Practical AI and SaaS for Business

Which Federal Agency Regulates Your AI

US AI regulation isn't centralised in one agency, it's split across several, each with jurisdiction over a specific use case, not AI generally. This guide maps common AI use cases to the federal agency that actually has authority over them.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You're building a 10-person health-tech startup with an AI symptom-checker feature, and you know AI regulation exists but have no idea which of the many US federal agencies actually has authority over your specific product. This guide maps common AI use cases to the agency that actually regulates them, so you can have the right compliance conversation instead of a generic one. No legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

There's no single US federal agency with general authority over AI, jurisdiction follows the use case, not the technology. The same underlying AI model can fall under a completely different regulator depending on whether it's screening job applicants, scoring credit applications, or answering a health question, and knowing which agency actually applies to your specific product is more useful than tracking AI regulation generally.

In short: US federal AI oversight is sector-based. The FTC covers unfair or deceptive AI claims generally. The EEOC covers AI in hiring and employment decisions. The CFPB covers AI in credit and lending decisions. The FDA covers AI that diagnoses, treats, or monitors patients as a medical device. Identify which category your AI use case falls into first, that tells you which agency's rules actually apply.

The plain-English answer

Start with what your AI tool actually does, not what industry you're in generally. A health-tech company's AI symptom-checker is regulated differently from the same company's AI-powered internal scheduling tool, because one makes health-related claims about a patient's condition and the other doesn't. Map the specific function, not the company, to find the right agency.

Why this matters for your business

A 10-person health-tech startup building a symptom-checker feature is easy to imagine getting this wrong in either direction, either assuming general AI news coverage (usually about the FTC or state privacy laws) covers their situation completely, or assuming health-related regulation is so complex it's not worth engaging with specifically. Neither is right. The FDA has a defined, navigable pathway for AI-enabled medical software, and knowing that early shapes product decisions, not just a compliance afterthought bolted on before launch.

The use-case-to-agency map

General consumer-facing claims about your AI product: the FTC, under Section 5 of the FTC Act, has authority over unfair or deceptive claims about what your AI does, regardless of industry. See our guide on what makes an AI claim unfair or deceptive.

AI in hiring, screening, or employment decisions: the EEOC has authority under Title VII, focused on whether a facially neutral AI tool produces disparate impact against a protected group. See our guide on EEOC guidance on AI hiring and adverse impact.

AI in credit, lending, or financial decisions: the CFPB has authority under ECOA and Regulation B, focused on whether adverse action notices give applicants specific, accurate reasons. See our guide on CFPB guidance on AI credit adverse action notices.

AI that diagnoses, treats, monitors, or otherwise functions as a medical device: the FDA regulates AI-enabled medical devices as Software as a Medical Device (SaMD), classified by risk level (Class I, II, or III), with most AI/ML-enabled SaMD going through the 510(k) premarket pathway as moderate-risk devices. A symptom-checker that provides a diagnosis or treatment recommendation is very likely to fall into this category, one that simply routes a patient to the right department generally isn't.

What this looks like in practice

Picture the health-tech founder, aware of AI regulation in a general sense from industry news but not having mapped their specific symptom-checker feature to a specific agency. Working through the use cases, the feature's core function, taking in reported symptoms and suggesting a likely condition or next step, sits squarely in FDA's SaMD territory, not a general FTC or state-privacy question.

That reclassification changes the founder's whole approach: rather than a general privacy policy review before launch, the product roadmap now includes the FDA's risk classification process and, depending on the feature's exact function, a 510(k) submission timeline built into the launch plan from the start. Catching this early, before development is finished, avoids the far more expensive scenario of building a feature that then needs significant rework to fit a regulatory pathway nobody planned for.

What you can do about it

A practical process for identifying your real regulatory exposure:

  • List each distinct function your AI product performs, not just the product as a whole, different features can trigger different agencies.
  • For each function, ask: does this make a claim to a consumer, does it affect hiring or employment, does it affect credit or lending, does it diagnose or treat a health condition.
  • Map each function to the corresponding agency using the categories above, rather than assuming one generic "AI regulation" umbrella covers everything.
  • For anything touching health, diagnosis, or treatment specifically, engage with the FDA's SaMD framework early in development, not right before launch.
  • Revisit this mapping whenever you add a new AI feature, the agency that applies can change even within the same product.

If none of your AI use touches a specific regulated category like these, general good practice around AI risk, like the NIST AI Risk Management Framework, is still worth engaging with voluntarily.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Try our free AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Can more than one federal agency have jurisdiction over the same AI tool?

Yes. An AI hiring tool used by a financial services firm could touch both EEOC (the hiring decision) and other sector-specific financial regulators (depending on the role), and a health-tech company's AI feature could touch both FDA (if it functions as a medical device) and FTC (for its marketing claims about the feature) simultaneously.

What if my AI tool doesn't clearly fit any of these categories?

The FTC's general authority over unfair or deceptive practices is the broadest catch-all, most consumer-facing AI claims fall under it even without a more specific sector regulator also applying. Start there if nothing else clearly fits.

Does state law add another layer on top of federal agency jurisdiction?

Yes, state laws like California's CPRA/ADMT rules or New York City's Local Law 144 apply independently of federal agency jurisdiction, based on where your customers or candidates are, not instead of it. Check both layers, not just one.

How do I find out if the FDA considers my specific feature a medical device?

The FDA's own guidance on AI-enabled medical devices is the starting point, and for a genuinely borderline case, a pre-submission conversation with the FDA itself is a real, available option before committing to a full development path, worth doing earlier rather than later.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Not sure which US state laws also apply to your AI tool?

Check the state law picture