Federal vs State AI Law — How They Interact

The United States regulates AI through layers: voluntary federal frameworks, sector-specific federal guidance, executive actions, and an expanding patchwork of state laws. Understanding how these layers interact is essential for compliance teams setting strategy.

The federal layer

Voluntary frameworks

  • [NIST AI Risk Management Framework](/framework/nist-ai-rmf) (AI RMF 1.0 + Generative AI Profile NIST AI 600-1) — voluntary risk-management framework. Adopting it does not directly satisfy state-law obligations but substantially supports them. Operational guidance lives in the NIST AI RMF Playbook — NIST's companion resource of suggested actions per subcategory.
  • [ISO/IEC 42001](/framework/iso-42001) — international AI management system standard, certifiable through accredited bodies.

Sector-specific federal guidance

  • HHS / FDA: AI in medical devices and clinical decision support. Premarket pathways and post-market surveillance.
  • CFPB: AI in lending, credit reporting, and adverse action notices. Existing Equal Credit Opportunity Act and Fair Credit Reporting Act apply.
  • EEOC: AI in employment decisions. Title VII and ADA obligations apply.
  • FTC: deceptive practices and unfair-design enforcement under Section 5 of the FTC Act. Recent enforcement priorities have included AI claims and algorithmic pricing.
  • DOJ Civil Rights Division: housing, lending, and employment AI under existing civil rights statutes.

Executive actions

  • EO 14110 (Biden, October 2023) — broad federal AI policy direction, NIST guidance commissioning, agency reporting obligations. Status uncertain post-2025 administration changes.
  • December 11, 2025 Executive Order "Ensuring a National Policy Framework for Artificial Intelligence" — directs federal agencies to identify state AI laws that may conflict with the federal AI policy framework. State AI laws have not been universally preempted as of May 8, 2026.

The state layer

See the US State AI Regulation Overview for the full list. Currently effective or scheduled: Texas, NYC LL 144, Illinois, Utah, California (3 laws), Washington Task Force, and Colorado (SB 24-205 requirements extended to June 30, 2026 by SB25B-004).

Defeated and pending bills also matter for compliance planning. Virginia HB 2094 — a Colorado-modeled comprehensive AI bill — was vetoed by Governor Youngkin on March 24, 2025, and the 2026 General Assembly tabled comprehensive successors to the 2027 session, leaving Virginia organizations on a VCDPA-plus-federal-frameworks footing. Florida regulates AI through narrow topic-specific statutes (HB 919 political deepfakes, HB 757 sexual deepfakes) rather than a single comprehensive act, illustrating an alternative state model that some southern legislatures may follow if Colorado-style bills continue to face vetoes.

Preemption — current state of play

No comprehensive federal AI law exists. Without explicit federal preemption language, state AI laws operate in their own jurisdictional space. The December 2025 EO targets state AI laws that may obstruct federal policy, but EOs cannot directly nullify state laws — they can only direct federal agencies' behavior and trigger litigation challenges.

Existing federal law preempts state law in narrow areas:

  • Federal communications and broadcasting: limits state authority over certain digital communications
  • Federal trade secret law: complementary to state law, generally not preemptive
  • Federal banking law: national-bank charters can preempt some state consumer-protection rules in lending

When federal and state requirements conflict, conflict-preemption analysis applies — the more demanding requirement typically governs unless explicit federal preemption removes state authority.

Operational implications

Adopt a federal framework as your control baseline

NIST AI RMF and ISO/IEC 42001 are voluntary at the federal level but are widely referenced as the substantive control framework satisfying due-care expectations. Most state-law obligations map to specific framework controls — for example:

  • Colorado AI Act § 6-1-1703(3) impact assessment ↔ NIST AI RMF MAP function + ISO 42001 Annex A.5
  • NYC LL 144 bias audit ↔ NIST AI RMF MEASURE 2.11 + ISO 42001 Annex A.5
  • California SB 53 frontier AI safety framework ↔ NIST AI RMF GOVERN function + GenAI Profile

See the framework × law mappings for the full matrix.

Build for the most stringent jurisdiction

If you operate in multiple states, build your compliance program for the most demanding applicable law. Practically:

  • The Colorado AI Act is the U.S. benchmark for high-risk AI documentation and impact assessments once the SB 24-205 requirements become operative; designing to that level typically covers Texas, Illinois, Utah, and most California requirements
  • NYC LL 144 sets the floor for hiring AI bias audits — if an employer hires in NYC, annual AEDT bias-audit workflows apply
  • California SB 53 sets the floor for frontier AI safety frameworks — if a developer trains at scale, it publishes the framework

Watch federal preemption activity

Compliance teams should track:

  • The fate of EO 14110 under successive administrations
  • Litigation following the December 2025 preemption EO
  • Any federal AI legislation moving in Congress
  • FTC and DOJ enforcement actions that effectively set federal standards

The Atlas news log tracks enactments, court rulings, EO activity, and enforcement actions.

What if federal preemption succeeds

If state AI laws are partially or fully preempted in the future:

  • Federal frameworks (NIST, ISO) remain unaffected — these are voluntary standards, not state laws
  • Sector-specific federal guidance remains — CFPB, EEOC, FDA, etc. continue to enforce their domains
  • State consumer-protection law (UDAP) remains — even if AI-specific laws are preempted, broad state UDAP and civil rights statutes still apply to AI-driven harms

The Atlas's pivot toward federal frameworks as a primary tier (alongside state laws) reflects this risk: federal-framework adoption is preemption-proof.

Cross-references