Detailed overview
The United States does not currently have one comprehensive federal AI Act equivalent to the EU AI Act. AI regulation is divided between federal policy, sector-specific federal law, state AI statutes, local AI laws, agency enforcement and voluntary technical standards.
Federal: NIST AI RMF + policy
At the federal level, the NIST AI Risk Management Framework is one of the most important AI governance instruments. It is voluntary and helps organisations identify, measure, manage and govern AI risks. It is not a licensing law and does not itself impose penalties, but it is widely used as a compliance reference for trustworthy AI governance.
The federal government has also issued AI policy instruments focused on national AI leadership, infrastructure, innovation and a possible national legislative framework. These materials are important for understanding U.S. policy direction, but they do not by themselves create a single federal AI compliance code for private businesses.
State and local laws
The most concrete AI obligations in the United States currently arise from state and local laws. Colorado has adopted a law regulating automated decision systems used for consequential decisions. The Colorado framework applies to certain AI or automated systems that affect areas such as education, employment, housing, financial or lending services, insurance, healthcare and essential government services. The law is scheduled to apply from 1 January 2027.
Under the Colorado framework, developers of covered automated decision systems must provide deployers with documentation about intended uses, training data categories, known limitations, instructions for use and human review. Developers and deployers must retain compliance records for three years. Deployers must provide notices to consumers, give plain-language explanations after adverse consequential decisions, and allow rights such as correction and meaningful human review or reconsideration. The Colorado Attorney General enforces the law through the Colorado Consumer Protection Act. The law does not create a private right of action.
New York City has a specific law on automated employment decision tools, commonly called AEDTs. Employers and employment agencies may not use an AEDT to screen candidates or employees unless the tool has been subject to a bias audit within the previous year, the audit information has been made publicly available and required notices have been provided to candidates or employees. Enforcement began on 5 July 2023.
California SB 53 — frontier AI safety
California has adopted a frontier AI safety law, commonly referred to as SB 53. It applies to large frontier model developers and focuses on catastrophic-risk management, transparency and incident reporting. The law uses concepts such as "frontier model," "large frontier developer," "catastrophic risk" and "critical safety incident." A large frontier developer must maintain and publish a frontier AI framework, issue transparency reports before or at deployment of new or substantially modified frontier models, and report critical safety incidents within specified timeframes.
California's frontier AI framework includes penalties. Failure to comply with certain requirements may lead to civil penalties of up to USD 1,000,000 per violation.
Compliance reality
U.S. AI compliance therefore depends heavily on where the business operates and what the AI does. AI used in employment, housing, credit, healthcare, insurance, consumer services, online platforms, biometric systems, financial services or frontier model development may be regulated under different federal, state or local rules. There is no single U.S. AI licence, but AI systems can still be subject to strong legal obligations.