The US AI regulatory landscape as of May 2026 consists of one active federal executive order with limited implementing mechanisms, one voluntary framework with significant procurement teeth, and a set of state-level regimes whose enforceability is actively contested in court. Nothing at the federal level constitutes comprehensive AI legislation. That single fact shapes every governance conversation you will have with a federal buyer, a CISO, or agency counsel — and the distinction that anchors all of it is this: executive orders direct federal agencies; they do not create legal obligations for private companies, and they do not preempt state law.
The Federal Layer: What Directs, What Governs, What Remains
EO 14110 is gone. The Biden administration's October 2023 executive order on AI — which directed agencies to develop risk assessments, required developers of dual-use foundation models to share safety test results with the federal government, and tasked NIST with developing evaluation standards — was revoked on January 20, 2025, the first day of the Trump administration's second term. Its provisions are not operative. Do not treat them as a compliance baseline.
The replacement, Executive Order 14179, signed January 23, 2025 and titled "Removing Barriers to American Leadership in Artificial Intelligence," directed the Office of Science and Technology Policy to develop an AI Action Plan within 180 days, rescinded the prior administration's AI governance infrastructure, and established a policy preference for innovation over precautionary regulation. The OSTP Action Plan was published in July 2025. It is a policy document. It does not create enforceable obligations for federal contractors or private entities.
EO 14179 does not establish a compliance framework, does not create reporting requirements, and does not preempt state AI laws. An executive order cannot do any of those things without congressional authorization. When a buyer asks whether their agency is "required" to follow the Trump AI policy, the honest answer is that federal agencies are directed to align with it; contractors are not legally required to comply with it as a standalone matter, though agency-specific implementing guidance may create contractual obligations in individual procurements.
NIST AI RMF 1.0 is the framework that survived the transition intact, because it was never an executive order provision — it's a voluntary framework published by the National Institute of Standards and Technology in January 2023. "Voluntary" means it carries no independent legal mandate. Procurement weight is another matter. OMB guidance issued in 2024 referenced the AI RMF as a preferred framework for federal agency AI governance, and that reference has persisted in agency AI acquisition language even as the broader Biden-era EO structure was dismantled. If a federal contract includes AI governance requirements, there is a reasonable probability that the RMF's core functions — Govern, Map, Measure, Manage — appear in the statement of work or evaluation criteria. Contractual, not regulatory. In practice, harder to ignore.
The State Layer: Three Active Fronts, Different Enforceability
Colorado is the furthest along. SB 24-205, the Colorado AI Act, was signed in May 2024 and became effective February 1, 2026. It applies to developers and deployers of high-risk AI systems and requires impact assessments, disclosure obligations, and bias audit mechanisms for covered systems. It is currently in force. Industry groups filed suit in the District of Colorado in March 2026 challenging the law on dormant Commerce Clause grounds, arguing that Colorado cannot effectively regulate AI systems that operate across state lines. As of this writing, no preliminary injunction has been granted; the law's requirements apply to covered entities unless and until a court orders otherwise. [Verification note: litigation status as of May 5, 2026 — requires primary court record confirmation before publication.]
California presents a more fragmented picture. SB 1047, the sweeping foundation model safety bill, was vetoed by Governor Newsom in September 2024. What followed was not a retreat but a disaggregation: the legislature passed several narrower bills in 2025 addressing specific AI applications — automated decision systems in employment, synthetic media disclosure, and AI use in healthcare triage. These are in force. California does not currently have a comprehensive AI governance law equivalent to Colorado's, but the sector-specific bills create real obligations in covered contexts. The preemption question in California is less about a single law and more about whether the accumulation of sector-specific requirements creates de facto comprehensive regulation that federal courts might eventually address.
Texas passed HB 1709 in its 2025 legislative session, establishing disclosure requirements for AI-generated content in political advertising and requiring state agencies to publish AI use inventories. The law is in force for its covered provisions. Texas has not enacted a broad private-sector AI governance regime comparable to Colorado's, and the current legislative posture suggests it is unlikely to do so in the near term. The preemption exposure in Texas is lower than in Colorado or California precisely because the scope is narrower.
What a Federal Buyer Actually Asks
A federal agency CISO, three weeks before contract award, asks which AI governance framework the vendor is "required" to follow. There is no single legally mandated framework for federal AI contractors at the general level — compliance obligations flow from specific contract language, not from the executive order. If the contract references the NIST AI RMF, that reference is enforceable as a contractual term, not as independent regulation. And if the vendor operates in Colorado or California, state-level obligations may apply regardless of the federal contract's framework requirements — two regimes that are not fully harmonized with each other.
The CISO who asks this question is not confused. They are testing whether the vendor knows the difference between a directive and a mandate. Vendors who conflate the two rarely get a second chance to clarify.
Okta Concept Mapping
NIST AI RMF functions like an identity governance policy document: it defines what good practice looks like, it gets referenced in audits and procurement questionnaires, and it carries real weight in vendor evaluations — but it does not technically enforce anything. The analogy holds up to a point. In identity governance, you can eventually close the gap between policy and enforcement through technical controls — deny the access request, revoke the token, block the login. The NIST AI RMF has no equivalent gate. Compliance is demonstrated through documentation and attestation, not through a system that blocks a non-compliant model from deploying. The enforcement mechanism is procurement consequence — lose the contract, fail the audit — not access control. When a buyer asks whether their AI governance framework is "enforced," the honest answer is: by contract, not by architecture.
This piece is a preview/demonstration. All regulatory status claims require verification against primary government sources — Federal Register entries, official agency publications, and court records — before publication. Time-sensitive claims about executive order status, agency guidance standing, and state law enforceability are subject to triggered accuracy review upon any major federal or state development.