Federal vs State AI Law — How They Interact

The United States regulates AI through layers: voluntary federal frameworks, sector-specific federal guidance, executive actions, and an expanding patchwork of state laws. Understanding how these layers interact is essential for compliance teams setting strategy.

The federal layer

Voluntary frameworks

• [NIST AI Risk Management Framework](/framework/nist-ai-rmf) (AI RMF 1.0 + Generative AI Profile NIST AI 600-1) — voluntary risk-management framework. Adopting it does not directly satisfy state-law obligations but substantially supports them.
• [ISO/IEC 42001](/framework/iso-42001) — international AI management system standard, certifiable through accredited bodies.

Sector-specific federal guidance

• HHS / FDA: AI in medical devices and clinical decision support. Premarket pathways and post-market surveillance.
• CFPB: AI in lending, credit reporting, and adverse action notices. Existing Equal Credit Opportunity Act and Fair Credit Reporting Act apply.
• EEOC: AI in employment decisions. Title VII and ADA obligations apply.
• FTC: deceptive practices and unfair-design enforcement under Section 5 of the FTC Act. Recent enforcement priorities have included AI claims and algorithmic pricing.
• DOJ Civil Rights Division: housing, lending, and employment AI under existing civil rights statutes.

Executive actions

• EO 14110 (Biden, October 2023) — broad federal AI policy direction, NIST guidance commissioning, agency reporting obligations. Status uncertain post-2025 administration changes.
• December 2025 Executive Order "Eliminating State Law Obstruction of National AI Policy" — directs federal agencies to identify state AI laws that obstruct federal AI objectives. The order has triggered ongoing litigation; state AI laws have not been universally preempted as of April 2026.

The state layer

See the US State AI Regulation Overview for the full list. Currently effective: Colorado, Texas, NYC LL 144, Illinois, Utah, California (3 laws), Washington Task Force.

Preemption — current state of play

No comprehensive federal AI law exists. Without explicit federal preemption language, state AI laws operate in their own jurisdictional space. The December 2025 EO targets specific state laws as obstructing federal policy, but EOs cannot directly nullify state laws — they can only direct federal agencies' behavior and trigger litigation challenges.

Existing federal law preempts state law in narrow areas:

• Federal communications and broadcasting: limits state authority over certain digital communications
• Federal trade secret law: complementary to state law, generally not preemptive
• Federal banking law: national-bank charters can preempt some state consumer-protection rules in lending

When federal and state requirements conflict, conflict-preemption analysis applies — the more demanding requirement typically governs unless explicit federal preemption removes state authority.

Operational implications

Adopt a federal framework as your control baseline

NIST AI RMF and ISO/IEC 42001 are voluntary at the federal level but are widely referenced as the substantive control framework satisfying due-care expectations. Most state-law obligations map to specific framework controls — for example:

• Colorado AI Act § 6-1-1703(3) impact assessment ↔ NIST AI RMF MAP function + ISO 42001 Annex A.5
• NYC LL 144 bias audit ↔ NIST AI RMF MEASURE 2.11 + ISO 42001 Annex A.5
• California SB 53 frontier AI safety framework ↔ NIST AI RMF GOVERN function + GenAI Profile

See the framework × law mappings for the full matrix.

Build for the most stringent jurisdiction

If you operate in multiple states, build your compliance program for the most demanding applicable law. Practically:

• Colorado AI Act sets the U.S. floor for high-risk AI documentation and impact assessments — building for Colorado typically covers Texas, Illinois, Utah, and most California requirements
• NYC LL 144 sets the floor for hiring AI bias audits — if you hire in NYC, you bias-audit annually
• California SB 53 sets the floor for frontier AI safety frameworks — if you train at scale, you publish the framework

Watch federal preemption activity

Compliance teams should track:

• The fate of EO 14110 under successive administrations
• Litigation following the December 2025 preemption EO
• Any federal AI legislation moving in Congress
• FTC and DOJ enforcement actions that effectively set federal standards

The Atlas news log tracks enactments, court rulings, EO activity, and enforcement actions.

What if federal preemption succeeds

If state AI laws are partially or fully preempted in the future:

• Federal frameworks (NIST, ISO) remain unaffected — these are voluntary standards, not state laws
• Sector-specific federal guidance remains — CFPB, EEOC, FDA, etc. continue to enforce their domains
• State consumer-protection law (UDAP) remains — even if AI-specific laws are preempted, broad state UDAP and civil rights statutes still apply to AI-driven harms

The Atlas's pivot toward federal frameworks as primary tier (alongside state laws) reflects this risk: federal-framework adoption is preemption-proof.

Cross-references

• NIST AI RMF detail
• ISO/IEC 42001 detail
• State law overview
• News log