US AI Regulation: Executive Order Updates, NIST Framework, and the State-Level Patchwork

The United States continues to take a fundamentally different approach to AI regulation than the European Union. Where the EU AI Act creates a comprehensive, binding framework, the US strategy is a layered combination of executive orders, voluntary frameworks, and state legislation. As of March 2026, this approach has produced a regulatory environment that is simultaneously more permissive than Europe's and more unpredictable.

This month brought three developments that practitioners need to understand: updates to the federal executive order on AI, the release of NIST AI Risk Management Framework 2.0, and a wave of state-level AI bills that are creating a patchwork of obligations.

What changed at the federal level?

The executive order on AI, originally signed in October 2023 and updated in January 2026, expanded reporting requirements for frontier model developers. Companies training models above 10^26 FLOP (roughly the scale of GPT-4's training run) must now report not just the training run but also the safety evaluation results, red-team findings, and any capability thresholds exceeded during evaluation. The threshold was lowered from the original 10^26 to 10^25.5, capturing more models.

The practical impact is narrow — this applies to perhaps a dozen organisations worldwide. But the signalling effect is broader: the US government is establishing the principle that frontier model development is a regulable activity, even if the current regulations are light.

More consequentially, the update introduces mandatory incident reporting for AI systems deployed in critical infrastructure — energy, water, telecommunications, financial services, and healthcare. If an AI system causes or contributes to an operational disruption in these sectors, the operator must report to CISA within 72 hours. This mirrors cybersecurity incident reporting requirements and represents a genuine new compliance obligation for AI deployers in regulated sectors.

What is NIST RMF 2.0?

The NIST AI Risk Management Framework 2.0 is the most substantive US contribution to AI governance so far. Unlike the executive order, which is a top-down mandate, the NIST framework is a voluntary standard — but 'voluntary' is somewhat misleading. Major enterprise procurement processes increasingly require NIST RMF compliance, and federal agencies use it as a baseline for AI acquisitions. In practice, it is becoming a de facto requirement for anyone selling AI products to large organisations.

RMF 2.0 introduces four key additions over the original framework. First, it adds specific guidance for generative AI and foundation models, acknowledging that these systems present risks not covered by the original framework (hallucination, prompt injection, training data memorisation). Second, it introduces a tiered assessment approach — lightweight assessment for low-risk applications, comprehensive assessment for high-risk ones — that reduces compliance burden for most deployments. Third, it provides concrete metrics and measurement methodologies for AI risks, moving beyond the vague 'identify and mitigate' language of version 1.0. Fourth, it addresses supply chain risk for AI models, recognising that most organisations deploy models they did not train.

The framework is 124 pages. For practitioners, the most useful sections are the measurement profiles in Appendix C, which provide task-specific evaluation templates for common AI deployment scenarios: customer service, document processing, decision support, and content generation.

What is happening at the state level?

This is where the complexity lives. According to tracking by the National Conference of State Legislatures, 38 states introduced AI-related bills in 2025, and 19 enacted at least one. The pace is accelerating in 2026, with 42 states having active AI legislation as of March.

The state bills cluster around several themes: algorithmic discrimination in employment and housing decisions (15 states), disclosure requirements for AI-generated content (12 states), restrictions on AI in education (8 states), and consumer protection for AI-powered products (11 states). Colorado's SB 205 is the most comprehensive — it creates a risk-based classification system that echoes the EU AI Act in structure, if not in specifics.

The practical problem is that these laws are not harmonised. An AI system that is compliant in California may not be compliant in Colorado, which may have different requirements than Illinois. For companies deploying AI nationally, the compliance matrix is rapidly becoming unmanageable.

What does this mean for practitioners?

If you deploy AI in critical infrastructure, the incident reporting obligation is immediate and real. Establish an incident response process now. Define what constitutes an AI-related operational disruption in your context, designate who reports to CISA, and ensure your AI monitoring can detect and attribute incidents with sufficient granularity to file a meaningful report.

Adopt NIST RMF 2.0 as your baseline. Even if you do not sell to the federal government, NIST RMF alignment will increasingly be expected by enterprise customers, insurers, and auditors. The tiered assessment approach means compliance is not prohibitively expensive for most applications. Start with the self-assessment profiles in Appendix C and work outward.

Track state legislation or hire someone who does. If your AI product serves users in multiple US states, you need a regulatory monitoring capability. The state-level patchwork is evolving too quickly for annual compliance reviews. Quarterly is the minimum cadence; monthly is prudent for high-risk applications.

What should you watch for?

The federal preemption question will define the next phase of US AI regulation. If Congress passes a comprehensive federal AI law that preempts state legislation, the patchwork resolves. If it does not — and the current political dynamics suggest it will not, at least in 2026 — the state-level fragmentation will accelerate. For practitioners, this means planning for complexity rather than hoping for simplification.

The US approach has one clear advantage over the EU: it is less likely to stifle innovation through over-regulation. It has one clear disadvantage: the compliance costs of navigating an inconsistent patchwork may ultimately exceed the costs of complying with a single comprehensive framework. The optimal regulatory answer is probably somewhere between the two — but that is not the regulatory environment we have.