Market Research · United States · Regulated Industries

Deregulated Federally, Regulated Everywhere Else: The US Enterprise AI Landscape in 2026

Flaredog Research ·

United States — new york manhattan financial district skyline
Photo: Luca Bravo / Unsplash

Enterprise AI buyers in the United States are navigating a contradiction. At the federal level, the policy signal is unmistakably pro-acceleration: barriers are being removed, not added. At the sector level — banking, healthcare, government contracting — the compliance burden is getting more specific, not less. For a bank, hospital system, or agency deploying AI in 2026, “the government is deregulating AI” is only half true, and the half that isn’t true is the half that determines whether a model can go into production.

Washington reversed course, then reversed course on the reversal

President Trump rescinded Biden’s Executive Order 14110 on his first day back in office, and on January 23, 2025 replaced it with “Removing Barriers to American Leadership in Artificial Intelligence”, which directed agencies to identify and unwind Biden-era AI safeguards inconsistent with an innovation-first posture (Skadden; Wiley). That was followed in July 2025 by “Winning the Race: America’s AI Action Plan”, a 90-plus-action blueprint organized around innovation, infrastructure, and international diplomacy — explicitly framed as reducing federal regulatory friction on AI development (White House).

What didn’t disappear is NIST’s AI Risk Management Framework. With no binding federal AI statute and the prior executive branch’s rulemaking machinery dismantled, the voluntary NIST RMF — organized around Govern, Map, Measure, and Manage — has become the default reference point that examiners, auditors, and enterprise risk teams cite when a formal regulation doesn’t exist. It is doing more work as a governance baseline now than it did when EO 14110 was still in force, precisely because it’s one of the few stable artifacts left standing.

Then, in December 2025, Washington intervened again — this time against the states. The December 11, 2025 executive order “Ensuring a National Policy Framework for Artificial Intelligence” established an AI Litigation Task Force inside the Department of Justice tasked with challenging state AI laws the administration views as unconstitutional, preempted, or otherwise unlawful, and directed Commerce to identify target statutes by March 11, 2026 — with noncompliant states put on notice that federal broadband funding could be at stake (Sidley; White & Case). Colorado’s AI Act — the first comprehensive state algorithmic-discrimination law — was named as a target. Its Attorney General has since delayed enforcement, and on May 14, 2026 Governor Polis signed SB 189, pushing the effective date to January 1, 2027 and stripping out the original risk-management-program and impact-assessment obligations in favor of narrower disclosure requirements (Hunton; Littler). California and other states remain active, so the patchwork isn’t gone — it’s under active federal litigation pressure, which is a different kind of uncertainty for compliance planning, not less uncertainty.

Banking: the model-risk rulebook just got rewritten

For financial institutions, the operative document changed in 2026. On April 17, the OCC, Federal Reserve, and FDIC jointly issued SR 26-2, superseding the 2011-vintage SR 11-7 / OCC Bulletin 2011-12 model risk guidance that had governed bank model validation for fifteen years (Sullivan & Cromwell). The revised guidance is explicitly risk-based — a community bank under $30 billion in assets isn’t expected to run the same validation apparatus as a global systemically important bank — but it notably carves generative and agentic AI systems out of its current scope, with dedicated guidance still pending (Databricks). That gap is exactly where deployment risk concentrates today: banks are told to apply “model risk management principles consistent with the underlying risk” to LLM-based systems without a finalized rulebook for what that means.

Meanwhile the SEC’s 2026 examination priorities fold AI oversight into cybersecurity, emerging technology, and operational resiliency reviews across virtually every examination — not just firms marketing AI capabilities. Financial services is also the sector moving fastest: PYMNTS reports that 85% of financial firms surveyed increased AI budgets, putting the sector ahead of peers on production deployment even as governance obligations tighten in parallel.

Healthcare: FDA has a track record; HIPAA doesn’t yet

The FDA is the one regulator in this landscape with an established, growing AI-specific rulebook. It finalized guidance on Predetermined Change Control Plans for adaptive AI devices in December 2024, and published draft Total Product Lifecycle guidance for AI-enabled devices in January 2025 covering design, validation, premarket submission, and postmarket monitoring. By early 2026 the FDA had authorized more than 1,350 AI-enabled devices — roughly double the 2022 count.

HIPAA is the opposite case: the statute predates modern AI, and OCR has not yet issued binding AI-specific rules for protected health information, leaving organizations to apply general Security and Privacy Rule obligations — business associate agreements, minimum-necessary use, de-identification standards — to AI vendors and training pipelines by analogy (see the legal primer by Tovino, 2025). Health systems building or buying clinical AI are effectively operating ahead of the rulebook on the privacy side while operating inside a mature one on the device-clearance side.

What this means for enterprise buyers

The federal deregulatory push does not reduce what a regulated enterprise has to build — it removes a single national floor and replaces it with sector-specific, still-evolving obligations layered on top of state law that is itself in litigation. For a bank, that means designing model governance to SR 26-2’s risk-tiering now while assuming agentic-AI-specific guidance is coming. For a health system, it means FDA clearance pathways are relatively well-mapped, but PHI handling in AI pipelines needs to be built to the strictest plausible reading of HIPAA until OCR clarifies it. For any regulated enterprise, the NIST AI RMF is the closest thing to a common denominator across examiners and remains the most defensible internal governance baseline regardless of which state or federal court eventually settles jurisdiction. Systems built to be audited — with lineage, validation, and human-review controls documented from day one — are the ones that will survive whichever rulebook lands.

enterprise-aiusafinancehealthcareai-governance

← Back to blog