Last updated: June 23, 2026. This is a living resource. US AI regulations change frequently. Check back for updates.
TL;DR: The US doesn't have a single federal AI law, and that makes compliance confusing and hard to track. What exists today is a patchwork of executive orders, sector-specific agency rules, and state laws that are already being enforced. This guide focuses on what applies to companies deploying AI right now: the key executive orders and their current status, the NIST AI Risk Management Framework, sector rules from the FTC and EEOC, and state laws including NYC Local Law 144, Illinois HB 3773, and Colorado's revised AI framework. It also covers where to get reliable updates as the rules continue to shift.
If you've been looking for a clear US federal AI law and came up empty, you're not missing anything. The US doesn't have a single federal AI law, and it doesn't look like there will be one anytime soon. What exists instead is a patchwork of executive orders, sector rules, and state laws that determine what's enforceable at the moment. And to be fair to everyone trying to figure this out: we're all doing it without a playbook. AI regulation is being written in real time, which makes compliance hard to keep on top of.
We created this guide to help you understand what applies to your business right now, with a place to come back as the rules continue to shift.
The executive order timeline: what changed and what it means
Federal AI policy has shifted significantly since 2023. Understanding what's currently in effect requires tracing a chain of actions rather than pointing to one document.
Biden EO 14110 (October 2023, rescinded)
President Biden's October 2023 executive order established a structured federal oversight framework for AI, including mandatory red-teaming for high-risk models, safety reporting requirements, and interagency coordination on AI risk. It was rescinded on January 20, 2025, Trump's first day in office, and replaced three days later by EO 14179.
Full text archived at federalregister.gov.
Trump EO 14179 (January 2025, in effect)
EO 14179, titled "Removing Barriers to American Leadership in Artificial Intelligence," aims to strengthen US AI leadership and promote AI development free from what it characterizes as ideological bias. It directed agencies to review and rescind Biden-era policies that could impede AI innovation, and mandated an AI Action Plan within 180 days. The Action Plan was released in July 2025.
Full text at whitehouse.gov.
Trump EO 14365 (December 2025, in effect)
This is the executive order with the most direct implications for companies navigating state AI laws. Signed December 11, 2025, EO 14365 "Ensuring a National Policy Framework for Artificial Intelligence" identifies excessive state regulation as an obstacle to US AI dominance and directs the Attorney General to establish an AI Litigation Task Force to challenge state laws inconsistent with federal policy.
The Task Force was formally established January 9, 2026 and has not yet initiated litigation against any state law as of spring 2026. That the federal government is actively working to limit state-level AI regulation is the biggest structural tension companies need to understand going into 2027.
Full text at whitehouse.gov.
Trump EO on AI innovation and security (June 2026, in effect)
Signed June 2, 2026, this executive order focuses on cybersecurity and frontier model governance. Its main provisions: a 30-day voluntary pre-release window for AI developers to share covered frontier models with the federal government before broader release, a new AI cybersecurity clearinghouse to coordinate vulnerability scanning across government and critical infrastructure, and a directive for the Attorney General to prioritize criminal enforcement against AI-enabled cybercrimes. The framework is voluntary (no mandatory licensing or pre-clearance requirement), but companies operating in critical infrastructure or working with frontier models will want to understand where this clearinghouse sits in relation to their existing security posture.
Full text at whitehouse.gov.
What this means for companies today
The federal posture has shifted from structured oversight to deregulation and industry self-governance. In practice, that means more of the responsibility for building safe, unbiased AI falls to the companies doing the building.
For some, that's a welcome reduction in compliance burden. But for others, particularly those operating in healthcare, legal, or financial services, it creates a different kind of risk that makes accountability harder to demonstrate.
There's a reasonable case that AI developed without meaningful public oversight defaults toward optimizing for profit rather than people. Homogeneous teams produce biased models. Anonymous, unaccountable training data creates systems that can't be defended to regulators, clients, or the populations they affect. Those problems don't disappear because Washington has deprioritized them. They become the responsibility of the companies making the choices.
The practical implication: in a deregulated environment, the companies that voluntarily build documented, representative, accountable AI programs are the ones best positioned when sector enforcement, state law, or enterprise procurement requirements demand answers. Three things remain true regardless of which executive order is in effect: sector agency rules from the FTC and EEOC still apply to AI, state laws already in force carry real consequences, and the NIST AI Risk Management Framework remains the most actionable voluntary standard for companies building AI programs.
The NIST AI Risk Management Framework: the closest thing to a federal standard
The NIST AI Risk Management Framework (AI RMF), released in January 2023, is a voluntary framework, not a law. But it's the reference point that FTC guidance, federal agency procurement requirements, and an increasing number of state laws point to as a benchmark for responsible AI practice.
The framework organizes AI risk management around four core functions:
- Govern: Establish the policies, processes, and accountability structures for managing AI risk across the organization. This includes defining who is responsible for AI decisions and how that accountability is documented.
- Map: Identify the context in which AI systems operate: who they affect, what risks they pose, and where they sit in broader organizational and societal systems.
- Measure: Analyze and assess AI risks using both quantitative and qualitative methods. This includes bias testing, performance evaluation, and documentation of known limitations.
- Manage: Prioritize and address identified risks, including through monitoring, incident response, and continuous improvement processes.
For any company building a formal AI risk program, the NIST AI RMF is a practical starting point. It's the framework that state laws, federal procurement requirements, and sector agency guidance keep pointing back to. And aligning to it now puts you ahead of where most compliance requirements are heading.
Sector-specific rules already in force
Regardless of the federal policy direction on AI-specific legislation, existing laws enforced by sector agencies already apply to AI systems. These aren't AI laws, but they cover AI.
FTC: deceptive AI claims and consumer harm
The Federal Trade Commission has been clear that Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices, applies fully to AI. The FTC has brought enforcement actions against companies for deceptive claims about AI capabilities and for AI-enabled consumer harm. Full guidance at ftc.gov.
For companies using AI in customer-facing applications, marketing AI capabilities, or making decisions that affect consumers, FTC exposure is real and current. No new AI law required.
EEOC: AI in hiring and employment decisions
The Equal Employment Opportunity Commission has made clear that existing employment discrimination law applies to AI-assisted hiring. Its May 2023 technical assistance document covers how Title VII, the ADA, and the ADEA apply when employers use algorithms and AI in employment decisions. Full guidance at eeoc.gov.
The core principle: if an AI hiring tool produces discriminatory outcomes, the employer is liable, regardless of whether the discrimination was intentional or whether the tool was built by a third party.
FCRA: AI in credit and background screening
The Fair Credit Reporting Act applies when AI is used in credit decisions, background screening, or other consumer reporting contexts. Adverse action notice requirements apply when an AI-assisted decision negatively affects a consumer, including an obligation to disclose the decision and provide the consumer an opportunity to dispute it. FTC guidance on FCRA and AI is at ftc.gov.
HIPAA and Section 1557: AI in healthcare
HIPAA applies to any AI system processing protected health information, covering data handling, security, and breach notification. Going further, HHS Office for Civil Rights' Section 1557 final rule (effective July 2024) explicitly prohibits health programs from discriminating against patients through AI-powered clinical decision support tools — meaning if an algorithm under-refers patients of a certain race for specialist care, the health system using it can face civil rights enforcement. HHS guidance is at hhs.gov.
State laws with teeth right now
While federal policy has moved toward deregulation, states have moved in the opposite direction. These are the laws currently in force or taking effect in 2026 and 2027 that apply to companies deploying AI.
NYC Local Law 144 (effective July 2023)
NYC Local Law 144 is the most established enforceable AI employment law in the US. It applies to any employer or employment agency using an automated employment decision tool (AEDT) for candidates or employees based in New York City, regardless of where the company is headquartered.
Requirements: an independent annual bias audit, public posting of audit results, and candidate notice at least 10 business days before the AEDT is used. Civil penalties run from $500 for a first violation to $1,500 per day for subsequent violations, with each day of non-compliant use counting as a separate violation.
A December 2025 audit by the New York State Comptroller found that enforcement by the NYC Department of Consumer and Worker Protection has been "ineffective," with the agency missing 17 of 18 instances of potential non-compliance identified by the Comptroller's team. The agency has committed to fixing those gaps, which points toward more proactive enforcement ahead. Companies that have been treating LL 144 as optional should treat 2026 as the window to get compliant before that happens.
Full text and compliance guidance at NYC Department of Consumer and Worker Protection.
Illinois HB 3773 (effective January 2026)
Effective January 1, 2026, Illinois HB 3773 amends the Illinois Human Rights Act to prohibit employers from using AI in employment decisions in ways that produce discriminatory effects based on protected characteristics. It also requires employers to notify employees and applicants when AI is used in employment decisions.
Enforcement runs through the Illinois Department of Human Rights, meaning administrative complaints and civil rights investigations, not just fines. HB 3773 doesn't require formal bias audits, unlike NYC LL 144, but the prohibition on discriminatory AI outcomes applies whether or not a bias audit was conducted. Any employer with Illinois-based employees using AI in hiring, promotion, or termination decisions is covered.
Full text at the Illinois General Assembly.
Colorado SB 26-189 (effective January 2027)
Colorado's AI regulation has had a complicated path. The original Colorado AI Act (SB 24-205), signed in May 2024, established a comprehensive duty-of-care framework for high-risk AI systems. It was delayed, challenged in court by a major AI developer with DOJ support, and ultimately replaced entirely. SB 26-189, signed May 14, 2026, repeals and replaces the original law with a disclosure-focused framework regulating automated decision-making technology (ADMT) that materially influences consequential decisions, with duties built around consumer notice, adverse-outcome explanations, and meaningful human review. It takes effect January 1, 2027, though enforcement is contingent on the Colorado Attorney General completing rulemaking, which has not yet occurred.
The duty of care, mandatory risk management programs, and annual impact assessments from the original law are gone. What remains: consumer notice requirements, 30-day adverse outcome explanations, and human review rights.
Full text at the Colorado General Assembly.
Texas TRAIGA (effective January 2026)
Texas's Responsible Artificial Intelligence Governance Act (TRAIGA), effective January 1, 2026, takes a narrower approach than Colorado or Illinois, targeting specific high-risk AI uses: child exploitation related to deepfakes, certain government use of biometric data, unlawful discrimination, and government use of AI for social scoring. Employers and companies outside those specific categories have limited direct exposure under TRAIGA, but the law signals that Texas is willing to act and its scope may expand.
Full text at the Texas Legislature.
US AI regulations at a glance
| Regulation | Type | Status | Who it applies to | Key requirement |
| --- | --- | --- | --- | --- |
| NIST AI RMF | Federal framework | In effect (Jan 2023) | All organizations (voluntary) | Risk management across AI lifecycle |
| FTC Act Section 5 | Federal law | In effect (ongoing) | All companies | No deceptive AI claims or consumer harm |
| EEOC AI guidance | Federal guidance | In effect (May 2023) | Employers using AI in hiring | No algorithmic discrimination |
| HIPAA / Section 1557 | Federal law | In effect (ongoing) | Healthcare AI systems | PHI protection; no discriminatory clinical AI |
| NYC Local Law 144 | City law | In effect (Jul 2023) | NYC employers using AEDTs | Annual bias audit, notice, disclosure |
| Illinois HB 3773 | State law | In effect (Jan 2026) | Illinois employers using AI in employment | Non-discrimination, employee notice |
| Texas TRAIGA | State law | In effect (Jan 2026) | Companies developing or deploying AI in Texas | Prohibits specific high-risk AI uses |
| Colorado SB 26-189 | State law | Effective Jan 2027 (enforcement pending rulemaking) | CO businesses using AI in consequential decisions | Consumer notice, adverse-outcome explanations, human review |
What regulatory readiness actually requires
Understanding what the regulations require is one thing. Building a program that holds up to scrutiny is another. Across every framework and law covered above, a few requirements appear consistently.
Documentation of who built and trained your AI systems. The NIST AI RMF, the Colorado framework, and emerging procurement standards all require traceability through the AI development lifecycle. Who made key decisions? Who produced the training data? What was their expertise?
Auditable data provenance. NYC LL 144's bias audit requirement and Illinois HB 3773's anti-discrimination prohibition both point to the same underlying question: can you show who produced the signal that trained your model, and can you demonstrate it was produced with appropriate expertise and oversight? Anonymous crowd annotation can provide volume, but it can't provide the documented provenance that regulatory scrutiny requires.
Bias testing across relevant populations. Bias audits under NYC LL 144 require statistical testing by race, ethnicity, and sex. Illinois HB 3773 and the EEOC guidance require demonstrating that AI systems don't produce discriminatory outcomes. That testing requires domain experts who understand what failure looks like in your specific application, not generalist reviewers applying surface-level criteria.
The accountability layer. When a regulator, auditor, or enterprise client asks who shaped your model's behavior, the answer needs to be specific and defensible. PowerToFly's community of 1.1M+ experts — spanning 190 countries and re-engageable across model releases — produces the documentation trail that compliance requires.
For a deeper look at how EU AI Act requirements compare and what companies operating in both markets need to know, see our companion guide to EU AI regulations.
Where to get reliable updates
The US AI regulatory landscape moves faster than most compliance teams can track. These are the primary sources worth monitoring directly.
Federal:
- White House AI actions: whitehouse.gov/presidential-actions
- NIST AI: nist.gov/artificial-intelligence
- FTC AI guidance: ftc.gov/industry/technology/artificial-intelligence
- EEOC AI resources: eeoc.gov/ai
State law tracking:
- National Conference of State Legislatures AI tracker: ncsl.org
- State AG announcements: individual state attorney general offices for enforcement updates
Legal analysis:
- Mayer Brown AI regulatory updates: mayerbrown.com
- Troutman Pepper privacy and AI blog: troutmanprivacy.com
- Tech Policy Press AI timeline: techpolicy.press
FAQ
Is there a US AI law?
There is no single comprehensive federal AI law in the US. What exists is a combination of executive orders directing federal agency action, sector-specific rules from agencies like the FTC and EEOC applying existing laws to AI, and a growing body of state laws. NYC Local Law 144, Illinois HB 3773, and Texas TRAIGA are all in force now. Colorado's revised framework takes effect January 2027.
What does the US AI executive order require?
The current primary AI executive order, EO 14179 signed January 23, 2025, directs federal agencies to remove regulatory barriers to AI innovation and mandates an AI Action Plan focused on US AI dominance. A December 2025 executive order (EO 14365) added a push to preempt state AI laws through a federal litigation task force. Neither EO directly imposes obligations on private companies, but they shape the regulatory environment in which sector agency rules and state laws operate.
Which US states have AI regulations?
Several states have enforceable AI laws right now. New York City's Local Law 144 (employment AI bias audits, effective July 2023), Illinois HB 3773 (AI anti-discrimination in employment, effective January 2026), and Texas TRAIGA (specific AI prohibitions, effective January 2026) are the most significant currently in force. Colorado's revised AI framework (SB 26-189) takes effect January 2027. More than a dozen additional states have passed narrower AI laws covering specific use cases in healthcare, consumer interaction disclosure, and deepfakes.
Does the EU AI Act apply to US companies?
The EU AI Act applies to any company whose AI systems are used within the EU, regardless of where the company is based. US companies selling AI-enabled products or services to EU customers, or operating AI systems that affect EU residents, may be subject to EU AI Act obligations. For a full breakdown of what the EU AI Act requires and its enforcement timeline, see our companion guide.
What does regulatory compliance mean for AI training data?
Across the regulatory frameworks covered above, one consistent requirement emerges: traceability. You need to know who produced your training data, with what credentials, under what oversight. Bias audit requirements (NYC LL 144), anti-discrimination rules (Illinois HB 3773, EEOC guidance), and the NIST AI RMF all point toward documented, verifiable data provenance as a baseline standard. Anonymous crowd annotation doesn't satisfy that standard. Expert cohorts with documented credentials, re-engageable across model releases, do.
Building an AI program that holds up to regulatory scrutiny starts with knowing who trained your model. PowerToFly connects companies with experts across healthcare, legal, financial services, and more with the documented credentials, auditable outputs, and re-engageable cohorts that compliance requires. Learn how PowerToFly helps companies build compliant AI programs.