Detailed overview
The United States does not currently have one comprehensive federal AI Act equivalent to the EU AI Act. AI regulation is divided between federal policy, sector-specific federal law, state AI statutes, local AI laws, agency enforcement and voluntary technical standards.
Federal: NIST AI RMF + policy
At the federal level, the NIST AI Risk Management Framework is one of the most important AI governance instruments. It is voluntary and helps organisations identify, measure, manage and govern AI risks. It is not a licensing law and does not itself impose penalties, but it is widely used as a compliance reference for trustworthy AI governance.
The federal government has also issued AI policy instruments focused on national AI leadership, infrastructure, innovation and a possible national legislative framework. These materials are important for understanding U.S. policy direction, but they do not by themselves create a single federal AI compliance code for private businesses.
State and local laws
The most concrete AI obligations in the United States currently arise from state and local laws. Colorado has adopted a law regulating automated decision systems used for consequential decisions. The Colorado framework applies to certain AI or automated systems that affect areas such as education, employment, housing, financial or lending services, insurance, healthcare and essential government services. The law is scheduled to apply from 1 January 2027.
Under the Colorado framework, developers of covered automated decision systems must provide deployers with documentation about intended uses, training data categories, known limitations, instructions for use and human review. Developers and deployers must retain compliance records for three years. Deployers must provide notices to consumers, give plain-language explanations after adverse consequential decisions, and allow rights such as correction and meaningful human review or reconsideration. The Colorado Attorney General enforces the law through the Colorado Consumer Protection Act. The law does not create a private right of action.
New York City has a specific law on automated employment decision tools, commonly called AEDTs. Employers and employment agencies may not use an AEDT to screen candidates or employees unless the tool has been subject to a bias audit within the previous year, the audit information has been made publicly available and required notices have been provided to candidates or employees. Enforcement began on 5 July 2023.
California SB 53: frontier AI safety
California has adopted a frontier AI safety law, commonly referred to as SB 53. It applies to large frontier model developers and focuses on catastrophic-risk management, transparency and incident reporting. The law uses concepts such as "frontier model," "large frontier developer," "catastrophic risk" and "critical safety incident." A large frontier developer must maintain and publish a frontier AI framework, issue transparency reports before or at deployment of new or substantially modified frontier models, and report critical safety incidents within specified timeframes.
California's frontier AI framework includes penalties. Failure to comply with certain requirements may lead to civil penalties of up to USD 1,000,000 per violation.
Compliance reality
U.S. AI compliance therefore depends heavily on where the business operates and what the AI does. AI used in employment, housing, credit, healthcare, insurance, consumer services, online platforms, biometric systems, financial services or frontier model development may be regulated under different federal, state or local rules. There is no single U.S. AI licence, but AI systems can still be subject to strong legal obligations.
Practical requirements & details
Sourced from NIST AI RMF 1.0 (2023) + Generative AI Profile (2024), the Colorado AI Act (SB 24-205, codified at C.R.S. § 6-1-1701 et seq.), NYC Local Law 144 (AEDT), California SB 53 (Transparency in Frontier Artificial Intelligence Act, 2025), and FTC/EEOC enforcement guidance.
NIST AI Risk Management Framework
- Voluntary framework organised around four core functions: Govern, Map, Measure, Manage.
- The Generative AI Profile (NIST AI 600-1) extends the RMF for foundation-model risks: confabulation, dangerous capabilities, data privacy, environmental, harmful bias, human-AI configuration, information integrity, information security, IP, obscene/CSAM, and value chain.
- Widely referenced in federal procurement, state laws (Colorado) and industry due-diligence questionnaires.
Colorado AI Act (effective 1 Feb 2026)
- Applies to developers and deployers of high-risk AI systems used for consequential decisions (education, employment, financial/lending, essential government services, healthcare, housing, insurance, legal services).
- Developers must give deployers a statement describing intended uses, known harmful/inappropriate uses, training-data summary, data-governance, evaluation, intended outputs, and risk-mitigation measures.
- Deployers must implement a risk-management policy and program (aligned with ISO/IEC 42001 or NIST AI RMF), conduct annual impact assessments, give pre-decision notice to consumers, and post a public statement on AI use.
- After an adverse consequential decision, the deployer must provide a plain-language explanation and the rights to correction and to appeal for human review.
- Records must be retained for at least 3 years.
- Enforced by the Colorado Attorney General under the Colorado Consumer Protection Act. No private right of action.
NYC Local Law 144: Automated Employment Decision Tools
- Employers/agencies may not use an AEDT for hiring or promotion of NYC-based candidates unless:
  - A bias audit has been conducted by an independent auditor within the past year, using EEOC four-fifths-rule disparate-impact ratios.
  - A summary of audit results is publicly posted on the website.
  - Notice is given to candidates/employees at least 10 business days before AEDT use, including the job qualifications/characteristics the tool will assess and data sources.
- DCWP fines: $500 first violation; $1,500 per subsequent violation per day per affected candidate.
California SB 53: Frontier AI safety
- Applies to large frontier model developers (developers training models above specified compute thresholds with annual gross revenue above prescribed levels).
- Must publish a frontier AI framework describing how the developer manages catastrophic-risk thresholds, internal governance, third-party assessments and disclosure.
- Publish transparency reports before or at deployment of a new or substantially modified frontier model.
- Report critical safety incidents to the California Office of Emergency Services within statutory timeframes.
- Civil penalties up to $1,000,000 per violation; enforced by the California Attorney General.
Sectoral federal overlays
- FTC Section 5 (unfair or deceptive practices): false AI marketing, deceptive deepfakes, biased AI affecting consumers.
- EEOC: AI in hiring/promotion subject to Title VII, ADA, ADEA; disparate-impact analysis applies to algorithmic tools.
- HHS/OCR: HIPAA + Section 1557 of the ACA apply to AI in healthcare with non-discrimination requirements for predictive tools.
- FDA: AI/ML-based Software as a Medical Device under the 510(k), De Novo or PMA pathways; predetermined change-control plans for adaptive algorithms.
- CFPB: ECOA and FCRA apply to AI in credit; adverse-action notices must give specific principal reasons (not just "algorithm scored you low").