
Who Actually Enforces AI Rules in the US?


Introduction

The United States has no single AI regulator. Unlike the EU, which built a dedicated enforcement architecture through the EU AI Act with clear risk tiers and compliance deadlines, the US relies on a decentralized web of agencies, executive orders, and voluntary frameworks that collectively produce more ambiguity than accountability. For companies shipping AI-powered products today, that ambiguity is not a technicality. It is a real operational risk, because the agency that decides your product violated the law might not be the one you were watching, and the framework you built compliance around may carry no binding legal weight whatsoever. Understanding the actual enforcement landscape, not the theoretical one, is the starting point for any serious AI risk management strategy.


The Federal Patchwork: Which Agencies Hold Real Power

Federal AI enforcement does not flow from a single statute or authority. Instead, established agencies have extended their existing mandates to cover AI-related conduct in their respective sectors. The result is overlapping jurisdiction in some areas and genuine enforcement voids in others.

The FTC, CFPB, and EEOC: Sector-Specific Reach

The Federal Trade Commission has emerged as one of the most active enforcers in the AI space, using its authority under Section 5 of the FTC Act to pursue deceptive AI claims and unfair practices. The FTC's position is that existing consumer protection law already covers AI-driven fraud, manipulative design, and false product claims. It does not need new AI-specific legislation to act, and it has shown willingness to use what it already has. The Consumer Financial Protection Bureau takes a parallel approach in lending and credit, applying fair lending statutes to algorithmic underwriting systems that produce discriminatory outcomes regardless of intent. The Equal Employment Opportunity Commission has issued guidance making clear that AI-driven hiring tools are subject to Title VII, meaning disparate impact liability applies even when a human never directly made the biased call.

  • FTC: Pursues deceptive AI claims, manipulative design patterns, and consumer harm under Section 5 authority
  • CFPB: Applies fair lending law to algorithmic credit decisions and automated underwriting systems
  • EEOC: Holds employers liable for discriminatory outcomes produced by AI hiring tools under existing civil rights statutes
  • FDA: Regulates AI-powered medical devices and clinical decision support software through its existing device clearance process
  • DOJ: Can pursue civil rights violations tied to algorithmic discrimination in housing, policing, and public services

What These Agencies Cannot Do

The jurisdictional reach of each agency stops at its statutory mandate. The FTC can pursue consumer deception but has no authority over, say, an AI system used internally in critical infrastructure that poses no direct consumer-facing harm. The FDA regulates medical AI only when it meets the definition of a device. There is no federal body with a general mandate to assess AI risk across sectors, audit foundation models for safety, or impose pre-deployment approval requirements on high-risk AI systems the way the EU framework does. That gap is not an oversight waiting to be fixed. It is the current operating reality.


Executive Orders, NIST, and the Limits of Voluntary Frameworks

Beyond agency enforcement, the federal government has attempted to shape AI behavior through executive action and standards-setting. These tools have genuine influence on how companies build products, but they do not carry the same binding weight as statutory law, and that distinction matters enormously for AI regulatory compliance planning.

Executive Order 14110 and Its Successor Landscape

Executive Order 14110, signed in October 2023, was the most comprehensive federal AI governance directive to date. It directed agencies to develop sector-specific guidance, required safety reporting from developers of powerful foundation models, and tasked the National Institute of Standards and Technology with building out its AI risk management framework into a more operational tool. The order was revoked by the Trump administration in January 2025, which stripped out several of its mandatory reporting requirements and signaled a deliberate pivot toward deregulation at the federal level. What replaced it prioritizes AI competitiveness over precautionary governance, shifting enforcement pressure even more heavily toward sector-specific agencies and, critically, toward states.

The NIST AI RMF: Influential but Not Binding

The NIST AI Risk Management Framework is the closest thing the US has to a unified reference document for AI compliance requirements. It provides a structured approach to identifying, measuring, and managing AI risk across four core functions: Govern, Map, Measure, and Manage. Its adoption is voluntary for most organizations, though federal contractors and agencies face stronger pressure to align with it. For AI companies building products for government clients, NIST alignment is effectively a market-access requirement. For everyone else, it functions as a credible best-practice baseline that may strengthen a legal defense but will not protect a company from FTC action if the underlying conduct is deceptive.

The State Layer: Where Active Enforcement Is Actually Happening

With federal legislative momentum stalled, states have moved into the gap aggressively. California, Colorado, Texas, and Illinois have all enacted or proposed meaningful AI-specific legislation, and the pace of state-level activity is accelerating faster than most companies' compliance teams can track.

California's Position at the Center

California has become the de facto driver of US AI compliance standards, largely because companies that sell into California markets must comply with its rules regardless of where they are incorporated. The California Privacy Rights Act already grants consumers rights over automated decision-making, and follow-on legislation targeting algorithmic accountability in consequential decisions, including hiring, healthcare, and housing, has moved through the legislature in successive sessions. While Governor Newsom vetoed SB 1047, the most sweeping AI safety bill, the legislative appetite for binding AI rules in California has not diminished. Companies treating California AI regulations as a future concern rather than a current operational reality are already behind.

The Multi-State Compliance Problem

Illinois' Artificial Intelligence Video Interview Act requires explicit consent before using AI to analyze job interviews, with enforcement through the state's existing employment law infrastructure. Colorado's AI Act, modeled partly on the EU approach, targets algorithmic discrimination in insurance and credit. Texas enacted the Responsible AI Governance Act. For companies tracking AI policy enforcement across jurisdictions, the compliance surface is expanding faster than any single framework can cover. The state-level acceleration is not slowing down, and without federal preemption, every new state law adds a distinct compliance obligation with its own enforcement mechanism and penalty structure.


Conclusion

The honest answer to who enforces AI rules in the US is: several agencies, depending on context, supplemented by states moving faster than Congress, operating within a voluntary framework that carries moral weight but limited legal teeth. For companies building AI-powered products, that means the compliance question is not a single checkbox but a sector-specific, jurisdiction-specific exercise that requires understanding which agency could plausibly bring an action against your product and on what statutory grounds. The FTC, CFPB, EEOC, and FDA each have real power within their lanes, and algorithmic accountability is already being tested through existing enforcement tools, not future legislation. State-level exposure, particularly in California, Illinois, and Colorado, adds another binding layer that demands attention now. If the US ever passes comprehensive federal AI legislation, it will likely clarify rather than reduce the compliance burden, and companies that have done the foundational work will be far better positioned to adapt.


Frequently Asked Questions (FAQs)

Who enforces AI regulations in the US?

No single agency holds comprehensive AI enforcement authority; instead, the FTC, CFPB, EEOC, FDA, and DOJ each enforce AI-related conduct within their existing statutory mandates, while states increasingly fill the gaps left by federal inaction.

What happens if companies violate AI rules?

Depending on the sector and the nature of the violation, companies can face FTC enforcement actions, civil rights litigation, CFPB consent orders, or state-level penalties, each carrying distinct penalty structures and remediation requirements.

How does US AI enforcement compare to EU regulations?

The EU AI Act establishes a single, unified enforcement authority with risk-tiered obligations and mandatory pre-deployment requirements for high-risk systems, while the US relies on fragmented, sector-specific agency action with no equivalent central oversight body.

How is AI being regulated in the US right now?

AI in the US is regulated primarily through existing consumer protection, civil rights, and sector-specific statutes applied by agencies like the FTC and CFPB, supplemented by a growing body of state-level laws targeting algorithmic decision-making in hiring, credit, and healthcare.

How does AI regulation impact startups?

Startups face compounding compliance obligations because they must track sector-specific federal agency guidance, voluntary frameworks like the NIST AI RMF, and an accelerating wave of state laws that each carry independent enforcement mechanisms and penalties.
