Photo by Wilmer Olano on Unsplash
- As of June 21, 2026, the U.S. has no enacted comprehensive federal AI law — only a 270-page discussion draft released June 4 and a growing patchwork of state statutes pulling in different directions.
- California's SB 53 targets only 5–8 frontier AI developers by design; Colorado's broader AI Act was repealed and replaced with a narrower statute in May 2026, with implementation delayed to January 1, 2027.
- The Trump administration's federal preemption push conflicts with active state enforcement — without enacted federal legislation, preemption claims don't override existing state obligations.
- The most immediately actionable regulatory development for most mid-market companies isn't frontier AI law — it's the FTC's March 2026 guidance on AI washing and undisclosed AI data processing, which has no revenue floor.
The Evidence: A Regulatory Map That Won't Stop Moving
What if the federal government's move to consolidate AI oversight doesn't simplify compliance — it just adds another layer on top of the ones already accumulating? As of June 21, 2026, that's the question U.S. legal teams are quietly working through, and the honest answer is that the patchwork isn't resolving. It's calcifying.
According to AI Fallback, which has tracked the full arc of this regulatory cycle, the picture breaks into two simultaneous storylines. The first is state law moving faster than Washington. California's SB 53 — the Transparency in Frontier AI Act, signed September 29, 2025 — requires developers of frontier AI models trained with more than 1026 floating-point operations (FLOPS, a measure of raw computational scale) to publish risk frameworks and report safety incidents. Penalties reach up to $1 million per violation for companies with annual revenues exceeding $500 million. The law is deliberately narrow: according to EPOCH AI projections, only 5 to 8 companies currently clear that FLOPS threshold — OpenAI, Anthropic, Google DeepMind, Meta, and Microsoft, with approximately 10 models expected at or above that threshold by end of year.
Colorado moved in the opposite direction. Its AI Act (SB 24-205), originally one of the broader state AI frameworks in the country, was repealed in May 2026 and replaced by SB 26-189 — a significantly narrower statute governing only automated decision-making technology. Governor Jared Polis had flagged publicly that the original bill "would impose high costs on State, local governments, and covered businesses," citing stakeholder concerns about breadth, ambiguous definitions, potential liability for unintentional discrimination, and operational complexity. The replacement statute doesn't take effect until January 1, 2027.
The second storyline is federal: a government trying to pull oversight back to Washington before the patchwork becomes permanent. President Trump signed Executive Order 14365 on December 11, 2025, seeking to centralize AI governance and preempt conflicting state regulations. The White House followed on March 20, 2026, with a National Policy Framework organized around seven pillars: child protection, AI infrastructure support, intellectual property rights, anti-censorship provisions, innovation enablement, workforce preparation, and — pointedly — preemption of state AI laws.
Then on June 4, 2026, Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a 270-page discussion draft of the Great American Artificial Intelligence Act — the first attempt at a genuinely comprehensive federal AI statute. It proposes semi-annual third-party audits of high-risk AI systems through new Independent Verification Organizations (IVOs), and a tenfold increase in annual funding for the Center for AI Standards and Innovation (CAISI), from $15 million to $100 million. It remains a discussion draft. Not law. Not even a scheduled vote.
The Mechanism: Why "Preemption" and "Clarity" Aren't the Same Word
Here's where the second-order effect gets instructive. The Trump administration's preemption strategy rests on an assumption — that federal authority, once asserted, resolves the patchwork. But legal compliance experts have warned explicitly that "violating AI regulations will expose businesses to scrutiny by regulators, legislators, customers and the broader public, leading to serious financial, legal and brand reputation risks," and enforcement actions against AI deployers increased significantly throughout 2025. Preemption claims without enacted federal legislation don't shield companies from state enforcement actions already on the books.
The FTC sharpened this picture considerably. Its March 11, 2026, policy statement clarified that Section 5 of the FTC Act — which prohibits unfair and deceptive practices — applies directly to AI models, with particular focus on AI washing (inflated or unsubstantiated capability claims) and undisclosed AI processing of consumer data. This reaches far more companies than California SB 53's frontier-model threshold. Any business using AI to process customer data or make product claims sits inside the FTC's stated enforcement scope.
Then there's the international dimension — the one U.S. legal teams have been quietly using as an internal compass. The EU AI Act's Phase Two, covering transparency obligations and high-risk AI system rules, takes effect August 2, 2026, for U.S. companies with European market exposure. Legal teams that spent 2024 and 2025 building EU compliance programs are now better positioned in front of domestic regulators than those that waited for Washington to move. EU-aligned risk documentation functions as defensible evidence of good-faith compliance in front of both the FTC and state enforcement bodies. The moat compresses when a federal standard eventually passes — but until then, early movers hold structural advantage.
Photo by Romain Dancre on Unsplash
What It Means: The Funding Signal Is the Story
The proposed CAISI budget jump in the Great American AI Act is the single most revealing data point in the entire discussion draft — and it doesn't require 270 pages to decode.
Chart: CAISI annual funding — $15M current vs. $100M proposed under the Great American AI Act discussion draft released June 4, 2026. A tenfold increase signals that AI standards enforcement infrastructure doesn't yet exist at scale.
A tenfold funding increase signals something specific: policymakers have acknowledged, in writing, that AI standards work has been chronically underfunded and that the enforcement infrastructure needed to back up any federal AI framework simply doesn't exist yet. Companies building compliance strategies around "nobody's watching closely enough yet" are betting on a window that's been explicitly scheduled to close.
Public sentiment adds pressure on the timeline. An Annenberg Public Policy Center survey conducted in early 2026 found that 65% of Americans say the government has done too little to regulate AI — including 77% of Democrats and 53% of Republicans. Bipartisan public pressure at that scale has historically accelerated congressional timelines even when the legislative machinery is slow. The gap between a 270-page discussion draft and an enacted law is real — but it's not infinite.
In my analysis, the Great American AI Act matters less as near-term law and more as a structural vocabulary test. IVO-style third-party audits, incident reporting, and published risk frameworks are the recurring grammar of what federal AI compliance will eventually require. Organizations building toward those standards now — even voluntarily — compress their future compliance cost and compress the audit-readiness gap. Those that wait will face the compressed timeline and elevated enforcement scrutiny simultaneously.
This dynamic extends into the labor market, too. As Smart AI Trends reported in its coverage of AI's displacement of entry-level roles, organizations that moved early on structured AI governance tend to build durable institutional advantages — not just in productivity, but in regulatory positioning and stakeholder trust.
Who Gains Leverage, Who Gets Exposed
Clear winners: The 5 to 8 frontier AI developers inside California SB 53's scope have the most to gain from a single federal framework. One compliance architecture is cheaper than navigating 50 state regimes, and OpenAI, Anthropic, and Google DeepMind have the policy infrastructure to shape what that federal architecture looks like. Early engagement in the IVO framework design is also a competitive advantage — whoever helps define the audit standard gains an implicit head start on meeting it.
Also gaining: compliance technology vendors and law firms with dedicated AI regulatory practices. The Great American AI Act's IVO structure creates a mandated third-party audit market that doesn't yet exist at scale. That market will need to be built quickly once — or if — the bill advances.
Most exposed: Mid-market companies deploying AI in financial services, healthcare, and human resources carry compounding risk. Federal fair lending laws — the Equal Credit Opportunity Act and the Fair Housing Act — already apply to AI-based credit systems. The SEC's proposed rules on AI-driven investment recommendations add broker-dealer exposure. And the FTC's March 2026 guidance is not hypothetical future enforcement — it's active regulatory posture now, covering AI washing and undisclosed consumer data processing with no revenue floor. Small businesses below SB 53's $500 million threshold aren't in the clear on all fronts.
How to Act on This
The FTC's March 11, 2026, policy statement is the most immediately enforceable AI regulatory development in the U.S. right now — not the Great American AI Act, which remains a draft. Every customer-facing AI application should be reviewed for undisclosed data processing, unsubstantiated capability claims, and "AI washing" language in marketing. This is where enforcement risk is live and active, regardless of company size or what happens in Congress.
The Great American AI Act's semi-annual third-party audit requirement may not be law yet, but its structural elements — risk frameworks, incident reporting, documented human oversight protocols — are directionally stable across every credible federal proposal. Think of building toward those standards now as financial planning for a regulatory certainty with an uncertain arrival date. Early investment in documentation architecture translates directly into lower future compliance cost and stronger defensibility in front of both state and federal regulators.
If your company has any European market presence, EU AI Act Phase Two transparency requirements and high-risk AI system rules take effect August 2, 2026. U.S. legal teams that haven't mapped their AI applications against EU risk classifications have a short window as of this writing. The EU framework also serves as a practical internal compliance template for U.S. operations — both jurisdictions are working from similar conceptual vocabulary around risk tiers, transparency obligations, and human oversight requirements.
Frequently Asked Questions
What AI compliance requirements actually apply to U.S. businesses operating in multiple states right now?
As of June 21, 2026, there is no enacted comprehensive federal AI law. Multi-state businesses face a fragmented set of obligations: California SB 53 applies specifically to frontier AI developers with revenues above $500 million training models above 1026 FLOPS; Colorado's revised automated decision-making statute (SB 26-189) doesn't take effect until January 1, 2027; Illinois and Texas have sector-specific AI rules in development. The FTC's March 2026 Section 5 guidance on AI washing and undisclosed AI data processing is the broadest-reach obligation in force today — it applies to any company making AI-related claims to consumers or using AI to process consumer data, with no revenue exemption.
What are the penalties for violating California SB 53, and does it apply to companies that use AI but didn't build the model?
California SB 53 targets frontier AI model developers — companies that trained models exceeding 1026 FLOPS — with annual revenues above $500 million. Penalties reach up to $1 million per violation. According to EPOCH AI data, only 5 to 8 companies currently meet that FLOPS threshold. If your company deploys AI built by those developers rather than training frontier models itself, SB 53's direct compliance obligations don't apply. However, the FTC's March 2026 guidance covers AI deployers broadly — any company using AI in customer-facing contexts carries federal regulatory exposure regardless of whether it built the underlying model.
How does the difference between state and federal AI laws affect compliance strategy for mid-size businesses?
Mid-size businesses face the most practical complexity from the current regulatory fragmentation. The Trump administration's EO 14365 (December 11, 2025) and the March 20, 2026, National Policy Framework signal clear intent to preempt conflicting state AI laws — but intent backed by executive order is not the same as enacted preemption. Without federal legislation on the books, state enforcement actions can still proceed. Practical compliance strategy as of mid-2026 means mapping active state obligations by jurisdiction, aligning to the FTC's March 2026 guidance as baseline federal posture, and building documentation infrastructure flexible enough to scale into whichever version of federal AI requirements eventually passes.
Disclaimer: This article presents editorial commentary on publicly reported regulatory developments and does not constitute legal, financial, or investment advice. Businesses should consult qualified legal counsel regarding specific AI compliance obligations. The author did not conduct independent testing of any AI system or regulatory product discussed. Research based on publicly available sources current as of June 21, 2026.