⚠ PREVIEW/DEMONSTRATION VERSION — Accuracy-sensitive claims below are illustrative placeholders. Production publication requires verification against primary government sources (Federal Register, official agency publications, state legislative records, court filings) within the publication cycle. All [ACCURACY FLAG] notations mark claims requiring triggered review before live publication.
The United States has no comprehensive federal AI statute. That sentence is the foundation of everything else in this lesson, and it is the sentence most likely to get lost in a buyer conversation where the word "compliance" is doing a lot of work.
What exists instead is a layered structure: executive orders that direct federal agencies but create no private rights of action, voluntary frameworks that carry real procurement weight without legal authority, and a patchwork of state laws with varying enforcement mechanisms and uncertain longevity. Each layer behaves differently. Treating them as equivalent is the mistake that produces confident-sounding compliance claims that don't survive a follow-up question.
Federal Executive Orders: What They Do and Don't Do
An executive order is a directive to the executive branch. It tells agencies what to do. It does not create obligations for private companies, does not establish a right of action for injured parties, and can be revoked by the next administration without congressional action.
The Biden administration's EO 14110 (October 2023) directed agencies to develop AI safety standards, establish reporting requirements for frontier model developers, and coordinate on AI risk management across the federal enterprise. It was substantive and operationally significant for agencies implementing it. It was revoked by EO 14148 in January 2025. [ACCURACY FLAG — verify revocation status and effective date against Federal Register; corroborate via Federal News Network or Nextgov/FCW. Verification date: May 2026.]
The current federal AI policy direction flows from EO 14179 (January 2025), which reoriented federal AI posture toward removing barriers to American AI development and directed agencies to revise or rescind guidance issued under EO 14110 that was inconsistent with the new policy. [ACCURACY FLAG — verify current operative EOs and any subsequent OMB implementation guidance against Federal Register and OMB.gov. Verification date: May 2026.]
In practice, when a federal buyer tells you their agency is "compliant with the AI executive order," the first question is which one, and the second is what the agency actually did in response to it. Compliance with a directive to develop an internal risk management process is not the same as compliance with a statutory requirement. The former is an internal posture; the latter is an enforceable obligation. Most federal AI "compliance" claims right now are the former.
NIST AI RMF: Voluntary With Teeth
The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) is a voluntary framework. NIST says so explicitly. It does not carry the force of law, and no federal statute currently mandates its adoption. [ACCURACY FLAG — verify against NIST AI RMF 1.0 document and NIST.gov; corroborate with current OMB AI procurement guidance. Verification date: May 2026.]
"Voluntary" is doing less work than it appears to, though. Federal procurement guidance increasingly references the AI RMF as a baseline for evaluating AI systems in agency acquisitions. Several agencies have incorporated AI RMF alignment into solicitation requirements. State AI legislation in Colorado and elsewhere explicitly references NIST frameworks as compliance pathways. [ACCURACY FLAG — verify specific agency procurement guidance citations and state law references against primary sources. Verification date: May 2026.]
This is the pattern that makes "voluntary" misleading in practice: a framework that appears in enough procurement vehicles, enough agency guidance documents, and enough state compliance pathways starts to behave like a de facto requirement even without statutory authority. The NIST AI RMF has reached that point. NIST has also published supplementary guidance, including a Generative AI Profile (NIST AI 600-1, 2024), which addresses risks specific to large language models and has been referenced in agency AI governance discussions. [ACCURACY FLAG — verify current status and agency adoption of NIST AI 600-1 against NIST.gov and agency publications. Verification date: May 2026.]
State Laws: Enforcement Bite and Preemption Risk
Several states have enacted AI legislation with actual enforcement mechanisms. Colorado's SB 205 (signed May 2024, effective February 2026) imposes obligations on developers and deployers of high-risk AI systems, including impact assessments and disclosure requirements, enforced by the state Attorney General. [ACCURACY FLAG — verify current enforcement status, any amendments, and any pending litigation against Colorado legislative record and AG office publications; corroborate via Law360 or Reuters Legal. Verification date: May 2026.]
Other states have active AI legislation at various stages. The preemption question — whether federal AI legislation, if enacted, would displace state law — is live and unresolved. No federal AI statute currently preempts state law because no comprehensive federal AI statute exists. [ACCURACY FLAG — verify current federal legislative status, including any enacted or pending preemption provisions, against Congress.gov and credible legal press. Verification date: May 2026.] Industry groups have challenged some state AI requirements; the litigation landscape is moving. Frame any state law's enforceability as current-status, not settled.
State AI laws with enforcement mechanisms are real compliance obligations for companies operating in those states. They are also subject to change. A buyer's compliance team treating Colorado SB 205 as a hard requirement is correct to do so today. Whether that remains true in 18 months depends on litigation and federal legislative activity that is genuinely uncertain.
The Scenario You'll Encounter
A federal agency buyer says their organization is "compliant with AI regulations." The calibrated follow-up isn't skepticism — it's precision. Which framework are they referencing? Is it an internal policy aligned to the AI RMF, an agency-specific directive, or an actual statutory requirement? What does their compliance program actually require of vendors? The answer shapes what your conversation needs to cover.
Most federal AI compliance programs right now are voluntary framework alignment dressed in compliance language. That's an accurate description of where the regulatory environment stands, not a criticism of the compliance teams doing real work against real guidance. The guidance just doesn't carry the same legal weight as a BAA or a FedRAMP authorization.
Okta Concept Mapping
The current US AI regulatory structure resembles the pre-FICAM era of federal identity policy: a landscape of agency-specific guidance, voluntary frameworks, and OMB memos that carried real procurement weight without statutory authority. Where the analogy holds: voluntary frameworks with procurement leverage behave like de facto mandates even without legal teeth, exactly as HSPD-12 and early FICAM guidance did before the statutory and regulatory consolidation arrived. Where it breaks: FICAM eventually consolidated into binding FedRAMP requirements and NIST 800-63 as a hard reference in federal identity policy. US AI regulation has not made that consolidation move. Whether it does, and on what timeline, is the genuinely open question. The break is the lesson. Don't let the analogy carry the reader past it.
This lesson covers horizontal US federal and state AI regulatory structure only. EU regulation is addressed in Lesson 5. Sector-specific regimes — HIPAA, GLBA, FedRAMP — are addressed in Lesson 7.
Triggered accuracy review required upon: new federal AI executive order signed or prior order revoked; federal AI legislation enacted or materially advanced; significant state AI law enacted, enjoined, or struck down; preemption ruling issued in active AI-related litigation; material NIST AI RMF update published.