Regulatory Landscape for Intelligent Systems in the US

The United States governs intelligent systems through a distributed, sector-specific regulatory model rather than a single comprehensive statute. Federal authority is divided across more than a dozen agencies, each applying existing mandates to AI-driven conduct within their jurisdictions. This page maps that authority structure, explains the mechanisms through which oversight operates, identifies the deployment contexts most likely to trigger regulatory scrutiny, and clarifies the classification boundaries that determine which framework applies in a given scenario. For practitioners and organizations deploying intelligent systems in government and public sector contexts, these distinctions carry direct operational and legal consequences.

Definition and scope

The regulatory landscape for intelligent systems in the United States refers to the aggregate body of statutes, agency guidance documents, executive orders, and standards frameworks that establish obligations for organizations designing, deploying, or operating AI-enabled systems. No single federal statute currently defines a universal compliance floor for intelligent systems across all industries.

The foundational federal definition comes from the National AI Initiative Act of 2020 (15 U.S.C. § 9401), which describes AI as "a machine-based system that can, for a given set of objectives, make predictions, recommendations, or decisions influencing real or virtual environments." The National Institute of Standards and Technology (NIST) elaborates on this in the AI Risk Management Framework (AI RMF 1.0, 2023), framing AI systems along dimensions of risk, impact, and trustworthiness rather than purely by technical architecture.

Scope boundaries matter considerably in this landscape. A credit-decisioning algorithm falls under the Federal Trade Commission Act and the Equal Credit Opportunity Act simultaneously. A clinical decision-support tool may require FDA clearance under 21 C.F.R. Part 820. An autonomous vehicle sensor system intersects with National Highway Traffic Safety Administration (NHTSA) guidance. The scope of any given regulation depends on the application domain, the affected population, and whether the system produces legally consequential outputs.

The privacy and data governance for intelligent systems layer adds a parallel compliance dimension: data practices underlying intelligent systems must satisfy sector-specific rules such as HIPAA (45 C.F.R. Parts 160 and 164), GLBA (15 U.S.C. § 6801), and the Children's Online Privacy Protection Act (COPPA), regardless of which agency oversees the AI output itself.

How it works

The U.S. regulatory mechanism for intelligent systems operates through four primary channels:

  1. Existing statutory authority applied to AI conduct. Agencies such as the FTC use Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits unfair or deceptive acts, to pursue enforcement actions involving algorithmic bias, false claims about AI capabilities, and deceptive data practices. The FTC published its Aiding or Abetting guidance in 2023 and has pursued enforcement in the AI space without new AI-specific legislation.

  2. Sector-specific rulemaking. The FDA's Digital Health Center of Excellence applies a risk-based classification framework to software as a medical device (SaMD), using existing device law under the Federal Food, Drug, and Cosmetic Act (21 U.S.C. § 321 et seq.) to regulate AI-powered diagnostic tools. The SEC has signaled through its 2023 proposed rules on predictive data analytics that algorithmic tools used in investment advice trigger advisor obligations under the Investment Advisers Act of 1940.

  3. Executive guidance and interagency coordination. Executive Order 14110 (October 2023), Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, directed more than 50 agency-specific actions, including mandatory safety reporting for frontier AI models, red-teaming requirements, and watermarking guidance. The Office of Management and Budget followed with Memorandum M-24-10, which established AI governance requirements for federal agencies acquiring or deploying AI systems.

  4. NIST standards as voluntary-but-referenced baselines. The NIST AI RMF 1.0 provides a four-function structure — Govern, Map, Measure, Manage — that federal procurement and private-sector litigation increasingly cite as a due-diligence benchmark. Adherence to NIST frameworks does not confer legal immunity but establishes a documented risk management record. The companion NIST AI RMF Playbook translates each function into discrete organizational actions.

The accountability frameworks for intelligent systems page covers how these mechanisms assign responsibility across the supply chain from model developer to deployer.

Common scenarios

Intelligent system deployments most frequently encounter regulatory contact in five defined contexts:

Healthcare diagnostics and clinical support. AI tools that analyze images, recommend treatments, or flag patient risk scores are classified as Software as a Medical Device when they meet FDA criteria. The FDA's Predetermined Change Control Plan guidance (2023) allows manufacturers to submit an anticipated modification schedule rather than seeking clearance for each update. Systems operating in this space must also comply with HIPAA's minimum necessary standard and security rule (45 C.F.R. § 164.514).

Automated employment decisions. Hiring algorithms, performance-scoring tools, and workforce scheduling systems face scrutiny under Title VII of the Civil Rights Act (42 U.S.C. § 2000e) when outputs produce disparate impact along protected characteristics. The Equal Employment Opportunity Commission (EEOC) published a technical assistance document in 2023 confirming that Title VII applies to AI-assisted hiring tools. New York City Local Law 144 (2023) further mandates independent bias audits for automated employment decision tools used in the city, with penalties up to $1,500 per violation per day (NYC Local Law 144).

Consumer financial services. Credit scoring, loan underwriting, and fraud detection systems trigger the Equal Credit Opportunity Act (ECOA, 15 U.S.C. § 1691), which requires adverse action notices explaining credit denials. The Consumer Financial Protection Bureau (CFPB) issued guidance in 2022 stating that "complex algorithms" do not excuse lenders from providing specific, accurate reasons for adverse decisions — a direct constraint on black-box model deployment.

Autonomous systems in transportation. The NHTSA's Automated Vehicles for Safety program sets voluntary federal guidance rather than binding regulation for autonomous driving systems. However, state-level frameworks in California (California DMV Title 13, Division 1, Chapter 1, Article 3.7), Texas (Transportation Code Chapter 545), and Florida (Statutes § 316.85) impose separate licensing, reporting, and liability regimes that create a 50-state compliance patchwork.

Government procurement and internal use. OMB M-24-10 requires federal agencies to designate an AI Governance Lead, maintain an AI use case inventory, and conduct rights-impacting and safety-impacting use assessments before deploying or procuring covered AI systems. Agencies that contract for intelligent systems must flow these obligations to vendors through Federal Acquisition Regulation (FAR) clauses.

Decision boundaries

Determining which regulatory framework applies to a given intelligent system requires resolving three classification questions:

1. Is the system's output legally consequential?
Systems that produce outputs directly affecting rights, benefits, liberties, or safety — loan decisions, parole recommendations, medical diagnoses — face higher regulatory scrutiny than systems generating content suggestions or process optimizations. The NIST AI RMF uses the term "high-impact" to denote this category. OMB M-24-10 defines a parallel category called "rights-impacting" AI, which triggers mandatory impact assessments.

2. Which sector does the primary use case fall within?
Domain determines the lead regulator. Healthcare → FDA and HHS. Financial services → CFPB, SEC, and OCC. Employment → EEOC. Consumer protection generally → FTC. Transportation → NHTSA and state DMVs. Overlapping domains — such as a mental health app that also processes payment data — require mapping each functional component to the relevant authority rather than selecting a single regulator.

3. Does the system qualify as general-purpose or application-specific?
General-purpose AI models (large language models, foundation models) that are integrated into downstream products occupy a regulatory gray zone. Executive Order 14110 distinguished "dual-use foundation models" — defined as those trained on broad data and capable of posing serious risks — and imposed specific reporting requirements on their developers under Defense Production Act authority. Application-specific systems built on those models inherit the framework applicable to their deployment context.

A comparison clarifies the boundary: a rule-based expert system that applies fixed logical conditions to insurance eligibility differs fundamentally from a machine learning model that continuously retrains on claims data. The former's outputs are auditable and static; the latter's can shift in ways that produce disparate impact over time without deliberate design changes. This distinction affects both the applicable standard of care and the frequency of required audits under emerging state and federal guidance.

The broader intelligent systems standards and frameworks reference covers ISO/IEC 42001:2023, the international AI management system standard that provides a complementary audit structure to the NIST AI RMF. The homepage at Intelligent Systems Authority situates these regulatory questions within the full technical scope of the field, from architecture through deployment lifecycle.

Safety and risk framing for intelligent systems intersects directly with regulatory classification: systems categorized as high-risk under NIST or OMB frameworks face documentation, testing, and human-oversight requirements that lower-risk systems do not.

📜 18 regulatory citations referenced  ·  🔍 Monitored by ANA Regulatory Watch  ·  View update log

References

Read Next

Intelligent Systems in Government and Public Sector The scale of public-sector adoption — spanning more than 700 AI use cases documented by federal agencies in a single reporting... Privacy and Data Governance for Intelligent Systems Intelligent Systems Authority Privacy and Data Governance for Intelligent Systems Privacy and data governance have become... Accountability Frameworks for Intelligent Systems Intelligent Systems Authority Accountability Frameworks for Intelligent Systems Accountability frameworks for intelligent...