What is AI regulation in the United States?
Global AI regulation
As of 4 June 2026, AI regulation in the United States is not built around one federal AI Act. It is a layered federal model made up of White House and OMB policy for government use and procurement, NIST's voluntary standards, FTC enforcement under existing consumer protection and competition law, and sector regulators applying existing rules in areas such as health, credit and employment. In practice, US AI regulation is a patchwork of statutes, guidance, standards and enforcement.
What this means
In the United States, "AI regulation" usually means a mix of old and new rules applied to AI systems, not a single code written just for AI. Federal policy tells agencies how they may use or buy AI. Federal regulators then apply existing law when AI affects consumers, workers, borrowers, patients or competition.
That makes the US model both flexible and hard to read. A company may face no single federal AI licence or registration duty, yet still have serious exposure under advertising law, unfair practice rules, civil rights law, credit law, medical device law, procurement terms or platform obligations. NIST also matters because its framework is voluntary, but widely used as the practical language of AI governance.
Why it matters
This matters because the biggest US compliance mistake is often the simplest one: assuming that if there is no federal omnibus AI law, there is no real federal AI regulation. That is wrong. The federal government already uses existing law, contract terms, agency guidance and standards to shape how AI is marketed, bought, deployed and supervised.
For organisations, the practical stakes are immediate. A misleading AI product claim can trigger FTC action. A credit model still has to generate legally adequate reasons for adverse action. An AI-enabled medical device still has to fit FDA pathways and lifecycle expectations. A company selling AI to the federal government may face procurement terms on transparency, data use and testing. At the same time, boards, buyers and public sector customers increasingly expect evidence of governance modelled on NIST, even where the framework is not itself mandatory.
So the live question is rarely "Is AI regulated in the US?" It is usually "Which federal rules attach to this specific use case, which agency cares, what evidence do we need, and how does this interact with state law?"
How it works
As of June 2026, the federal model is layered, not omnibus
The federal position is best understood as a layered system. Congress has enacted framework laws for federal coordination and government use, the White House has used executive action to set policy direction, OMB has issued binding memoranda for executive agencies, NIST has built voluntary standards and implementation tools, and agencies such as the FTC, FDA, CFPB and EEOC apply their existing powers to AI use cases. That is why the United States is usually described as a sectoral and horizontal model rather than a single-code regime.
This also means the legal status of any one piece of policy varies. Some rules come from statute. Some come from executive orders and memoranda that can change with administrations. Some are draft guidance. Some are voluntary standards. A practical reading must therefore separate enacted law from executive policy, final guidance from draft guidance, and binding duties from influential but non-binding practice.
The White House and OMB mainly govern federal use and procurement
The most important current federal executive shift happened in January 2025. On 20 January 2025, President Trump revoked Executive Order 14110, Biden's 2023 AI executive order. On 23 January 2025, Executive Order 14179 set a new policy direction focused on US AI leadership, economic competitiveness and national security. It also ordered revision of Biden-era OMB AI memoranda and the creation of a new AI Action Plan.
OMB then replaced the Biden administration's main agency AI memoranda with two new memoranda dated 3 April 2025. M-25-21 governs how executive agencies use AI. M-25-22 governs how they buy AI. Together, they are the core operating rules for federal agency AI governance as of June 2026.
M-25-21 requires covered agencies to retain or designate a Chief AI Officer, convene an AI governance board, publish AI strategies, maintain annual inventories of AI use cases and apply extra controls to "high-impact" AI. In this context, high-impact AI means agency use where AI output is a principal basis for decisions or actions with serious effects on rights, access, safety, critical services or strategic assets. Before deploying such uses, agencies must test them, document risk mitigation and complete an AI impact assessment. If a high-impact use is not compliant with minimum practices, the agency must discontinue the AI function.
M-25-22 applies this governance logic to procurement. It tells agencies to use cross-functional acquisition teams, assess whether a purchase is likely to support high-impact uses, address privacy, civil rights and civil liberties, control data rights and data use, and in some cases require vendors to disclose AI used in contract performance. For suppliers into government, this matters because federal AI regulation is often felt first through contract language rather than through a general AI licence.
A crucial boundary: these OMB memoranda are mainly about federal agencies' own use and acquisition of AI. They do not create a general set of private-sector duties for every business using AI in the economy.
NIST provides the common governance language
NIST is central because it supplies the standards layer. Its AI Risk Management Framework, released in 2023, remains the best known federal reference point for practical AI governance. The framework is expressly voluntary, rights-preserving, non-sector specific and use-case agnostic. That matters. It is not an AI statute, but it gives organisations a common method for identifying, mapping, measuring and managing AI risk.
NIST has also built implementation material around the framework. The AI RMF Playbook provides suggested actions and practical steps. In July 2024 NIST released a generative AI profile for the framework, aimed at genAI-specific risks. In April 2026 it released a concept note for a critical infrastructure profile. Taken together, these materials make NIST more than a standards publisher. It acts as the federal reference point for how organisations document governance, testing, controls and assurance.
In practice, many organisations use NIST because it travels well across legal contexts. It helps with internal governance, buyer due diligence, procurement responses, vendor questionnaires and board reporting. It also gives regulated organisations a way to show they are not improvising.
The FTC is the main horizontal market enforcer
For private companies, the FTC is the clearest federal horizontal regulator in the AI space. Its relevance does not come from a special AI statute. It comes from the FTC Act and related consumer protection and competition powers. The agency's message has been consistent across administrations and cases: AI marketing, data practices, design choices and competitive conduct are judged under existing law.
That has several practical consequences. If a company makes capability claims about an AI product, it needs evidence. If it uses AI in ways that are unfair or deceptive to consumers, the FTC can act. If it changes terms or privacy commitments to feed AI development without adequate disclosure, that can also trigger scrutiny. The agency has also used AI cases to reinforce ordinary advertising substantiation rules, not to create a separate AI-only doctrine.
The FTC's recent matters show the point. In 2025 it finalised an order against DoNotPay over deceptive "AI lawyer" claims. In 2025 it also finalised an order against Workado over unsupported accuracy claims for an AI-content detector. The lesson is practical and durable: federal AI enforcement often starts with ordinary false claims, unfairness, privacy or competition analysis.
Sector regulators apply existing law to AI use cases
The federal model becomes stricter when AI sits inside a regulated sector. Here the key question is usually not whether the tool is "AI". It is whether the use falls inside an existing regulated activity.
In healthcare, the FDA regulates AI-enabled medical devices through its existing device pathways, including 510(k), De Novo and premarket approval routes where relevant. The FDA has been explicit that adaptive or changing AI software does not fit neatly into the old device paradigm, which is why it has issued lifecycle and change-control guidance. As of June 2026, organisations dealing with clinical AI should treat the FDA as an active AI regulator in substance, even though it is using medical device law rather than a separate AI statute.
In consumer finance, the CFPB has made clear that creditors cannot rely on complex or "black-box" models if that prevents them from giving the specific reasons required for adverse action notices. In other words, an uninterpretable model does not excuse non-compliance with the Equal Credit Opportunity Act and Regulation B.
In employment, the EEOC has said existing anti-discrimination law applies when AI is used in recruiting, screening, monitoring, wage-setting, promotion and dismissal decisions. This is not framed as optional ethics. It is framed as ordinary discrimination law applied to new tools.
Federal agencies have also spoken jointly. The FTC, DOJ, CFPB and EEOC issued a joint statement in 2023 saying that automated systems and AI remain subject to existing laws on discrimination, bias, consumer protection and fair competition. That joint view still captures how the federal model works in practice.
Congress has built institutions and targeted rules, but not a general private-sector AI code
Congress has not enacted a single all-purpose federal AI act for private-sector use. Instead, it has passed narrower measures that matter in different ways.
At the institutional level, the National AI Initiative Act created the National Artificial Intelligence Initiative and the National AI Initiative Office, which support federal coordination on AI research, standards engagement, workforce and public input. The AI in Government Act authorised an AI Center of Excellence in GSA. The Advancing American AI Act added principles and inventory requirements for federal agency use. These laws are important, but they mainly organise government capability and accountability rather than impose one cross-economy compliance regime on every AI developer.
Congress has also enacted targeted law that touches AI harms directly. The clearest current example is the TAKE IT DOWN Act, signed in May 2025. By May 2026 the FTC had begun enforcing its platform notice-and-removal provisions, which apply to nonconsensual intimate imagery including AI-generated digital forgeries. That is a real federal AI-relevant rule, but it is narrow and harm-specific, not an omnibus framework.
So the federal picture is neither "nothing is regulated" nor "the US has its own EU AI Act". It is a targeted, modular system.
What compliance looks like in practice
For most organisations, the federal compliance task starts with classification. First identify whether the use case is consumer-facing, workplace-facing, credit-facing, health-facing, public-sector-facing or infrastructure-facing. Then identify whether the organisation is dealing with a regulator, a government buyer, a platform duty, or ordinary commercial risk.
From there, evidence becomes the central operational issue. Organisations need to know what claims they are making, what testing supports those claims, what human review exists, what documentation explains intended use and limits, what data commitments have been made, and which law governs notices, appeals, explanations, safety review or post-deployment monitoring.
That is why the US model often pushes companies toward governance before a formal AI-specific law tells them to do so. NIST gives the operating language. Regulators give the legal trigger. Procurement gives the commercial pressure. Together, they create a de facto federal AI governance baseline even without one federal AI code.
Examples
A consumer AI company markets its service as a substitute for human legal expertise. In February 2025, the FTC finalised an order against DoNotPay over deceptive "AI lawyer" claims. The practical lesson is that US federal law does not require a dedicated AI advertising code for regulators to act. If a company cannot substantiate what its AI can do, ordinary deception rules may be enough.
A vendor sells an AI-content detector and advertises very high accuracy. In August 2025, the FTC approved a final order against Workado after alleging the company lacked adequate support for the accuracy claims it made about its detector. For operators and buyers, that is a reminder that performance claims about AI tools need defensible evidence, not just marketing language.
A platform hosts harmful synthetic media. On 19 May 2026, the FTC began enforcing the TAKE IT DOWN Act's platform notice-and-removal duties. Covered platforms must provide a process for valid reports and remove covered imagery, including AI-generated digital forgeries, within 48 hours. That is a concrete federal AI-relevant obligation, but it applies to a specific harm and a defined class of platforms, not to all AI systems.
A health technology company develops AI-enabled software for clinical use. The FDA continues to route these products through existing medical device pathways and has added AI-specific lifecycle and change-control guidance. That means a medical AI product is not only a software question or a governance question. It may also be a regulated product question from day one.
Common misunderstandings
Misunderstanding: "The US has a federal AI Act like the EU."
Correction: It does not. As of 4 June 2026, the federal model is a mix of statutes, executive policy, standards, enforcement and sector law.
Misunderstanding: "NIST AI RMF is binding law."
Correction: It is voluntary. Its influence is real, but it is a framework, not a statute or regulation.
Misunderstanding: "If my product is not in a specially regulated sector, federal AI law does not touch it."
Correction: The FTC can still act on misleading claims, unfair practices, weak data commitments and other unlawful conduct involving AI.
Misunderstanding: "White House AI memos regulate every private company."
Correction: OMB's core AI memoranda mainly govern executive agencies' own use and procurement of AI. Private firms feel them most directly when they sell into government.
Misunderstanding: "If we cannot explain a credit model, that is just a technical problem."
Correction: In some settings it is also a legal problem. In credit, the CFPB has made clear that black-box modelling does not excuse adverse action notice duties.
Risks and boundaries
The biggest boundary is constitutional and institutional. Much of the current federal AI posture is executive policy, not permanent statute. That means the federal direction can move quickly with a change of administration. The sharp shift from Biden's Executive Order 14110 to Trump's Executive Order 14179 in January 2025 is the clearest recent example.
Another boundary is scope. OMB memoranda are important, but they mostly bind executive agencies. They do not by themselves impose a general compliance code on every private AI developer, deployer or buyer. Independent regulators and sector agencies still act through their own authorities.
There is also uncertainty in guidance status. Some agency materials are final, while others remain draft. In healthcare, for example, the FDA's January 2025 lifecycle guidance for AI-enabled device software functions is still draft guidance, so organisations should not confuse it with a final rule.
A further limit is that federal law is only part of the US picture. State legislatures and state regulators are active, and they can add disclosure, discrimination or sector-specific duties on top of the federal baseline. Federal pre-emption is not the default answer here.
Finally, the absence of an omnibus law creates interpretation risk. Organisations must translate general statutes to AI-specific facts. That gives regulators flexibility, but it also means many edge cases are resolved by guidance, enforcement posture, procurement practice or litigation rather than by one clean statutory checklist.
What to do next
Treat US AI regulation as a use-case mapping exercise, not as a search for one master rulebook. Start by identifying where your AI touches consumers, workers, credit, health, public services, children, safety-critical activity or government procurement.
Build your internal governance around evidence. Know what the system is for, what claims you make about it, how it has been tested, where human review sits, what data commitments apply, and which documents you could show to a regulator, buyer or board if challenged.
Use NIST AI RMF as your operating language even where it is not mandatory. It gives teams a practical structure for governance, testing, documentation and monitoring that travels well across legal, procurement and assurance contexts.
If you sell to the federal government, review AI procurement terms early. OMB's current memoranda mean federal buyers may ask for transparency, data-use restrictions, documentation, testing information and, in some cases, disclosure of AI used during contract performance.
Keep a live watch on fast-dating federal developments. In the US, executive direction, agency guidance and targeted statutes can move faster than a static policy document. For many organisations, a six-month review cycle is sensible.
FAQs
Does the United States have one federal AI law?
No. As of 4 June 2026, it does not have one general federal AI act covering all private-sector AI. The federal model is a mix of executive policy, existing statutes, sector rules, standards and enforcement.
Is NIST AI RMF mandatory?
No. It is voluntary. But it is influential because regulators, buyers and governance teams use it as a common structure for AI risk management.
Who is the main federal AI regulator?
There is no single federal AI regulator. The FTC is the main horizontal market enforcer, while sector regulators such as the FDA, CFPB and EEOC apply their own laws to AI use cases.
Do White House AI memos apply directly to private companies?
Usually no. They mainly govern executive agencies' own use and procurement of AI. Private companies encounter them most directly when selling AI products or services to the federal government.
Can the FTC regulate misleading AI claims even without a special AI statute?
Yes. The FTC uses existing unfair and deceptive practices law, along with related authorities, to challenge unsupported or misleading AI marketing and harmful conduct.
Does the FDA regulate AI in healthcare?
Yes, where the product falls within medical device regulation or related FDA authority. The FDA uses existing product pathways and has issued AI-specific guidance materials for device lifecycle and change control.
Does federal law stop states from making their own AI rules?
Not generally. Federal and state requirements can sit alongside each other, so organisations often need a federal-state view rather than a federal-only one.