI that touches US users, you cannot rely on a single national rulebook. Map your exposure state by state and use case by use case, adopt the NIST AI RMF as a defensible baseline, and document your risk decisions — because sectoral regulators are already applying existing law to AI today.

📄