The US AI Executive Order and What It Means for Enterprise AI Governance in 2026

US AI Executive Orders — what enterprises must actually do in 2026

The US federal AI policy framework has changed substantially since January 2025. Executive Order 14179 ("Removing Barriers to American Leadership in Artificial Intelligence", 23 January 2025) revoked the prior Biden administration's Executive Order 14110 (October 2023). Subsequent executive orders — EO 14281 (April 2025), EO 14365 (December 2025) — have continued the deregulatory direction. The OMB has issued M-25-21 and M-25-22 memoranda on federal AI use. The 23 July 2025 AI Action Plan and the March 2026 White House follow-up announcements shape the operational environment.

For enterprises operating in the US — or doing business with the US federal government — understanding what the current US AI policy actually requires (and what it does not) is important. This article translates the executive order landscape into operational guidance.

What was revoked

EO 14110 (October 2023) was the comprehensive Biden-era AI executive order. It directed federal agencies to: develop AI safety standards through NIST; require companies developing AI models above certain compute thresholds to report training and safety testing to the federal government; address bias and discrimination in AI; advance equity in AI deployment; protect privacy in AI; and address AI in employment, healthcare, education, immigration, and other contexts.

EO 14179 revoked EO 14110 in January 2025, removing the federal compute-threshold reporting obligation, the federal AI safety standards development direction, and several agency-specific AI directives. The substantive consequence: most of the active federal AI regulation that had been built under EO 14110 was withdrawn or paused.

What replaced it

EO 14179 (23 January 2025) — established as the foundational AI policy of the new administration. Direction to federal agencies to remove barriers to AI development, prioritise American AI leadership, and reduce regulatory burden on AI.

The AI Action Plan (released 23 July 2025) — three pillars: (1) Remove Red Tape and Onerous Regulation; (2) Build AI Infrastructure (compute, data centres, energy); (3) Strengthen International Leadership.

EO 14281 (April 2025) — federal agency direction on AI in federal operations.

EO 14365 (December 2025) — directed federal agencies to challenge state AI rules viewed as overly burdensome and work toward a "minimally burdensome" national standard. The first reports mandated by EO 14365 were to be prepared by the FTC and Commerce Department and released 11 March 2026. As of mid-2026 these reports have not been released publicly.

OMB M-25-21 (federal agency use of AI) and M-25-22 (federal procurement of AI) — internal federal guidance with relevance for federal contractors.

What still applies — the laws executive orders did not change

Critically, executive orders cannot repeal statute or settled law. The following remain fully in force:

Title VII Civil Rights Act — applies to AI in employment. EEOC has been clear that "the algorithm did it" is not a defence under Title VII. Disparate impact liability remains. The Mobley v Workday class action (preliminary nationwide certification May 2025) and the Eightfold AI class action (January 2026) demonstrate active litigation under unchanged statutes.

ADA, ADEA, FCRA, ECOA, FHA — federal anti-discrimination and consumer protection statutes apply to AI just as they apply to non-AI decision-making.

HIPAA — health privacy obligations apply to AI processing PHI. OCR enforcement continues.

FTC Section 5 — unfair or deceptive acts. FTC has continued AI-related enforcement (Rite Aid facial recognition case, multiple AI marketing claims cases).

State law. California, Colorado, Illinois, Texas, New York, and others have enacted AI legislation that EO 14365 does not preempt without further action. California AB 489 (1 January 2026), Texas TRAIGA (1 January 2026), Colorado AI Act (postponed to 30 June 2026), Illinois HB 3773 (1 January 2026), NYC AEDT, and others remain active.

SEC disclosure obligations — material AI-related risks must be disclosed in public company filings.

SR 26-2 (17 April 2026) — Federal Reserve/OCC/FDIC supervisory guidance on model risk management for large banks (above $30bn). This is supervisory guidance, not subject to executive order revocation. Applies to AI/ML models in scope. Footnote 3 explicitly excludes generative AI and agentic AI from scope — institutions must develop separate frameworks for those.

Sector-specific regulations. FDA medical device regulation for AI as Medical Device, NHTSA for AI in vehicles, FAA for AI in aviation, CFPB for AI in consumer finance — all continue.

What enterprises should actually do

1. Don't assume federal deregulation means no AI legal obligations. The state law layer, statutory layer, and sectoral regulatory layer remain. The combination is in many ways more complex than under EO 14110, because federal coordination has been reduced.

2. Track state AI law actively. 47 states introduced AI legislation in 2025 (Manatt tracking); ~200 bills tracked in Q1 2026. State law is where most US AI regulation now lives. California, Colorado, Texas, New York, Illinois, Washington, Connecticut, Massachusetts, Virginia, and others have material AI laws or proposed laws.

3. Maintain governance frameworks built under EO 14110. NIST AI RMF was developed under EO 14110 and remains the de facto US AI governance framework. NIST IR 8596 (December 2025 preliminary draft) bridges AI RMF with the Cybersecurity Framework. The April 2026 AI RMF Profile for Critical Infrastructure concept note continues NIST's AI work.

4. Treat employment AI as litigation risk. The Mobley v Workday and Eightfold AI cases demonstrate active class action exposure. Plaintiff-side employment law firms (Towards Justice, EEOC class counsel) are actively pursuing AI hiring claims under unchanged statutes.

5. Engage with sectoral regulation. SR 26-2 for large banks, FDA for medical AI, CFPB for consumer credit AI — sectoral guidance has been developed and is enforced.

6. Build for international compatibility. EU AI Act applies to US enterprises deploying AI affecting EU residents. UK and Australian regulators have specific expectations. For multinationals, designing US AI governance to align with international expectations is often easier than designing separate frameworks.

7. Don't rely on federal preemption that hasn't happened. EO 14365 directs federal agencies to challenge state AI rules, but as of mid-2026, federal preemption legislation has not passed. State law remains in effect.

Federal contractor obligations

For US federal contractors, OMB M-25-21 and M-25-22 establish requirements for federal agency AI use and AI procurement. Contractors providing AI to federal agencies should review these for current expectations. The federal procurement environment is in transition — vendors are recalibrating to current OMB guidance.

The honest assessment

The reduction in federal AI regulation creates a misleading sense that compliance burden has decreased. In reality:

- State law has expanded substantially

- Statutory liability under existing federal statutes (Title VII, ADA, FCRA, ECOA, FTC Section 5) continues

- Sectoral regulation has continued or expanded (SR 26-2, FDA AI, CFPB)

- International obligations on US enterprises (EU AI Act, UK DUAA, Australian privacy reforms) have expanded

- Litigation risk under unchanged statutes is increasing, not decreasing

For enterprises, the practical compliance burden in 2026 is greater than under EO 14110, not less — even though the federal AI policy posture is deregulatory. The frameworks that look right on paper need to satisfy not just federal expectations but state, sectoral, statutory, international, and litigation requirements simultaneously.

Primary sources: White House Presidential Actions · NIST AI Risk Management Framework · Manatt Health AI Policy Tracker