Written By Gus Cavalcante

US AI Regulations in 2026: What Actually Matters and How to Stay Compliant

AI governance in the United States is accelerating, but it is not consolidating. There is still no single, comprehensive federal AI law. Instead, most organizations are dealing with three overlapping forces:

  • Federal policy signals and agency enforcement using existing authority

  • A growing set of state and local AI laws that vary by use case

  • Older privacy, consumer protection, and anti-discrimination laws that already apply to AI systems

If you operate in multiple states, the practical risk is simple: you can be compliant in one place while violating obligations somewhere else. A workable AI compliance program has to be designed for fragmentation, continuous change, and auditability.

What counts as an “AI law” in practice

AI laws and regulations are rules that govern how organizations build, deploy, and use AI systems, especially where those systems affect people’s rights, opportunities, or safety. Across most US requirements, the same themes show up repeatedly:

  • Transparency: disclose AI use, disclose AI-generated content, and clarify when decisions are automated

  • Bias prevention: test for discrimination and reduce disparate impact where AI influences outcomes

  • Privacy: control the collection and use of personal data in AI training and decisioning

  • Accountability: document decisions, maintain governance, and assign ownership for AI risk

These themes are the stable core. The exact mechanics differ by jurisdiction.

Federal AI regulation: policy signals plus enforcement, not a single law

At the federal level, AI governance is largely shaped by executive actions, agency guidance, and enforcement activity. Executive orders matter because they steer federal agencies, but they do not automatically create new private-sector legal obligations.

Congress continues to discuss broad AI legislation, including proposals that would establish clearer liability frameworks and requirements around automated decision-making, deepfake disclosures, and algorithmic accountability. As of now, the most immediate federal compliance reality is still agency enforcement using existing laws.

Key agencies to track:

  • FTC: unfair or deceptive practices, misleading AI claims, synthetic reviews, and consumer harm

  • FCC: voice cloning and AI-generated robocalls

  • SEC: AI-related fraud, risk disclosures, and investor-facing claims

  • EEOC: discrimination risks when AI influences employment decisions

If you market AI capabilities, use AI in hiring, or deploy AI in consumer-facing contexts, you are already in the enforcement zone even without a dedicated federal AI statute.

State and local AI laws: the patchwork you cannot ignore

States are moving faster than Congress. Many state bills are narrow and use-case specific, but a few are broad enough to matter for most organizations.

Colorado: the first comprehensive state AI law

Colorado’s approach is a model for where several states are heading: focus on “high-risk” AI and require reasonable care to avoid algorithmic discrimination. The expected operational burdens include transparency disclosures, impact assessment style documentation, and controls around how AI decisions are made and reviewed.

Illinois: AI and video interviews

Illinois focuses on employer use of AI in video interviews. The compliance burden is straightforward but strict: notify candidates, obtain consent, and manage retention and deletion obligations for recordings and related AI analysis.

California: transparency plus employment controls

California is attacking the problem from multiple angles, including disclosure requirements around AI-generated content and tighter controls on discriminatory use of AI in employment contexts. If you operate in California, treat AI hiring workflows as regulated processes and ensure you can defend them.

New York City: bias audits for hiring tools

NYC is still one of the clearest examples of employment-focused AI regulation. If you use automated employment decision tools in NYC, you should expect bias audit requirements and related public-facing notices.

Utah: disclosure when consumers interact with AI

Utah focuses on disclosure requirements for interactions with generative AI, plus a policy posture that includes experimentation and iterative governance. Practically, it reinforces a broad trend: if a consumer is interacting with AI, disclosure is increasingly expected.

Other states are also moving with targeted restrictions, especially around hiring, state agency use of AI, and sector-specific controls.

Existing laws already apply to AI systems

A common operational mistake is treating AI as “new” and therefore unregulated. Most risk comes from older laws applied to new technology.

Privacy laws

State privacy laws like California’s, Virginia’s, and Colorado’s already create obligations when AI processes personal data. Automated decision-making disclosures and opt-out rights can be triggered depending on the jurisdiction and use case.

Anti-discrimination statutes

Employment, housing, and lending are the highest-liability zones. If AI creates discriminatory outcomes, intent does not save you. You need controls that prevent disparate impact and demonstrate reasonable care.

Consumer protection

The FTC’s unfair or deceptive practices authority is a catch-all that matters immediately. Overstating AI capabilities, hiding automation, or allowing harmful outputs can become enforcement issues.

Industry-specific pressure points

Some sectors face layered oversight, either through explicit regulations or strong regulator attention.

  • Healthcare: HIPAA and FDA oversight can apply depending on whether the system handles protected health information or functions as a medical device or decision support tool

  • Financial services: fair lending rules apply to AI-driven credit decisions, and model risk management expectations raise the bar on documentation and testing

  • Employment: the combination of EEOC guidance, state laws, and local requirements makes hiring tools one of the most regulated AI use cases in the US

Risk tiers: how regulators tend to think about AI harm

US frameworks increasingly mirror a risk-based approach even if the labels differ by jurisdiction.

  • High-risk: AI that makes or meaningfully influences decisions in employment, credit, housing, healthcare, or legal outcomes

  • Limited-risk: chatbots, recommenders, and generative tools where disclosure is the primary obligation

  • Minimal-risk: operational AI like spam filtering or inventory forecasting, usually low regulatory focus unless data or deception risks exist

Your compliance program should start by classifying systems by risk and impact, not by vendor category or technical architecture.

A practical AI compliance program that survives the patchwork

A durable program is not built on one law. It is built on controls that satisfy multiple laws at once and can be adapted as requirements change.

1) Build a real AI inventory

Create a central registry of AI systems, including shadow AI and vendor tools. Capture:

  • purpose and use case

  • user populations impacted

  • data inputs and outputs

  • whether the system influences decisions about people

  • vendor details, model provenance, and update cycles

If you cannot list it, you cannot govern it.

2) Classify systems by risk and decision impact

Create a simple rubric:

  • Does it affect employment, credit, housing, health, or legal outcomes?

  • Does it automate decisions or strongly influence a human decision?

  • Could errors create material harm?

  • Are protected classes affected?

Label systems as high-risk, limited-risk, or minimal-risk and treat that label as a control trigger.

3) Map obligations by geography and use case

Create a requirements map that ties each AI system to:

  • states and localities where it is used

  • sector-specific overlays

  • privacy and employment law triggers

  • disclosure and audit requirements

This prevents the most common failure mode: a system designed for one state being quietly reused elsewhere.

4) Implement core controls that regulators keep asking for

For high-risk systems, establish a baseline set of controls:

  • Transparency notices: when AI is used, when content is AI-generated, and when decisions are automated

  • Impact assessments: documented analysis of harms, affected groups, mitigations, and monitoring plans

  • Bias testing: defined testing protocols, frequency, and remediation workflows

  • Human oversight: who reviews, what triggers escalation, how overrides work

  • Documentation and recordkeeping: versioning, training data descriptions where available, test results, decisions, and change logs

  • Vendor governance: contract terms, audit rights, testing evidence, update notifications, and incident handling

5) Make it continuous, not point-in-time

AI systems drift. Vendors update models. Data changes. Laws change. Add:

  • periodic reassessments

  • monitoring for performance and bias over time

  • audit trails that are easy to produce

  • a change management process that treats model updates as risk events

Common pitfalls that create avoidable liability

  • Relying on vendor marketing instead of evidence and testing

  • Treating “human in the loop” as a slogan instead of a defined control with documented decision rights

  • Failing to disclose AI use in employment workflows

  • Letting AI-generated content flow into customer communications without labeling or review

  • Building one compliance solution for one state and assuming it generalizes

Frequently Asked Questions About Artificial Intelligence Laws and Regulations

What is the “30% rule” for AI?

The “30% rule” is not a law or formal standard. It is an informal guideline people reference to describe when work is considered meaningfully human-directed, often framed as requiring roughly 30% human contribution. You will see it mentioned in conversations about disclosure and ownership, but it does not operate as a universal legal threshold.

Does the United States have one comprehensive federal AI law?

No. The United States still does not have a single, unified federal AI statute. Federal oversight is happening through a mix of agency enforcement under existing laws, executive branch policy, and voluntary frameworks, while Congress continues to consider broader AI legislation.

Which states have the most developed AI rules?

Colorado stands out for having the most comprehensive state-level AI law, with requirements aimed at high-risk AI use. California follows with multiple laws focused on transparency and employment-related AI. Illinois, New York City, and several other jurisdictions have narrower rules tied to specific scenarios such as hiring and automated screening tools.

How do U.S. AI rules compare to the EU AI Act?

The EU AI Act is a single, binding regulatory regime that applies across EU member states and imposes structured requirements, especially for high-risk systems. The U.S. approach is more fragmented, relying on state and local laws, agency actions, and voluntary standards rather than one national framework.

Gus Cavalcante
Next

California’s New AI Employment Law: What You Need to Know