This past August, the European Union Artificial Intelligence Act ("EU AI Act") became effective in the European Union ("EU"). Proposed in 2021, the EU AI Act is the first comprehensive law of its kind. It follows a prescriptive, risk-based approach to regulation and provides a pragmatic legal structure for artificial intelligence ("AI") systems. This legislation is and will continue to be an important milestone within the legal framework surrounding AI technology and is likely to significantly influence legislation here in the U.S. and worldwide.
In the U.S., there currently is no federal AI legislation. In October 2023, the Biden administration issued Executive Order 14110 on “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” ("EO"), which proposed an AI framework instructing federal agencies on the use of AI. Many of its requirements trickled down to the private sector through regulation by federal agencies such as the Federal Trade Commission ("FTC"), Food and Drug Administration ("FDA"), Department of Health and Human Services ("HHS"), and Department of Defense ("DOD"). Trump rescinded the Biden EO on January 20, 2025, day one of the Trump administration.
In May 2024, Colorado became the first U.S. state to enact its own comprehensive AI legislation when Colorado Governor Jared Polis signed into law SB 24-205 ("Colorado AI Act"). The Colorado AI Act adopts many regulatory concepts similar to the EU AI Act. This is only the first legal step surrounding AI regulation as a whole in the U.S. In the absence of federal legislation, and in addition to Colorado and Utah, which have enacted AI legislation, there have been at least 447 state proposals considered in 45 different state legislatures to regulate AI in the past year, notably in Connecticut and California. As more states are likely to adopt similar legislative
models, the use, category, and level of risk factor will continue to spur heavy debate for both government officials and the growing number of businesses using AI technologies across the country, as well as throughout the world.
At the same time, many U.S. businesses seeking to develop AI compliance programs have developed policies, procedures, and governance in accordance with the National Institute of Standards and Technology ("NIST") AI Risk Management Framework ("RMF"). Like the EU AI Act and the Colorado AI Act, the RMF is focused on identifying and managing unique risks posed by the development or deployment of AI.
AI legislation and regulatory activity are likely to continue apace in 2025. This article examines the requirements of current comprehensive legislation and significant U.S. state proposals, reviews the RMF as a compliance tool, and outlines litigation and insurance considerations and certain best practices for companies to stay ahead in a rapidly changing legal environment.
To read the full article, please click here (subscription required).
"From over the Pond: The European Union’s Comprehensive AI Legislation Comes to America," by Sharon R. Klein and Lisa M. Campisi was published in The Brief, Volume 54, Number 2, Winter 2025. © 2025 by the American Bar Association.
