Skip to content

US AI Compliance Assessment: Navigating the Federal and State Patchwork

Sotiris SpyrouUpdated on

Share this article

LinkedInXEmail
US AI Compliance Assessment: Navigating the Federal and State Patchwork

**Published: **02 Feb 2025 **Updated: **8th July 2025 to reflect the US Senate's rejection of AI regulation moratorium.

US AI compliance means meeting a patchwork of federal guidance and state-level laws at the same time, rather than a single national AI statute. The United States presents perhaps the most complex AI regulatory landscape globally, with a fragmented patchwork of federal guidelines, agency-specific regulations, and state-level laws that organisations must navigate simultaneously. Unlike territories with unified regulatory frameworks, US AI compliance requires understanding multiple overlapping jurisdictions and enforcement mechanisms.

This complexity creates significant challenges for organisations operating across multiple US states or serving diverse customer bases. What's compliant in one state may violate regulations in another, while federal guidelines add additional layers of requirements that intersect unpredictably with state laws.

Federal AI Governance Framework

Executive Order on Safe, Secure, and Trustworthy AI

President Biden's comprehensive Executive Order establishes federal AI governance priorities across multiple domains, creating the foundation for US federal AI policy development.

Safety Testing Requirements The Executive Order mandates safety testing for powerful AI systems, particularly those that could pose risks to national security, economic security, or public health and safety. Companies developing frontier AI models must share safety test results with the federal government.

Critical Infrastructure Protection Federal agencies must implement AI-specific cybersecurity standards for critical infrastructure, creating new compliance obligations for organisations operating in energy, transportation, healthcare, and financial services sectors.

Civil Rights and Algorithmic Discrimination Prevention The Order emphasises preventing algorithmic discrimination and protecting civil rights in AI applications, establishing expectations that extend beyond existing civil rights frameworks.

NIST AI Risk Management Framework

The National Institute of Standards and Technology has developed a comprehensive voluntary framework for managing AI risks across the AI lifecycle.

Governance, Map, Measure, Manage Structure The NIST framework provides systematic approach to AI risk management through four core functions: establishing governance, mapping AI risks, measuring risk levels, and managing identified risks throughout system lifecycles.

Trustworthy AI Characteristics NIST emphasises measurable characteristics including validity, reliability, safety, security, resilience, accountability, explainability, interpretability, privacy enhancement, and fairness.

Industry Adoption and Integration While voluntary, the NIST framework increasingly serves as the foundation for federal agency AI requirements and industry best practices, making understanding and implementation strategically important.

Blueprint for an AI Bill of Rights

The White House AI Bill of Rights establishes five core principles for AI development and deployment:

Safe and Effective Systems AI systems should undergo appropriate testing, risk identification, and mitigation before deployment, with ongoing monitoring for safety and effectiveness.

Algorithmic Discrimination Protections Individuals and communities shouldn't face discrimination by algorithms, requiring proactive equity assessments and bias mitigation measures.

Data Privacy AI systems should incorporate privacy protections by design, including data collection limitations and user control over personal information.

Notice and Explanation Users should know when AI systems are being used and understand how those systems affect them, including meaningful explanations of AI decisions.

Human Alternatives and Fallback Users should have access to human consideration and alternative processes when AI systems are used for consequential decisions.

Agency-Specific AI Regulations

Food and Drug Administration (FDA) - Medical AI

The FDA regulates AI as medical devices through their established medical device regulatory framework adapted for AI-specific considerations.

Software as Medical Device (SaMD) Framework AI medical devices must comply with SaMD regulations, including clinical validation requirements, risk classification, and ongoing post-market surveillance obligations.

Adaptive Algorithm Oversight The FDA has developed specific frameworks for AI systems that continue learning after deployment, addressing unique challenges of evolving medical AI systems.

Federal Trade Commission (FTC) - Consumer Protection

The FTC enforces AI-related consumer protection through existing unfair and deceptive practices authority under Section 5 of the FTC Act.

Algorithmic Accountability The FTC expects companies to substantiate claims about AI system performance and to avoid deceptive practices in AI marketing and deployment.

Bias and Discrimination Prevention The FTC uses consumer protection authority to address discriminatory AI practices that harm consumers, complementing civil rights enforcement by other agencies.

Equal Employment Opportunity Commission (EEOC) - Employment AI

The EEOC provides guidance on avoiding discrimination in AI-based employment decisions through existing civil rights frameworks.

Hiring and Employment Decisions AI systems used in recruitment, hiring, performance evaluation, and termination decisions must comply with federal employment discrimination laws.

Accommodation Requirements Employers must consider reasonable accommodations for individuals with disabilities when using AI systems that may disadvantage protected groups.

Securities and Exchange Commission (SEC) - Financial AI

The SEC oversees AI applications in financial markets through existing securities regulations adapted for algorithmic trading and investment management.

Algorithmic Trading Oversight Investment advisers and broker-dealers using AI for trading or investment decisions must comply with existing fiduciary duties and risk management requirements.

Disclosure Requirements Financial firms must consider whether AI use requires disclosure to investors or clients under existing transparency and conflict of interest rules.

State-Level AI Regulations

California AI Requirements

California leads US state-level AI regulation with multiple overlapping frameworks affecting different aspects of AI development and deployment.

Consumer Privacy Rights Act (CPRA) CPRA provides opt-out rights for automated decision-making and requires disclosure of the logic involved in automated decisions affecting consumers.

SB 1047 - Generative AI Political Communications California requires disclosure when AI generates political communications, addressing deepfakes and synthetic media in political contexts.

AB 2089 - Healthcare Algorithm Accountability This legislation requires healthcare providers to implement bias testing and impact assessments for AI systems used in clinical decision-making.

Colorado Consumer Protection

Colorado has implemented comprehensive consumer protection rights regarding automated decision systems affecting state residents.

Automated Decision System Rights Consumers have rights to opt out of profiling and automated decision-making that produces legal or similarly significant effects.

Transparency Requirements Data controllers must provide clear information about automated decision systems, their logic, and the consequences of such processing.

New York City Employment AI

NYC Local Law 144 creates specific requirements for AI use in employment decisions within New York City jurisdiction.

Bias Audit Requirements Employers using automated employment decision tools must conduct annual bias audits by independent auditors and make results publicly available.

Candidate Disclosure Rights Job candidates must be informed when automated tools are used in hiring decisions and have rights to request alternative selection processes.

Illinois Biometric and Employment AI

Illinois maintains multiple AI-related requirements through existing privacy and employment frameworks.

Biometric Information Privacy Act (BIPA) BIPA requires informed consent for biometric information collection, significantly affecting AI systems that process biometric data.

AI Video Interview Act The Act requires transparency and consent when AI analyzes video interviews, including disclosure of how AI evaluates candidates.

Multi-Jurisdictional Compliance Strategies

Federal-State Requirement Integration

Effective US AI compliance requires coordinating federal guidelines with applicable state requirements, which often exceed federal standards or address different aspects of AI governance.

Many organisations underestimate the complexity of ensuring compliance across multiple state jurisdictions while meeting federal expectations. This complexity is particularly challenging for organisations serving customers across multiple states.

Understanding which state laws apply to your operations requires careful analysis of business activities, customer locations, and data processing activities that may trigger different jurisdictional requirements.

Sectoral Compliance Coordination

Different industry sectors face varying combinations of federal agency oversight and state regulatory requirements, creating complex compliance matrices that must be managed systematically.

Healthcare AI faces FDA medical device requirements plus state healthcare regulations, while financial services AI must comply with SEC, CFPB oversight plus state financial regulations.

Employment AI presents particularly complex challenges with EEOC federal oversight, state employment laws, and local jurisdiction requirements like NYC's bias audit mandates.

Risk-Based Compliance Prioritisation

High-Risk Application Areas

Certain AI applications face heightened scrutiny across multiple jurisdictions and should receive compliance priority:

Employment and Hiring Systems AI used in employment decisions faces federal EEOC oversight, state employment laws, and specific local requirements in jurisdictions like New York City.

Financial Services AI Credit scoring, algorithmic trading, and robo-advisory services face complex federal and state financial regulations plus consumer protection requirements.

Healthcare and Medical AI Medical device AI faces FDA oversight plus state healthcare regulations and professional licensing requirements.

Biometric Processing Systems AI processing biometric information faces state-specific requirements like Illinois BIPA plus federal privacy and security obligations.

Enforcement Pattern Analysis

Understanding enforcement priorities across different jurisdictions helps organisations allocate compliance resources effectively and anticipate regulatory attention.

State attorneys general increasingly use consumer protection authority to address AI practices, while federal agencies focus on civil rights, safety, and sector-specific requirements.

Private litigation based on state AI laws creates additional compliance risks that organisations must consider alongside regulatory enforcement patterns.

Comparison with Global Regulatory Approaches

The US patchwork approach contrasts sharply with unified frameworks like the EU AI Act or UK principles-based regulation. While this creates complexity, it also provides flexibility for organisations to demonstrate compliance through various approaches.

Understanding how US requirements relate to other territorial frameworks is essential for global organisations. Our comprehensive EU AI compliance guide and UK regulatory framework analysis provide comparative perspectives for multinational compliance strategies.

US compliance often serves as a floor rather than a ceiling, with state requirements frequently exceeding federal expectations and creating higher standards than some international frameworks.

Practical Implementation Framework

Multi-State Compliance Assessment

Organisations must systematically evaluate which state requirements apply to their operations, considering customer locations, business activities, and data processing locations.

This assessment should include current operations plus planned expansion activities that may trigger additional state jurisdiction requirements.

Many organisations discover state compliance obligations they hadn't initially recognised, particularly for online services serving customers across multiple states.

Federal Agency Engagement

Proactive engagement with relevant federal agencies can provide clarity on compliance expectations and demonstrate good faith efforts to achieve regulatory alignment.

Different agencies have different engagement mechanisms and consultation opportunities that organisations should leverage strategically.

Understanding agency enforcement priorities and guidance development processes can help organisations anticipate regulatory developments and prepare accordingly.

Compliance Monitoring and Updates

The rapidly evolving US regulatory landscape requires systematic monitoring of federal guidance updates, new state legislation, and enforcement pattern changes.

Establishing monitoring systems that track relevant developments across multiple jurisdictions is essential for maintaining ongoing compliance.

Regular compliance reviews should consider new legal developments, business changes, and evolving enforcement patterns that may affect compliance strategies.

Strategic Recommendations for US Operations

Compliance Excellence Through Systematic Approach

Organisations achieving compliance success in the US regulatory environment invest in systematic compliance frameworks that address multiple jurisdictional requirements efficiently.

The complexity of US AI regulation rewards organisations that develop sophisticated compliance capabilities rather than attempting minimal compliance approaches.

Building compliance excellence creates competitive advantages while reducing regulatory risk across the complex US landscape.

Innovation Within Compliance Frameworks

The US regulatory environment often provides more flexibility for innovative compliance approaches compared to prescriptive regulatory frameworks in other territories.

Organisations can leverage this flexibility to develop compliance solutions that demonstrate regulatory alignment while maintaining competitive advantages and innovation capabilities.

Expert Assessment and Implementation Support

At VerityAI, our analysis of US AI compliance reveals that organisations benefit significantly from systematic approaches that address federal, state, and local requirements through integrated frameworks rather than attempting to manage each jurisdiction separately.

The US regulatory complexity creates opportunities for organisations that invest in sophisticated compliance capabilities while challenging those that underestimate the coordination required for effective multi-jurisdictional compliance.

Our comprehensive compliance assessment tools help organisations understand how US requirements integrate with global regulatory frameworks, particularly important for multinational operations.

Getting Started with US Compliance Assessment

Understanding your current US compliance position requires systematic evaluation across federal guidelines, relevant state requirements, and applicable local regulations. VerityAI's US-specific assessment provides detailed gap analysis and actionable recommendations tailored to your specific AI applications and operational footprint.

Evaluate your US AI compliance readiness with our comprehensive framework covering federal, state, and local requirements. Our assessment identifies specific opportunities for regulatory alignment and compliance excellence across the complex US landscape.

The fragmented US regulatory environment requires proactive compliance management that anticipates regulatory developments while maintaining operational efficiency. Starting your comprehensive compliance assessment now positions your organisation for success across all relevant US jurisdictions.

Frequently asked questions

What are US AI compliance requirements?

US AI compliance requirements are the combined set of federal guidance, agency-specific rules, and state laws that apply to an organisation's AI systems. There's no single national AI statute, so an organisation typically has to satisfy federal expectations from bodies such as the FTC, EEOC, and SEC alongside state and even city-level rules that can differ from each other.

Is there a federal AI law in the US?

Not a single one. Federal AI governance in the US currently comes from a mix of executive direction, voluntary frameworks such as the NIST AI Risk Management Framework, and enforcement by existing agencies applying their existing authority to AI. States have moved ahead of the federal government with their own specific AI laws.

Which US states have the most developed AI laws?

California, Colorado, Illinois, and New York (particularly New York City for employment AI) currently have some of the most specific AI-related requirements. What counts as compliant in one state may not be enough in another, so organisations serving customers across multiple states need to check each relevant jurisdiction separately.

Do federal AI rules override state AI laws in the US?

Generally no. Federal guidance tends to set a baseline or address specific sectors, while state laws often go further, particularly on consumer rights and employment decisions. Organisations typically need to meet both, with the stricter requirement usually taking priority for any given activity.

More on how we approach it: board-level AI governance.

Share this article

LinkedInXEmail
Sotiris Spyrou - Author

Sotiris Spyrou

Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.

Founder at VerityAI