Summary
Regulates profiling/automated decisions with significant effects.
Operational Compliance Checklist
- Identify significant decision systems.
- Conduct impact assessments.
- Implement opt-out/access workflows.
REGULATORY INTELLIGENCELast Updated: January, 2026By DeterministicAI Compliance Team
US AI Regulation & Compliance Tracker
Liability from Opaque AI Decisions
- AI decisions now create real enterprise liability.Businesses face lawsuits, regulatory action, and governance scrutiny when AI affects hiring, housing, credit, Marketing or other high-impact outcomes.
- Courts already apply existing laws to AI.Civil-rights, consumer-protection, and fairness laws are routinely used to evaluate AI-driven decisions. No new AI-specific statute is required.
- “Black box” AI increases legal risk.When an AI decision cannot be meaningfully explained, reviewed, or challenged, courts and regulators treat opacity as a fairness and accountability failure, not a technical excuse.
- Courts are allowing AI liability cases to proceed.In employment, housing, and consumer cases, courts have allowed claims to survive early dismissal when plaintiffs plausibly allege that automated decisions could not be examined or contested.
- A concrete court example already exists.In Mobley v. Workday, Inc., a federal court allowed claims challenging AI-based applicant screening to proceed, reinforcing that enterprises may face liability when automated systems materially affect employment decisions and cannot be meaningfully reviewed.
- Auditability is becoming a compliance expectation.Enterprises are increasingly expected to maintain decision-level audit trails that allow AI outcomes to be reconstructed and defended after the fact; systems that cannot do so face elevated litigation and enforcement risk.
Federal AI Rules & Enforcement Matrix
Baseline federal obligations for liability, explainability, and auditability.
| Agency | Authority | Core Requirement |
|---|---|---|
| CFPB | ECOA / Regulation B | Specific, causal reasons for decisions |
| EEOC / DOJ | ADA / Title VII | Proof AI does not screen out protected groups |
| FTC | FTC Act Section 5 | Substantiated AI claims, no deceptive AI, algorithmic disgorgement |
| HUD | Fair Housing Act | Transparent tenant screening and ad targeting |
| DOL | OFCCP regulations | Job-related validation of AI hiring tools |
| OMB | M-24-10 | Explainability, oversight, and audit documentation |
Sector-Specific Federal Guidance
Detailed breakdown of AI enforcement priorities by sector and agency.
Key Obligations
- Reasonable explainability (FTC Act §5)Marketing AI as “unbiased,” “transparent,” or “fair” without substantiation may constitute an unfair or deceptive act.
- Algorithmic disgorgement (FTC enforcement)In cases of serious non-compliance, remedies may include deletion of training data or deletion/restriction of AI models.
- NIST AI Risk Management Framework (RMF)While voluntary, NIST RMF is widely treated as the baseline federal audit standard, particularly for federal contractors and regulated industries.
Applicability & Scope
- •All enterprises deploying AI in decision-making roles
- •AI vendors making performance or fairness claims
- •Federal contractors and regulated industries
Key Obligations
- Specific adverse-action explanationsCreditors must provide concrete, principal reasons for denial. Model complexity is not a defense.
- Nontraditional data disclosureWhen AI relies on behavioral or alternative data, lenders must disclose the actual factors that caused the decision.
- Third-party AI scores treated as consumer reportsAI-generated credit, employment, or risk scores may trigger FCRA obligations (accuracy, transparency, disputes). If an AI decision cannot be causally reconstructed and explained, the deploying institution remains legally exposed.
Applicability & Scope
- •Banks and credit unions
- •Fintech lenders and BNPL providers
- •Mortgage, auto-loan, and credit-card issuers
- •Employers using AI-based background or risk scoring
Key Obligations
- HHS Section 1557 (Affordable Care Act)Effective May 1, 2025. Prohibits discrimination through AI-based patient care decision-support tools. Must identify bias-inducing variables and document review processes.
- FDA – Software as a Medical Device (SaMD)Regulated AI systems must provide transparency artifacts: Model Cards, training data descriptions, and performance metrics across subpopulations.
- Practical implicationHealthcare AI must be auditable for equity, traceability, and documented validation – not only clinical accuracy.
Applicability & Scope
- •Hospitals and health systems
- •Clinical decision-support vendors
- •Medical device and digital health companies
- •Insurers using AI in care or coverage decisions
Key Obligations
- Legal accountabilityAccountability rests with the deploying organization. AI outcomes are legally attributable to the enterprise using the system.
- No “Black Box” DefenseTechnical opacity or novelty is not a defense for non-compliance.
Applicability & Scope
- •All enterprises deploying AI that affects rights or economic opportunity
- •Organizations relying on third-party or “black box” AI tools
Key Obligations
- Americans with Disabilities Act (ADA)AI tools must not screen out qualified individuals with disabilities or fail to provide reasonable accommodations.
- Federal contractor oversight (OFCCP)AI selection procedures must be job-related, validated, and non-discriminatory.
- Worker-rights principles (DOL)Emphasize meaningful human oversight and outputs understandable by non-technical users.
Applicability & Scope
- •Employers using AI in hiring, promotion, or monitoring
- •Staffing platforms and HR technology vendors
- •Federal contractors and subcontractors
Key Obligations
- Fair Housing ActTenant screening AI must not obscure reasons for denial. Algorithmic ad targeting may constitute illegal steering.
Applicability & Scope
- •Property managers and landlords
- •Tenant-screening and rental-scoring companies
- •Real-estate platforms using targeted advertising
Key Obligations
- OMB Memorandum M-24-10 (Dec 2024)Notify individuals of adverse AI decisions, conduct impact assessments for rights-impacting AI, and maintain human oversight.
- TransparencyPublish AI use-case inventories and audit documentation.
Applicability & Scope
- •Federal agencies
- •Federal contractors and system integrators
- •Vendors supplying AI to government programs
State-Level AI Compliance Tracker
Specific adoption of AI laws across US states.
Summary
Expands “child sexual abuse material” definition to include “virtually indistinguishable depictions” created/altered/produced by digital/computer-generated means; existing criminal penalties apply.
Operational Compliance Checklist
- Content policy update: Explicitly prohibit AI-generated or “virtually indistinguishable” CSAM and attempted generation.
- Safety-by-design controls: Add guardrails for prompts/images/video that could create CSAM-like outputs (blocklists + classifier checks + human review escalation).
- Reporting & response: Document incident-response steps for suspected CSAM, including evidence preservation and escalation to legal/compliance.
- Retention controls: Ensure logs are retained securely for investigations but access-limited (privacy/security).
- Third-party tooling review: Validate safety filters for any embedded gen-AI models used in image/video generation.
Summary
Prohibits distributing materially deceptive AI-generated media falsely depicting an individual intended to influence an election; provides a disclaimer safe harbor; sets misdemeanor/felony penalties depending on repeat offenses.
Operational Compliance Checklist
- Election-content controls: If your platform distributes political ads/content, implement a workflow to detect/flag deceptive synthetic media.
- Disclosure mechanism: Provide “clear and conspicuous” labeling/disclaimer capability for synthetic or manipulated media (especially election-proximate content).
- Review + takedown SOP: Written procedures for rapid review/removal/labeling of reported deceptive election deepfakes.
- Audit trail: Preserve records of reports, determinations, and actions (label/remove), especially near elections.
- Training: Train marketing/comms teams on “materially deceptive” risk and disclaimer use.
Summary
Extends intimate-image prohibitions to include realistic pictorial representations; Class 1 misdemeanor.
Operational Compliance Checklist
- Image moderation: Expand detection/moderation to include synthetic “realistic” intimate images (not just real photos).
- Victim reporting: Streamline reporting flows for nonconsensual intimate imagery (NCII), with fast takedown SLAs.
- Upload controls: Consider hashing/known-NCII matching and “re-upload prevention.”
- Access & security: Tighten internal access to sensitive user reports and stored media.
- User notices: Publish clear policies prohibiting synthetic/realistic intimate imagery without consent.
Summary
Creates a cause of action for nonconsensual “digital impersonation” publication that isn’t obvious to a reasonable person and poses risk of harm; relief may include declaratory/injunctive relief and damages in some circumstances.
Operational Compliance Checklist
- Impersonation safeguards: Implement impersonation detection and friction (verification, warnings, rate limits) for voice/video synthesis.
- Obviousness/disclosure: Add user-facing indicators that content is synthetic where feasible.
- Complaint handling: Provide a fast path for “digital impersonation” complaints and identity verification for the complainant.
- Evidence retention: Preserve relevant content + logs when complaints are filed (legal hold workflow).
- Creator controls: Require attestations of consent for generating content depicting real persons.
Summary
Prohibits creating/distributing deceptive synthetic media of a candidate within 90 days of an election unless there’s a clear, conspicuous AI disclosure; provides civil relief and possible damages.
Operational Compliance Checklist
- Election window rule: Implement special handling for candidate-related synthetic content within the 90-day window.
- Disclosure enforcement: Require “clear and conspicuous” AI disclosure on synthetic political messages (automated checks + manual review).
- Ad review program: If you run political ads, require provenance/disclosure fields at submission time.
- Recordkeeping: Keep copies of creatives, disclosures, submission metadata, and review outcomes.
Summary
Expands child pornography statutes to include AI-generated images indistinguishable from a child engaged in sexually explicit conduct; existing criminal penalties apply.
Operational Compliance Checklist
- Same CSAM-hardening as Alabama: model guardrails, detection, human escalation, reporting/legal response.
- Synthetic-CSAM classifiers: Ensure moderation covers AI-generated “indistinguishable” imagery.
- Vendor evaluation: If using third-party generative models, require safety documentation + filter efficacy results.
NIST AI RMF & State Alignment
Compliance requires system-level design. See how NIST controls align with active state laws.
| NIST Requirement | State Law Alignment | Mandatory Controls | Regulator-Expected Evidence |
|---|---|---|---|
GOVERN- Accountability, Oversight, Responsibility Regulatory Posture:Failure here = negligence per se in most AG actions. | |||
| Defined AI governance roles | CA (AI in Gov & Employment), TX TRAIGA, CO Gov AI, DC ADS Act | Named AI owner, legal owner, risk owner | Org chart; AI governance charter |
| Clear accountability for AI outcomes | CA liability rules; TX TRAIGA (no “AI did it” defense) | Human accountability for decisions | Signed accountability attestations |
| Policies for lawful & ethical AI use | TX TRAIGA, UT AIPA, MT Gov AI | Written AI use policies | Policy documents + version history |
| Prohibited AI purposes identified | TX TRAIGA (manipulation, CSAM, discrimination) | Prohibited-use registry | Prohibited-use register |
MAP- Context, Use Case, Impact Identification Regulatory Posture:If a system is not mapped, regulators assume it was not controlled. | |||
| AI system inventory | TX Gov AI, CA Gov AI, CO Gov AI | Central AI inventory | AI system inventory (live) |
| Identification of “consequential decisions” | TX, CA ADMT, OR, TN, VA privacy laws | Decision classification | Decision impact matrix |
| User population & harm analysis | Employment (CA, IL, NY), Healthcare (TX) | Impact analysis per use case | Algorithmic Impact Assessment (AIA) |
| Election proximity risk | ~30 states (deepfake election laws) | Election-aware controls | Election calendar enforcement logs |
MEASURE- Risk Measurement, Testing, Validation Regulatory Posture:Lack of measurement = reckless deployment, especially in employment/healthcare. | |||
| Bias & discrimination testing | CA Employment, IL, NY AEDT, WA | Pre- & post-deployment testing | Bias audit reports |
| Safety & misuse evaluation | CSAM laws (20+ states), TX TRAIGA | Abuse testing & red teaming | Safety test results |
| Accuracy & reliability checks | Healthcare AI (TX SB 1188) | Validation benchmarks | Validation protocols |
| Data provenance review | CA data broker AI disclosures, privacy laws | Data lineage tracking | Data provenance documentation |
MANAGE- Controls, Monitoring, Incident Response Regulatory Posture:If logs don’t exist, regulators assume non-compliance. | |||
| Human-in-the-loop controls | CA Gov AI, MT Gov AI, TX healthcare | Mandatory human review points | Workflow diagrams |
| User disclosure of AI interaction | UT AIPA, CA chatbot law, TX TRAIGA | UI disclosures | Screenshots + UX specs |
| Logging & record retention | CA law enforcement AI, employment laws | Immutable logs | Audit logs + retention policy |
| Incident response & takedown | Deepfake & NCII laws (40+ states) | Rapid response SOP | Incident tickets & timestamps |
| Opt-out & appeal handling | OR, TN, VA, NJ, RI privacy laws | Rights request workflows | Rights request logs |
Cross-Cutting Requirements
Requirements that apply across multiple domains and state laws.
| Compliance Area | State Law Drivers | Required Artifacts |
|---|---|---|
| AI disclosure | UT, CA, TX, election laws | Disclosure text + deployment evidence |
| Consent management | Likeness laws (TN ELVIS, IL, MT) | Consent records |
| Age protection | TX HB 581, minor protections | Age-verification logs |
| Vendor & model governance | TX Gov AI, CA Gov AI | Vendor risk files |
| Change management | All AI governance laws | Model/version change logs |
Critical Compliance Gap (Regulators Are Now Noticing)
Neither NIST nor most state laws explicitly require deterministic execution, exact decision replay, or cryptographic decision proofs. Yet regulators increasingly ask:“Can you reproduce the decision that affected this person?”
CA law enforcement requires first-draft retention
Employment laws require multi-year ADS records
Privacy laws demand explainability + appealability
Why Deterministic AI Solves the Compliance Gap
The Problem: Reproducibility Gap
Most AI systems cannot replay decisions exactly. Probabilistic logs and approximations are insufficient for audits.
The Solution: Deterministic AI
Deterministic AI enables exact decision replay, provides tamper-evident logs, supports cryptographic verification of outputs, and aligns with regulator expectations for explainability and auditability.
Regulator-Ready Evidence Checklist
Essential artifacts organizations must provide during AI audits.
AI system inventory (purpose, data, risk)
Algorithmic impact assessments & bias testing
Disclosure screenshots showing AI labelling
Human oversight and review workflows
Audit logs and data retention policies (3-5 years)
Incident response records
Vendor and data governance documentation
Retention of original AI outputs for investigations
Disclaimer: This page is for informational purposes only and does not constitute legal advice.