Trump Admin Approach to Federal AI Policy
May 9, 2026
By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity
Last Updated: June 13, 2026
Artificial intelligence regulation in the United States has split into two parallel tracks. At the state level, lawmakers are moving quickly to impose requirements around transparency, discrimination, and consumer protection. At the federal level, the approach has been markedly different, focused on limiting regulatory fragmentation, maintaining global competitiveness, and increasingly, addressing the cybersecurity risks associated with advanced AI systems. The result is not a single regulatory framework but a collision between competing priorities that now shapes how businesses evaluate AI risk and compliance.
This page breaks down the federal AI policy landscape, including the failed moratorium effort, the TAKE IT DOWN Act, the administration's AI Action Plan, both 2025 and 2026 executive orders, the National Institute of Standards and Technology (NIST) standards approach, and the international frameworks that directly impact U.S. businesses operating across borders.
On June 2, 2026, the federal government expanded its approach with a new executive order focused on artificial intelligence security rather than traditional regulation. The order emphasizes voluntary collaboration with AI developers, prioritizes AI-driven cyber defense, and directs federal agencies to treat advanced AI systems as a national security and cybersecurity concern. This marks a shift in federal policy from primarily managing regulatory authority to actively addressing the security risks posed by increasingly capable AI systems.
Quick Navigation
Federal Moratorium Debate • TAKE IT DOWN Act • AI Action Plan • Executive Order • NIST Standards • Federalism Debate • International • Michigan Businesses
The Federal Moratorium Debate
A particularly contentious proposal that dominated AI policy discussions in 2025 was an attempt to impose a 10-year moratorium on state AI regulations. Initially introduced as part of President Trump's One Big Beautiful Bill budget reconciliation package, the provision would have prevented states from enforcing their own AI laws for a decade.
The moratorium, championed by Republican Sen. Ted Cruz of Texas, was designed to prevent what supporters called a "regulatory cacophony" of conflicting state policies. Proponents argued that navigating 50 different regulatory frameworks would stifle innovation, create compliance burdens particularly harmful to smaller companies, and potentially hamper America's competitive position against China in AI development. Tech industry leaders, including OpenAI CEO Sam Altman, expressed support for federal preemption, with Altman noting it would be "very difficult to imagine us figuring out how to comply with 50 different sets of regulation."
However, the proposal faced overwhelming bipartisan opposition from state officials. In a remarkable display of unity, a coalition of 17 Republican governors led by Arkansas Gov. Sarah Huckabee Sanders sent a letter to congressional leadership opposing the moratorium, arguing that "AI is already deeply entrenched in American industry and society; people will be at risk until basic rules ensuring safety and fairness can go into effect." A bipartisan group of 40 state attorneys general also sent a letter to Congress voicing objections to the proposal as violative of state sovereignty and their efforts to protect consumers.
After significant pushback, lawmakers attempted to modify the proposal by shortening the timeframe to five years and exempting certain categories of state laws. Despite these concessions, the revised version still faced criticism for containing language that would undermine state laws deemed to place an "undue or disproportionate burden" on AI systems. Ultimately, in a decisive 99-1 Senate vote, the moratorium was stripped from the budget bill, with even Sen. Cruz joining the overwhelming majority. The outcome was a significant victory for states' rights advocates but left unresolved the question of how to balance national interests in AI development with state concerns about protecting citizens.
The TAKE IT DOWN Act: First Federal AI Harm Law
While the moratorium debate played out, Congress managed to pass one significant piece of AI-related legislation with near-unanimous support. The TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act) was signed into law on May 19, 2025, after passing the House 409-2 and clearing the Senate unanimously. It stands as the first federal law directly addressing harm caused by AI-generated content.
The law criminalizes the knowing publication of nonconsensual intimate images, including AI-generated deepfakes, and requires covered platforms to establish notice-and-removal processes allowing victims to request takedowns. The platform compliance deadline is May 19, 2026. Upon receiving a valid request, a platform must remove the content within 48 hours. Enforcement falls to the Federal Trade Commission, which may pursue civil penalties for noncompliance. The law also extends FTC enforcement authority to nonprofit entities, which are ordinarily outside the FTC Act's scope.
For a full breakdown of federal and state deepfake laws and compliance requirements, see our Deepfake Legislation Tracker.
America's AI Action Plan
On July 23, 2025, the White House released "Winning the Race: America's AI Action Plan," fulfilling a mandate from Trump's January 2025 executive order on removing barriers to American AI leadership. The Plan outlines more than 90 federal policy actions organized around three pillars: accelerating innovation, building American AI infrastructure, and leading in international AI diplomacy and security.
The Plan's deregulatory posture signals the administration's broader approach to AI governance, prioritizing speed and competitive dominance over precautionary regulation. Accompanying the Plan, Trump signed three executive orders on the same day: one promoting the export of American AI technology, one streamlining federal permitting for data center construction, and one directing federal agencies to procure only AI systems deemed ideologically neutral and "truth-seeking."
One provision carries direct implications for state-level compliance. The Plan recommends that OMB assess states' AI regulatory environments when making federal funding decisions, effectively creating a financial incentive for states to align with federal policy rather than maintain stricter local requirements. For defense contractors and other businesses that rely on federal funding, this adds another layer of uncertainty to an already complex compliance picture.
Free Download
Deepfake Compliance Checklist
TAKE IT DOWN Act requirements, 30-state election disclosure obligations, and internal controls for every business type.
Trump Administration Executive Order
On Dec. 11, 2025, President Trump signed an executive order aimed at blocking state AI laws, arguing that state-by-state regulation creates a burdensome patchwork that threatens American AI leadership. The order encourages the attorney general to challenge what it characterizes as onerous and excessive state laws and calls for development of a national AI framework.
The administration specifically criticized laws like Colorado's anti-discrimination requirements, claiming they may force AI models to produce false results to avoid differential impact on protected groups. The executive order states that state-by-state regulation "by definition creates a patchwork of 50 different regulatory regimes that makes compliance more challenging, particularly for start-ups." It also claims that some state laws impermissibly regulate beyond state borders, impinging on interstate commerce.
The order establishes an AI Litigation Task Force to coordinate federal challenges to state laws and directed the Secretary of Commerce to publish an evaluation identifying burdensome state AI laws by March 11, 2026. The DOJ's subsequent intervention in xAI's lawsuit against Colorado's AI Act represents the task force's first major enforcement action. On March 20, 2026, the White House released a broader legislative framework urging Congress to formally preempt conflicting state AI laws while preserving state authority over child safety, consumer protection, and government AI procurement.
New York Assemblymember Alex Bores, sponsor of the RAISE Act, argues his bill does not fit the category of onerous regulation. He notes the RAISE Act was largely based on voluntary commitments that AI companies already made and pledged to follow, simply ensuring those rules stayed in law and that companies couldn't backslide. "I don't think it's onerous to require companies to do the things that they're already saying they're going to do," Bores said in a recent NPR interview.
Several Democratic governors, including Colorado's Jared Polis, Connecticut's Ned Lamont, and New York's Kathy Hochul, have expressed concern about the challenges posed by varying state regulations. As Governor Lamont noted, "I just worry about every state going out and doing their own thing, a patchwork quilt of regulations," and the potential burden this creates for AI development. Republican Senator Marsha Blackburn of Tennessee has taken a different view, arguing that states must retain their ability to protect citizens until comprehensive federal legislation is in place: "Until Congress passes federally preemptive legislation like the Kids Online Safety Act and an online privacy framework, we can't block states from making laws that protect their citizens."
On the legislative front, Sen. Blackburn introduced the TRUMP AMERICA AI Act in December 2025. Formally, it's the Republic Unifying Meritocratic Performance Advancing Machine Intelligence by Eliminating Regulatory Interstate Chaos Across American Industry Act. This legislation would codify the executive order into statute and establish a single federal rulebook for AI. Additional congressional proposals are expected throughout 2026 as lawmakers seek to formalize the administration's deregulatory approach. The FTC faced a March 11, 2026, deadline to publish a policy statement describing how the FTC Act applies to AI and when state laws that require alteration of AI outputs may be preempted under federal law, a ruling that could have immediate consequences for several state transparency mandates.
June 2, 2026 Executive Order: AI as a Cybersecurity Priority
On June 2, 2026, the Trump administration issued a second executive order titled Promoting Advanced Artificial Intelligence Innovation And Security, shifting the federal government's focus from regulatory preemption to cybersecurity risk. Unlike the December 2025 order, which centered on limiting state oversight, this directive treats advanced AI systems as a potential national security concern and emphasizes defensive capabilities.
The order establishes a voluntary framework for AI developers to provide the federal government with early access to certain high-capability "frontier models" prior to public release, allowing agencies to evaluate potential security risks. It also directs federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), to expand the use of AI-enabled tools to detect vulnerabilities, strengthen federal systems, and coordinate response efforts across critical infrastructure sectors.
A central component of the order is the creation of an AI cybersecurity clearinghouse designed to identify software vulnerabilities discovered by advanced AI systems and distribute remediation guidance. The directive also prioritizes enforcement against AI-enabled cybercrime, including fraud, identity theft, and unauthorized system access.
Taken together, federal executive actions reflect a consistent strategy: limit fragmented regulation, encourage rapid innovation, and address risks through enforcement and cybersecurity rather than broad prescriptive rules. While Congress continues to debate comprehensive legislation, executive authority is currently the primary mechanism shaping federal AI policy.
Free Download
AI Business Tips E-Book
When implemented incorrectly, any technology with access to sensitive data can create security risks. Because AI systems rely on large volumes of proprietary data, companies must prioritize security from the outset when evaluating AI implementation or selecting AI solutions. When used responsibly and securely, AI can streamline operations, help solve critical business challenges, and build client trust. Understanding real examples and their impact can help you make informed decisions about adopting AI.
The NIST Standards Approach
A more promising federal pathway has emerged in recent congressional hearings, with growing bipartisan support for leveraging the National Institute of Standards and Technology (NIST) to develop technical standards for AI systems. This approach has proven successful in adjacent domains like cybersecurity and privacy, where the NIST Cybersecurity Framework has achieved widespread voluntary adoption across industries without imposing heavy-handed regulation.
NIST has already developed the AI Risk Management Framework (AI RMF 1.0), which provides a common vocabulary and methodology for identifying, assessing, and mitigating AI risks. The framework emphasizes a flexible, context-specific approach that can accommodate rapid technological changes while still establishing important guardrails. NIST also released a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596) in December 2025, offering guidelines for using the NIST Cybersecurity Framework (CSF 2.0) to accelerate secure AI adoption.
For companies already familiar with NIST frameworks for cybersecurity and privacy compliance, particularly in regulated sectors like healthcare, defense, and financial services, this approach provides natural continuity with existing governance structures. Defense contractors subject to CMMC requirements will find the NIST AI RMF integrates directly with their current programs.
The Federalism Debate: National Strategy or Californication?
A House Judiciary Subcommittee hearing on Sept. 18, 2025, AI at a Crossroads: A Nationwide Strategy or Californication? examined how the current patchwork of state regulations might impact innovation and impose costs on the AI industry. The state-by-state approach, sometimes called "Californication" due to California's outsized influence, raises questions about whether companies operating nationally will effectively be forced to comply with the strictest state standards regardless of where they are based.
The Artificial Intelligence Research, Innovation, and Accountability Act of 2024 addresses governance frameworks for high-impact AI systems, requiring risk assessments and management practices. This bipartisan effort signals that despite the state patchwork, there is movement at the federal level toward establishing baseline standards. Many industry stakeholders have implemented voluntary commitments and self-regulation frameworks that complement formal regulations, showing that governance can advance even without formal mandates.
Whether federal courts will ultimately allow the Trump administration to preempt state laws remains uncertain and will likely be determined through litigation in 2026 and beyond. The DOJ's intervention in the Colorado xAI lawsuit is a preview of that legal fight. Until comprehensive federal legislation emerges, states will continue serving as laboratories of democracy, testing different approaches to managing AI's risks while fostering its benefits.
International Approaches to AI Regulation
While U.S. states navigate their regulatory approaches, other nations have taken more coordinated action. The contrast highlights fundamental differences in regulatory philosophy that carry direct compliance implications for U.S. businesses operating internationally.
Artificial Intelligence Readiness Evaluation (AIRE)
STACK Cybersecurity developed a custom evaluation tool for businesses of all sizes to gauge their AI readiness. Our comprehensive assessment offers you a custom score. Select the button below to start your evaluation.
Whether you're a small business owner, a team leader, or simply curious about the technology, this guide explains what AI can (and can't) do, how businesses are using it today, and how to adopt AI tools more safely and effectively. According to recent industry research, more than 75% of organizations now use AI in at least one business function, yet only a small percentage consider their AI adoption fully mature. That means businesses still have time to implement AI thoughtfully, securely, and strategically without falling behind competitors.
European Union: The AI Act
The EU has established the most comprehensive regulatory framework globally through its AI Act, which became legally binding on Aug. 1, 2024. The legislation takes a risk-based approach, categorizing AI systems into four tiers: unacceptable risk (prohibited), high risk (stringent requirements), limited risk (transparency obligations), and minimal risk (no additional obligations).
Key compliance milestones include Feb. 2, 2025, when prohibitions on certain AI practices took effect; Aug. 2, 2025, when rules for general-purpose AI models became applicable; Aug. 2, 2026, when the core framework becomes broadly operational for high-risk systems; and Aug. 2, 2027, when remaining provisions take full effect. Penalties for noncompliance are substantial: up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, up to EUR 15 million or 3% for other violations, and up to EUR 7.5 million or 1% for supplying incorrect information to authorities.
The Act's extraterritorial reach means American businesses must comply with EU requirements regardless of where they are headquartered. For U.S. companies serving European customers, partnering with EU-based firms, or operating within the European market, compliance planning should be underway now rather than waiting for U.S. federal action. Companies already familiar with GDPR compliance will find some conceptual overlap, though the AI Act introduces entirely new categories of requirements around risk management, transparency, and prohibited uses.
For a detailed compliance guide including high-risk system requirements, ISO 42001 alignment, and practical steps for U.S. companies, see our EU AI Act Compliance Guide for U.S. Businesses.
Other International Approaches
The United Kingdom has pursued a more flexible approach with its National AI Strategy and a policy white paper titled "AI Regulation: A Pro-Innovation Approach," emphasizing sector-specific regulation through existing regulators rather than creating new AI-specific laws. Canada has implemented the Artificial Intelligence and Data Act (AIDA), which takes a similar risk-based approach to the EU but with lighter requirements for lower-risk systems. China has taken a more assertive regulatory stance, requiring AI service providers to register algorithms with the government and conduct security assessments before deployment. Japan has pursued voluntary guidelines and principles, emphasizing human-centric AI development while monitoring developments for potential future intervention.
The EU AI Act creates a unified framework across 27 member states with clear categories, timelines, and enforcement mechanisms. That model stands in direct contrast to the U.S. state-by-state patchwork and the federal government's ongoing effort to replace it with a single national standard makes the international comparison an increasingly relevant data point in the domestic debate.
Federal, Global Considerations for Michigan Firms
For Michigan-based companies, particularly those in defense contracting and healthcare, several federal and international considerations warrant attention alongside the state compliance picture.
Federal funding implications are an emerging concern. America's AI Action Plan directs OMB to factor states' AI regulatory environments into federal funding decisions. Defense contractors and other federally funded businesses should monitor how this recommendation develops into formal guidance, as it could affect grant and contract eligibility. The DOJ's active challenge to Colorado's AI law signals how seriously the administration is pursuing this strategy.
The June 2026 executive order introducing AI-focused cybersecurity measures suggests that enforcement and expectations around AI will increasingly align with existing cybersecurity frameworks rather than standalone AI regulations. For small and midsize businesses, this means risks associated with AI use will likely be evaluated through the same lens as cyber threats, particularly in areas such as vulnerability management, incident response, and third-party risk.
CMMC compliance intersections exist with AI governance. Defense contractors already familiar with NIST frameworks will find the NIST AI Risk Management Framework integrates naturally with existing cybersecurity and compliance programs. As AI tools become more embedded in defense contractor workflows, expect CMMC assessors to scrutinize AI governance practices more closely.
EU AI Act considerations apply if you serve European customers, have EU operations, or partner with NATO allies. Defense contractors and healthcare providers with international reach should assess whether their AI systems fall under EU jurisdiction. The Aug. 2, 2026, effective date for high-risk system requirements is approaching. See our EU AI Act Compliance Guide for detailed requirements and preparation steps.
For most small and midsize businesses, the immediate risk is not direct federal AI regulation but how AI use intersects with existing cybersecurity, compliance, and contractual obligations. As vendors, customers, and regulators begin to evaluate AI through a security lens, treating AI governance as part of your broader cybersecurity program will better position you to meet emerging expectations.
Need Help Implementing AI Solutions?
STACK Cybersecurity provides comprehensive AI readiness assessments, including licensing analysis, security implementation, and ongoing monitoring for Shadow AI. Check out our AI Hub.
Email: info@stackcyber.com
Phone: (734) 744-5300