⚠️ Time-sensitive content. Claims about executive order status, agency guidance standing, and state law enforceability reflect conditions as of May 2026. This lesson requires triggered accuracy review on any major federal or state development — executive order revocation or replacement, new agency rulemaking, or significant preemption ruling. Verify all claims against primary government sources before use in buyer conversations.
Three Categories, Three Different Legal Weights
Most buyer conversations collapse these categories, and that's where the confusion enters.
Executive orders are directives from the President to the executive branch. They bind federal agencies and their contractors to the extent the order specifies, but they carry no force against private entities unless implemented through agency rulemaking. They can be revoked by the next administration without congressional action — and they have been. An EO is not law. It is the President's instruction to the people who work for the President.
Agency guidance — OMB memos, NIST frameworks, agency-issued AI policies — is softer still. Guidance documents tell agencies how to interpret their existing authority. They are not legally binding on private parties and, in most cases, are not even binding on the agencies themselves in the way a regulation is. Courts have consistently held that guidance documents cannot create new legal obligations. They can, however, shape procurement requirements, which is where they acquire practical teeth in the federal market.
Enacted law — statutes passed by Congress and signed by the President, or state legislation signed by a governor — is the only category that creates enforceable legal obligations on private entities without the mediation of a procurement relationship. The United States currently has no comprehensive federal AI statute. That absence is the structural fact that explains everything else about this landscape.
The Current Federal Picture
[⚠️ Verify: EO status as of publication date]
The Biden administration's Executive Order 14110 (October 2023), which established broad AI safety and security requirements for federal agencies and directed agencies to develop sector-specific guidance, was revoked by Executive Order 14148 in January 2025. The current governing federal EO is Executive Order 14179, signed January 23, 2025, which directs agencies to develop AI action plans oriented toward removing barriers to AI deployment rather than imposing safety mandates. The policy orientation changed. The mechanism, executive direction to agencies, stayed the same.
OMB Memorandum M-25-21, issued April 2025, replaced the Biden-era M-24-10. Where M-24-10 required agencies to conduct impact assessments and implement minimum risk practices before deploying AI in high-impact contexts, M-25-21 emphasizes agency discretion and speed of adoption. The practical effect: federal agencies are no longer operating under a uniform minimum-floor framework for AI risk management. Individual agency policies now vary more than they did under the prior administration.
[⚠️ Verify: OMB memo status and any subsequent agency implementation guidance]
NIST AI RMF: The Framework That Survived
The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, is the one federal AI governance artifact that has survived the administration transition intact. It is voluntary, creates no legal obligations, and does not bind private entities. The structured vocabulary it provides — Govern, Map, Measure, Manage — has been adopted by enough agencies, procurement offices, and industry bodies that it functions as the de facto reference standard for AI risk management in the federal market.
It survived because it is a NIST publication issued under the agency's statutory mandate, not an artifact of any particular administration's policy agenda. It is also genuinely useful — which is rarer than it sounds in this space. Agencies reference it in RFIs and acquisition frameworks. Vendors reference it in capability statements. When a federal CISO asks whether a vendor's AI system is "compliant," they usually mean: does your documentation map to the AI RMF? The question has no legal answer, only a procurement one.
[⚠️ Verify: Current NIST AI RMF version; NIST has signaled updates and sector-specific profiles may be in development]
IDAM Concept Mapping
This landscape resembles a federated identity architecture with no root CA. You have multiple authorities — federal EOs, agency guidance, state statutes — each issuing "tokens" of varying validity, with no agreed trust hierarchy above them. The analogy holds for understanding why the landscape is fragmented: absent a root authority (enacted federal law), trust decisions get made locally. Where it breaks: in PKI, the chain of trust is mathematically verifiable and revocation propagates through defined mechanisms. In AI regulation, revocation is political and legal, and it does not propagate automatically. An agency that built procurement requirements around M-24-10 does not automatically update those requirements when M-25-21 replaces it. The endpoints don't self-update. That gap between policy change and operational reality is where your buyers are living.
The State Layer: Where Enforcement Bite Currently Lives
[⚠️ Verify: State law status, effective dates, and preemption litigation outcomes as of publication date]
In the absence of federal law, states have moved. The patchwork is uneven in both scope and enforceability.
Colorado SB 24-205 (the Colorado AI Act) is the most structurally significant state AI law currently in effect. Signed in 2024 with an effective date of February 1, 2026, it imposes obligations on developers and deployers of "high-risk AI systems" — defined by their use in consequential decisions in employment, housing, credit, and similar domains. Enforcement sits with the Colorado Attorney General. This is binding law with an enforcement mechanism. Vendors selling AI-enabled systems to Colorado state agencies, or to private entities subject to the Act, need to understand it as a compliance requirement, not a posture document.
Illinois enacted the Artificial Intelligence Video Interview Act earlier and has since expanded AI-related obligations through its AI Accountability Act. Enforcement is active.
Utah's AI Policy Act requires disclosure when consumers interact with AI systems but carries lighter enforcement weight than Colorado's framework.
California is the notable absence. SB 1047, which would have imposed broad safety obligations on foundation model developers, was vetoed by Governor Newsom in September 2024. California's AI regulatory activity since then has been sector-specific and fragmented rather than comprehensive.
Preemption status: As of this writing, no federal AI preemption statute has been enacted. Multiple legislative proposals in the 119th Congress include preemption language that would displace state AI laws, and litigation over the scope of implied preemption is active in at least two circuits. The outcome is genuinely pending. [⚠️ Flag for triggered update: any enacted federal preemption provision or significant circuit court ruling on AI preemption]
Colorado and Illinois currently have the most enforcement-credible state AI regimes. If your buyer is a state agency in either jurisdiction, or a vendor subject to those states' definitions of covered deployers, those laws are not posture — they are compliance requirements with AG enforcement authority behind them. A pending preemption claim does not void existing law.
What to Do With This Before Tuesday
When a federal agency CISO asks whether your AI product is "compliant," the honest answer is: compliant with what, specifically? There is no enacted federal AI law. NIST AI RMF attestation is a procurement signal, not a legal certification. If they mean agency-specific policy, that varies by agency and has shifted with the current OMB memo. Asking which framework they're using for their own AI governance will tell you more than any capability statement you could offer.
When a state government buyer cites a specific state AI law, treat it as you would any enacted statute — because that's what it is. Colorado and Illinois have real enforcement mechanisms. The preemption question is live but unresolved, which means those laws are operative now.
The map is fragmented because the root authority — federal statute — doesn't exist yet. Everything else is filling that gap with varying degrees of durability.