Status of AI-specific legislation

1. Federal Approach to AI

Currently, there is no comprehensive federal legislation or regulations in the US that regulate the development of AI or specifically prohibit or restrict their use. Existing US federal laws have limited application to AI. A non-exhaustive list of key examples includes:

• Federal Aviation Administration Reauthorization Act, which includes language requiring review of AI in aviation.¹
• National Defense Authorization Act for Fiscal Year 2019, which directed the Department of Defense to undertake various AI-related activities, including appointing a coordinator to oversee AI activities.²
• National AI Initiative Act of 2020, which focused on expanding AI research and development and created the National Artificial Intelligence Initiative Office that is responsible for "overseeing and implementing the US national AI strategy."³

President Trump has signaled a permissive approach to AI regulation, issuing an Executive Order for Removing Barriers to American Leadership in AI ("Removing Barriers EO") in January 2025, that rescinds President Biden's Executive Order for the Safe, Secure, and Trustworthy Development and Use of AI ("Biden EO").⁴ The Removing Barriers EO calls for federal departments and agencies to revise or rescind all policies, directives, regulations, and other actions taken by the Biden Administration that are "inconsistent" with "enhanc[ing] America's global AI dominance." Many policies were already in place from the Biden EO and it remains to be seen what the extent of the changes will be.

Further, the White House Blueprint for an AI Bill of Rights, issued under Biden, asserts guidance around equitable access and use of AI systems.⁵ The AI Bill of Rights provides five principles and associated practices to help guide the design, use and deployment of "automated systems" including safe and effective systems; algorithmic discrimination and protection; data privacy; notice and explanation; and human alternatives, consideration and fallbacks. While the Removing Barriers EO did not specifically revoke the AI Bill of Rights, the Trump Administration may be less likely to pursue the development of principles set out in the AI Bill of Rights, to the extent these principles are perceived as "inconsistent" with "enhanc[ing] America's global AI dominance." Nevertheless, AI developers may keep these principles in mind when designing AI systems. Notably, several leading AI companies – including Adobe, Amazon, Anthropic, Cohere, Google, IBM, Inflection, Meta, Microsoft, Nvidia, OpenAI, Palantir, Salesforce, Scale AI, Stability AI – have voluntarily committed to "help move toward safe, secure, and transparent development of AI technology."⁶ These companies committed to internal/external security testing of AI systems before release, sharing information on managing AI risks and investing in safeguards.

AI Action Plan

In July 2025, the Trump Administration published America's AI Action Plan ("the AI Action Plan"),⁷ which identifies more than 90 federal policy actions, with an aim to secure US AI leadership in artificial intelligence and place innovation at the core of US AI policy.

The AI Action Plan has a deregulation and pro-innovation agenda. It recommends that the Office of Management and Budget work with federal agencies to assess states' AI regulatory environments when making federal funding decisions, ensuring resources are not provided to states with restrictive legal frameworks. However, it is unclear how much impact this recommendation will have or what it will look like in practice. The AI Action Plan also emphasizes the Trump Administration's key objective of enhancing the United States' AI infrastructure for geopolitical leadership while protecting against foreign adversary threats. Central to this strategy is the goal of exporting the full AI technology stack, including hardware, models, software and applications to countries willing to join a proposed "AI Alliance." While this would create opportunities for US businesses to expand into new markets, businesses may also need to reevaluate their supply chains, partnership structures and compliance programs to avoid inadvertently granting adversaries or entities of concern access to controlled AI technologies. Another notable aspect of the AI Action Plan (also set forth in the Executive Order "Preventing Woke AI in the Federal Government")⁸ is the update to the federal procurement guidelines to ensure that only "unbiased" large language models (i.e., considered free from "ideological dogmas such as DEI" and other "partisan or ideological judgments") are eligible for government use. Therefore, AI companies engaging in government contracting, or whose products may otherwise be evaluated under the forthcoming guidelines on ideological neutrality, should closely monitor developments in this area.

AI National Policy Framework

Building on the AI Action Plan, on December 11, 2025, President Trump signed an executive order titled "Ensuring a National Policy Framework for Artificial Intelligence," ("AI National Policy Framework") which establishes a federal policy aimed at addressing the growing number of state-level AI regulations governing the AI ecosystem "to sustain and enhance the United States' global AI dominance through a minimally burdensome national policy framework for AI."⁹ The AI National Policy Framework sets out a plan to curb the proliferation of state AI laws and leverage various federal tools to discourage and challenge state regulations that conflict with the Administration's policies, including:

• Directing the Attorney General to establish an AI Litigation Task Force, with the primary responsibility of challenging state AI laws that are inconsistent with the Policy
• Directing the Secretary of Commerce to publish an analysis identifying "onerous" state AI laws and those that should be referred to the AI Litigation Task Force
• Instructing executive departments and agencies to evaluate and/or condition a state's eligibility for federal funding based on whether its AI regulatory framework aligns with the federal policy
• Directing the Federal Trade Commission (FTC) to issue a policy statement on the application of the FTC Act to AI models
• Directing the Special Advisor for AI and Cybersecurity and the Assistant to the President for Science and Technology to jointly prepare legislative recommendations establishing a uniform federal AI policy framework that would preempt conflicting state laws (except for the following specific carve-outs: (i) child safety protections; (ii) AI computing and data center infrastructure; (iii) state government procurement and use of AI; and (iv) other topics as determined)

Notably, in line with its mandate under the AI National Policy Framework, the Department of Justice has recently moved to intervene in a lawsuit in the US District Court for the District of Colorado seeking to enjoin the Colorado AI Act.¹⁰ The Department of Justice argues that the Act violates the Equal Protection Clause because it (i) compels discrimination by imposing disparate-impact liability through distorting AI model outputs in a manner that effectively requires developers and deployers to discriminate based on race, sex, religion and other protected characteristics and (ii) authorizes discrimination by exempting AI systems that have the purposes of expanding an applicant, customer or participant pool to increase diversity or redress historical discrimination.

Separately, and of note, recent reports indicate that the Trump Administration is considering an executive order that would establish an AI working group composed of relevant government agencies, tasked with vetting whether new AI models meet defined safety standards. While it is unclear at this stage whether such an executive order will in fact be issued, organizations operating in the AI space should carefully monitor this development, as such a measure would represent a notable shift in the Trump Administration's otherwise noninterventionist approach to artificial intelligence.

National AI Legislative Framework

In a further effort to shape the national AI regulatory framework, on March 20, 2026, the White House released a National AI Legislative Framework outlining the Administration's key priorities for comprehensive federal AI legislation.¹¹

The National AI Legislative Framework signals the Administration's preferred approach is for Congress to establish a "minimally burdensome national standard" that would preempt state AI laws imposing undue burdens on AI innovation; and therefore, effectively favoring a unified but light-touch federal framework over a fragmented patchwork of state regulations. The White House's notable legislative recommendations to the Congress include:

• Empowering parents and guardians with robust tools to manage their children's privacy settings, screen time, content exposure, and account controls
• Requiring AI platforms and services likely accessed by minors to implement features that reduce the risks of sexual exploitation and self-harm to minors
• Augmenting existing law enforcement efforts to combat AI-enabled impersonation scams and fraud that target vulnerable populations
• Exploring a collective negotiation framework that enables intellectual property rights holders to seek compensation from AI providers for the commercial use of their IP-protected materials
• Preventing government from coercing AI providers into banning, compelling, or altering content based on partisan or ideological agendas
• Establishing regulatory sandboxes for AI applications
• Avoiding creating any new federal rulemaking body to regulate AI and instead supporting development and deployment of sector-specific AI applications
• Preempting state AI laws that impose undue burdens to ensure a minimally burdensome national standard

Executive Order on Promoting Advanced AI Innovation and Security

Notwithstanding its broader deregulatory stance on AI, the federal government has also taken targeted steps to address the cybersecurity risks posed by advanced frontier AI models, which may, for instance, rapidly identify and exploit software vulnerabilities. To that end, on June 2, 2026, President Trump signed an Executive Order on Promoting Advanced AI Innovation and Security, which, among others, directs the Secretaries of War, Homeland Security and Commerce to (i) develop a classified benchmarking process to assess the advanced cyber capabilities of AI models and determine the threshold at which a model should be designated a "covered frontier model;" (ii) establishes a voluntary framework under which AI developers can provide the federal government with access to covered frontier modes before public release. The new Executive Order also directs the Secretary of Homeland Security to provide guidance facilitating access to cybersecurity tools and services, including covered frontier models where appropriate, for federal agencies, state and local authorities, and operators of critical infrastructure. Notably, the Executive Order expressly clarifies that it does not create any mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of AI models, including frontier models. Nevertheless, it remains to be seen whether and how these initiatives will ultimately shape procurement standards.

Current Congressional Posture

To date, specifically in relation to AI, Congress has only enacted the TAKE IT DOWN Act,¹² which prohibits any person from knowingly publishing intimate visual depictions of minors and non-consenting adults, including deepfakes that have been edited or generated by AI. The Act requires covered platforms to implement a notice-and-removal procedure enabling victims to request the removal of unlawful images and, upon receipt of such notice, to remove the images within 48 hours. Failure to comply will be treated as a violation of the FTC Act and will be subject to FTC enforcement.

Further, consistent with the Trump Administration's direction, two major legislative proposals have been introduced in Congress: (i) the TRUMP AMERICA AI Act,¹³ a 291-page omnibus discussion draft that, among others, would repeal Section 230 of the Communications Decency Act, impose a duty of care on AI platforms to prevent and mitigate harms to users, subject certain platforms to political bias audits, and create a private right of action for child harms caused by AI systems for defective design, failure to warn, express warranty, and unreasonably dangerous or defective product claims; and (ii) the AI Foundation Model Transparency Act (H.R. 8094),¹⁴ which would require developers of large AI models to publicly disclose key information about their models, including training methodology, intended purpose, known limitations and risks, and evaluation and monitoring practices.

Notably, on April 21, 2026, a new federal privacy bill, the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the "SECURE Data Act")¹⁵, has also been introduced, aimed at establishing a national framework for consumer privacy rights and the protection of personal data. Among its key provisions, the SECURE Data Act grants consumers the right to opt out of the processing of their personal data for profiling purposes in furtherance of a solely automated decision that produces a legal or similarly significant effect on the consumer. However, unlike its predecessor, the American Privacy Rights Act (APRA), which was introduced in April 2024 and included specific rules applicable to covered algorithms such as requirements to conduct design evaluations and risk impact assessments, the SECURE Data Act does not include any similar provisions.

The following is a non-exhaustive list of additional key federal legislative proposals introduced to date:

• GUARD Act,¹⁶ which aims to limit children's access to harmful and explicit content via chatbot interactions that could negatively impact their mental health and well-being and prohibits users under age 18 from interacting with AI companions.
• SANDBOX Act,¹⁷ which seeks to establish a federal "regulatory sandbox" for AI developers to apply for waivers or modifications on compliance with federal regulations in order to test, experiment with, or temporarily offer AI products and services.
• The SAFE Innovation AI Framework,¹⁸ which is a bipartisan set of guidelines for AI developers, companies and policymakers. This is not a law, but rather a set of principles to encourage federal law-making on AI.
• The REAL Political Advertisements Act,¹⁹ which aims to regulate generative AI in political advertisements.
• The Stop Spying Bosses Act,²⁰ which aims to regulate employers surveilling employees with machine learning and AI techniques.
• The Draft NO FAKES Act,²¹ which would protect voice and visual likenesses of individuals from unauthorized recreations from generative AI.
• The AI Research Innovation and Accountability Act,²² which calls for greater transparency, accountability and security in AI, while establishing a framework for AI innovation. It would create an enforceable testing and evaluation standard for high-risk AI systems and require companies that use high-risk AI systems to produce transparency reports. It also empowers the National Institute of Standards and Technology to issue sector-specific recommendations to regulate them.
• House Republicans had included a provision in the "One Big Beautiful Bill Act" (enacted July 4, 2025) proposing a 10-year moratorium on state and local AI regulations. This move purportedly aimed to establish uniform federal oversight but sparked bipartisan opposition from many state lawmakers concerned about losing the ability to address AI-related harm locally. Ultimately, on July 1, 2025, the Senate voted 99-1 to remove the proposed moratorium – there was broad agreement among lawmakers and consumer protection advocates that the provision was unreasonably vague and likely to spur a wave of litigation about its scope and impact. Various lawmakers also expressed concerns that the moratorium would undermine efforts to regulate AI for purposes such as improving children's online safety and preventing deceptive trade practices.

Insights from Federal Enforcement

The Federal Communications Commission issued a declaratory ruling stating that the restrictions on the use of "artificial or pre-recorded voice" messages in the 1990s era Telephone Consumer Protection Act include AI technologies that generate human voices, demonstrating that regulatory agencies will apply existing law to AI.²³

The FTC, under the Biden Administration, had signaled an aggressive approach to use its existing authority to regulate AI.²⁴ The FTC issued a warning to market participants that it may violate the FTC Act to use AI tools that have discriminatory impacts, make claims about AI that are not substantiated, or to deploy AI before taking steps to assess and mitigate risks.²⁵ The FTC has already taken enforcement action against various companies that have deceived or otherwise harmed consumers through AI.²⁶ The FTC has notably banned Rite Aid from using AI facial recognition technology without reasonable safeguards.²⁷ That said, as noted above, the AI Action Plan directs the FTC to review, and, where appropriate, seek to modify or set aside investigations, orders, consent decrees and injunctions from prior administration that may unduly burden AI innovation. In line with this direction, on December 22, 2025, the FTC issued an order to reopen and set aside a final consent order involving Rytr LLC.²⁸ The FTC had initially banned Rytr from providing any AI-enabled service that generates consumer or customer reviews or testimonials. Upon reviewing the final order in response to the AI Action Plan, the FTC concluded that the facts alleged in the complaint were insufficient to support a finding that Rytr had violated Section 5 of the FTC Act and that, because the order unduly burdens innovation in the nascent AI industry, setting it aside is in the public interest. It remains to be seen how aggressive the FTC will be on AI under the Trump Administration.

It is also worth noting that the Department of Justice has signaled that it may pursue criminal prosecution under the antitrust laws for certain algorithmic pricing activities, which could result in prison sentences for individual executives and substantial fines for corporations. Therefore, where competitors supply non-public, proprietary data to a shared algorithm with the knowledge that it will be used to set or influence each other's prices, the Department of Justice may consider such act as entering into a horizontal agreement that the antitrust laws are designed to prevent.

International Commitments

As for international commitments, on September 5, 2024, the United States joined Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, and the European Union to sign the Council of Europe's Framework Convention on AI.²⁹ Countries from all over the world will be eligible to join and commit to its provisions. However, given changes to US AI policy under President Trump, it remains to be seen whether the US will remain a party to, and continue to adhere to, the Framework Convention on AI.

2. AI Regulation at State-Level

Absent federal legislation, state legislatures have already enacted legislation aimed at regulating AI and numerous AI-related bills continue to be introduced. The following is a categorized overview of the key legislative developments at state-level by subject matter but is not an exhaustive list.

Regulations Addressing High-Risk AI Systems and Automated Decision Making Technologies

• Colorado AI Act: On May 17, 2024, Colorado enacted the first comprehensive US AI legislation, the Colorado AI Act. The Act creates duties for developers and for those that deploy AI. Unlike certain state privacy laws, there is no revenue threshold for applicability – the Act applies to all developers and deployers of high-risk AI systems in Colorado. The Act focuses on automated decision-making systems and defines a covered high-risk AI system as one that "when deployed, makes, or is a substantial factor in making a consequential decision" that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: education, employment, essential government services, healthcare, housing, insurance, and legal services. There is a specific focus on bias and discrimination, and developers and deployers must use reasonable care to avoid discrimination via AI systems that make, or are a substantial factor in making a consequential decision in the above enumerated fields. Notably, a new lawsuit has been initiated by an AI company challenging the constitutionality of the Colorado AI Act and seeking to enjoin its enforcement. The company alleges that the Act's imposition of affirmative duties on AI developers to protect consumers from the risks of algorithmic discrimination amounts to compelled speech in violation of the company's First Amendment rights and the Equal Protection Clause. As noted above, the Department of Justice also intervened in the lawsuit, arguing in favor of the law being enjoined. As such, these judicial developments may impact the implementation of the Act. This uncertainty is further underscored by a federal judge's recent approval of a joint motion by the plaintiff and the Colorado Attorney General to delay enforcement of the Act, with the court noting the possibility of legislative revisions and the need for the Attorney General to undertake a rulemaking process prior to enforcement, notwithstanding the Act's planned effective date of June 30, 2026. On May 14, 2026, the Colorado AI Act was repealed and replaced by SB 189, which reorients the law's focus from high-risk AI systems to automated decision-making technology. In doing so, SB 189 eliminates several obligations that existed under the original Act, including: (i) the duty to use "reasonable care" to prevent algorithmic discrimination, (ii) mandatory risk management programs for deployers, and (iii) annual impact assessment. SB 189 will take effect on January 1, 2027, and provides developers and deployers with a 60-day notice period for developers to cure violations, failing which the Attorney General may bring an action. The right to cure will sunset on January 1, 2030.
• California Automated Decision-Making Technology Regulations: On September 23, 2025, the California Office of Administrative Law (OAL) approved the final regulations proposed by the California Privacy Protection Agency (CPPA) on July 24, 2025 related to automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits (the "CCPA Regulations"). The CCPA Regulations impose new obligations on businesses, including providing consumers with the right to opt out of ADMT in contexts involving "significant decisions" (e.g., in housing, employment, credit, or healthcare) that replace or substantially replace human decision-making. As of January 1, 2026, businesses subject to risk assessment requirements (i.e., a business processes data that might present a significant risk to consumer's privacy, e.g., processing sensitive information, using ADMT for a significant decision concerning a consumer or using personal information to train ADMT for certain uses) must begin their compliance. Such businesses are required to submit documentation that the required assessments were completed and provide a summary of the risk assessment information by April 1, 2028. By January 1, 2027, businesses must (1) give consumers notice when using ADMT in making significant decisions, which must contain specific language and may be included within the business's CCPA notice at collection; (2) allow consumers to opt out of such processing, unless an exception applies; and (3) respond to consumers' requests to access regarding ADMT.
• Automated Decision-Making in Employment Contexts: Several states have introduced legislation regulating the use of automated decision-making tools in the context of employment settings. For instance, New York City Local Law 144,³⁰ effective since July 5, 2023, requires employers to conduct annual audits of covered automated employment decision tool (defined as "any computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including scores, classifications, or recommendations, that is used to substantially assist or replace discretionary decision-making for making employment decisions that impact natural persons") before use and annually thereafter. It also requires employers to provide advance notice to individuals. Similarly, California's Civil Rights Council's Employment Regulations regarding Automated Decision Systems specifically prescribe that it is unlawful for an employer to use an automated decision system that results in discrimination against an applicant or employee based on a protected class.³¹ The regulations provide that anti-bias testing or similar proactive efforts to avoid unlawful discrimination can be used in defense against discrimination claims. In Illinois, the state legislature has also amended the Illinois Human Rights Act to clarify that it prohibits the use of AI that has the effect of subjecting employees to discrimination on the basis of a protected characteristic, or that uses zip codes as a proxy for a protected characteristic.³² In Connecticut, the AI Safety, Transparency and Consumer Protection Act was enacted on May 27, 2026. It imposes obligations on deployers of automated employment-related decision technologies to provide employees and applicants with written notice regarding the use of such technologies.
• Texas Responsible AI Governance Act (TRAIGA):³³ In Texas, Governor Greg Abbott signed TRAIGA into law on June 22, 2025. Although the original bill mirrored the more expansive Colorado and EU AI Acts, Texas lawmakers significantly narrowed its scope during the legislative process. The final version eliminates many private sector obligations (e.g., impact assessments and consumer disclosures) and limits most compliance obligations to government use of AI. However, TRAIGA still imposes categorical restrictions on the development and deployment of AI systems for certain purposes such as behavioral manipulation, unlawful discrimination, and infringement of constitutional rights. TRAIGA also provides that AI systems may not be developed or distributed with the sole intent of producing, assisting or aiding in producing, or distributing child pornography or unlawful deepfake videos or images. Intentionally developing or distributing an AI system that engages in explicit text-based conversations while impersonating a child under the age of 18 is also prohibited. TRAIGA took effect on January 1, 2026.

AI Transparency Regulations

• California Transparency in Frontier Artificial Intelligence Act (TFAIA):³⁴ On September 29, 2025, California enacted TFAIA which establishes a comprehensive legal framework to ensure transparency, safety and accountability in the development and deployment of advanced systems known as "frontier models." TFAIA, which is effective as of January 1, 2026, requires developers of "foundation models"³⁵ deemed to present a "critical risk" to create, follow, and publish a safety and security protocol, including catastrophic risk testing for foundation models and monitoring for critical safety incidents. Under the TFAIA, large frontier developers (frontier developers having $500 million gross annual revenue) are also required to implement and publish a comprehensive Frontier AI Framework. This framework must be updated and made public at least annually, and within 30 days of any material modification. The Frontier AI Framework must provide a detailed account of how catastrophic risks are identified, assessed and mitigated throughout the lifecycle of a frontier model.
• California Generative AI Training Data Transparency Act (AB 2013):³⁶ Effective January 1, 2026, this Act imposes significant new transparency obligations on generative AI developers. The Act targets generative AI systems, defined as AI systems capable of generating derived synthetic content, such as text, images, video, and audio, that emulates the structure and characteristics of the system's training data. Under the Act, developers of generative AI systems are required to publicly disclose detailed information about the data used to train their models, including: the sources of the datasets; a description of how the datasets further the intended purpose of the generative AI system; whether the datasets include material protected by intellectual property law or personal information; and whether the datasets were purchased or licensed by the developer. Notably, a generative AI company has filed a constitutional challenge in the United States District Court for the Central District of California, arguing that AB 2013 unconstitutionally compels developers to disclose trade secrets, constituting a taking of private property without just compensation in violation of the Fifth and Fourteenth Amendments of the US Constitution. The company further argues that the disclosure requirements compel speech in violation of the First Amendment. While the Court has thus far denied the plaintiff's motion for a preliminary injunction to block enforcement of the Act, the outcome of the ongoing litigation will be critical in determining the ultimate fate of this Act and should be closely monitored.
• California AI Transparency Act (SB 942):³⁷ California adopted the California AI Transparency Act, which requires "Covered Providers" (defined as entities that create, code or produce a generative artificial intelligence that are publicly accessible within California with more than one million monthly visitors or users) to implement comprehensive measures to disclose when content has been generated or modified by AI. The Act defines a generative artificial intelligence system as "an artificial intelligence that can generate derived synthetic content, including text, images, video, and audio, that emulates the structure and characteristics of the system's training data." Specifically, the Act imposes requirements in the following areas: (i) establishing publicly available generative AI content detection tools, (ii) providing certain disclosures (i.e., offering users the option to include a manifest disclosure in generative AI content created or altered by the covered provider's generative AI system as well as providing a latent disclosure in AI-generated content that is created by the covered provider's generative AI system), and (iii) establishing licensing practices to ensure that the license maintain the system's capability to include the required disclosures, with the covered provider obligated to revoke the license within 96 hours of discovering any action by the licensee that compromises that capability.
• California Generative Artificial Intelligence Accountability Act (SB 896):³⁸ The Act imposes two principal obligations. First, it requires the California Office of Emergency Services to conduct a risk analysis of the potential threats posed by generative AI to California's critical infrastructure and to submit a high-level summary of that analysis to the state legislature. Second, it requires any state agency or department that uses generative AI to communicate directly with individuals regarding government services and benefits to ensure that such communications include: (i) a disclaimer clearly indicating that the communication was generated by a generative AI system; and (ii) information describing how the individual may contact a human employee for assistance.
• Washington AI Content Provenance Regulation (HB 1170):³⁹ Washington's HB 1170, which will take effect on February 1, 2027, requires "covered providers" (defined as a person or entity that produces a generative AI system that has over one million monthly users and is publicly accessible in Washington) to include "provenance data" (i.e., data that is embedded into digital content or that is included in the digital content's metadata for the purpose of verifying the digital content's authenticity, origin, or history of modification) in any content created or materially altered by generative AI to the extent it is commercially and technically possible.
• New York Responsible AI Safety and Education (RAISE) Act:⁴⁰ On December 19, 2025, New York enacted the RAISE Act, which focuses on AI safety and imposes transparency obligations on large developers of advanced AI models similar to California's TFAIA. The RAISE Act defines "large developers" as persons that have (i) trained at least one frontier model with compute costs exceeding $5 million and (ii) spent more than $100 million in aggregate compute costs in training frontier models. The Act will become effective as of January 1, 2027. Under the RAISE Act, large developers must, inter alia, (i) implement and retain a written safety and security protocol, and conspicuously publish a copy of it as well as transmit a copy to the division of homeland security and emergency services; (ii) implement appropriate safeguards to prevent unreasonable risk of critical harm and prohibit them from deploying frontier models that would create an unreasonable risk of critical harm; and (iii) retain a third party to perform an independent audit of compliance with the Act.
• Connecticut AI Safety, Transparency and Consumer Protection Act: On May 27, 2026, Connecticut enacted a multi-part regulatory framework for AI systems. The Act, among others, requires (i) large frontier developers to implement internal reporting processes that enable employees to report public health or safety risks, and (ii) frontier developers to implement corresponding protections against retaliation for employees who make such reports.⁴¹

AI Chatbot Disclosure Regulations

• California Companion Chatbots Regulation (SB 243):⁴² SB 243, which is effective as of January 1, 2026, requires companion chatbot operators to issue a clear and conspicuous notification indicating that the companion chatbot is artificially generated and not human if a reasonable person interacting with it would be misled to believe they are interacting with a human. The Act also requires an operator to take certain actions with respect to minors, including (i) disclosing that the chatbot is not human; (ii) reminding the user to take a break every 3 hours; and (iii) preventing the chatbot from producing sexually explicit visual material or stating that the minor should engage in sexually explicit conduct. Further, the Act requires an operator to maintain protocols for preventing suicide or self-harm content and would require an operator to publish details about the protocol on its website. Operator must annually report to the Office of Suicide Prevention regarding protocols put in place to detect, remove, and respond to instances of suicidal ideation by users. The Office of Suicide Prevention can also post data from that report on its website. Finally, the Act creates a private right of action for injured parties.
• Other AI Companion Chatbots Regulations: Oregon,⁴³ Washington,⁴⁴ and Idaho⁴⁵ have also enacted companion chatbot laws. Oregon and Washington's laws will take effect on January 1, 2027, whereas the effective date for Idaho is July 1, 2027. In general, all laws impose several key obligations on operators of chatbots, including: (i) a clear disclosure requirement that the chatbot is artificial and not human; (ii) where an operator knows a user is a minor or the chatbot is directed toward minors, an obligation to implement reasonable measures to prevent sexually explicit content, suggestive dialogue, and manipulative engagement techniques designed to foster or prolong emotional relationships with users; and (iii) a requirement to maintain and publicly disclose protocols for detecting and responding to users who express suicidal ideation or self-harm. Notably, except in Idaho, the laws provide users with a private right of action. On May 27, 2026, Connecticut also enacted AI companion chatbot regulation where operators are prohibited from providing AI companions to users known, or reasonably believed to be, under 18, unless protective measures meeting industry standards are in place.
• Sector-Specific Regulations on Generative AI Disclosure: States have also moved to regulate the use of generative AI tools within specific sectors. For instance, in California, AB 3030 requires health care providers that use GenAI to generate patient communications to (i) disclaim that the communication was generated by a GenAI system, and (ii) provide clear instructions for how the patient can contact a human health care provider for assistance.⁴⁶ Where the GenAI communication has been reviewed by a human health care provider, the disclaimer requirements do not apply.
• In Utah, the Utah Artificial Intelligence Policy Act went into effect in May 2024,⁴⁷ and requires individuals and entities that engage in "regulated occupations" (i.e., those who must obtain a license or state certification to practice the occupation, such as lawyers or health care providers) to promptly provide the disclosure regarding the use of generative AI in communications with consumers, regardless of whether the consumer asks whether they are dealing with a GenAI system (i.e., a proactive disclosure obligation). For individuals and entities that do not engage in "regulated occupations," the disclosure must be made "clearly and conspicuously" only if the consumer asks whether they are dealing with a GenAI system (i.e., a reactive disclosure obligation).

Algorithmic Pricing Regulations

California Cartwright Act Amendment: Through the enactment of the AB 325,⁴⁸ California amends the state's primary antitrust law Cartwright Act to make the following actions unlawful: (i) using or distributing a common pricing algorithm as part of a contract, combination, or conspiracy to restrain trade or commerce; and (ii) using or distributing a common pricing algorithm when coercing another person to set or adopt a price or commercial term recommended by that algorithm.

New York Algorithmic Pricing Disclosure Laws: Similar to California, New York also amended its antitrust law by addressing algorithmic pricing. In particular, it prohibits the use of algorithms to determine rental rates, making it unlawful to "set or adjust rental prices, lease renewal terms, occupancy levels, or other lease terms and conditions (…) based on recommendations from a software, data analytics service, or algorithmic device performing a coordinating function."⁴⁹ Further, New York's Algorithmic Pricing Disclosure Act requires businesses in New York that use personalized algorithmic pricing to provide a clear and conspicuous disclosure confirming the use of algorithmic pricing, i.e., "THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA."⁵⁰ Notably, this Act recently survived a First Amendment challenge.

Connecticut Algorithmic Pricing Law: Connecticut's new law, HB 8002,⁵¹ has also taken effect, making it the third state after California and New York to pass legislation restricting the use of algorithmic pricing in the rental housing market. Unlike the laws in California and New York, Connecticut's statute is unique because it only bans the use of non-public competitor data in algorithmic pricing, allowing landlords to use information that is available to the general public.

Other Notable State AI Regulations

• California enacted various AI bills relating to accountability, privacy, entertainment, election integrity and government accountability. Some of the key laws include:
  • AB 316:⁵² establishes clear accountability for harm caused by AI by preventing defendants who developed, modified, or used AI from claiming that the AI acted autonomously as a defense.
  • AB 621:⁵³ allows victims of deepfake pornography, including minors, to seek up to $250,000 in civil damages per action against third parties who knowingly facilitate or distribute nonconsensual sexually explicit material.
  • Defending Democracy from Deepfake Deception Act (AB 2655):⁵⁴ requires large online platforms to identify and block the publication of materially deceptive content related to elections in California during specified time periods before and after an election. Additionally, under this Act, large online platforms must label – within 72 hours of notice – certain content as inauthentic, fake, or false during specified time periods before and after an election in California.
  • Use of Likeness: Digital Replica Act (AB 1836):⁵⁵ establishes a cause of action for beneficiaries of deceased celebrities to recover damages for the unauthorized use of an AI-created digital replica of the celebrity in audiovisual works or sound recordings. This Act requires deployers of AI systems to obtain the consent of a deceased personality's estate before producing, distributing, or making available the digital replica of a deceased personality's voice or likeness in an expressive audiovisual work or sound recording.
    Other bills governing AI across a range of fields include:
    • AB 2602:⁵⁶ Contracts against Public Policy: Personal or Professional Services: Digital Replica Act
    • AB 2885:⁵⁷ Unified Definition of Artificial Intelligence
• Tennessee's ELVIS Act:⁵⁸ In March 2024, Tennessee enacted a bill entitled the Ensuring Likeness, Voice, and Image Security Act ("ELVIS Act") that expands personality rights by prohibiting the unauthorized use of AI to mimic a person's name, photograph, voice, or likeness, without a license.
• In Washington, SB 5395 establishes guidelines for health care providers when using AI in prior authorization processes, that is, the pre-approval processes required before administering a treatment or procedure to a patient, and prohibits AI from serving as the sole basis for denying health care services; the bill takes effect on June 11, 2026.⁵⁹ SB 5886, also effective June 11, 2026, expands Washington's right of publicity protections to cover AI-generated likenesses.⁶⁰

Other laws affecting AI

Existing legislation has been the primary way in which the US regulates AI as established law, including privacy and intellectual property laws, which are generally applicable to AI technologies.

Notably, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement noting that "existing legal authorities apply to the use of automated systems and innovative new technologies."⁶¹ As cited above, in February 2024, the Federal Communications Commission applied restrictions in the Telephone Consumer Protection Act on AI-generated voices.

Several states have enacted comprehensive privacy legislation that can also regulate AI. A non-exhaustive list of notable state legislation includes:

• The California Privacy Protection Act (CPPA), which regulates automated decision-making.⁶² Most US state privacy laws (i) allow users to opt out of processing their personal data for purposes of profiling that produces legal or similarly significant effects concerning the consumer, and (ii) require covered entities to conduct and document a data protection assessment if the processing of personal data for purposes of profiling presenting a reasonably foreseeable risk of substantial injury to consumers.
• The Minnesota Consumer Data Privacy Act (which took effect on July 31, 2025) grants consumers additional rights compared to other state privacy laws, such as the ability to question profiling decisions and access the data used in those decisions. The consumer may also review their data used in the profiling and correct inaccurate data for reevaluation.
• The Biometric Information Privacy Act in Illinois (BIPA),⁶³ which is very broad and allows for extremely high damages for violations. There is currently pending litigation in the AI context, where the plaintiff alleges a company scraped copyrighted audio clips to train its music-generated AI models in violation of BIPA as it collects voiceprints and biometric voice templates without user consent or a lawful data retention schedule.

Existing intellectual property laws also apply to AI, both with respect to the data AI technologies are trained upon and the outputs of such technologies. For example, with respect to outputs, the US District Court has held that human authorship is an essential part of a valid copyright claim, and the Copyright Office will refuse to register a work unless it was created by a human being.⁶⁴ There are also numerous cases before the courts in the US alleging copyright infringement, among other things, with respect to training data. On the product liability front, there is a growing number of lawsuits against large language model developers on issues such as defective design and deceptive business practices.

Definition of “AI” 

There is no single definition of AI.

15 U.S.C § 9401(3), as referenced by the Removing Barriers EO, defines AI as "a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action."⁶⁵

California state AI regulations define (i) "artificial intelligence" as an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments,⁶⁶ and (ii) "generative AI" as AI systems capable of generating derived synthetic content, such as text, images, video, and audio, that emulates the structure and characteristics of the system's training data.⁶⁷

Many state privacy bills have different definitions of automated decision-making technology or "profiling":

• A Texas statute establishing an AI advisory council (HB 2060) defines an "automated decision system" as "an algorithm, including an algorithm incorporating machine learning or other artificial intelligence techniques, that uses data-based analytics to make or support governmental decisions, judgments or conclusions."⁶⁸
• Connecticut's Public Act No. 22-15 defines "profiling" as "any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements."⁶⁹ Nevertheless, certain states like Florida, Indiana, Maryland, Nebraska, and Texas, limit their definitions of profiling to any form of solely automated processing, excluding, for example, profiling activities involving partial human involvement.
• The CCPA defines "profiling" as "any form of automated processing of personal information, [...] to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements."⁷⁰
  • Additionally, California's enacted AB 1008 clarifies that the CCPA applies to consumers' "personal information" regardless of its format. Specifically, AB 1008 clarifies that the CCPA encompasses "personal information" contained in "abstract digital formats" (i.e., generative AI systems that are capable of outputting consumers' personal information).⁷¹
  • Further, recently enacted California Senate Bill 1223⁷² clarifies that "sensitive personal information" under the California Privacy Rights Act (CPRA) encompasses consumers' neural data. As with AB 1008, SB 1223 aims to keep pace with emerging technology (in this case, neurotechnology) in an effort to protect information about consumers' brain and nervous system functions. While SB 1223 does not articulate a specific nexus to AI systems, if signed into law, it would constrain developers and deployers from using neural data under the CPRA.
• The CPPA's rules on cybersecurity, risk assessments and ADMT define "ADMT" as "any technology that processes personal information and uses computation to replace human decision-making or substantially replace human decision-making" (note: the rules defines "substantially replace human decision-making" as a business using the technology's output to make a decision without human involvement).

Territorial scope

As noted above, there are currently no comprehensive federal laws that have been enacted to specifically regulate AI. Accordingly, there is no specific territorial scope of federal legislation. However, many existing statutes regulate activities in which AI can be used, and those federal statutes typically apply nationally and, in some cases, extra-territorially. State legislation regulating AI generally has an extra-territorial effect as its application typically extends to entities that target its residents from within or outside the state.

Sectoral scope

As noted above, there are currently no comprehensive federal laws that directly regulate AI. Accordingly, there is no specific federal sectoral scope at this stage. Nevertheless, there are certain sector-specific frameworks that have been implemented in the US to regulate the use of AI, e.g., use of AI in employment settings as explained above.

Compliance roles

As noted above, there is currently no comprehensive federal legislation in the US that directly regulates AI. Accordingly, there are currently no specific or unique federal obligations imposed on developers, users, operators and/or deployers of AI systems. However, developers, users, operators and deployers of AI systems should anticipate that existing law will apply to any regulated activity that uses AI, and consult legal counsel about the potential liabilities that may arise. While potentially novel, the use of AI does not per se provide a shield from the application of existing law.

Core issues that the AI regulations seek to address

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. However, proposed legislation at the federal and state level generally seeks to address the following issues:

• Safety and security
• Responsible innovation and development
• Equity and unlawful discrimination
• Protection of privacy and civil liberties

Risk categorization

As noted above, there is currently no comprehensive legislation in the US that directly regulates AI. AI is also not generally classified according to risk in the relevant frameworks and principles.

Regulators

Currently, there is no AI-specific federal regulator in the US. However, in April 2023, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau and Department of Justice issued a joint statement clarifying that their authority applies to "software and algorithmic processes, including AI."⁷³

Similarly, state regulators that regulate privacy legislation are likely to also have the authority to regulate AI vis-à-vis existing privacy provisions. The FTC has been active in this area, and we can expect to see more from them going forward; see discussion of Rite Aid and Rytr above. Further, as noted above, pursuant to the AI National Policy Framework, the FTC is expected to provide clarity on how its authority under the FTC Act will be applied in the context of AI. It is also worth noting that the National AI Legislative Framework provides that Congress should refrain from creating any new federal rulemaking body to regulate AI, and should instead support the development and deployment of sector-specific AI applications through existing regulatory bodies with relevant subject matter expertise and through industry-led standards.

Enforcement powers and penalties

As noted above, there are currently no comprehensive federal laws or regulations in the US that have been enacted specifically to regulate AI. As such, enforcement and penalties relating to the creation, dissemination and/or use of AI are governed by application of existing law to situations involving AI, through regulatory or judicial application of non-AI-specific federal and state statutes or AI-specific state privacy legislation.

At the state level, the majority of enacted AI regulations are enforced through state attorneys general, who in certain circumstances also hold rulemaking authority, as is the case under the Colorado AI Act.  That said, there is a growing trend of state regulations also conferring a private right of action on injured parties, particularly in the context of AI companion chatbot regulations and deepfake laws.⁷⁴

Further insights from White & Case:

• AI meets the gavel: Key legal battles and regulatory trends in the United States
• State AI laws under federal scrutiny: Key takeaways from the executive order establishing federal AI policy framework
• Eyes on AI: Looking ahead to potential AI antitrust enforcement in the Trump administration
• California enacts landmark AI transparency law: The Transparency in Frontier Artificial Intelligence Act
• When every word is recorded: AI meeting tools and the new governance risks
• White House Unveils Comprehensive AI Strategy: "Winning the Race America's AI Action Plan"
• US Enforcement Agencies Intensify Scrutiny of AI Washing
• Two California District Judges Rule That Using Books to Train AI is Fair Use
• From California to Kentucky: Tracking the Rise of State AI Laws in 2025
• Evolution of AI Washing Enforcement: DOJ Enters the Picture
• Automated Decision Making Emerges as an Early Target of State AI Regulation
• SEC Will Prioritize AI, Cybersecurity, and Crypto in its 2025 Examination Priorities
• 2025 State Privacy Laws: What Businesses Need to Know for Compliance
• NYDFS Releases Artificial Intelligence Cybersecurity Guidance For Covered Entities
• Raft of California AI Legislation Adds to Growing Patchwork of US Regulation
• Newly passed Colorado AI Act will impose obligations on developers and deployers of high-risk AI systems
• Long awaited EU AI Act becomes law after publication in the EU's Official Journal (July 2024)
• Dawn of the EU's AI Act: political agreement reached on world's first comprehensive horizontal AI regulation
• Processing personal data using AI Systems (Part 1)
• The EU AI Act's extraterritorial scope (Part 2)

Burak Haylamaz (Staff Attorney, Los Angeles) and Juliann Susas (Associate, Los Angeles) contributed to this publication.

_{1 See Federal Aviation Administration Reauthorization Act
2 See National Defense Authorization Act
3 See National AI Initiative Act of 2020
4 See Removing Barriers to American Leadership in Artificial Intelligence
5 See White House fact sheet
6 See Voluntary Commitments from Leading Artificial Intelligence Companies
7 See White House, “Winning the Race: America’s AI Action Plan”
8 See Preventing Woke AI in the Federal Government
9 See Executive Order Ensuring a National Policy Framework for Artificial Intelligence
10 See United States of America's Complaint in Intervention, United States & X.AI LLC v. Weiser, No. 1:26-cv-01515-DDD-CYC (D. Colo. Apr. 24, 2026)
11 See National AI Legislative Framework
12 See Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (TAKE IT DOWN Act).
13 See TRUMP AMERICA AI Act
14 See AI Foundation Model Transparency Act
15 See Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (SECURE Data Act)
16 See Guidelines for User Age-verification and Responsible Dialogue Act of 2026
17 See Strengthening Artificial Intelligence Normalization and Diffusion by Oversight and eXperimentation Act (“SANDBOX Act”)
18 See SAFE Innovation AI Framework
19 See REAL Political Advertisements Act
20 See Stop Spying Bosses Act
21 See NO FAKES Act
22 See AI Research, Innovation and Accountability Act
23 See FCC declaratory ruling
24 See EEOC-CRT-FTC-CFPB-AI-Joint-Statement (final)
25 See Keep your AI claims in check
26 See FTC Announces Crackdown on Deceptive AI Claims and Schemes
27 See Rite Aid Banned from Using AI Facial Recognition
28 See FTC Reopens and Sets Aside Rytr Final Order in Response to the Trump Administration’s AI Action Plan
29 See Framework Convention on AI and Human Rights, Democracy and the Rule of Law.
30 See New York City Local Law 144.
31 See California Civil Rights Council Employment Regulations Regarding Automated Decision Systems.
32 See Illinois Human Rights Act.
33 See Texas Responsible AI Governance Act.
34 See Transparency in Frontier Artificial Intelligence Act
35 Defined as a foundation model that was trained using a quantity of computing power greater than 10^26 integer or floating-point operations.
36 See AB2013 Artificial Intelligence Training Data Transparency Act.
37 See California AI Transparency Act.
38 See California Generative Artificial Intelligence Accountability Act.
39 See Washington HB 1170.
40 See New York Responsible AI Safety and Education Act.
41 See Connecticut AI Safety, Transparency and Consumer Protection Act.
42 See California Companion Chatbots Regulation.
43 See Oregon SB 1546.
44 See Washington HB 2255.
45 See Idaho SB 1297.
46 See California AB 3030.
47 See Utah Artificial Intelligence Policy Act.
48 California AB 325.
49 See New York Section 340-B.
50 See New York Section 349-A.
51 See Connecticut HB 8002.
52 See California AB 316.
53 See California AB 621.
54 See California AB 2655 Defending Democracy from Deepfake Deception Act.
55 See California AB 1836 Use of Likeness: Digital Replica.
56 See California AB 2602.
57 See AB 2885.
58 See Tennessee Code § 47-25-1101.
59 Washington SB 5395.
60 Washington SB 5886.
61 See Joint Statement on Enforcement Efforts Against Discrimination and Bias in Automated Systems.
62 See California Consumer Privacy Act of 2018
63 See 740 ILCS 14/ Biometric Information Privacy Act
64 See THALER v. PERLMUTTER
65 See NATIONAL ARTIFICIAL INTELLIGENCE Definitions
66 See AB 316 and AB 2885.
67 See AB 2013 and SB 942.
68 See An Act relating to the creation of the AI council
69 See An Act concerning personal data privacy and online monitoring
70 See California Consumer Privacy Act of 2018
71 See California Consumer Privacy Act of 2018: personal information
72 See Consumer privacy: sensitive personal information: neural data
73 See Joint Statement
74 See Colorado AI Act}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2026 White & Case LLP}