Practical AI and SaaS for Business

AI Governance in the United States: Who Oversees AI and What Businesses Need to Know

The United States has no single federal AI law. What it has is a patchwork of agency enforcement actions, a voluntary federal framework, and a growing set of state-level laws that apply to AI use in ways that vary by state. This guide maps who does what in US AI governance and what it means for businesses using AI tools.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

In short: The US approach to AI governance is sector-led and fragmented. No single federal AI law covers all AI use. The FTC enforces against deceptive AI practices under existing consumer protection powers. NIST has published a voluntary AI Risk Management Framework. State laws, particularly in California, add binding requirements in certain contexts. For businesses using AI tools, the practical questions centre on FTC expectations, state privacy law obligations, and sector-specific rules in areas like healthcare, finance, and employment.

This article describes the US AI governance landscape as it exists at June 2026. US AI policy has moved quickly and the regulatory posture of federal agencies has shifted significantly since 2023. Readers should verify current agency positions and any legislative developments directly with primary sources, as this is one of the fastest-moving regulatory environments globally.

This article does not provide legal advice. The FTC, NIST, and relevant state agencies are the authoritative sources for US AI governance. For legal obligations in a US context, consult a US-qualified attorney.

The US Regulatory Landscape: No Single AI Law

Unlike the European Union, which passed the EU AI Act as binding horizontal legislation, the United States has not enacted a federal AI-specific law. The current framework for AI governance at the federal level consists of:

  • Existing agency enforcement powers applied to AI: The FTC, EEOC, CFPB, and other agencies use their existing mandates to address AI practices that fall within their jurisdiction. No new legislation was required for this; it uses authority these agencies already had.
  • Voluntary guidance and frameworks: The NIST AI Risk Management Framework (AI RMF 1.0, published January 2023) is the primary federal framework for AI risk management. It is voluntary, not legally binding, but widely referenced in procurement, contracts, and sector guidance.
  • Executive actions: Presidential executive orders have shaped federal AI policy, though these are subject to change between administrations. The regulatory posture of federal agencies on AI has evolved significantly since 2023.
  • State-level laws: Individual states have enacted or proposed AI-related laws covering areas including automated decision-making, employment AI, facial recognition, and consumer privacy. California, Colorado, Texas, and Illinois are among the most active states.

Key Federal Bodies: What They Oversee

Federal Trade Commission (FTC): The FTC has the broadest AI enforcement mandate of any US federal agency. Under its authority to prevent unfair or deceptive acts and practices (Section 5 of the FTC Act), the FTC has addressed: AI-generated deceptive content and fake reviews, AI tools that discriminate against consumers in ways that constitute unfair practices, biometric data collection and AI surveillance, and claims about AI capabilities that are false or misleading. The FTC has published guidance for businesses on AI: ftc.gov.

NIST (National Institute of Standards and Technology): NIST published the AI Risk Management Framework (AI RMF 1.0) in January 2023. The framework provides voluntary guidance for organisations to manage AI-related risks across four functions: Govern, Map, Measure, and Manage. It is not a compliance requirement but is referenced in federal procurement requirements and increasingly used as a baseline for AI risk management by US businesses. The AI RMF and supporting resources are available at: nist.gov.

EEOC (Equal Employment Opportunity Commission): The EEOC has published guidance on how existing employment discrimination law applies to AI-assisted hiring and employment decisions. AI tools used in recruitment, performance assessment, and termination decisions must comply with federal non-discrimination requirements under Title VII, the ADA, and the ADEA, regardless of whether the discrimination is caused by an algorithm or a human.

CFPB (Consumer Financial Protection Bureau): The CFPB oversees AI use in credit decisions, loan approvals, and other financial services. Existing laws including the Equal Credit Opportunity Act (ECOA) and the Fair Credit Reporting Act (FCRA) apply to AI systems used in lending.

State-Level AI Laws: The Patchwork Layer

US state-level AI legislation is active and expanding. Key frameworks as at June 2026:

  • California: The California Privacy Rights Act (CPRA) includes rights related to automated decision-making. California has been the most active state in proposing AI-specific legislation, with various bills addressing algorithmic accountability, AI transparency in employment, and AI safety for advanced models. The California AI legislation landscape is rapidly evolving; check the California Legislative Information database for current status.
  • Colorado: Colorado's SB 23-169 (signed 2023) addressed AI use in insurance underwriting. Colorado has been an early mover on AI-specific regulation in specific sectors.
  • Illinois: The Biometric Information Privacy Act (BIPA) predates current AI discussions but applies to AI systems that collect biometric data, including facial recognition. Illinois has seen significant BIPA litigation related to AI and workplace biometrics.
  • Texas: Texas has enacted AI-specific laws addressing algorithmic discrimination in credit and insurance decisions.

State AI laws are multiplying rapidly. For businesses operating across multiple US states, monitoring state legislative activity is an ongoing operational requirement. The National Conference of State Legislatures (NCSL) tracks state AI legislation: ncsl.org.

Sector-Specific Frameworks

Much of the binding US AI regulation operates at the sector level, applying existing law to AI systems:

  • Healthcare: AI tools used in clinical decision support, diagnosis, or medical devices are subject to FDA oversight. The FDA has published frameworks for AI-enabled medical devices. HIPAA applies to AI systems that process protected health information.
  • Financial services: The CFPB, OCC, and other financial regulators have published guidance on AI in credit, lending, and financial services. Explainability requirements (right to explanation for credit decisions) apply under ECOA and FCRA.
  • Employment: EEOC guidance on AI in hiring is in force. Several states have enacted additional employment AI transparency requirements.
  • Education: FERPA applies to AI systems that process student educational records.

What This Means for Businesses Using AI Tools

For businesses operating in or selling to the US market, the practical AI governance questions are:

  • Are your AI-related marketing claims accurate? The FTC applies its existing deceptive practices authority to claims about AI capabilities. Overstating what AI tools do, or using AI-generated content deceptively, is within FTC enforcement scope.
  • Are your AI-assisted employment decisions compliant with federal and state non-discrimination law? AI tools used in hiring, performance management, or termination do not create an exemption from employment discrimination requirements. The EEOC's AI and EEO guidance is the starting point.
  • Which US states do your customers or operations touch? State privacy and AI laws vary. California's CPRA automated decision-making rights are different from Illinois BIPA biometrics obligations. A single national approach is insufficient.
  • What sector-specific rules apply? Healthcare, financial services, education, and other sectors have regulatory frameworks that apply to AI systems operating in those fields.

Comparing the US Approach to Other Regions

The US approach contrasts markedly with the European Union's AI Act, which imposes binding, horizontal risk-based requirements across all sectors. The UK takes a principles-based, sector-led approach similar in philosophy to the US. Canada is progressing proposed legislation that would combine privacy reform with new AI regulation. Australia's approach focuses on existing Privacy Act obligations and voluntary guidance, with reforms progressing.

For businesses operating across multiple jurisdictions, the EU AI Act is the most prescriptive and has the broadest extraterritorial reach. Our regional hub page covers all major jurisdictions in one place: AI Governance by Region.

Australian Businesses Using US AI Tools

For Australian businesses, US-hosted AI tools create a separate layer of obligation under Australian law regardless of the US regulatory picture. When personal information about Australian individuals is sent to a US-based AI service, the Privacy Act 1988 APP 8 (cross-border disclosure) applies. The OAIC has published guidance on what this requires: AI and the Privacy Act in Australia. A common starting point for Australian businesses is understanding what happens to data entered into tools like ChatGPT: What Happens to Your Customer Data in ChatGPT.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified in AUD at the vendor's published rates or converted at current exchange rates. Compliance notes reference the legislation and regulatory guidance relevant to each article's scope. Tools are assessed for suitability by a business with no dedicated IT department.

Is there a federal AI law in the United States?

As at June 2026, the United States has not enacted a single federal law specifically governing AI across all sectors. AI is regulated through existing agency powers (FTC, EEOC, CFPB, FDA, and others applying existing law), voluntary frameworks (NIST AI RMF), and a growing set of state-level laws. Federal AI legislation has been proposed and discussed but had not been enacted into comprehensive federal law as at the time of writing. Verify current legislative status directly.

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework published by the US National Institute of Standards and Technology in January 2023. It provides guidance for organisations on how to identify, assess, and manage AI-related risks across four core functions: Govern, Map, Measure, and Manage. It is not legally binding but is widely referenced in US federal procurement requirements, enterprise AI governance programmes, and international standards discussions. The full framework is available at nist.gov.

How does the FTC regulate AI in the United States?

The FTC uses its existing authority under Section 5 of the FTC Act to address AI practices it considers unfair or deceptive. Enforcement areas have included: false or misleading claims about AI capabilities, AI-generated fake reviews and deceptive content, biometric data collection without disclosure, and AI systems used in ways that constitute unfair business practices. The FTC has also published business guidance on AI claims and responsible AI practices. The FTC does not require AI systems to be registered or approved, but businesses that use AI in ways that are deceptive or unfair are within its enforcement scope.

Do US state privacy laws apply to AI tools?

Yes. Several US states have privacy laws that include rights related to automated decision-making, profiling, and AI-driven decisions. California's CPRA is the broadest, including opt-out rights for automated decision-making. Illinois BIPA applies to biometric data collected or processed by AI systems. Colorado, Virginia, Connecticut, and other states have enacted privacy laws with varying AI-related provisions. For businesses operating across multiple states, the state law patchwork requires state-by-state analysis. The NCSL tracks state AI and privacy legislation.

How does US AI governance compare to the EU AI Act?

The EU AI Act is binding, horizontal legislation that categorises AI systems by risk level and imposes specific obligations on high-risk systems. The US has no equivalent federal law. US AI governance operates through existing agency enforcement, voluntary frameworks, and state laws. The US approach is generally described as pro-innovation and principles-based, relying on existing legal authorities rather than new AI-specific legislation. For businesses subject to both US and EU requirements, the EU AI Act's requirements tend to be the more prescriptive and require dedicated compliance attention.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Navigating AI governance across multiple regions? Our global AI governance hub maps the regulatory landscape for the US, UK, EU, Canada, and Australia in one place.

See AI Governance by Region