US AI Regulation: Federal Executive Orders, State Laws, and Agency Enforcement

Summary

As of May 2026 the US has no single federal AI statute -- compliance is a federal-plus-state patchwork. The December 11, 2025 executive order's preemption machinery is now moving (Commerce policy document ~March 16, 2026; FTC Section 5 AI policy statement issued March 7, 2026 on a 3-2 vote; FCC proceeding expected mid-2026), but no state law has actually been preempted and a coalition of state AGs has urged the FCC not to issue preemptive rules. [src10] State frontier-model laws now bind $500M+ developers: California SB 53 ($1M/violation) and New York's RAISE Act (signed December 19, 2025; $1M first / $3M repeat; 72-hour incident reporting; effective January 1, 2027), with Illinois SB 315 passed by both chambers in May 2026 and awaiting the governor. [src11] In a major reversal, Colorado repealed and replaced its first-in-the-nation AI Act with SB 26-189 (signed May 14, 2026), dropping the duty of care, risk-management programs, and impact assessments in favor of a narrower disclosure regime for "covered ADMT," AG-only enforcement, no private right of action, effective January 1, 2027. [src9] Texas TRAIGA ($10K-$200K), NYC LL144 bias audits, the EEOC's Title VII guidance, and sector-specific federal laws (HIPAA, ECOA/FCRA) continue to apply on top. [src1, src3, src5]

Rule

Organizations developing or deploying AI systems in the United States must navigate a fragmented regulatory landscape consisting of federal executive orders, voluntary frameworks, state-level AI statutes, and existing federal agency enforcement under consumer protection, employment discrimination, and sector-specific laws. There is no single comprehensive federal AI statute as of May 2026. Instead, compliance requires mapping applicable obligations across three layers: (1) the federal executive order framework, which favors minimal regulation and federal preemption of state laws -- the December 2025 EO's machinery is now in motion (Commerce policy document issued ~March 2026, FTC AI policy statement issued March 7, 2026), though no state law has yet been preempted; (2) state AI statutes -- with California SB 53 imposing frontier-model safety requirements with up to $1M per violation, New York's RAISE Act (signed December 19, 2025) imposing parallel frontier obligations, Texas TRAIGA with $10K-$200K penalties, and Illinois HB 3773 requiring AI hiring disclosure -- most effective January 1, 2026, while Colorado repealed and replaced its risk-based AI Act with a narrower disclosure regime (SB 26-189, effective January 1, 2027); and (3) existing enforcement by the FTC, EEOC, and sector regulators who apply decades-old statutes to AI-specific harms. [src1, src2, src3, src9]

Evidence

As of May 2026, all 50 states, Puerto Rico, the Virgin Islands, and Washington D.C. introduced AI legislation in 2025, with approximately 100 measures adopted or enacted across 38 states. Key state laws now in force or pending include: California SB 53/TFAIA (frontier AI transparency, penalties up to $1M/violation, effective January 1, 2026), California SB 942 (AI content disclosure for systems with 1M+ monthly users, $5,000/day per violation, effective August 2, 2026), Texas TRAIGA ($10,000-$200,000 per violation, effective January 1, 2026), Illinois HB 3773 (AI employment discrimination, effective January 1, 2026), and New York's RAISE Act (frontier AI safety, signed December 19, 2025, penalties up to $1M for a first violation and $3M for repeat violations, 72-hour incident reporting to the AG and Division of Homeland Security, effective January 1, 2027). Colorado's first-in-the-nation AI Act was repealed and replaced by SB 26-189 (passed May 12, 2026, signed by Governor Polis on May 14, 2026): the new law eliminates the original duty of care, risk-management programs, impact assessments, and algorithmic-discrimination provisions in favor of a narrower disclosure-and-transparency regime for "covered ADMT," enforced solely by the Colorado AG under the Colorado Consumer Protection Act with a 60-day cure period (sunsetting January 1, 2030) and no private right of action, effective January 1, 2027. NYC Local Law 144, requiring bias audits for automated employment decision tools, has been enforced since July 2023 with penalties of $500-$1,500 per violation per day. Illinois SB 315 (AI Safety Measures Act), which would make Illinois the third frontier-model state after California and New York, passed both legislative chambers in May 2026 and awaits the governor's decision. The FTC brought five enforcement actions in its September 2024 "Operation AI Comply" sweep targeting deceptive AI claims, set aside its Rytr consent order in December 2025, and on March 7, 2026 issued (by a 3-2 vote) its first comprehensive policy statement on how Section 5 applies to AI -- false/exaggerated AI claims, "AI washing," and discriminatory outcomes. The EEOC issued Title VII guidance in May 2023 establishing that employers are liable for disparate impact from AI hiring tools, even when provided by third-party vendors. [src1, src3, src4, src5, src7, src8, src9, src10, src11]

Key Properties

• Federal framework: No comprehensive federal AI statute; regulation through executive orders, voluntary NIST framework, and existing agency authority (FTC Act Section 5, Title VII, ADA)
• Key executive orders: EO 14110 (Biden, October 2023) revoked January 20, 2025; EO 14179 "Removing Barriers" (Trump, January 23, 2025); December 11, 2025 EO directing federal preemption of state AI laws via DOJ litigation task force, FCC rulemaking, and FTC Section 5 policy statement (the FTC statement was issued March 7, 2026)
• California frontier AI law (SB 53): Applies to developers training models at 10^26+ FLOP; large frontier developers ($500M+ revenue) must publish safety frameworks, file quarterly catastrophic risk assessments, and report critical safety incidents within 15 days (24 hours if imminent death/injury risk); up to $1M per violation
• New York RAISE Act: Signed December 19, 2025, effective January 1, 2027; applies to "large developers" of frontier models ($500M+ revenue, aligned with California); requires published safety protocols, 72-hour incident reporting to the AG and Division of Homeland Security, and a new oversight office; penalties up to $1M (first violation) / $3M (repeat)
• State laws in force (Jan 1, 2026): Texas TRAIGA ($10K-$200K/violation), California SB 53/TFAIA ($1M/violation), California AB 2013 (training data transparency), Illinois HB 3773 (AI employment disclosure), NYC LL144 ($500-$1,500/day, enforced since July 2023)
• Colorado AI Act repealed and replaced (SB 26-189): Passed May 12, 2026, signed May 14, 2026; the original risk-based framework (duty of care, risk-management programs, impact assessments, algorithmic-discrimination provisions) was eliminated and replaced by a narrower disclosure regime for "covered ADMT" in seven domains; AG-only enforcement under the Colorado Consumer Protection Act, 60-day cure (sunsets Jan 1, 2030), no private right of action; effective January 1, 2027
• State laws pending / in motion: California SB 942 ($5K/day/violation, effective August 2, 2026), Illinois SB 315 (AI Safety Measures Act, passed both chambers May 2026, awaiting governor; would be the third frontier-model state law)
• NIST AI RMF: Voluntary, non-binding framework (AI 100-1, January 2023; AI 600-1 GenAI Profile, July 2024); four functions: GOVERN, MAP, MEASURE, MANAGE; safe harbor reference under Texas TRAIGA
• Federal preemption status: December 2025 EO established the DOJ AI Litigation Task Force; Commerce issued its policy document (~March 16, 2026); FTC issued its Section 5 AI policy statement March 7, 2026; FCC preemption proceeding expected mid-2026; $42B BEAD broadband funding conditioned on state compliance. No state AI law has actually been preempted as of May 2026

Conditions

• Applies when: Organization develops, deploys, or procures AI systems for use in the United States, particularly for consequential decisions in employment, credit, housing, healthcare, insurance, education, or government services; or trains frontier AI models at 10^26+ FLOP scale
• Does NOT apply when: Organization operates exclusively outside the US with no US customers or data subjects; AI system is used only for internal research with no consumer-facing impact; system does not meet state-specific definitions of "AI system" or "high-risk" system; frontier model threshold (10^26 FLOP) not reached for SB 53 obligations
• Confidence degrades when: Federal preemption litigation outcomes are pending (expected throughout 2026); the FCC preemption proceeding (expected mid-2026) is not yet initiated and DOJ AI Litigation Task Force challenges have not been decided; new state laws are enacted or amended during legislative sessions (e.g., Illinois SB 315 awaits the governor's signature; Colorado's rewritten SB 26-189 may see implementing rules before its January 1, 2027 effective date)

Constraints

• No single federal AI statute exists; obligations are assembled from executive orders (non-binding on private sector), NIST frameworks (voluntary), FTC enforcement (case-by-case), EEOC guidance (non-binding but signals litigation risk), and state statutes (binding in respective jurisdictions) [src1]
• December 2025 executive order directs the AG to form an AI Litigation Task Force, the FCC to initiate preemption proceedings within 90 days, and conditions $42B in BEAD broadband funding on state repeal of "conflicting" AI laws; but the EO explicitly preserves state authority over child safety, AI data center infrastructure, and state government procurement [src2, src7]
• State law thresholds vary significantly: California SB 53 and New York's RAISE Act apply to frontier developers with $500M+ revenue (SB 53 training models at 10^26+ FLOP); Colorado's rewritten SB 26-189 applies to developers/deployers of "covered ADMT" in seven consequential-decision domains (effective Jan 1, 2027) rather than the original "high-risk" duty-of-care model; Texas TRAIGA applies broadly to all AI developers and deployers; Illinois HB 3773 applies to employers using AI for employment decisions [src3, src8, src9, src11]
• Sector-specific federal laws (HIPAA for health AI, ECOA/FCRA for credit AI, FERPA for education AI) impose independent obligations that layer on top of general AI regulations [src5]
• The FTC has both expanded and contracted AI enforcement (Operation AI Comply in September 2024, Rytr order set aside in December 2025) and, as directed by the December 2025 EO, issued its first Section 5 AI policy statement on March 7, 2026 (3-2 vote) targeting false/exaggerated AI claims, "AI washing," and discriminatory outcomes [src4, src7, src10]

Rationale

The US AI regulatory landscape reflects a fundamental tension between innovation promotion and harm prevention that has produced a fragmented patchwork rather than a unified framework. The current administration's December 2025 executive order employs multiple levers to assert federal primacy -- a DOJ litigation task force, FCC preemption proceedings, FTC policy guidance, and $42 billion in broadband funding conditioned on state compliance -- while explicitly preserving state authority over child safety and government procurement. States, meanwhile, continue to fill the perceived federal vacuum: California's SB 53 sets the first US frontier-model safety standard, Colorado targets algorithmic discrimination in high-risk decisions, and Illinois addresses AI in employment. This dual dynamic creates compliance complexity for organizations operating across multiple jurisdictions, particularly since the December 2025 executive order cannot itself preempt state law -- only Congress or the courts can do that. [src1, src2, src3, src7]

Framework Selection Decision Tree

START -- Organization needs US AI compliance guidance
|-- What type of AI system?
|   |-- Frontier AI model (10^26+ FLOP training)
|   |   |-- Developer revenue >= $500M?
|   |   |   |-- YES --> California SB 53 full obligations (safety framework, quarterly risk assessments, incident reporting)
|   |   |   +-- NO --> California SB 53 base obligations (transparency report, incident reporting)
|   |-- Employment/hiring decision tool
|   |   |-- Operating in NYC?
|   |   |   |-- YES --> LL144 bias audit required (annual, independent auditor)
|   |   |   +-- NO --> Check state laws (Illinois HB 3773 disclosure) + EEOC Title VII guidance
|   |   +-- EEOC four-fifths rule applies regardless of location
|   |-- Consumer-facing AI product/service
|   |   |-- 1M+ monthly California users? --> SB 942 disclosure (effective Aug 2026)
|   |   |-- Making deceptive AI claims? --> FTC Section 5 enforcement risk
|   |   +-- Operating in California? --> AB 2013 transparency disclosure
|   |-- High-risk consequential decision AI
|   |   |-- Operating in Colorado? --> Rewritten CAIA (SB 26-189) disclosure regime for covered ADMT applies Jan 1, 2027
|   |   |-- Operating in Texas? --> TRAIGA applies (Jan 1, 2026)
|   |   +-- Operating in Utah? --> AI Policy Act applies (May 2024)
|   +-- General AI development
|       +-- NIST AI RMF voluntary adoption recommended
|-- Is the organization a developer, deployer, or both?
|   |-- Developer --> Colorado/Texas/California developer obligations
|   |-- Deployer --> Colorado/Texas deployer obligations
|   +-- Both --> Full set of obligations applies
+-- Is there an existing AI governance program?
    |-- YES --> Audit against NIST AI RMF + applicable state requirements
    +-- NO --> Start with NIST AI RMF governance and risk mapping

Application Checklist

Step 1: Map jurisdictional exposure and applicable laws

• Inputs needed: States where organization operates, serves customers, or employs workers; type of AI system; whether organization is developer, deployer, or both; annual revenue (for SB 53 large developer threshold)
• Output: Matrix of applicable federal and state AI requirements by jurisdiction and use case
• Constraint: Do not assume federal preemption has eliminated state obligations -- the December 2025 EO is an executive directive, not legislation, and state laws remain in force until successfully challenged in court or preempted by Congress [src2, src7]

Step 2: Classify AI systems by risk level and use case

• Inputs needed: AI system inventory, use cases, affected populations, decision domains, training compute (for frontier model classification)
• Output: Risk classification for each AI system under each applicable state law; identification of which systems meet "high-risk" thresholds under Colorado AI Act, TRAIGA, or frontier model thresholds under California SB 53
• Constraint: "High-risk" definitions vary by state; Colorado defines it as AI making or substantially factoring into "consequential decisions" in enumerated areas; Texas prohibits specific "restricted purposes"; California SB 53 uses a compute threshold (10^26+ FLOP) rather than use-case classification [src3, src8]

Step 3: Implement required controls and documentation

• Inputs needed: Risk classifications from Step 2, NIST AI RMF governance framework, current AI governance maturity
• Output: Risk management policies, impact assessments, bias audits (if NYC LL144 applies), consumer disclosure procedures, training data transparency (if California AB 2013 applies), frontier AI safety framework and incident response procedures (if California SB 53 applies), employment AI disclosure notices (if Illinois HB 3773 applies)
• Constraint: NYC LL144 requires bias audits by an independent auditor; Colorado's rewritten SB 26-189 (effective Jan 1, 2027) drops impact-assessment mandates in favor of developer/deployer disclosures and a 30-day post-adverse-outcome notice; Texas provides a 60-day cure period; California SB 53 requires critical safety incident reporting within 15 days (24 hours for imminent death/injury), and New York's RAISE Act requires 72-hour incident reporting [src1, src7, src9, src11]

Step 4: Establish ongoing monitoring and legal tracking

• Inputs needed: Compliance baseline from Step 3, legal monitoring capacity, legislative calendar
• Output: Quarterly compliance review schedule, AI Litigation Task Force tracking, FCC preemption proceeding monitoring, state legislative session monitoring, FTC and EEOC enforcement action tracking
• Constraint: Escalate to legal counsel immediately if the AI Litigation Task Force files a preemption challenge against a state law your organization relies on, if the FCC issues a preemption determination, or if FTC or EEOC initiates investigation. Track the rewritten Colorado AI Act (SB 26-189) and any implementing rules before its January 1, 2027 effective date, and watch Illinois SB 315 for signature. [src2, src4, src7, src9]

Anti-Patterns

Wrong: Assuming federal preemption has already eliminated state AI laws

Organizations that read the December 2025 executive order as immediately invalidating state AI requirements and halt compliance efforts. The EO directed the AG to form a task force and Commerce to issue its policy document (done ~March 2026), and the FTC has issued its Section 5 AI policy statement, but no state law has been preempted as of May 2026. The EO itself expressly states it does not preempt otherwise lawful state AI laws in child safety, data center infrastructure, and government procurement. [src2, src7, src10]

Correct: Maintain state law compliance while tracking preemption developments

Continue compliance with all applicable state AI laws while monitoring the AI Litigation Task Force actions, FCC preemption proceedings, and any BEAD funding conditions. State laws remain enforceable until a court rules otherwise. Only Congress can formally preempt state law. Treat preemption as a potential future development, not a current reality. [src1, src3]

Wrong: Treating NIST AI RMF adoption as legally sufficient compliance

Organizations that implement the NIST AI Risk Management Framework and assume it satisfies all legal requirements. NIST AI RMF is voluntary and non-binding; it does not substitute for specific statutory obligations under state laws or federal anti-discrimination requirements. [src6]

Correct: Use NIST AI RMF as a governance foundation layered with legal requirements

Adopt NIST AI RMF as a best-practice baseline (it provides safe harbor under Texas TRAIGA), then layer mandatory requirements from applicable state laws, FTC guidance, and EEOC standards on top. Document where voluntary framework compliance meets or exceeds legal obligations. [src6, src3]

Wrong: Assuming AI hiring tools are the vendor's compliance responsibility

Organizations that procure third-party AI hiring tools and assume the vendor handles bias audit compliance for NYC LL144, Illinois HB 3773 disclosure, or disparate impact analysis for EEOC purposes. The EEOC has explicitly stated employers are liable even when AI tools are provided by outside vendors. [src5]

Correct: Conduct independent compliance verification for all AI procurement

Require vendors to provide bias audit reports and disparate impact analyses, then validate independently. Under LL144, the employer -- not the vendor -- must ensure an independent bias audit exists and publish results. Under Illinois HB 3773, the employer must disclose AI use in hiring to candidates. Under EEOC guidance, the employer bears liability for disparate impact regardless of vendor assurances. [src1, src5, src8]

Wrong: Ignoring frontier model obligations because the organization is not based in California

Organizations that train models at 10^26+ FLOP but assume SB 53 does not apply because they are headquartered outside California. SB 53 applies to frontier developers regardless of location if their models are deployed or accessible in California. [src8]

Correct: Assess SB 53 applicability based on model capability and deployment, not company location

If the organization trains models at or above the 10^26 FLOP threshold and those models are used by or accessible to California users, SB 53 obligations likely apply. Large frontier developers ($500M+ revenue) face additional requirements including quarterly catastrophic risk reporting. [src8]

Counter-Arguments

• The fragmented state-by-state approach creates excessive compliance costs for organizations operating nationally, particularly startups; the Trump administration's preemption strategy, while legally uncertain, addresses a real compliance burden problem. [src2]
• Voluntary frameworks like NIST AI RMF may be more effective than prescriptive legislation because they can adapt faster than statutory law to rapidly evolving AI capabilities. [src6]
• Aggressive state regulation may drive AI development offshore or to less-regulated states, reducing the economic benefits of AI innovation without proportionally reducing harms; conditioning $42B in broadband funding on AI law repeal uses economic pressure to achieve what the EO cannot legally mandate. [src3, src7]

Common Misconceptions

Misconception: The US has no AI regulation because Congress has not passed a comprehensive AI law.
Reality: While no single federal AI statute exists, organizations face binding obligations from state laws (California SB 53, Colorado, Texas, Illinois, NYC), existing federal anti-discrimination statutes (Title VII, ADA) as applied to AI by the EEOC, FTC enforcement under Section 5, and sector-specific regulations (HIPAA, FCRA, ECOA). All 50 states introduced AI bills in 2025, with approximately 100 measures adopted across 38 states. [src1, src3, src8]

Misconception: The Biden AI Executive Order 14110 established binding requirements that are now fully repealed.
Reality: EO 14110 primarily directed federal agencies to take actions; its January 2025 revocation removed those agency mandates but did not affect the NIST AI RMF (which predates the EO), state laws, or existing FTC/EEOC enforcement authority. The NIST framework remains fully in effect as a voluntary standard. [src2, src6]

Misconception: Texas TRAIGA and Colorado's AI Act have the same requirements, and Colorado still imposes a risk-management/impact-assessment regime.
Reality: They differ significantly, and Colorado's law changed in May 2026. Texas TRAIGA prohibits specific "restricted purposes" (discrimination, rights infringement, deepfake CSAM), provides a 60-day cure period, offers safe harbors for NIST AI RMF compliance, and carries $10K-$200K penalties. Colorado repealed and replaced its original first-in-the-nation AI Act with SB 26-189 (signed May 14, 2026, effective January 1, 2027): the duty of care, risk-management programs, and impact assessments are gone, replaced by a narrower disclosure-and-transparency regime for "covered ADMT," enforced solely by the AG under the Colorado Consumer Protection Act (60-day cure sunsetting January 1, 2030, no private right of action). [src3, src8, src9]

Misconception: California SB 53 only applies to California-based companies.
Reality: SB 53 applies to any "frontier developer" training models at 10^26+ FLOP, regardless of headquarters location, if the model is deployed or accessible in California. This potentially captures all major frontier AI developers. Penalties reach $1M per violation enforced by the California Attorney General. [src8]

Misconception: The December 2025 executive order preempts state AI laws.
Reality: The EO itself cannot preempt state law -- only Congress or the courts can do that. The EO created mechanisms for future preemption challenges (DOJ AI Litigation Task Force, FCC proceedings) and economic pressure ($42B BEAD funding conditions). By May 2026 the machinery is moving -- Commerce issued its policy document (~March 16, 2026) and the FTC issued its Section 5 AI policy statement (March 7, 2026) -- but no state AI law has actually been preempted, and a coalition of state attorneys general has urged the FCC not to issue preemptive AI rules. The EO also explicitly preserves state authority over child safety, data center infrastructure, and government procurement. [src2, src7, src10]

Comparison with Similar Rules

When This Matters

Fetch this when a user asks about AI compliance obligations in the United States, US AI executive orders, state AI laws (California SB 53, Colorado AI Act, Texas TRAIGA, Illinois HB 3773), FTC or EEOC enforcement against AI systems, whether AI hiring tools require bias audits, frontier AI model safety requirements, whether federal preemption has eliminated state AI requirements, or how to build an AI governance program for a US-based organization.