USA - Nationwide: An Artificial Intelligence Overview

As AI adoption moves from experimentation to operational deployment, companies face an increasingly complex and uncertain legal environment. Existing legal frameworks must now be applied to AI use cases that were not contemplated when those laws were developed. At the same time, new AI-specific laws and regulatory expectations are proliferating unevenly across jurisdictions and sectors. The result is an AI regulatory landscape that is patchy, evolving, and uncertain.

Businesses typically respond to uncertainty with caution. But the rapid increase in the reliability and capability of generative AI, as well as agentic systems, has made a wait-and-see approach less attractive. Many organizations are taking calculated risks, relying on cross-functional teams to assess which risks are real and which are theoretical, and how AI-related risks can be mitigated without undermining the value of the use case. The central governance question has shifted from whether employees may experiment with AI to how the business will deploy and supervise AI use in production at scale.

Recent Trends and Developments With AI

The most important market development is the move from pilots to production. AI is being embedded into drafting, summarization, software development, customer support, fraud detection, underwriting, procurement, contract review, and workflow automation. Once AI systems are connected to enterprise data, integrated into business processes, or permitted to initiate multi-step workflows, questions of authorization, oversight, logging, data access, and accountability become operational issues, not just abstract governance themes.

Good governance can accelerate AI adoption. Companies with effective governance programs are better able to identify high-value, low-risk uses, scale successful deployments, and avoid repeating the same failures in different parts of the organization. But AI governance is maturing from having a short policy into implementation of a complex AI operating framework. Companies are increasingly developing intake processes, risk classifications, testing requirements, human-review triggers, escalation pathways, role-specific training, vendor diligence, and senior-management reporting.

Regulators are encouraging that approach. Across financial services, employment, housing, healthcare, consumer protection, and public-facing communications, government agencies are applying existing statutes to AI-related conduct and focusing on governance, testing, monitoring, substantiation, bias, supervision, and recordkeeping. Sectoral regulators generally do not accept the proposition that responsibility can be delegated to a model provider. Businesses remain accountable for the outcomes of AI systems they deploy, particularly where those systems affect consumers, employees, investors, patients, or other legally protected interests.

Data rights have become a central AI bottleneck. As model access becomes more commoditized, much of the value comes from connecting AI tools to high-quality non-public internal and third-party data. But that data may be subject to contractual limits, confidentiality obligations, privacy restrictions, data-use covenants, segregation requirements, destruction obligations, or intellectual property constraints. Contract review increasingly needs to occur at the beginning of an AI project, not after an AI product has already been built.

Despite the increased adoption of licensed enterprise AI tools, maintaining confidentiality of sensitive information when using AI remains an important consideration. AI-assisted legal, compliance, and investigative work can create sensitive prompts, outputs, summaries, and draft analyses. Companies should consider which tools may be used for privileged or confidential work and ensure that enterprise settings prohibit training on user data, assess who can access logs of AI inputs and outputs, and determine how AI-generated work product is stored, distributed, and deleted.

Intellectual property and cybersecurity remain critical risks for AI adoption. AI-generated images, audio, video, and text can assist with marketing and creative production, but can also create copyright, trademark, consumer-protection, and reputational risks. Deepfakes and synthetic media are now important considerations for various kinds of fraud. Indeed, AI can increase the scale and persuasiveness of social engineering attacks, accelerate vulnerability discovery and make synthetic impersonation more effective. Businesses should update incident-response plans for AI-enabled fraud and prompt-related attacks and consider additional training in these areas.

Key Legislative and Regulatory Changes

The United States still has no single, generally applicable AI statute. AI is governed primarily through existing law, including contract, tort, product liability, privacy, intellectual property, anti-discrimination, consumer-protection, securities, employment, healthcare, cybersecurity, and sector-specific rules. Federal policy has shifted over time, but the more durable practical trend is the use of existing agency authority. The Federal Trade Commission (FTC), SEC, U.S. Equal Employment Opportunity Commission (EEOC), Consumer Financial Protection Bureau (CFPB), U.S. Department of Housing and Urban Development (HUD), U.S. Food and Drug Administration (FDA), Federal Communications Commission (FCC), Commodity Futures Trading Commission (CFTC), Financial Industry Regulatory Authority (FINRA), and other regulators have all approached AI through their traditional mandates.

Like privacy, state AI laws are becoming more fragmented and inconsistent. Colorado has revised its approach to AI by turning its algorithmic discrimination law into an automated decision-making law, with fewer obligations. Texas also dramatically pared back the obligations in its final AI law. Utah’s law focuses on chatbots and emphasizes transparency, while California and New York have adopted frontier-model transparency and safety measures. Other states are pursuing laws on employment tools, insurance, child safety, public-sector use, biometric technologies, political deepfakes, and synthetic media. For companies, the consequence is that compliance cannot be reduced to checking one AI statute. It requires a matrix that combines existing law being applied to AI with a growing set of new AI-specific overlays at the federal, state, and local levels.

AI enforcement and litigation are also developing. Regulators have pursued cases involving AI washing and deceptive claims under existing authorities. Courts are addressing AI issues through laws relating to copyright, trade secrets, privilege, professional responsibility, discrimination, privacy, and evidentiary doctrines. In particular, copyright disputes over training data remain very active. In short, judges and regulators are not waiting for a new body of AI law to emerge; they are applying existing rules to the new technology.

Practical Insights

AI governance programs should focus on finding high-value, lower-risk use cases and avoiding low-value, higher-risk use cases. Companies should define criteria for fast-tracking lower-risk uses and consider requiring cross-functional review of higher-risk uses, as well as identifying senior business sponsors for AI deployments that may materially affect customers, employees, regulated decisions, or public-facing communications.

AI vendor oversight should be treated as a core governance control. AI procurement should address data rights, model changes, security, confidentiality, training on user data, audit rights, indemnities, incident notice, logging, and contractual exit rights. Agentic systems require additional attention to quality control, data access, and auditability for consequential actions.

Looking Ahead

Pressure to deploy AI at scale will continue to grow. Durable advantage is unlikely to belong to companies that simply purchase access to powerful models. Rather, the organizations that will obtain substantial returns from their investments in AI will be the ones that operationalize AI responsibly by ensuring that they have all the necessary rights to utilize high-quality data, implementing responsible AI supervision, preserving confidentiality, managing cybersecurity risks, and retaining an audit trail that is sufficient to explain and defend how AI was used. In a fragmented U.S. legal environment, governed AI enablement is becoming the optimal middle ground between the too-cautious “wait and see” approach and the too-risky path of uncontrolled adoption.