The United States has no comprehensive federal AI law, yet companies deploying artificial intelligence face intensifying enforcement pressure from federal agencies, state governments, and private lawsuits. Rather than creating a regulatory vacuum, the absence of unified federal legislation has spawned a patchwork of overlapping enforcement mechanisms that companies must navigate simultaneously. Federal agencies are repurposing existing statutes to police AI conduct, states are enacting their own AI-specific laws, and private plaintiffs are testing novel liability theories across industries .

Why Is Federal AI Legislation Stalled While Enforcement Accelerates?

Despite significant executive and congressional attention, no comprehensive federal AI statute has been enacted. However, this legislative gap has not prevented regulatory action. Federal agencies are leveraging existing authorities to regulate AI-related conduct, creating a de facto enforcement framework that applies to companies regardless of sector .

The Federal Trade Commission (FTC) relies on Section 5 of the FTC Act as its primary enforcement vehicle for allegedly unfair or deceptive AI practices, including misleading claims about AI capabilities, undisclosed use of AI tools, and data practices tied to automated decision-making. The Securities and Exchange Commission (SEC) has focused on so-called "AI washing," where public companies overstate or misrepresent the use or performance of AI in disclosures to investors. The Department of Justice has signaled willingness to pursue False Claims Act (FCA) theories where AI tools are used in government-funded programs, including healthcare reimbursement and cybersecurity compliance contexts. Antitrust enforcers at the DOJ and FTC have taken active positions in cases involving algorithmic pricing and information-sharing allegedly facilitated by AI systems .

In July 2025, the White House released "Winning the Race: America's AI Action Plan," outlining 90 federal policy actions across innovation, infrastructure, and international leadership. Subsequent executive actions signaled a push to limit what the administration views as "onerous" state-level AI regulation and challenge conflicting state laws in court. The result is a federal posture that favors innovation and centralized policy direction, while relying heavily on existing laws rather than new AI-specific legislation .

How Are States Filling the Federal Regulatory Void?

In the absence of federal preemption, states have moved aggressively to fill the perceived void. State-level activity generally falls within three categories: AI-specific statutes, expanded use of existing consumer protection and antitrust laws, and attorney general investigations coupled with multistate actions .

Several states, including California, Colorado, New York, and Texas, have enacted AI-specific statutes focused on discrete risks rather than comprehensive cross-sector regulation. New York's Algorithmic Pricing Disclosure Act requires businesses to disclose when individualized pricing is set by an algorithm using a consumer's personal data. California has adopted AI transparency measures that mandate disclosure of AI-generated content and in certain contexts require documentation regarding training data used to develop generative AI systems. California and Texas have also imposed healthcare-specific restrictions that limit the use of AI in medical necessity determinations and require meaningful human oversight in clinical decision-making. Colorado's AI Act targets so-called "high-risk" systems and imposes governance, risk assessment, and documentation obligations for AI tools used in consequential decisions such as employment, insurance, and other areas that directly affect what are deemed to be areas of heightened consumer rights or access to services .

State attorneys general are also deploying broad "unfair and deceptive acts or practices" (UDAP) statutes to investigate AI-related conduct. These statutes are powerful enforcement tools because they often permit per-violation penalties, do not require proof of individual damages, and are frequently structured in ways that make cases difficult to remove to federal court. AI-related marketing claims, disclosures, bias allegations, and data practices all fall within potential UDAP scrutiny. State AGs have taken a particularly active role in scrutinizing the use of algorithmic pricing tools, mirroring a broader national trend of heightened state AG antitrust enforcement, particularly in emerging technology sectors .

What Types of AI Litigation Are Companies Facing?

Private litigation has accelerated in step with regulatory activity. Current AI-related lawsuits fall into several recurring categories that expose companies to significant liability across multiple fronts :

• Algorithmic Pricing and Antitrust Concerns: A central feature of recent AI antitrust litigation is allegations that algorithmic pricing software can be used to facilitate a so-called "hub-and-spoke" conspiracy among competitors, where the AI vendor is characterized as the "hub" and competing firms share competitively sensitive nonpublic data through the platform.
• Copyright and Training Data Scraping: Lawsuits challenge whether companies have obtained proper permissions and licenses for data used to train AI systems, particularly generative AI models.
• AI Washing and Securities Litigation: Public companies face claims of misrepresenting AI capabilities or performance to investors and the public.
• Consumer Protection and Deceptive Marketing: Cases allege that companies make false or misleading claims about AI features, capabilities, or safety.
• Biometric and Privacy Claims: Lawsuits target the collection and use of biometric data and personal information in AI systems without adequate consent or disclosure.
• Employment Discrimination: Cases challenge AI hiring and employment decision tools for perpetuating or amplifying discrimination based on protected characteristics.
• Deepfakes and Harm-to-Children Allegations: Litigation targets AI-generated synthetic media used to create non-consensual intimate images or content exploiting minors.

Courts have reached differing conclusions on whether algorithmic pricing conduct should be evaluated under the per se rule or the rule of reason, as well as whether plaintiffs have sufficiently alleged an "agreement" amongst competitors purportedly using the same pricing software. AI litigation is shaping regulation in real time, as courts interpreting existing statutes such as copyright law, biometric privacy acts, and consumer protection laws are effectively defining guardrails for AI deployment .

Steps for Companies to Navigate the Fragmented AI Enforcement Landscape

• Conduct a Comprehensive Audit: Map all AI systems deployed across the organization and identify which federal agencies, state laws, and private litigation risks apply to each system based on its use case, data inputs, and potential impact on consumers or employees.
• Implement Transparency and Disclosure Protocols: Establish clear policies for disclosing when AI is used in pricing, hiring, healthcare decisions, and marketing, ensuring compliance with state-specific disclosure requirements such as New York's Algorithmic Pricing Disclosure Act and California's AI transparency measures.
• Document Bias Controls and Risk Assessments: Maintain detailed documentation of how AI systems are tested for bias, how training data was selected and validated, and what governance structures oversee high-risk AI applications, particularly those affecting employment, insurance, or healthcare decisions.
• Monitor Multistate Enforcement Trends: Track state attorney general investigations and enforcement actions in your industry, as state AG investigations frequently precede parallel private class actions and multistate coordinated enforcement efforts.
• Ensure Meaningful Human Oversight: Implement human review and override capabilities in AI systems used for consequential decisions, particularly in healthcare and employment contexts where state laws increasingly mandate human involvement in final decision-making.

What Risk Areas Are Likely to Intensify?

Based on enforcement signals and litigation patterns, several risk areas are likely to intensify in the coming years. Privacy and data governance represent a critical vulnerability, as AI systems depend on large volumes of personal data and state AGs are increasingly focused on privacy compliance and transparency, particularly where federal privacy legislation remains stalled. Securities and disclosure risk poses another significant threat, as public companies must carefully evaluate how they describe AI capabilities and risks, with misleading claims potentially triggering SEC scrutiny .

False Claims Act exposure in government-funded contexts is emerging as a substantial liability vector. Where AI tools are deployed in healthcare reimbursement, defense contracting, or grant-funded programs, inaccurate certifications or overstatements regarding performance, bias controls, or cybersecurity compliance may present FCA risk. Finally, multistate enforcement continues to expand, as state AGs leverage coordinated enforcement efforts, multistate investigations, and task forces. AI-related conduct, particularly involving pricing, marketing, or youth protection, will likely remain a target of these coordinated actions .

The fragmented enforcement landscape means companies cannot rely on a single compliance framework. Instead, organizations deploying AI must monitor both legislative developments and emerging case law across multiple jurisdictions, anticipate how existing statutes will be applied to novel AI conduct, and maintain flexibility to adapt governance structures as regulatory expectations evolve. The absence of comprehensive federal legislation has not reduced compliance burden; it has multiplied it.