As artificial intelligence reshapes how organizations hire, manage, and make decisions, the legal landscape is struggling to keep pace. With no federal AI statute on the books and state legislatures moving fast - 50 states have now introduced AI legislation - employers face a patchwork of obligations that is anything but simple to navigate.
Frances M. Green, JD, LL.M., is an attorney at Epstein Becker Green, a national law firm focused on health care, life sciences, and employment and workforce management. She advises boards, executives, and in-house counsel on AI governance frameworks, automated decision-making compliance, and the intersection of agentic AI deployment with multi-jurisdictional employment law.
In this Q&A, Fran breaks down what businesses need to know right now - and how to build governance structures that hold up regardless of where the regulatory landscape lands.
What Is the Single Most Important Legal Consideration for Companies Building or Deploying AI Right Now?
Short Answer: AI Governance!
Organizations are continuing to deploy artificial intelligence (AI) into their workforces and/or consumer-facing operations. My own experience with clients reflect a growing urgency among boards and executives to integrate more robustly automated and AI-infused systems to increase efficiencies. This, of course, presents its own challenges. Speed, with respect to deploying AI, is not necessarily, as the term is used, “a good thing.” Tempered integration and responsible scaling of AI systems within an organization by necessity impacts legal parameters. Generally, when lawyers speak of important legal considerations regarding AI design, development, and/or deployment, the North Star is whether the tool or system is compliant with applicable regulations or legislation within the jurisdictions or countries in which the AI will be utilized.
In the first instance, laws and regulations impacting the deployment of AI are generally woven within the AI governance fabric. Responsible AI governance aligns with a compliant organizational posture. My experience is that where companies have solid AI governance frameworks, operationalized thoughtfully and responsibly throughout the organization, such organizations are steps ahead toward compliance. With competing and varying state and local AI regulation in the United States—and beyond our borders in the European Union (EU), Asia, and South America—the foremost legal consideration is whether an operational AI governance structure is providing the necessary tools, training, and monitoring to ensure that deployed AI is ethical, explainable, safe and free from causing harm, whether that harm is bias or something else.
The plot thickens indeed with the introduction and accelerated use of agentic AI tools and systems. For boards and counsel, the imperative is to treat agentic deployment not as an incremental upgrade to existing static generative AI tools, but as a distinct governance event—one requiring calibrated human oversight, documented decision boundaries, and an auditable record of autonomous action commensurate with the risk the agent is permitted to assume.
This acceleration reshapes what AI governance has to accomplish. When a model simply drafts output for a person to review, oversight happens at the point of use. Once a system can plan, decide and execute multi-step tasks across applications and data, however, accountability moves upstream to how that autonomy was scoped, constrained, and monitored in the first place. Because agents act over time, retain context, and trigger downstream consequences, governance moves from an audit of a static model to a continuous review woven into the workflow.
That raises a more focused set of questions: Which actions may an agent complete on its own, and which require a human to sign off? Is its reasoning logged well enough to reconstruct later? And who bears responsibility when an autonomous step produces a discriminatory or otherwise non-compliant outcome? These pressures explain the growing reliance on human-in-the-loop and human-on-the-loop oversight for higher-stakes decisions.
For boards and counsel, the takeaway is that deploying agentic systems is not a routine upgrade to existing AI tools but again, a distinct governance event—one that calls for deliberate human checkpoints, clearly documented limits on what the agent may do, and an audit trail proportionate to the risk it is allowed to carry.
How is U.S. AI regulation evolving? What should businesses be paying attention to?
Short Answer: No federal comprehensive legislation, but keep an eye on the states.
The signature dynamic in mid-2026 is a head-on tension between two levels of government pulling in opposite directions. The current political administration is pushing hard to deregulate and consolidate, and there is still no comprehensive federal AI statute on the books. In its place, the administration is deploying executive orders and courtroom strategy to attempt to dismantle the growing thicket of state rules—even as state legislatures keep adding to it.
President Donald Trump’s December 11, 2025, Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence” (“E.O. 14365”) does not, by itself, displace or void a single state AI law. EO 14365 set several gears in motion, and three have now turned. One, the enforcement machinery is operational: the U.S. Department of Justice (DOJ) launched its AI Litigation Task Force on January 9, 2026, to contest state laws on interstate-commerce and constitutional preemption theories. It is no longer a paper threat. When xAI moved to block Colorado’s SB 24-205—at the time one of the more stringent state laws governing AI deployment— the DOJ joined the fight with its own filing, arguing the Colorado statute forces discrimination along protected lines, and the court let the intervention proceed. (Note that Colorado’s SB-189 replaced SB 24-205 just before it was slated to take effect in June.) Having the federal government actively litigating against a state AI law in open court is a development clients should be watching.
Two, Executive Order 14365 also tasked the Secretary of Commerce with delivering, by March 11, 2026, a catalog of state laws judged excessively burdensome or at odds with federal policy—singling out measures that compel AI systems to modify “truthful outputs” or impose disclosure duties that may clash with the First Amendment—and with earmarking candidates for referral to the Task Force. Keep in mind that the document carries no legal force of its own: it signals which laws the administration finds objectionable. Voiding any of them still demands a lawsuit and a court-ordered injunction, which can stretch across many months or years. While the catalog deadline has passed, this should be considered a list of intended targets, but not changing or altering existing state regulatory schemes.
Three, the most striking substantive move is a doctrinal flip: E.O. 14365 reframes state anti-bias laws as compelling distortion of “truthful outputs” and treats that as a deceptive act under the Section 5 of the Federal Trade Commission Act’s prohibition on engaging in deceptive acts or practices affecting commerce. This overturns the FTC’s earlier stance, which had cast algorithmic bias as a source of liability rather than a shield. The result is a real bind: a state may require an organization to mitigate bias while the federal posture brands that same mitigation as deception. Indeed, to counter this federal trend, one state, Illinois, recently passed legislation banning any effort to displace disparate impact analysis from its state anti-discrimination laws:
The states, for their part, are accelerating rather than retreating. By March 2026, 45 states had introduced 1,561 AI bills, eclipsing the entire 2024 count. By June, all 50 states had done so, and laws already operative, such as those, e.g., in California and Texas, stay fully in force unless a court says otherwise.
How should U.S. employers with global operations approach AI governance in the workplace to stay compliant—as state-level AI laws continue to expand and laws in the EU continue to evolve?
Short Answers
(a) Build to the high-water mark, then localize.
The pragmatic move for multinationals is to create a baseline program calibrated to the strictest applicable regime (usually the EU AI Act for high-risk employment use cases) and then layer jurisdiction-specific obligations on top. Trying to maintain genuinely separate compliance tracks per state and country is brittle and expensive; a “Brussels effect” baseline with modular add-ons scales better.
The caveat is that this isn’t always cheapest approach where a strict default imposes obligations (e.g., bias auditing, risk assessments, transparency notices, etc.) in jurisdictions that don’t require them, so you’ll want a defensible map of where you deliberately exceed local law versus where you localize down.
Treat the patchwork as falling into recurring obligation buckets. Most of the state and EU regimes—NYC Local Law 144, Illinois, Colorado’s framework, California’s Automated Decision-Making Technology (ADMT) rules, the EU AI Act—converge on a common set of duties even when the triggers and definitions diverge:
(1) inventory and risk-classify AI/ADMT systems;
(2) bias/impact assessment and, in some cases, independent auditing;
(3) candidate/employee notice and sometimes opt-out or human-review rights;
(4) recordkeeping and documentation;
(5) vendor diligence and contractual allocation.
If you govern to those buckets rather than to individual statutes, new laws mostly become a question of “which bucket, what threshold,” not a net-new program.
(b) Anchor on a living inventory and a clear deployer/developer posture.
The foundation is an AI use inventory tied to risk classification, because nearly every obligation keys off knowing what tools touch hiring, promotion, monitoring, scheduling, and termination. Most employers sit in the “deployer” seat, which shifts a lot of the analysis to vendor management: contractual representations on bias testing and documentation, audit cooperation, indemnification, and the right to the artifacts you need to meet your own notice and assessment duties. Colorado’s developer/deployer fault-allocation framework is a useful model for how that responsibility split is increasingly being codified.
(c) Watch the U.S. preemption picture closely—it’s the live variable.
The possibility of federal preemption can create uncertainty about how durable some state obligations will be.
Bottom line: Operationalize through governance infrastructure, not just policy: cross-functional ownership (legal, human resources, IT/security, privacy), a documented review/approval gate before new AI tools go live, human-in-the-loop checkpoints for consequential employment decisions, AI literacy training, and an incident/complaint pathway. The EU AI Act’s literacy and human-oversight expectations dovetail nicely with what good U.S. employment law hygiene already wants, so there’s leverage in framing these as one program rather than competing mandates.
How should employers approach workplace AI governance in view of this evolving regulatory landscape on the federal and state levels?
Short Answer: Build flexible, documented governance frameworks adaptable across shifting multi-jurisdictional requirements.
For U.S. employers in particular, the steadiest course is to engineer compliance to the most demanding standard, rather than retrofitting to each new statute one at a time. The shared spine running through Colorado, Illinois, and California’s automated-decision rules, and New York City’s Local Law 144, is strikingly uniform: tell affected workers when AI is in play, test and monitor consequential employment tools for disparate impact on protected classes under state and federal laws, keep a real person meaningfully in charge of impactful decisions affecting an employee’s livelihood, and preserve records that survive scrutiny.
Start by cataloging every AI system that touches hiring, advancement, discipline, scheduling, or separation—including the vendor products HR may have brought in without a legal look—and assess each for the absence of bias. Make human oversight substantive rather than a rubber stamp on whatever the model produced. And because the “truthful outputs” framing now cuts both ways, characterize your bias work in the record as measurement, calibration, and governance rather than as scrubbing valid results, with counsel engaged at the decision points so the material doubles as a compliance file and a defensible exhibit that may withstand challenges as to the attorney-client privilege. That recordkeeping discipline is precisely what allows an employer to satisfy today’s enforceable state obligations while staying nimble enough to adjust whichever way the federal preemption question ultimately resolves.
The honest summary for clients: this contest will play out over years, not months. Meet the obligations that are enforceable now, construct governance sturdy enough to withstand either outcome. In the meantime, Colorado’s SB 26-189, which takes effect in January 2027, may serve as the bellwether for state legislation to come in other jurisdictions.
Even in the absence of state AI regulation, employers would be wise to review and assess AI within their organizations by conducting AI audits to ensure that the tools are functioning as intended and there is transparency and explainability on how the AI generates results. Moreover, history teaches us that by virtue of the 10th Amendment, a federal standard is de facto, absent constitutionally provided preemption, the minimum and thus the states may provide more robust protection to its citizens. Consequently, federal employment discrimination, job safety and wage and hour protections are examples of this reality.
About the Author
Frances M. Green, JD, LL.M., is an attorney at Epstein Becker Green, where she advises boards, executives, and in-house counsel on AI governance frameworks, employment law compliance, and privacy strategy. She holds the AIGP, CIPM, and IAPP certifications and counsels organizations navigating the intersection of agentic AI deployment, automated employment decision tools, and multi-jurisdictional regulatory compliance. She is a regular voice on the evolving federal-state tension in AI regulation; learn more about Epstein Becker Green's artificial intelligence practice.
Epstein Becker Green Staff Attorney Ann W. Parks contributed to the preparation of this article.
.png)