The precipitous rise of AI has left regulators and oversight committees scrambling to establish appropriate regulatory and compliance frameworks.
United States
The United States employs an innovative and sector-specific approach to AI governance. In 2025, President Trump issued Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence, to accelerate AI innovation and promote “human flourishing, economic competitiveness, and national security”. The core tenet of the order is to ensure AI is free from “ideological bias or engineered social agendas”. It directed federal agencies to review and revise policies that could impede AI development and emphasized maintaining U.S. leadership in the increasingly competitive global AI market. Additionally, the order revoked previous AI policies that obstructed the United States’ position on American AI innovation.
The White House subsequently released America’s AI Action Plan, accompanied by three AI-related Executive Orders (EO 14318, 14319, 14320), that prioritized deregulation, national competitiveness, and rapid adoption. The Action Plan restricts federal procurement of AI systems incorporating DEI-related ideologies and advances the global export of American AI technology while reducing international dependence on systems developed by foreign adversaries, thereby enhancing U.S. leadership in the field. Additionally, it streamlines permitting to expedite the development of data centers on federal land and develop new security standards that protect against cyberattacks.
On June 2, 2026, President Trump signed Executive Order 14409, Promoting Advanced Artificial Intelligence Innovation and Security, signaling a more targeted regulatory approach to frontier AI models. Under the new order, AI companies are asked to voluntarily give the government up to 30 days to review their new AI models before releasing them to the public. The process offers the federal government oversight into AI models to identify potential vulnerabilities and mitigate risks by foreign adversaries or bad actors. It also directs the Treasury secretary to develop an AI “cybersecurity clearinghouse” to assess national security vulnerabilities associated with AI. Immediately following its release, top executives at Microsoft, OpenAI, and Google praised the order as “an important step” to balance AI safety and innovation, while other expressed concern that the order could slow development and stiffen regulation in the future.
Additionally, the National Institute of Standards and Technology (NIST) offers an important benchmark for responsible AI governance by addressing risks associated with AI. The AI Risk Management Framework (RMF) is a “voluntary, rights-preserving, non-sector-specific, use-case agnostic” guide for companies involved in the development of AI systems to manage the risks posed by the technology. The RMF is intended to provide a way to operationalize the principles outlined in the AI Bill of Rights across a range of organizations.
However, comprehensive federal privacy and AI legislation remains absent. The American Data Privacy and Protection Act failed to pass in 2021, which would have embedded strict civil rights and algorithmic accountability standards into AI regulation. Consequently, governmental oversight proceeds through state and local governments, in addition to statutory regimes, like consumer protection laws, civil rights laws, financial services regulation, employment laws, and sector-specific agency enforcement. As of June 2026, all 50 states have introduced AI-related legislation, and 38 states have adopted or enacted around 100 measures in a single year to regulate or study the technology. For example, New York City prohibits employers from employing AI-assisted hiring tools unless the product underwent independent bias audits and public notice (Local Law 144). Colorado requires developers and deployers of Automated Decision-Making Technology (ADMT) to inform users of its utilization and facilitate human review to prevent algorithmic discrimination (SB 26-189). Importantly, insurers subjected to Colorado’s existing algorithmic discrimination insurance statutes are exempt from certain obligations that govern underwriting.
Across all states, an insurer that uses an internally developed or third-party AI system remains responsible for ensuring that the system complies with applicable insurance laws, unfair trade practice statutes, privacy obligations, and anti-discrimination requirements. The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers guides the regulation for evaluating insurers’ use of AI in underwriting, pricing, and claims handling, among other insurance functions.
While each state’s regulatory approach is different, a few central principles have emerged. The federal government is prioritizing innovation, national security, and global competitiveness, while state regulators are increasingly focused on transparency, bias, and consumer protection. For organizations, AI might be used to improve efficiency and risk assessment; however, it must be supported by governance and human oversight that protects users from discrimination or unlawful claims. Likewise, improved federal transparency is widely agreed upon. In September 2025, the Pew Research Center reported that six in ten Americans want greater control over the role of AI in their lives. Many lawmakers believe that when algorithms are used to inform consequential decisions, public disclosure of their use is essential for effective governance and trust. As such, a growing number of states require registration of AI systems and efforts to mitigate system bias.
Europe
For companies operating in Europe, the AI landscape is governed by the European Union Artificial Intelligence Act (EU AI Act) which launched in August 2024 and is being implemented in phases through 2027. As the first major regulator of AI, the legislation strengthens rules around data safety, ethics, and innovation by subjecting the providers and deployers to specific legal obligations. The Act adopts a risk-based approach to regulating AI, whereby the requirements for a system are relative to the level of risk it poses to the “health and safety or fundamental rights of a person.” First, applications that establish an unacceptable risk, such as social scoring systems and manipulative AI, are highly regulated and banned. Secondly, “high-risk” AI systems that pose significant threats to health, safety, or fundamental rights, like CV-scanning tools that rank job applications, are subject to rigorous regulation and testing. Additional examples of “high risk” AI include autonomous vehicles, medical devices, and critical infrastructure machinery. Under the EU AI Act, the use of AI in health and life insurance for risk assessment and pricing is also considered a high-risk activity.
“Limited risk” AI systems that interact directly with humans or generate synthetic content (chatbots) are governed by lighter transparency obligations to ensure end-users are aware that they are interacting with AI. Developers of these models are required to “apply safety checks, data governance measures and risk mitigations” before being released to the public. In addition, providers must ensure that the data used to train their systems complies with copyright and intellectual property laws. Lastly, many AI systems we interact with daily pose minimal risk to human safety and are coined “minimal risk”. They are largely unregulated and carry no extra obligations.
The following list of regulations provides additional information related to the current legislative landscape for artificial intelligence.
The Unfair Claims Settlement Practices Act
The Unfair Claims Settlement Practices Act (UCSPA) outlines minimum standards for states to regulate insurance carriers and protect policyholders from “bad faith” behavior by insurers during the claims process. While the Act predates modern AI technologies, it requires insurers to conduct reasonable investigations, communicate promptly with claimants, and base claim decisions on factual grounds – obligations that apply equally to AI-assisted decisions, too. If insurers utilize machine learning and generative AI tools to evaluate claims, detect fraud, or recommend coverage decisions, they must mitigate the risks of AI hallucinations and “black box” decision-making. Ultimate responsibility for claim decisions remains with the insurer regardless of the technology employed. Accordingly, human oversight and validation procedures are necessary when incorporating AI into the claims handling process.
NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers
The NAIC Model Bulletin is the leading U.S. insurance-specific AI governance framework. It directs insurers to maintain governance, risk-management, testing, monitoring, documentation, and vendor-oversight controls for AI systems used in underwriting, pricing, claims handling, fraud detection, marketing, and customer service.
NAIC AI Systems Evaluation Tool Pilot
A 12-state initiative to inform regulators on how domestic insurers use AI and assess whether their governance practices are effective in managing the risks. It empowers states to review AI systems, promote transparency, and identify areas of oversight or improvements. The pilot program will determine whether the tool helps insurers explain their AI governance systems to regulators, how regulators receive those standard governance practices, create long-term recommendations for market conduct and financial risk assessment review processes, and identify what addition regulator training may be needed in the future. The pilot program will run through September 2026.
National Artificial Intelligence Initiative Act of 2020 (“NAIIA”)
The NAIIA establishes statutory guidance for national AI development, accountability, and highlights the need for open data and best sharing practices to be incorporated into AI standards. In addition to risk management frameworks, the act authorized the National Science Foundation to fund and oversee AI research on its applications and ethical challenges. It also established the National Artificial Intelligence Advisory Committee, an interdisciplinary group of experts from academia, society, and the private sector to provide recommendations on the current state of U.S. AI innovation.
Colorado Artificial Intelligence Act (SB 24-205)
Colorado’s AI Act is the first broad U.S. state statute regulating high-risk AI systems. It requires developers and deployers to use reasonable care to prevent algorithmic discrimination and impose governance, disclosure, documentation, and impact-assessment obligations.
New York Department of Financial Services Circular Letter No. 7
NYDFS Circular Letter No. 7 governs the use of AI systems in insurance underwriting and pricing. It mandates anti-discrimination testing, actuarial validity, governance, and third-party oversight.
NHTSA Standing General Order on Crash Reporting for Automated Driving Systems and Level 2 Advanced Driver Assistance Systems
The Standing General Order requires manufacturers and operators of vehicles equipped with automated driving systems or Level 2 advanced driver-assistance systems to report certain crashes to the federal government. It is the principal federal reporting framework for autonomous and semi-autonomous vehicle safety data.
Illinois Biometric Information Privacy Act (“BIPA”)
BIPA regulates how private entities collect, store, and use biometric data. It requires companies to obtain written consent, inform individuals of what data is collected, and release policies on retention and destruction of data. With AI advancements utilizing facial recognition, identity verification, and monitorization, the protection by BIPA ensures individuals have control of their own biometric data.
Department of Defense Directive 3000.09 – Autonomy in Weapon Systems
DoD Directive 3000.09 dictates the U.S. Department of Defense policy on autonomous and semi-autonomous weapons. The directive ensures operators exercise human judgement over force and establishes the safety guidelines to minimize unintended accidents. The directive requires that all systems allow human use, undergo rigorous testing, and undergo frequent reviews before they are deployed by the U.S. military.
California AI Transparency Act (SB 942)
This consumer protection law combats the spread of generative AI by requiring developers to embed watermarks into all AI-generated content. This no-cost tool ensures users can verify whether content was altered by AI and reduces consumer deception and fraud. The statue is significant for synthetic media and Deepfake content.
TAKE IT DOWN Act
The federal TAKE IT DOWN Act criminalizes the nonconsensual sharing of intimate images developed by AI software and requires online platforms to remove reported content. Not only does the Act protect victims, but it also encourages websites to establish clear policies and removal processes to retain a safe digital space.