US AI Governance for Enterprise: Navigating Federal Agencies, State Laws, and the Absence of Federal Legislation

The governance gap that is not actually a gap

The absence of comprehensive federal AI legislation in the United States is sometimes mischaracterised as a regulatory gap — an environment where US companies face no meaningful AI governance obligations. This characterisation is incorrect and increasingly risky. US enterprises face a complex multi-layer governance environment: federal agency enforcement under existing authorities; growing state legislation with real enforcement; sector-specific regulations from financial, health, and safety regulators; and for any company with EU customers, the EU AI Act's comprehensive requirements.

The governance challenge for US enterprises is not the absence of AI obligations but rather the fragmentation and inconsistency of those obligations across different regulators and states. Managing this environment requires a systematic approach — the same kind of structured AI governance that EU AI Act compliance requires, even if the specific US requirements are derived from different legal instruments.

Federal agency enforcement: the active players

Federal Trade Commission: The FTC has been the most active federal AI enforcement authority, using its Section 5 FTC Act authority against unfair or deceptive acts or practices. The FTC has brought enforcement actions related to AI-generated fake reviews, deceptive claims about AI capabilities, AI systems that discriminate against protected groups, and health claims made by AI wellness applications. The FTC's consent decrees in AI cases — which require ongoing compliance monitoring, algorithmic audits, and in some cases model deletion — set precedent that informs what the FTC considers acceptable AI practice across all companies.

Consumer Financial Protection Bureau: The CFPB has issued significant guidance on AI in consumer financial services. The CFPB's position on adverse action notices is particularly important: when AI is used in credit decisions, the Fair Credit Reporting Act and Equal Credit Opportunity Act require that denied applicants receive specific reasons for denial — "AI model output" is not a sufficient reason. The CFPB has made clear that the complexity of AI models is not a valid reason to withhold explanation from credit applicants.

Equal Employment Opportunity Commission: The EEOC has issued guidance on AI in employment and has made clear that Title VII's disparate impact framework applies to AI hiring tools. Employers are responsible for employment AI that produces discriminatory outcomes regardless of whether discrimination was intentional. The EEOC has settled cases involving AI hiring tools that screened out older workers and workers with disabilities.

Food and Drug Administration: The FDA regulates AI as a medical device (Software as a Medical Device) where AI is intended for medical purposes. The FDA's predetermined change control plan framework addresses how iterative AI medical devices can be modified after initial clearance — a significant practical issue for AI medical product companies.

State legislation: the patchwork that is becoming a quilt

State AI legislation has accelerated significantly from 2023 onwards. The pattern across states is broadly similar: focus on high-risk AI decisions (employment, housing, credit, insurance, healthcare, education), requirements for impact assessments or audits, consumer notice and access rights, and anti-discrimination provisions. The differences between states are in the specific scope, threshold tests, enforcement mechanisms, and exemptions.

The practical challenge for enterprises operating across multiple states is that building separate compliance programs for each state is operationally unsustainable. The pragmatic approach taken by most large enterprises is to identify the most stringent applicable requirements across all states where they operate and build a compliance program that satisfies those requirements — then verify that this program satisfies each state's specific requirements. This approach produces a more robust governance program and is more efficient than a state-by-state build.

EU AI Act: the unavoidable international dimension

US enterprises with European customers, European operations, or European users face EU AI Act obligations regardless of US regulatory choices. The Act applies to any provider placing an AI system on the EU market, any operator using AI in the EU, and any provider or operator outside the EU where AI output is used in the EU. For major US technology companies, financial institutions with European operations, and any US company with significant European customer relationships, EU AI Act compliance is not optional and not insulated by the US regulatory environment.

The silver lining for US enterprises building AI governance for EU AI Act compliance is that the same governance infrastructure — AI inventory, risk classification, documentation, human oversight, monitoring — satisfies most of the substantive requirements that US federal agencies and state laws are also moving toward. EU AI Act compliance is not a separate exercise from US AI governance; it is the most comprehensive version of the same exercise.