Artificial Intelligence Policy — Federal AI Governance & Regulation
Federal regulation of artificial intelligence (AI) is evolving rapidly as AI systems — including large language models, autonomous vehicles, facial recognition, algorithmic decision-making, and generative AI — transform virtually every sector of the economy and government. Unlike many technology areas, the U.S. has not enacted a comprehensive federal AI statute as of 2026. Instead, AI governance operates through a patchwork of executive orders, agency-specific regulations, voluntary frameworks, and existing laws applied to AI contexts. The most significant federal actions include: the National AI Initiative Act of 2020 (15 U.S.C. §§ 9401–9461, enacted as part of the NDAA), which established the National AI Initiative Office and directed AI research coordination across agencies; President Biden's Executive Order 14110 (October 2023) on "Safe, Secure, and Trustworthy AI," which imposed reporting requirements on developers of powerful AI systems, directed agencies to address AI risks, and established AI safety testing standards; and the NIST AI Risk Management Framework (AI RMF, published 2023), a voluntary governance framework for managing AI risks. Individual agencies regulate AI within their existing jurisdictions: the FDA governs AI in medical devices, the FTC addresses deceptive or unfair AI practices, the EEOC addresses AI-driven employment discrimination, the DOT/NHTSA regulates autonomous vehicles, and the financial regulators address AI in credit decisions and trading. The absence of a comprehensive federal AI law has left states to fill gaps — with states like Colorado, California, and others enacting AI-specific legislation. See Data Privacy Law for the related privacy framework and NIST Standards & Technology for the AI Risk Management Framework's home agency.
Current Law (2026)
| Parameter | Value |
|---|---|
| Comprehensive federal AI statute | None as of 2026 — governance through executive orders, agency rules, and existing law |
| National AI Initiative Act | 15 U.S.C. §§ 9401–9461 (2020) — research coordination, National AI Initiative Office |
| Key executive order | EO 14110 (Biden, October 2023) — rescinded January 2025; Trump EO "Removing Barriers to American Leadership in Artificial Intelligence" (January 2025) replaced it |
| NIST AI RMF | Voluntary AI Risk Management Framework (published January 2023) |
| Agency jurisdiction | FDA (medical AI), FTC (consumer protection), EEOC (employment), DOT (autonomous vehicles), financial regulators (credit/trading) |
| State action | Colorado AI Act (2024), California AI transparency bills, Illinois BIPA (biometric AI) |
| International context | EU AI Act (2024) — the world's first comprehensive AI regulation; U.S. takes a more sectoral approach |
Legal Authority
- 15 U.S.C. §§ 9401–9461 — National Artificial Intelligence Initiative Act of 2020
- Executive Order 14110 (October 30, 2023) — Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
- NIST AI Risk Management Framework (AI RMF 1.0, January 2023) — voluntary framework for AI governance
- Existing statutes applied to AI: FTC Act (§ 5, unfair/deceptive practices), Civil Rights Act (Title VII, employment discrimination), ECOA (fair lending), FDA (medical device regulation), ADA (disability discrimination)
How It Works
Rather than enacting a single comprehensive AI statute (as the EU did with the AI Act), the U.S. applies existing agency authorities to AI within each sector. The FTC uses Section 5 authority over unfair or deceptive practices to police misleading AI claims and harmful outputs. The EEOC has issued guidance that AI hiring tools are subject to Title VII disparate impact analysis — discriminatory outcomes matter regardless of intent. The FDA regulates AI-enabled medical devices (diagnostic algorithms, imaging analysis, clinical decision support) through existing premarket pathways — over 900 AI/ML-enabled medical devices have been authorized. Financial regulators (OCC, CFPB, Federal Reserve) address AI in credit decisions; NHTSA develops AV safety standards. The most comprehensive executive action was Executive Order 14110 (October 2023), which imposed reporting requirements on developers of AI models trained above certain compute thresholds, mandated red-teaming safety testing, directed every major agency to appoint Chief AI Officers and address AI risks in their sectors, and required protections against AI-enabled fraud and algorithmic discrimination — but executive orders are fragile, and EO 14110 was revoked in early 2025.
The NIST AI Risk Management Framework (published January 2023) fills part of the policy vacuum with a voluntary, flexible governance structure organized into four functions: Govern (establish AI oversight structures), Map (identify risks), Measure (assess and track), and Manage (prioritize and respond). It is not legally binding, but it is widely adopted by industry and government and increasingly used as a benchmark by regulators. In the absence of federal legislation, states have created a compliance patchwork: Colorado's AI Act (2024) requires developers and deployers of high-risk AI to avoid algorithmic discrimination and provide transparency; Illinois' BIPA has generated thousands of lawsuits over facial recognition; California has enacted AI transparency requirements; and dozens of states are considering legislation. This fragmentation creates compliance burdens for multi-state businesses and has become the strongest political argument for federal preemptive AI legislation.
How It Affects You
<!-- pria:personalize type="impact" -->If you're a consumer affected by AI in credit, hiring, insurance, or medical decisions: You have more legal rights than you may realize — but enforcing them requires knowing which law applies. For credit decisions: the Equal Credit Opportunity Act (ECOA) and Fair Housing Act prohibit AI models that produce discriminatory outcomes, regardless of intent — the CFPB has confirmed that disparate impact claims apply to algorithmic underwriting. If you're denied credit, you're entitled to an adverse action notice (Reg B) explaining the reasons. For hiring: the EEOC's 2023 guidance on AI hiring tools affirms that automated screening and assessment tools must comply with Title VII — disparate impact analysis applies. New York City's Local Law 144 (effective 2023) requires employers using automated employment decision tools to conduct annual bias audits and notify candidates. For health insurance: the ACA prohibits algorithmic discrimination based on pre-existing conditions, and CMS has issued guidance against AI-driven prior authorization denials that don't meet medical necessity standards. Practical step: if you believe an AI-driven decision was discriminatory, file a complaint with the relevant agency (CFPB for credit, EEOC for employment, HHS OCR for healthcare).
If you're a business deploying AI systems: Your existing legal obligations under sector-specific law apply fully to AI-driven decisions — "the algorithm made the decision" is not a defense. The FTC has made clear under Section 5 (unfair or deceptive practices) that companies are responsible for discriminatory, deceptive, or harmful AI outputs. The EEOC has issued guidance that AI hiring tools are subject to Title VII disparate impact analysis — if your vendor's tool produces adverse selection rates for protected groups, you may have liability even without discriminatory intent. For high-risk AI systems: the NIST AI Risk Management Framework (AI RMF, January 2023) provides voluntary governance guidance — documenting your risk assessment, testing for bias, maintaining human oversight, and transparency with users are the recommended practices that regulators will likely benchmark enforcement against. State laws are moving faster than federal: the Colorado AI Act (effective 2026 for high-risk AI in consequential decisions), Illinois AI Video Interview Act, and New York City Local Law 144 create specific obligations. Track state legislation actively — patchwork compliance is the near-term reality.
If you're developing or training AI models at scale: The Trump administration rescinded Biden's EO 14110 (AI safety reporting requirements) in January 2025, removing the mandatory safety reporting obligations for large-scale model developers. However, sector-specific regulations still apply to AI deployed in regulated industries (FDA for medical AI, OCC/CFPB for financial AI, FCC for communications). For models with potential national security implications: the Commerce Department's Bureau of Industry and Security (BIS) has issued export controls on advanced AI chips — see NIST Cybersecurity Framework for the broader technology standards context — and has authority under the AI Diffusion Rule to regulate training of frontier models. NIST's AI Safety Institute (created by EO 14110, now reorganized under the Trump administration as the AI Safety Institute Consortium) continues voluntary AI safety evaluations. For frontier model developers: voluntary commitments made to the White House in 2023 (on red-teaming, security, safety reporting) remain in place for the original signatories but are not legally binding.
If you're a worker whose job is affected by AI automation or AI-powered management: AI-driven automation is reshaping labor markets across industries — but its deployment in workplace management (productivity monitoring, scheduling algorithms, performance scoring) creates immediate legal issues distinct from long-term displacement. Workplace surveillance AI that monitors keystrokes, location, or communications must comply with state privacy laws — California, New York, and Connecticut have specific notice requirements for electronic monitoring. AI performance management systems that use output metrics to make adverse employment decisions must comply with employment discrimination law; if the metrics systematically disadvantage workers in protected categories, the employer faces disparate impact liability. For collective bargaining: the NLRB has issued guidance that employers must bargain with unions over the introduction of AI systems that affect working conditions (including monitoring and performance management systems). If you're in a union: raise AI deployment in bargaining. If you're not: document any AI-driven adverse employment actions and consult an employment attorney — the legal framework is still developing but existing anti-discrimination law applies now.
<!-- /pria:personalize -->
State Variations
<!-- pria:personalize type="state-specific" -->AI regulation varies significantly by state and is rapidly evolving:
- Colorado AI Act (2024) — first comprehensive state AI anti-discrimination law
- Illinois BIPA — biometric privacy law generating significant AI litigation
- California — multiple AI transparency and safety bills
- New York City Local Law 144 — requires bias audits for automated employment decision tools
- Most states have no AI-specific legislation — existing consumer protection, privacy, and anti-discrimination laws apply
Implementing Regulations
Comprehensive federal AI regulation is still emerging; OMB memorandum M-24-10 and the AI Executive Order framework guide agency-specific implementation. Key existing regulations applied to AI contexts include:
- 15 CFR Part 742 — BIS export controls on AI-related technologies, including dual-use AI chips and advanced semiconductors, requiring export licenses for certain high-performance computing hardware to restricted destinations
- 48 CFR Part 204 — Federal acquisition of AI systems, incorporating DFARS and FAR AI procurement requirements that agencies must follow when acquiring AI-enabled products and services
Pending Legislation
Multiple AI bills have been introduced in the 119th Congress. See Technology Regulation for broader legislative activity on AI governance, algorithmic accountability, and AI in federal procurement.
Recent Developments
- Trump administration reversal on AI safety (January 2025): President Trump rescinded Biden's Executive Order 14110 on his first day in office and issued his own EO: "Removing Barriers to American Leadership in Artificial Intelligence." The new order directs agencies to revoke or revise any Biden-era AI policies inconsistent with a pro-innovation, deregulatory approach and tasks the Office of Science and Technology Policy (OSTP) with developing a new national AI action plan. The mandatory safety reporting requirements for large-scale AI developers — the most contentious provision of EO 14110 — were eliminated.
- NIST AI Safety Institute restructured: The AI Safety Institute (AISI), created within NIST by EO 14110, was reorganized and rebranded under the Trump administration. Its focus shifted toward U.S. competitiveness and evaluating AI systems for government use, rather than the safety-testing emphasis of the Biden era. The institute's relationships with international partners (UK, EU AI safety institutes) were downgraded.
- AI chip export controls: The Biden administration's "AI Diffusion Rule" — restricting exports of advanced AI chips (Nvidia H100/H200 class) to most of the world except close allies — was issued in January 2025 in the final days of the administration. The Trump administration subsequently reviewed and revised the rule, with ongoing debate over whether restrictions impede U.S. AI competitiveness or legitimately protect national security.
- State AI laws going into effect: Colorado's AI Act (2024), the first comprehensive state AI anti-discrimination law, applies to high-risk AI systems in consequential decisions (credit, insurance, employment, housing) as of 2026. California enacted additional AI transparency requirements. The patchwork of state laws is intensifying industry pressure for federal preemption through a comprehensive federal AI statute — but none has passed in the 119th Congress.
- EU AI Act implementation: The EU's AI Act began applying its first provisions in 2025, banning certain unacceptable-risk AI practices (mass biometric surveillance, social scoring). High-risk AI system requirements apply from 2026. U.S. companies operating in the EU face compliance obligations even as U.S. domestic requirements remain lighter — creating a de facto compliance floor for multinational AI developers.