The United States does not have an AI law. It has a stack of instruments with wildly different legal force: executive orders that set policy direction but create no vendor obligations, OMB memoranda that bind federal agencies but not you, a voluntary risk framework under revision with no publication date, and a handful of state statutes the federal government is actively trying to kill in court. The seller's job is distinguishing what's legally binding from what's posture, and knowing which instrument your specific buyer operates under. A federal CAIO and a Colorado state agency CIO are living in almost unrelated regulatory realities.
You already carry a mental map of compliance patchworks. State breach notification. State privacy law. You know the shape. The AI regulatory structure borrows that shape but reverses the polarity: the federal layer is deregulatory, the state layer is regulatory, and your compliance instincts will mislead you in exactly the ways that matter in a buyer conversation.
The federal layer, deregulatory by design
The current federal AI posture took shape through two executive orders and one rescission.
On January 20, 2025, the administration rescinded Biden's EO 14110. That order had established AI safety reporting requirements, directed NIST to develop red-teaming standards, and imposed watermarking and transparency obligations on federal AI procurement. All of that is gone. The replacement, EO 14179 ("Removing Barriers to American Leadership in Artificial Intelligence"), framed AI regulation as a competitiveness obstacle. It created no new compliance obligations.
On December 11, 2025, EO 14365 established the framework that's currently operative. It did three things worth tracking. It directed the Commerce Department to evaluate state AI laws the administration considers "potentially unconstitutional." It created a DOJ AI Litigation Task Force to challenge those laws in federal court. And it directed NIST to revise the AI Risk Management Framework, specifically to remove references to misinformation, DEI, and climate change.
Those directives stand in various stages of completion as of today. The Commerce Department's evaluation was due March 11, 2026. It hasn't been published. Multiple legal analyses confirm this, including Holland & Knight (March 27) and Jenner & Block (May 7), both of which note the missed deadline without any public explanation. The DOJ Task Force became operational January 9, 2026, when AG Pam Bondi issued the establishing memorandum. Baker Botts' analysis provides useful context on the Task Force's scope and legal theories. The NIST AI RMF revision? Per NIST's own language in IR 8596, the framework is "currently in revision." No revised version has been published. AI RMF 1.0 (January 2023) and the Generative AI Profile AI 600-1 (July 2024) remain current, still containing the provisions the directive targeted.
The administration also released a National Policy Framework for AI on March 20, 2026. Legislative recommendations to Congress. Not binding. Does not create obligations. Your buyer may reference it. Know it exists. Know it doesn't do anything yet.
The net effect: requirements were removed, nothing replaced them, and the voluntary framework everyone references is mid-revision with no publication date. If your buyer is a federal agency, the executive orders shaped their policy environment. The compliance checklist came from the OMB memos.
- Rescission: Biden's EO 14110 is gone. Its safety reporting, red-teaming, and watermarking requirements went with it. No federal replacement exists.
- Current EOs: EO 14179 (January 2025) removed barriers. EO 14365 (December 2025) directed state law challenges and NIST RMF revision. Neither creates vendor compliance obligations.
- NIST AI RMF: Revision directed but unpublished. AI RMF 1.0 and AI 600-1 remain the de facto voluntary standard. The framework organizes AI risk management around four core functions: Govern, Map, Measure, Manage, across 19 categories and 72 subcategories. When your buyer says "we're mapping to the AI RMF," that's the structure they mean. No federal enforcement mechanism exists, but it's the risk management vocabulary agencies use because nothing else is available.
The OMB layer, where obligations actually live
Three OMB memoranda are active and create real obligations for federal agencies. These are the instruments your federal buyers are working under right now, and they generate the procurement requirements you'll encounter in RFPs.
| Memo | Issued | Focus | What it does |
|---|---|---|---|
| M-25-21 | Apr 3, 2025 | Governance | CAIO designation, AI governance boards, agency AI strategies, high-impact AI risk management, annual use case inventories |
| M-25-22 | Apr 3, 2025 | Acquisition | Standardized AI procurement, documentation requirements, risk assessments, transparency disclosures in solicitations after Oct 1, 2025 |
| M-26-04 | Dec 11, 2025 | Bias principles | Unbiased AI requirements supplementing M-25-21 governance; shapes high-impact AI evaluation criteria |
M-25-21 ("Accelerating Federal Use of AI through Innovation, Governance, and Public Trust") is the governance memo and the heaviest of the three. It requires agencies to designate a Chief AI Officer, stand up AI governance boards, develop agency AI strategies, implement minimum risk management practices for high-impact AI, and publish AI use case inventories annually. It created a single "high-impact AI" category, replacing the previous administration's multi-tiered classification. The 2025 Federal Agency AI Use Case Inventory shows 56 agencies submitted 3,611 use cases, with 445 designated high-impact. DHS published its M-25-21 compliance plan in September 2025, with the CIO serving as Chief AI Officer. Agencies had until spring 2026 to bring every high-impact system into compliance or shut it down. ML Strategies and PilieroMazza both provide useful secondary analysis of the memo's requirements.
M-25-22 ("Driving Efficient Acquisition of Artificial Intelligence in Government") is the procurement companion. It standardizes AI acquisition requirements across federal agencies, promotes American-made AI technologies, and applies to solicitations issued after October 1, 2025. Concretely: if you're responding to a federal AI-related RFP issued after that date, expect requirements for AI system documentation, risk assessments, and transparency disclosures that weren't in the template before. This memo is why those sections appeared in your solicitation.
M-26-04 ("Increasing Public Trust in Artificial Intelligence Through Unbiased AI Principles") is narrower than the other two. It adds bias-related governance requirements, directing agencies to ensure AI systems operate without improper bias. Think of it as a focused supplement to M-25-21's broader governance framework rather than a standalone compliance regime. Your buyer is less likely to reference it by name, but its principles show up in how agencies evaluate AI systems for the high-impact designation.
All three remain active on the OMB memoranda page as of this writing. None have been superseded.
When your federal buyer mentions their CAIO, their AI governance board, or their high-impact AI inventory, they're referencing M-25-21 compliance. When they mention procurement requirements for AI systems, they're in M-25-22 territory. These memos bind agencies, not vendors directly. They define the procurement environment you're selling into, though, which means they constrain you whether or not they technically apply to you.
- Binding on agencies: M-25-21 (governance), M-25-22 (acquisition), and M-26-04 (bias principles) create real obligations. CAIO designation, governance boards, use case inventories, high-impact AI risk management, standardized procurement language.
- Not binding on vendors: But they shape every federal AI procurement conversation you'll have. Your buyer's compliance requirements flow from these memos, and their RFP language reflects them.
The state layer, regulatory and under federal attack
While the federal government was removing AI requirements, states were creating them.
Colorado's SB 24-205 is the most significant and the most contested. It imposes duties on developers and deployers of "high-risk AI systems" to prevent algorithmic discrimination. Enforcement was originally set for February 2026, then delayed to June 30, 2026. Texas passed the Texas Responsible AI Governance Act (TRAIGA). Illinois enacted HB 3773, targeting AI in employment decisions. Each creates distinct compliance obligations within its jurisdiction.
Then the federal government started litigating against them.
On April 9, 2026, xAI filed suit in U.S. District Court for the District of Colorado challenging SB 24-205's constitutionality on First Amendment, Commerce Clause, vagueness, and Equal Protection grounds. On April 24, the DOJ filed a Complaint in Intervention (Case No. 1:26-cv-01515-DDD-CYC), alleging the law violates the Equal Protection Clause by effectively compelling developers and deployers to discriminate based on protected characteristics. This is the primary court filing and worth reading if you want to understand the federal argument. The court ordered enforcement paused. Colorado's AG agreed not to initiate enforcement pending a ruling on preliminary injunction. Jenner & Block's analysis (May 7, 2026) provides the clearest reconstruction of the DOJ's intervention and its relationship to the EO 14365 directive.
Meanwhile, Colorado's legislature is negotiating a replacement bill (SB 26-189) that would substantially rewrite the law, replacing broad algorithmic discrimination duties with narrower disclosure-and-transparency requirements. As Bloomberg Law reported, no bill has been formally introduced, and the session is scheduled to close May 13, 2026.
Something that matters for your account planning: the executive order directing preemption does not itself preempt anything. As Baker Botts noted in January 2026, until courts rule on federal preemption challenges, state laws remain fully enforceable. A bipartisan coalition of state attorneys general has formally opposed broad preemption. The legal fight will take years. State laws that aren't specifically enjoined by a court remain on the books and enforceable.
I want to be precise about what I don't know here: the Colorado replacement bill's final text, whether it will pass before session closes, how the preliminary injunction ruling will go, and whether DOJ will pursue similar challenges against Texas and Illinois. These are genuinely unsettled. Anyone who tells you they know how this resolves is guessing.
- State laws are real: Colorado, Texas, and Illinois have enacted AI-specific statutes with compliance obligations. More states are considering them.
- Federal challenge is real but slow: The DOJ is litigating, not legislating. Court outcomes are months or years away. Unenjoined state laws remain enforceable.
- Colorado is in active flux: Enforcement paused by court stipulation, replacement bill under negotiation, legislative session closing May 13, 2026. This will look materially different within weeks.
You know the shape from state privacy and breach notification law: federal layer sets the floor, states layer on top. For AI regulation, that instinct will steer you into the wrong conversation. The federal posture is actively deregulatory, rescinding requirements and litigating against states that create them. The states are the regulatory actors. The federal government is actively litigating to prevent states from building a floor. When your buyer raises AI compliance, your first question is which layer they're operating under, because a federal CAIO building an M-25-21 use case inventory and a Colorado deployer preparing for algorithmic discrimination duties share almost no regulatory content.
In the room
Your federal civilian buyer's CAIO mentions they're finalizing M-25-21 compliance and working through their high-impact AI inventory. They ask how your platform supports AI governance requirements.
You know what they're referencing. M-25-21 requires CAIO designation, governance boards, risk management for high-impact AI, and published use case inventories. They're using NIST AI RMF as their risk management vocabulary because OMB memos point to it and nothing else exists. The revised version hasn't shipped. They're working from AI RMF 1.0. At its root, their question is an identity question: which AI systems are authorized, who authorized them, what data are they accessing, and where's the governance trail? Their high-impact AI inventory is only as good as their ability to answer those questions for each system on it.
They are not thinking about Colorado's law. That belongs to a different buyer.
If you're across the table from a state agency or a company operating across state lines, the conversation flips entirely. That buyer may be tracking Colorado (paused but not dead), Texas, Illinois, and whatever their own legislature is considering. They want to know how you help them demonstrate compliance with algorithmic discrimination requirements, transparency obligations, or bias auditing duties that vary by jurisdiction. The identity question here is provenance and accountability: who deployed this AI system, what decisions did it make, what data did it touch, and can you produce that record when a regulator asks? The audit trail is the mechanism by which compliance gets demonstrated or doesn't. Full stop.
The governance question lands on identity infrastructure regardless of which regulatory layer is driving it. The federal buyer building an AI use case inventory and the state-regulated buyer preparing for an algorithmic discrimination audit need the same answers at the infrastructure level, even if they'd never describe it that way.
- Federal buyers: Operating under OMB memos, referencing NIST AI RMF, building governance structures. Ask about their CAIO, their high-impact AI inventory, their M-25-21 compliance timeline.
- State/local buyers: Tracking state-specific AI laws, assessing algorithmic discrimination liability, watching the preemption litigation. Ask which laws apply to their jurisdiction and whether they're planning for compliance even while litigation is pending. The ones who say "we're waiting to see what happens" are the ones who'll be scrambling when a court rules.
- Both rooms, same infrastructure question: Who authorized this AI system to do what it did, and where's the audit trail?
This article reflects the US AI regulatory landscape as of May 8, 2026. Colorado's legislative session closes May 13. The NIST AI RMF revision remains in progress with no publication date. Federal preemption litigation is in early stages. Each of these will change, and this piece will be updated when they do.
Things to follow up on...
- NIST AI RMF revision: NIST's preliminary draft Cybersecurity Framework Profile for AI (IR 8596) explicitly confirms the AI RMF is "currently in revision" per the AI Action Plan, but the revised framework has no announced publication date and the current AI RMF 1.0 remains operative.
- Colorado's replacement bill deadline: Colorado's legislature is negotiating SB 26-189 to substantially rewrite SB 24-205, but with no bill formally introduced and the session closing May 13, the law's future may be decided by the clock rather than the courts.
- NIST AI RMF safe harbors: Several state AI laws, including Colorado, Texas, and California, offer affirmative defenses for organizations that substantially comply with the NIST AI RMF, making a voluntary framework the closest thing to a compliance safe harbor in an environment where binding federal standards don't exist.
- DOJ's next preemption target: The DOJ's Complaint in Intervention against Colorado is its first litigation action under the AI Task Force, but legal analysts are watching whether similar challenges will follow against Texas TRAIGA and Illinois HB 3773.