How to build an AI compliance programme in the US with no federal law
US AI compliance 2026: what to do when there are no clear rules
The companies that will have the hardest time when the rules are clarified are the ones that used the uncertainty as a reason to do nothing.
If you’re running a business in the US and trying to build a sensible AI compliance programme, you’re working without a stable target. The rules keep shifting, and they’re shifting in different directions at the same time.
There’s no federal AI law. The Biden administration’s 2023 executive order, which at least gave companies something concrete to work toward, was revoked on the first day of the Trump administration in January 2025. The replacement executive order, signed in December 2025, is primarily focused on telling states to back off rather than telling companies what to do. And the White House’s March 2026 legislative framework, which outlines what a federal AI law might eventually look like, is a recommendation to Congress, not a law.
Meanwhile, states are moving fast. Colorado, California, Texas, Illinois, and others have passed or are implementing AI-specific statutes, and more are coming. The federal government is actively trying to preempt some of those laws, but courts haven’t settled the question of whether executive orders can actually do that. So you may be complying with a state law that the federal government is simultaneously trying to nullify, and no one knows yet who wins.
This is not a comfortable place to build a compliance programme. But it’s the place you’re in, and waiting for the picture to clear is not an option. Companies that haven’t started are already behind.
Understand what enforcement actually looks like right now
The absence of a federal AI law doesn’t mean there’s no federal enforcement.
The FTC has been bringing AI-related enforcement actions since 2024 under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. It doesn’t need an AI-specific law to do this. Its Operation AI Comply campaign brought five cases in September 2024 alone, targeting companies that made false claims about AI capabilities, used AI to generate fake reviews, or misrepresented what their AI products could actually do. In 2025, the agency brought at least a dozen more cases along the same lines, covering companies that overstated AI sophistication, attributed capabilities to AI systems that the technology couldn’t support, and made earnings claims tied to AI tools without substantiation. The FTC’s position has been consistent across administrations: there is no AI exemption from existing consumer protection law.
The same logic applies across the regulatory stack. The CFPB has applied existing credit and consumer financial protection rules to AI-driven decision-making. The EEOC has issued guidance on AI in hiring, and the SEC has pursued AI-washing cases against public companies. State attorneys general are using broad unfair and deceptive acts and practices statutes to investigate AI-related conduct, and those statutes are powerful tools because they often allow per-violation penalties without needing to prove individual harm.
The picture is the same regardless of which agency you’re looking at: even with no federal AI law, you face real enforcement exposure from multiple directions, under legal authorities that have been in place for decades.
Keep reading with a 7-day free trial
Subscribe to The AI Governance Playbook to keep reading this post and get 7 days of free access to the full post archives.
