AIRiskAware
🇺🇸 FTC, CFPB, EEOC, OCC, FDA, State AGs

US AI governance for enterprise.

No federal AI law, but FTC, CFPB, EEOC, and sector regulators are all active. States are moving fast. And if you have EU customers, the EU AI Act applies regardless of where you're based.

State AI laws: the active patchwork

Six states with active or developing AI requirements, and more coming.

Colorado
Repealed & replaced
Colorado AI Act (SB 24-205 → SB 189)
Scope: Original SB 24-205 (high-risk AI in employment, housing, credit, insurance, education, healthcare) never took effect: enforcement was stayed (xAI v. Weiser, April 27, 2026), and SB 189 repealed and replaced it on May 14, 2026 with a narrower disclosure-based law.
Requirements: Replacement (SB 189) drops impact assessments and risk programmes in favour of notice-and-disclosure; effective January 1, 2027
Enforcer: Colorado AG
Connecticut
Signed; effective Oct 2026
AI Responsibility & Transparency Act (SB 5)
Scope: Multi-part framework: frontier-model developers, AI "companion" systems, generative-AI synthetic content, automated employment-decision technology, and youth online safety
Requirements: Category-specific disclosure and internal-process duties, not a high-risk impact-assessment regime. Most provisions effective Oct 1, 2026, phasing through Jan 2028
Enforcer: CT AG (no private right of action)
New York City
Enforced
Local Law 144
Scope: Employers using automated employment decision tools for NYC job candidates/employees
Requirements: Annual bias audits by independent auditors, public results publication, candidate notification
Enforcer: NYC DCWP
Illinois
Active
AEIA + HB 3773
Scope: Employers using AI in video interviews; broad employer AI obligations under AEIA
Requirements: Video interview AI disclosure and data destruction; employment AI non-discrimination
Enforcer: Illinois AG
Texas
In force
TRAIGA (HB 149)
Scope: Intent-based prohibitions (no Colorado-style impact assessments); governs state-agency AI use; disclosure duties for government bodies and healthcare providers
Requirements: Prohibits AI used to intentionally discriminate, enable certain unlawful conduct, or unlawfully capture biometrics; 60-day notice-and-cure; civil penalties up to $200k per uncurable violation; regulatory sandbox
Enforcer: Texas AG (exclusive; no private right of action)
California
In force
SB 53 (TFAIA) + AB 2013, AB 2885
Scope: Large frontier-model developers (SB 53); generative-AI training-data disclosure (AB 2013); standardised statewide AI definition (AB 2885)
Requirements: SB 53 (effective Jan 2026): publish safety frameworks and report critical safety incidents; AB 2013: disclose training-data sources
Enforcer: CA AG

Federal agency AI enforcement

No AI law, but existing authorities are actively used.

FTC
Federal Trade Commission
Authority: Section 5 FTC Act, unfair or deceptive acts or practices

AI-generated fake reviews, deceptive AI capability claims, AI discrimination, health AI claims. Consent decrees require algorithmic audits and in some cases model deletion.

CFPB
Consumer Financial Protection Bureau
Authority: FCRA, ECOA, UDAAP

Adverse action notice requirements for AI credit decisions; CFPB position that AI model complexity does not excuse failure to provide specific denial reasons to applicants.

EEOC
Equal Employment Opportunity Commission
Authority: Title VII, ADA, ADEA

Disparate impact of AI hiring tools on protected groups; employer liability regardless of intent; guidance on AI hiring assessment tools.

OCC/Fed/FDIC
Prudential Banking Regulators
Authority: Safety and soundness, SR 26-2

Model risk management requirements apply to AI models. SR 26-2 (April 2026) superseded SR 11-7; examiners assess ML-specific MRM practices under the revised guidance.

FDA
Food and Drug Administration
Authority: Medical device regulation, FDCA

AI as Software as a Medical Device; predetermined change control plan for iterative AI medical products; De Novo and 510(k) pathways.

US AI governance articles

The US State AI Law Patchwork Is Now Your Problem (11 min read)
US AI Governance for Enterprise: Navigating Federal Agencies, State Laws, and the Absence of Federal Legislation (13 min read)
AI Governance in US Financial Services: Fed SR 11-7, OCC, CFPB, and the Emerging Federal Framework (11 min read)
The US AI Executive Order and What It Means for Enterprise AI Governance in 2026 (10 min read)
US AI Compliance for Enterprise: Federal Enforcement, State Laws, and the Sector Regulator Map (11 min read)
AI in US Healthcare: Your Rights as a Patient When Algorithms Influence Your Care (9 min read)
AI Denied My Credit or Insurance in the US. What Are My Rights? (8 min read)
AI Governance for US Healthcare Organisations: FDA, HIPAA, CMS, and State Requirements (10 min read)
AI in Hiring and Employment: A Compliance Guide for US Employers (10 min read)
AI at Work in the US: Your Rights When Employers Use AI in Hiring, Monitoring, and Performance (9 min read)
AI Governance for US Small Businesses: FTC, State Privacy Laws, and What You Need to Do (8 min read)
AI in US Insurance: NAIC Model Bulletin, State Regulators, and the Governance Framework for Insurers (10 min read)
The Colorado AI Act Just Got Frozen: What This Means for US State AI Regulation (9 min)
Washington vs the States: Where US AI Regulation Stands in June 2026 (10 min read)
Colorado Repeals and Replaces Its AI Act: What SB 26-189 Actually Changes (9 min read)
The June 2026 US AI Executive Order: Cybersecurity, Frontier Models, and What It Means (8 min read)

AI risk transfer

The US is the front line of AI insurance exclusions

ISO/Verisk generative-AI exclusion endorsements took effect in January 2026, and carriers are adding AI carve-outs to general-liability, D&O, and E&O policies — while a standalone AI-liability market emerges. See how the coverage gap works.
