When a CISO says "we need to comply with federal AI requirements," the first question isn't what to do. It's what they mean. Because "federal AI requirements" could describe a legally binding obligation, a voluntary framework with real procurement consequences, or a revoked executive order that agencies are still citing out of institutional inertia. All three exist in the current US landscape, and conflating them in a buyer conversation will cost you credibility fast.
The United States has no comprehensive federal AI statute as of May 2026. What exists instead is a layered system of executive directives (time-limited, revocable, not law), voluntary frameworks (durable, influential, and increasingly embedded in procurement language), and state-level legislation (patchy, contested, and in some cases actively litigated). Buyers routinely overestimate what's actually binding. Sellers routinely underestimate how much the voluntary layer has calcified into procurement requirements. The state layer is where the genuine legal exposure currently lives.
Layer One: Executive Orders — What's Standing and What Isn't
[Time-sensitive claim. Verified against Federal Register and White House EO archive. Requires triggered update on any new federal AI directive.]
The Biden administration's Executive Order 14110 on Safe, Secure, and Trustworthy AI — issued October 2023 and widely cited as the foundational federal AI governance framework — was revoked by Executive Order 14148 on January 20, 2025. The Trump administration subsequently issued its own AI directive focused on removing regulatory barriers to domestic AI development and positioning the United States competitively against foreign AI programs. That order did not establish new compliance mandates for federal agencies or contractors; it directed agencies to revise or rescind rules that "unduly burden" AI development.
Any agency still referencing EO 14110 requirements in procurement documents or internal governance frameworks is operating on inertia, not current legal authority. This matters because you will encounter it. Federal IT shops move slowly, and policy documents referencing the Biden EO continue to circulate in agency corridors well past its revocation. When a buyer cites "EO compliance" without specifying which EO, that's a clarifying question worth asking — gently, because the answer may reveal that their compliance posture is built on a foundation that no longer exists at the federal level.
Executive orders also carry a structural limitation worth naming plainly: they bind the executive branch, not private entities. An EO directing agencies to assess AI risk doesn't create a legal obligation for a contractor or vendor unless it flows through a contract clause or agency rule. Most of EO 14110's vendor-facing provisions never made it through the rulemaking process before revocation.
Layer Two: NIST AI RMF — Voluntary With Teeth
The NIST AI Risk Management Framework, released in January 2023 and supplemented by a Generative AI Profile in 2024, is the surviving de facto standard for AI governance in the federal market. It is explicitly voluntary. It is also, in practice, unavoidable.
"Voluntary" in the NIST context means there is no statute requiring compliance and no regulatory penalty for ignoring it. What it doesn't mean is consequence-free. The AI RMF has been incorporated by reference into agency AI strategies, OMB guidance memos, and — increasingly — solicitation language in federal AI procurements. When an agency's AI strategy says it will "align with the NIST AI RMF," that alignment becomes a de facto requirement for any vendor trying to win that agency's business. The framework shapes what questions get asked in source selection, what documentation buyers expect, and what "responsible AI" means in the room where decisions get made.
The four core functions of the AI RMF — Govern, Map, Measure, Manage — map reasonably well onto the risk management vocabulary that federal CISOs already speak. NIST designed it to integrate with existing risk frameworks like the Cybersecurity Framework, and that shared lineage is visible in the structure. For your buyers, the RMF is the common language of AI governance conversations, regardless of whether it's legally required. Knowing it well enough to discuss it fluently is the baseline.
Layer Three: State Regimes — Who Has Enforcement Bite
[Time-sensitive claim. State legislative status subject to change. Requires triggered update on Colorado enforcement activity, California legislative developments, and federal preemption litigation outcomes.]
Colorado's AI Act (SB 205, signed May 2024, effective February 2026) is currently the most significant state AI law with active enforcement provisions. It applies to developers and deployers of "high-risk" AI systems — defined by consequential decision domains including employment, housing, credit, and government services — and requires documented risk assessments, bias audits, and consumer disclosure. The Colorado Attorney General has enforcement authority. That's a real obligation, not a policy aspiration.
California's legislative trajectory is more complicated. SB 1047, which would have imposed broad safety obligations on large AI model developers, was vetoed by Governor Newsom in September 2024. Subsequent California AI bills have been narrower in scope, targeting specific use cases rather than foundation models. As of publication, California has active AI transparency and automated decision-making bills in various stages, but no comprehensive enacted law with the enforcement profile of Colorado's.
The preemption question is live and unresolved. Several states with pending AI legislation have faced industry-backed arguments that federal law should preempt state AI regulation — mirroring the preemption battles fought over state privacy laws. Federal preemption legislation has been introduced in Congress but has not advanced to a floor vote. Until that changes, the state-by-state patchwork is the operative reality, and Colorado's law is the clearest example of what enforcement-capable AI regulation actually looks like in the US market.
Okta Concept Mapping
The US AI regulatory landscape maps most cleanly to a federated identity architecture with no authoritative root CA. Multiple issuers — federal EOs, NIST, state legislatures — are each asserting governance authority, and there's no single trust anchor to resolve conflicts between them. The analogy holds up to a point: like federated identity, each layer has its own scope and its own enforcement mechanism. Where it breaks is that federated identity at least has a protocol for resolving trust conflicts. US AI regulation doesn't. When Colorado's requirements conflict with a future federal standard, there's no SAML assertion that settles it — there's litigation.
What This Means Before Tuesday
When a buyer's general counsel asks whether your AI product is "federally compliant," the honest and useful answer has three parts: compliant with what specific requirement, because the EO landscape has changed materially in the past 18 months; aligned with NIST AI RMF, which is the voluntary standard that procurement language is increasingly built around; and subject to state-level obligations that vary by where the system is deployed and what decisions it influences.
The buyer who asks this question is usually trying to understand their exposure, not test your knowledge. Binding, voluntary, and contested carry different weight, and drawing those distinctions accurately is what makes you useful to a buyer who needs to brief their own legal team. A confident answer that collapses under the first follow-up question from their GC is worse than a careful one.
This lesson requires triggered accuracy review on any major federal AI directive, Colorado enforcement action, or federal preemption legislative development. Verification date: May 2026.