AI Policy

States and municipalities are increasingly taking interest in artificial intelligence and filling in the gaps left by federal inaction on algorithmic harm. States and cities have taken different approaches to addressing a multitude of AI harms, from chatbots to deepfakes to automated decisionmaking systems. Some of the recent efforts are highlighted below. 

U.S. FEDERAL STRATEGY

Federal Attempts at Preemption of State AI Laws

During the second Trump Administration, there has been a push from both the White House and Congress to preempt states from regulating AI. 

Members of Congress have made numerous attempts to include sweeping state AI preemption measures in must-pass legislation such as the budget and NDAA. Those attempts have so far failed.

In December 2025, President Trump signed an Executive Order directing agencies and officials in his administration to develop a policy framework for artificial intelligence. The Order does not establish or identify any specific policy positions on AI, other than the general goal to “remove barriers” and “encourage adoption” and a proposal to “work with Congress” to develop a “minimally burdensome national standard.” The Order alludes to many of the risks that AI systems pose—to security, to individual rights, to kids’ safety—but it offers no solutions and, instead, endorses an anti-regulation approach. 

Most of the Executive Order is focused on tasking officials across various federal agencies with trying to undermine existing state laws. The Department of Justice is called on to lead an “AI Litigation Task Force” to file cases challenging state authority. The Department of Commerce is charged with identifying states whose laws are too “onerous” on AI companies and seeking to deny broadband development funding to those states. The Federal Communications Commission is tasked with developing a new “reporting and disclosure standard” under some yet-to-be specified legal authority. And the Federal Trade Commission is charged with drafting a “policy statement” about how “State laws that require alterations to truthful outputs” might be unfair and deceptive.

Fall 2023 Executive Action: Executive Order and an Office of Management & Budget Memo

On October 30, 2023, the Biden-Harris Administration issued an Executive Order entitled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” that emphasized the need for regulation of high-risk AI and critically recognizes the link between privacy and AI.Notably, the order required the developers of the most powerful AI systems to share their safety test results with the government, promised federal support for development and agencies use of privacy-preserving techniques, required an evaluation of how agencies collect and use commercially available data (including from data brokers), and required increased training on how to investigate and prosecute civil rights violations related to AI.

For government use of AI, the EO required the development of guidance for agency use of AI and a faster and more efficient process for agencies to procure AI products and services. The directive also called for the rapid hiring of AI professionals and the training of employees at all levels.

EPIC has long advocated for comprehensive privacy protections, rigorous testing protocols, expanded resources for evaluation of AI systems, and a government-whole effort to fighting algorithmic discrimination.

U.S. STATE AI Laws

States have been extremely active when it comes to artificial intelligence regulations and have considered many types of frameworks aimed at a multitude of different harms. 

A primary focus has been on laws addressing deepfakes, from political or election-related deepfakes to intimate image deepfakes to deepfakes that can be used in fraud and scams. Dozens of states have passed legislation on this topic in the past few years, much of which amends existing laws to explicitly account for AI-generated content. 

Another main area of focus has been on chatbots. States including Nevada, Utah, California, New York, and Illinois have passed chatbot-specific legislation. The Utah, Illinois, and Nevada laws regulate the use of chatbots in the mental health care and therapy context, and the California and New York laws require companies to implement safeguards into companion chatbots, which have been shown to be particularly harmful, especially to kids and teens. EPIC has built on these early chatbot laws to develop the People-First Chatbot Bill, a model bill addressing chatbot harms. 

Some states have also taken a broader approach that tackles AI harms across many sectors with one comprehensive bill. Notably, Colorado passed its landmark Colorado AI Act in 2024, making it the first state to enact broad AI legislation. This law prohibits algorithmic discrimination across sectors, including housing, health care, education, employment, financial, insurance, and government services. The law requires developers and deployers of automated decisionmaking systems used in these consequential decisions about people’s lives to conduct baseline testing and disclose essential information. However, the law has not yet gone into effect amid an onslaught of criticism from the tech industry and related interests since its passage, but EPIC has urged lawmakers to retain the law’s key protections. States including Connecticut, Maryland, New Mexico, Virginia, California, and New York have also considered similar bills. 

States will likely continue considering legislation on AI harms in the coming years, and EPIC is eager to be a resource to policymakers on these issues. 

Frameworks

White House Blueprint for an AI Bill of Rights

In Fall 2022, the Office of Science and Technology Policy released a wide-ranging “Blueprint for an AI Bill of Rights.” The five major principles are Safe and Effective Systems; Freedom from Algorithmic Discrimination; Data Privacy; Notice and Explanation; Human Alternatives, Consideration, and Fallback. The document explained why these principles are critical, examples of where they are violated, and examples of how they’ve been addressed.

The Blueprint noted that individuals must be protected from abusive data practices and calls for data minimization rules, stating “[y]ou should be protected from violations of privacy through design choices that ensure such protections are included by default, including ensuring that data collection conforms to reasonable expectations and that only data strictly necessary for the specific context is collected.”

National Institute of Standards and Technology AI Risk Management Framework

Formally released on January 26, 2023, the A.I. Risk Management Framework is a four-part, voluntary framework intended to guide the responsible development and use of A.I. systems. The core of the framework are recommendations divided into four overarching functions: (1) Govern, which covers overarching policy decisions and organizational culture around A.I. development; (2) Map, which covers efforts to contextualize A.I. risks and potential benefits; (3) Measure, which covers efforts to assess and quantify A.I. risks; and (4) Manage, which covers the active steps an organization should take to mitigate risks and prioritize elements of trustworthy A.I. systems. In addition to the core Framework, NIST also hosts supplemental resources like a community Playbook to help organizations navigate the Framework.