Which US Agencies Actually Enforce AI Rules
Introduction
There is no single federal AI regulator in the United States. Instead, government AI oversight is distributed across a patchwork of existing agencies, each applying its own mandate to artificial intelligence within its domain. The Federal Trade Commission pursues deceptive AI claims, the SEC scrutinizes algorithmic disclosures, and the FDA regulates AI-powered medical devices, all under different statutes with different enforcement mechanisms. For technology professionals and founders, this fragmented AI compliance landscape creates genuine confusion about who holds the authority to investigate, fine, or ban specific AI conduct. The gap between perceived risk and actual enforcement exposure is where costly mistakes happen.
The Agencies With Real Enforcement Power
AI regulation by federal agencies in the US is not theoretical. Several agencies have already taken concrete action against companies deploying AI irresponsibly, using existing consumer protection, securities, and health safety laws as their legal basis. Understanding each agency's scope is essential for anyone building AI-powered products or integrating them into business operations.
FTC: The Broadest Jurisdiction Over AI Conduct
The Federal Trade Commission is the closest thing to a general-purpose AI enforcer the US currently has. Its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, gives it sweeping latitude to pursue AI-related enforcement actions across virtually any consumer-facing industry. The FTC has used this power aggressively in recent years.
Deceptive AI claims: Companies that overstate what their AI products can do face FTC action, as seen in cases against health screening tools and surveillance products that made unsubstantiated accuracy claims.
Algorithmic discrimination: The FTC has signaled that AI systems producing discriminatory outcomes in lending, housing, or hiring constitute unfair practices under existing law.
Data collection for AI training: Firms scraping or misusing consumer data to build AI models without adequate consent have faced enforcement, including orders to delete both the data and the models trained on it.
AI-generated fraud: FTC AI enforcement now extends to deepfakes, synthetic reviews, and AI-powered scam operations targeting consumers.
Dark patterns in AI interfaces: Manipulative AI-driven design choices that trick users into subscriptions or data sharing fall under the Commission's enforcement umbrella.
SEC: AI Accountability in Financial Markets
The Securities and Exchange Commission approaches AI through the lens of investor protection and market integrity. SEC AI disclosure requirements center on whether public companies are accurately representing their use of AI to investors, or whether they are engaged in what the Commission has termed "AI washing." In 2024, the SEC settled charges against multiple investment advisors who falsely claimed their platforms used sophisticated AI to guide investment decisions. These were not complex technical prosecutions; they were straightforward fraud cases where AI served as the deceptive claim. For companies in fintech or any publicly traded firm touting AI capabilities, the SEC's message is clear: if you tell investors your product runs on AI, your disclosures had better withstand scrutiny.
Sector-Specific Regulators and Standards Bodies
Beyond the FTC and SEC, several federal agencies enforce AI rules within tightly defined sectors. These agencies matter enormously for companies building products in healthcare, critical infrastructure, and enterprise software, even though their jurisdictions are narrower.
FDA and NIST: Safety Standards and Risk Frameworks
The FDA regulates AI as a medical device when software performs diagnostic, monitoring, or therapeutic functions. As of early 2025, the agency has authorized over 1,000 AI-enabled medical devices, the vast majority in radiology and cardiology. FDA regulation of AI medical devices requires premarket review, and the agency has been developing a framework for continuous monitoring of adaptive algorithms that change behavior after deployment. For healthtech founders, the FDA's oversight is not optional or advisory; it carries the force of product clearance or denial.
NIST, the National Institute of Standards and Technology, operates differently. It does not enforce regulations. Instead, it produces the technical frameworks that other agencies and industries use to define compliance. The AI Risk Management Framework published by NIST has become the de facto reference document for organizations attempting to operationalize responsible AI. Companies building AI risk management requirements into their internal processes frequently start with NIST's guidance, then adapt it to the specific enforcement expectations of whichever agency governs their sector. The Department of Commerce AI guidelines, issued through NIST, also play a central role in shaping how the US government itself evaluates and procures AI systems.
Other Agencies Staking Their Claims
The EEOC has publicly stated that employers using AI hiring tools bear responsibility for discriminatory outcomes, regardless of whether a third-party vendor built the algorithm. The CFPB has taken a similar stance on AI algorithm accountability in consumer lending, requiring that credit decisions driven by AI still produce the adverse action notices mandated by federal law. The Department of Justice has prosecuted cases where AI tools were used to facilitate price-fixing in rental housing markets, treating algorithmic collusion the same as human collusion.
Each of these agencies draws on pre-existing statutory authority rather than new AI-specific legislation. This is the defining characteristic of US federal AI regulation as it currently stands: agencies are not waiting for Congress to pass a comprehensive AI law. They are applying the tools they already have. TechBriefed has tracked this pattern closely, as the practical enforcement reality often moves faster than the legislative debate suggests. For a deeper look at how this compares to emerging rules abroad, the EU AI Act enforcement timeline provides a useful counterpoint.
Conclusion
The US does not have one AI regulator. It has many, each applying existing authority to the AI products and practices within its domain. The FTC has the broadest jurisdiction and the most active enforcement posture. The SEC targets misleading AI claims in financial markets. The FDA gates healthcare AI at the product level, while NIST provides the technical blueprints everyone references. For builders and decision-makers, the practical takeaway is that compliance is not a single checkbox but a map of overlapping obligations shaped by what your AI product does and who it affects. Security and compliance considerations should be part of the architecture from day one, not an afterthought triggered by an enforcement letter. TechBriefed continues to distil these regulatory developments into actionable intelligence for teams building at the intersection of technology and policy.
Frequently Asked Questions (FAQs)
Which agencies are responsible for AI oversight in the US?
The FTC, SEC, FDA, EEOC, CFPB, and DOJ all exercise oversight over AI within their respective jurisdictions, using existing statutory authority rather than AI-specific legislation.
Can the FTC regulate AI companies?
Yes, the FTC uses its broad authority under Section 5 of the FTC Act to pursue AI companies engaged in deceptive claims, unfair data practices, or algorithmic discrimination affecting consumers.
Does the FDA regulate AI?
The FDA regulates AI when it functions as a medical device, requiring premarket authorization for software that performs diagnostic, monitoring, or therapeutic functions in clinical settings.
What does NIST do for AI?
NIST develops voluntary technical standards and frameworks, most notably the AI Risk Management Framework, which organizations and agencies use as a baseline for responsible AI development and procurement.
How are AI companies penalized for violations?
Penalties vary by agency but include monetary fines, consent orders requiring deletion of data and models, product bans, disgorgement of profits, and ongoing compliance monitoring obligations.