US AI Regulation: Federal Executive Orders, State Laws, and Agency Enforcement

Rule

Organizations developing or deploying AI systems in the United States must navigate a fragmented regulatory landscape consisting of federal executive orders, voluntary frameworks, state-level AI statutes, and existing federal agency enforcement under consumer protection, employment discrimination, and sector-specific laws. There is no single comprehensive federal AI statute as of March 2026. Instead, compliance requires mapping applicable obligations across three layers: (1) the federal executive order framework, which favors minimal regulation and federal preemption of state laws; (2) state AI statutes -- with California SB 53 imposing frontier model safety requirements with up to $1M per violation, Colorado's AI Act targeting algorithmic discrimination (effective June 30, 2026), Texas TRAIGA with $10K-$200K penalties, and Illinois HB 3773 requiring AI hiring disclosure -- all effective January 1, 2026; and (3) existing enforcement by the FTC, EEOC, and sector regulators who apply decades-old statutes to AI-specific harms. [src1, src2, src3]

Evidence

As of March 2026, all 50 states, Puerto Rico, the Virgin Islands, and Washington D.C. introduced AI legislation in 2025, with approximately 100 measures adopted or enacted across 38 states. Key state laws now in force or pending include: California SB 53/TFAIA (frontier AI transparency, penalties up to $1M/violation, effective January 1, 2026), California SB 942 (AI content disclosure for systems with 1M+ monthly users, $5,000/day per violation, effective August 2, 2026), Texas TRAIGA ($10,000-$200,000 per violation, effective January 1, 2026), Colorado AI Act ($20,000 per violation, effective June 30, 2026, delayed from February 1, 2026), Illinois HB 3773 (AI employment discrimination, effective January 1, 2026), and New York's RAISE Act ($30M for repeat violations, effective January 1, 2027). NYC Local Law 144, requiring bias audits for automated employment decision tools, has been enforced since July 2023 with penalties of $500-$1,500 per violation per day. The FTC brought five enforcement actions in its September 2024 "Operation AI Comply" sweep targeting deceptive AI claims, though it set aside its Rytr consent order in December 2025. The EEOC issued Title VII guidance in May 2023 establishing that employers are liable for disparate impact from AI hiring tools, even when provided by third-party vendors. [src1, src3, src4, src5, src7, src8]

Key Properties

• Federal framework: No comprehensive federal AI statute; regulation through executive orders, voluntary NIST framework, and existing agency authority (FTC Act Section 5, Title VII, ADA)
• Key executive orders: EO 14110 (Biden, October 2023) revoked January 20, 2025; EO 14179 "Removing Barriers" (Trump, January 23, 2025); December 11, 2025 EO directing federal preemption of state AI laws via DOJ litigation task force, FCC rulemaking within 90 days, and FTC Section 5 policy statement
• California frontier AI law (SB 53): Applies to developers training models at 10^26+ FLOP; large frontier developers ($500M+ revenue) must publish safety frameworks, file quarterly catastrophic risk assessments, and report critical safety incidents within 15 days (24 hours if imminent death/injury risk); up to $1M per violation
• State laws in force (Jan 1, 2026): Texas TRAIGA ($10K-$200K/violation), California SB 53/TFAIA ($1M/violation), California AB 2013 (training data transparency), Illinois HB 3773 (AI employment disclosure), NYC LL144 ($500-$1,500/day, enforced since July 2023)
• State laws pending: Colorado AI Act ($20K/violation, effective June 30, 2026), California SB 942 ($5K/day/violation, effective August 2, 2026), New York RAISE Act ($30M repeat violations, effective January 1, 2027)
• NIST AI RMF: Voluntary, non-binding framework (AI 100-1, January 2023; AI 600-1 GenAI Profile, July 2024); four functions: GOVERN, MAP, MEASURE, MANAGE; safe harbor reference under Texas TRAIGA
• Federal preemption risk: December 2025 EO establishes DOJ AI Litigation Task Force; Commerce Secretary must identify burdensome state laws by March 2026; $42B BEAD broadband funding conditioned on state compliance; FCC directed to initiate preemption proceedings within 90 days

Conditions

• Applies when: Organization develops, deploys, or procures AI systems for use in the United States, particularly for consequential decisions in employment, credit, housing, healthcare, insurance, education, or government services; or trains frontier AI models at 10^26+ FLOP scale
• Does NOT apply when: Organization operates exclusively outside the US with no US customers or data subjects; AI system is used only for internal research with no consumer-facing impact; system does not meet state-specific definitions of "AI system" or "high-risk" system; frontier model threshold (10^26 FLOP) not reached for SB 53 obligations
• Confidence degrades when: Federal preemption litigation outcomes are pending (expected throughout 2026); FCC and FTC rulemaking responses to December 2025 EO are not yet finalized; new state laws are enacted or amended during legislative sessions; Colorado AI Act amendments during delay period may alter obligations before June 2026 effective date; New York RAISE Act awaits gubernatorial action

Constraints

• No single federal AI statute exists; obligations are assembled from executive orders (non-binding on private sector), NIST frameworks (voluntary), FTC enforcement (case-by-case), EEOC guidance (non-binding but signals litigation risk), and state statutes (binding in respective jurisdictions) [src1]
• December 2025 executive order directs the AG to form an AI Litigation Task Force, the FCC to initiate preemption proceedings within 90 days, and conditions $42B in BEAD broadband funding on state repeal of "conflicting" AI laws; but the EO explicitly preserves state authority over child safety, AI data center infrastructure, and state government procurement [src2, src7]
• State law thresholds vary significantly: California SB 53 applies to frontier developers with $500M+ revenue training models at 10^26+ FLOP; Colorado AI Act applies to "high-risk" AI making "consequential decisions" in enumerated domains; Texas TRAIGA applies broadly to all AI developers and deployers; Illinois HB 3773 applies to employers using AI for employment decisions [src3, src8]
• Sector-specific federal laws (HIPAA for health AI, ECOA/FCRA for credit AI, FERPA for education AI) impose independent obligations that layer on top of general AI regulations [src5]
• The FTC has both expanded and contracted AI enforcement within 15 months (Operation AI Comply in September 2024, Rytr order set aside in December 2025), and is now directed by the December 2025 EO to issue a policy statement on how Section 5 applies to AI [src4, src7]

Rationale

The US AI regulatory landscape reflects a fundamental tension between innovation promotion and harm prevention that has produced a fragmented patchwork rather than a unified framework. The current administration's December 2025 executive order employs multiple levers to assert federal primacy -- a DOJ litigation task force, FCC preemption proceedings, FTC policy guidance, and $42 billion in broadband funding conditioned on state compliance -- while explicitly preserving state authority over child safety and government procurement. States, meanwhile, continue to fill the perceived federal vacuum: California's SB 53 sets the first US frontier-model safety standard, Colorado targets algorithmic discrimination in high-risk decisions, and Illinois addresses AI in employment. This dual dynamic creates compliance complexity for organizations operating across multiple jurisdictions, particularly since the December 2025 executive order cannot itself preempt state law -- only Congress or the courts can do that. [src1, src2, src3, src7]

Framework Selection Decision Tree

START -- Organization needs US AI compliance guidance
|-- What type of AI system?
|   |-- Frontier AI model (10^26+ FLOP training)
|   |   |-- Developer revenue >= $500M?
|   |   |   |-- YES --> California SB 53 full obligations (safety framework, quarterly risk assessments, incident reporting)
|   |   |   +-- NO --> California SB 53 base obligations (transparency report, incident reporting)
|   |-- Employment/hiring decision tool
|   |   |-- Operating in NYC?
|   |   |   |-- YES --> LL144 bias audit required (annual, independent auditor)
|   |   |   +-- NO --> Check state laws (Illinois HB 3773 disclosure) + EEOC Title VII guidance
|   |   +-- EEOC four-fifths rule applies regardless of location
|   |-- Consumer-facing AI product/service
|   |   |-- 1M+ monthly California users? --> SB 942 disclosure (effective Aug 2026)
|   |   |-- Making deceptive AI claims? --> FTC Section 5 enforcement risk
|   |   +-- Operating in California? --> AB 2013 transparency disclosure
|   |-- High-risk consequential decision AI
|   |   |-- Operating in Colorado? --> CAIA applies (June 30, 2026)
|   |   |-- Operating in Texas? --> TRAIGA applies (Jan 1, 2026)
|   |   +-- Operating in Utah? --> AI Policy Act applies (May 2024)
|   +-- General AI development
|       +-- NIST AI RMF voluntary adoption recommended
|-- Is the organization a developer, deployer, or both?
|   |-- Developer --> Colorado/Texas/California developer obligations
|   |-- Deployer --> Colorado/Texas deployer obligations
|   +-- Both --> Full set of obligations applies
+-- Is there an existing AI governance program?
    |-- YES --> Audit against NIST AI RMF + applicable state requirements
    +-- NO --> Start with NIST AI RMF governance and risk mapping

Application Checklist

Step 1: Map jurisdictional exposure and applicable laws

• Inputs needed: States where organization operates, serves customers, or employs workers; type of AI system; whether organization is developer, deployer, or both; annual revenue (for SB 53 large developer threshold)
• Output: Matrix of applicable federal and state AI requirements by jurisdiction and use case
• Constraint: Do not assume federal preemption has eliminated state obligations -- the December 2025 EO is an executive directive, not legislation, and state laws remain in force until successfully challenged in court or preempted by Congress [src2, src7]

Step 2: Classify AI systems by risk level and use case

• Inputs needed: AI system inventory, use cases, affected populations, decision domains, training compute (for frontier model classification)
• Output: Risk classification for each AI system under each applicable state law; identification of which systems meet "high-risk" thresholds under Colorado AI Act, TRAIGA, or frontier model thresholds under California SB 53
• Constraint: "High-risk" definitions vary by state; Colorado defines it as AI making or substantially factoring into "consequential decisions" in enumerated areas; Texas prohibits specific "restricted purposes"; California SB 53 uses a compute threshold (10^26+ FLOP) rather than use-case classification [src3, src8]

Step 3: Implement required controls and documentation

• Inputs needed: Risk classifications from Step 2, NIST AI RMF governance framework, current AI governance maturity
• Output: Risk management policies, impact assessments, bias audits (if NYC LL144 applies), consumer disclosure procedures, training data transparency (if California AB 2013 applies), frontier AI safety framework and incident response procedures (if California SB 53 applies), employment AI disclosure notices (if Illinois HB 3773 applies)
• Constraint: NYC LL144 requires bias audits by an independent auditor; Colorado requires annual impact assessments; Texas provides a 60-day cure period; California SB 53 requires critical safety incident reporting within 15 days (24 hours for imminent death/injury) [src1, src7, src8]

Step 4: Establish ongoing monitoring and legal tracking

• Inputs needed: Compliance baseline from Step 3, legal monitoring capacity, legislative calendar
• Output: Quarterly compliance review schedule, AI Litigation Task Force tracking, FCC preemption proceeding monitoring, state legislative session monitoring, FTC and EEOC enforcement action tracking
• Constraint: Escalate to legal counsel immediately if the AI Litigation Task Force files a preemption challenge against a state law your organization relies on, if the FCC issues a preemption determination, or if FTC or EEOC initiates investigation. Monitor Colorado AI Act rulemaking before June 30, 2026 effective date. [src2, src4, src7]

Anti-Patterns

Wrong: Assuming federal preemption has already eliminated state AI laws

Organizations that read the December 2025 executive order as immediately invalidating state AI requirements and halt compliance efforts. The EO directs the AG to form a task force and the Commerce Secretary to identify laws by March 2026, but no state law has been preempted as of March 2026. The EO itself expressly states it does not preempt otherwise lawful state AI laws in child safety, data center infrastructure, and government procurement. [src2, src7]

Correct: Maintain state law compliance while tracking preemption developments

Continue compliance with all applicable state AI laws while monitoring the AI Litigation Task Force actions, FCC preemption proceedings, and any BEAD funding conditions. State laws remain enforceable until a court rules otherwise. Only Congress can formally preempt state law. Treat preemption as a potential future development, not a current reality. [src1, src3]

Wrong: Treating NIST AI RMF adoption as legally sufficient compliance

Organizations that implement the NIST AI Risk Management Framework and assume it satisfies all legal requirements. NIST AI RMF is voluntary and non-binding; it does not substitute for specific statutory obligations under state laws or federal anti-discrimination requirements. [src6]

Correct: Use NIST AI RMF as a governance foundation layered with legal requirements

Adopt NIST AI RMF as a best-practice baseline (it provides safe harbor under Texas TRAIGA), then layer mandatory requirements from applicable state laws, FTC guidance, and EEOC standards on top. Document where voluntary framework compliance meets or exceeds legal obligations. [src6, src3]

Wrong: Assuming AI hiring tools are the vendor's compliance responsibility

Organizations that procure third-party AI hiring tools and assume the vendor handles bias audit compliance for NYC LL144, Illinois HB 3773 disclosure, or disparate impact analysis for EEOC purposes. The EEOC has explicitly stated employers are liable even when AI tools are provided by outside vendors. [src5]

Correct: Conduct independent compliance verification for all AI procurement

Require vendors to provide bias audit reports and disparate impact analyses, then validate independently. Under LL144, the employer -- not the vendor -- must ensure an independent bias audit exists and publish results. Under Illinois HB 3773, the employer must disclose AI use in hiring to candidates. Under EEOC guidance, the employer bears liability for disparate impact regardless of vendor assurances. [src1, src5, src8]

Wrong: Ignoring frontier model obligations because the organization is not based in California

Organizations that train models at 10^26+ FLOP but assume SB 53 does not apply because they are headquartered outside California. SB 53 applies to frontier developers regardless of location if their models are deployed or accessible in California. [src8]

Correct: Assess SB 53 applicability based on model capability and deployment, not company location

If the organization trains models at or above the 10^26 FLOP threshold and those models are used by or accessible to California users, SB 53 obligations likely apply. Large frontier developers ($500M+ revenue) face additional requirements including quarterly catastrophic risk reporting. [src8]

Counter-Arguments

• The fragmented state-by-state approach creates excessive compliance costs for organizations operating nationally, particularly startups; the Trump administration's preemption strategy, while legally uncertain, addresses a real compliance burden problem. [src2]
• Voluntary frameworks like NIST AI RMF may be more effective than prescriptive legislation because they can adapt faster than statutory law to rapidly evolving AI capabilities. [src6]
• Aggressive state regulation may drive AI development offshore or to less-regulated states, reducing the economic benefits of AI innovation without proportionally reducing harms; conditioning $42B in broadband funding on AI law repeal uses economic pressure to achieve what the EO cannot legally mandate. [src3, src7]

Common Misconceptions

Misconception: The US has no AI regulation because Congress has not passed a comprehensive AI law.
Reality: While no single federal AI statute exists, organizations face binding obligations from state laws (California SB 53, Colorado, Texas, Illinois, NYC), existing federal anti-discrimination statutes (Title VII, ADA) as applied to AI by the EEOC, FTC enforcement under Section 5, and sector-specific regulations (HIPAA, FCRA, ECOA). All 50 states introduced AI bills in 2025, with approximately 100 measures adopted across 38 states. [src1, src3, src8]

Misconception: The Biden AI Executive Order 14110 established binding requirements that are now fully repealed.
Reality: EO 14110 primarily directed federal agencies to take actions; its January 2025 revocation removed those agency mandates but did not affect the NIST AI RMF (which predates the EO), state laws, or existing FTC/EEOC enforcement authority. The NIST framework remains fully in effect as a voluntary standard. [src2, src6]

Misconception: Texas TRAIGA and Colorado AI Act have the same requirements.
Reality: They differ significantly. Texas TRAIGA prohibits specific "restricted purposes" (discrimination, rights infringement, deepfake CSAM), provides a 60-day cure period, offers safe harbors for NIST AI RMF compliance, and carries $10K-$200K penalties. Colorado's AI Act focuses on "high-risk" systems making "consequential decisions," requires annual impact assessments, vests exclusive enforcement with the AG (with a 60-day cure notice), penalizes up to $20K per violation, and does not provide a framework-based safe harbor. [src3, src8]

Misconception: California SB 53 only applies to California-based companies.
Reality: SB 53 applies to any "frontier developer" training models at 10^26+ FLOP, regardless of headquarters location, if the model is deployed or accessible in California. This potentially captures all major frontier AI developers. Penalties reach $1M per violation enforced by the California Attorney General. [src8]

Misconception: The December 2025 executive order preempts state AI laws.
Reality: The EO itself cannot preempt state law -- only Congress or the courts can do that. The EO creates mechanisms for future preemption challenges (DOJ task force, FCC proceedings) and economic pressure ($42B BEAD funding conditions), but as of March 2026 no state law has actually been preempted. The EO also explicitly preserves state authority over child safety, data center infrastructure, and government procurement. [src2, src7]

Comparison with Similar Rules

When This Matters

Fetch this when a user asks about AI compliance obligations in the United States, US AI executive orders, state AI laws (California SB 53, Colorado AI Act, Texas TRAIGA, Illinois HB 3773), FTC or EEOC enforcement against AI systems, whether AI hiring tools require bias audits, frontier AI model safety requirements, whether federal preemption has eliminated state AI requirements, or how to build an AI governance program for a US-based organization.