AI, Automation & Algorithmic Systems
Legal obligations when building or deploying AI systems
Overview
AI regulation is moving from theory to enforcement faster than most companies expected. The EU AI Act — the first comprehensive AI law anywhere — is now in force, with obligations phasing in through 2026 and 2027. In the US, Colorado passed the first comprehensive state AI law in 2025, followed by Texas's TRAIGA. A dozen more states have introduced or passed AI-related bills. The FTC has issued guidance on AI and deceptive practices. The EEOC has weighed in on AI in hiring. NIST published its AI Risk Management Framework.
The central organizing concept in most AI regulation is risk classification. Laws distinguish between AI systems that pose higher risk — because they make consequential decisions about employment, credit, housing, healthcare, or critical infrastructure — and systems that pose lower risk. Higher-risk systems face more demanding obligations: impact assessments, human oversight requirements, transparency disclosures, bias auditing. Understanding where your AI system falls on the risk spectrum is the first compliance question to answer.
Federal Laws
Federal Guidance & Frameworks
Agency guidance, executive directives, and risk frameworks shaping AI compliance expectations
Federal
EEOC Guidance on AI and Employment Decisions
EEOC AI Guidance
The EEOC has issued guidance explaining how employers may violate anti-discrimination laws when using AI hiring or workforce management tools. If your company uses or builds resume screening systems, automated interview tools, employee scoring systems, or workforce analytics platforms, this guidance outlines how existing civil rights laws apply to those tools.
Last updated May 18, 2026
Federal
NIST AI Risk Management Framework
NIST AI RMF
The NIST AI Risk Management Framework provides a widely used structure for identifying and managing AI-related risks, including bias, reliability, explainability, and governance concerns. Although voluntary, it is increasingly referenced in enterprise contracts, cybersecurity reviews, and government procurement — making it practically important for any company selling AI-powered products to larger organizations or government agencies.
Last updated May 19, 2026
Other Federal Laws
Federal
Communications Decency Act Section 230
Section 230 — 47 U.S.C. § 230
Section 230 provides significant immunity to online platforms for third-party content posted by users. It is particularly relevant to AI chat systems, social platforms, marketplaces, moderation systems, and products involving user-generated or AI-assisted content, although important limitations and ongoing legal challenges exist.
Last updated May 31, 2026
Federal
FTC Act Section 5
FTC Act — 15 U.S.C. § 45
Section 5 prohibits unfair or deceptive acts or practices in commerce and serves as the FTC's primary authority for regulating deceptive AI claims, unfair automated systems, and problematic data practices. It applies broadly to technology companies making representations about AI capabilities, automation, security, personalization, or algorithmic decision-making.
Last updated May 31, 2026
How Jurisdictions Differ
The EU AI Act is extraterritorial — if your AI system is used in the EU or its output is used there, the law may apply regardless of where you're located. US state laws are generally narrower in scope and focus on specific use cases (hiring, consumer decisions) rather than AI broadly. The key differences across state laws are: what qualifies as "high risk," what obligations attach (audit vs. disclosure vs. impact assessment), and whether there's a private right of action or only agency enforcement.