President Donald Trump on December 11, 2025, issued executive order number 14365 (EO) proposing a reset of U.S. AI policy aimed at “promoting national and economic security and dominance.” The EO seeks to establish a national framework for AI policy that minimally burdens industry and promotes innovation.
With insights from several expert practitioners of AI law, this article examines various components of the EO and potential enforcement targets, and discusses how companies should proceed with compliance in view of sometimes conflicting federal and state policy.
See “Navigating Ever-Increasing State AI Laws and Regulations” (Jan. 15, 2025).
Seeking AI Dominance Through Minimal Burden
The EO announces that U.S. AI policy is to “sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI.” In furtherance of this policy, it commands the Department of Commerce (DOC), the FCC, the FTC and other agencies to take concerted action that the president says is necessary to “check the most onerous and excessive laws emerging from the States that threaten to stymie innovation.”
“The [EO] attempts by executive action what Congress has failed to do by legislation, which is to preempt or place a moratorium on state AI laws,” Matthew Ferraro, a partner at Crowell & Moring, told the Cybersecurity Law Report. It comports with the administration’s deregulatory philosophy, however, it is “likely not fit for purpose,” he said. “Presidencies typically don’t rely on executive orders to enact sweeping national policy because they are thin reeds on which to lean” and lack the force of law. Though much depends on how administrative agencies implement its directives, the EO will “most likely have limited efficacy” and be susceptible to “colorable” legal challenge, he predicted.
“The EO is more political signaling than legal implementation,” agreed Jason Loring, partner at Jones Walker. “Executive orders cannot preempt state law,” he explained. “The real goal may be creating uncertainty to deter future action rather than achieving actual preemption.”
Criticism of State Law “Patchwork”
The EO criticizes existing state AI laws as a regulatory “patchwork” that complicates compliance, especially for start-ups. It also accuses states of “impinging” on interstate commerce by regulating beyond their borders. It further faults state laws for causing companies to “embed ideological bias within models” and singles out Colorado’s AI law, which bans algorithmic discrimination, as particularly problematic.
The EO is at best an imperfect remedy for the alleged shortcomings of the state AI laws. “The EO doesn’t solve the problems that it identifies,” like replacing “fragmented” state regulation with a federal alternative, Loring said. Some of its criticisms of state law are not well-founded, he opined. Federal law already prohibits disparate impacts, with state laws merely extending those protections to algorithmic decision-making, he explained. Regulating beyond state borders is “generally how consumer protection laws work,” he added.
See “How to Address the Colorado AI Act’s ‘Complex Compliance Regime’” (Jun. 5, 2024).
Forthcoming Scrutiny of and Challenges to State AI Laws
In the absence of a national law governing AI standards, the EO takes a multi-pronged approach to setting a federal AI standard by directing the DOC, the DOJ and regulatory agencies to act.
New Litigation Task Force
The EO mandates that the DOJ create an AI Litigation Task Force dedicated to challenging state AI laws that are inconsistent with federal AI policy on the grounds existing federal regulations preempt them or they violate the dormant commerce clause by unconstitutionally regulating interstate commerce. The task force is to consult with, among others, David Sacks, the Special Advisor for AI and Crypto (Special Advisor), regarding which state laws to challenge.
The task force faces an “uphill battle,” according to Loring. There is no current federal AI statute on which to base preemption claims. A 2022 Supreme Court decision – National Pork Producers Council v. Ross – makes dormant commerce clause challenges more difficult, he explained.
It is difficult to say that the state AI laws discriminate against out-of-state AI companies, so it is not clear how a dormant commerce clause argument would work, said Ferraro.
DOC Evaluation of State AI Laws
The EO requires the secretary of commerce to publish within 90 days of the order – approximately March 11, 2026 – an evaluation of state AI laws that conflict with federal AI policy and to refer them to the litigation task force. The EO singles out laws that “require AI models to alter their truthful outputs” or that would “compel AI developers or deployers to disclose or report information in a manner that would violate the First Amendment or any other provision of the Constitution.
The administration takes a “very expansive” view of what constitutes an AI bill, reflected in an assertion in the EO fact sheet that states have introduced over 1,000 such bills, Ferraro pointed out. The EO tasks the secretary of commerce with drawing up a target list but does not define what constitutes an “onerous and excessive” law, which makes divining what laws could be targeted more difficult, he explained.
The one law singled out in the EO is Colorado SB 205, which aims to protect consumers from algorithmic discrimination. This focus indicates that the administration is likely to target state requirements for impact assessments, risk management and those for reasonable care to prevent algorithmic discrimination, Loring surmised. Illinois’ HB 3773 also addresses AI and disparate impacts in employment and could be a potential target.
The administration might challenge state laws’ consumer notice and opt-out requirements on the grounds that they are “overly burdensome,” Loring noted.
California’s SB 53 (Transparency in Frontier Artificial Intelligence Act), which concerns safety plans and critical incident reporting, might be another target. The administration may use a First Amendment theory that state laws directing the production of safety reports compel speech in violation of the Constitution, Ferraro noted.
The FCC’s Determination About AI Model Disclosures
The EO further requires the FCC chairman to initiate, within 90 days of the publication of the secretary of commerce’s evaluation, a proceeding to determine whether to adopt a federal reporting or disclosure standard for AI models that would preempt conflicting state laws.
If the FCC adopts a disclosure standard, it likely will reflect the administration’s focus on innovation and competitiveness, Jocelyn Aqua, a partner at HWG old the Cybersecurity Law Report. There is existing sentiment that too much transparency could be seen as beneficial to foreign competitors, said Aqua, who noted that a “big factor” in what the administration finds objectionable about the E.U. AI Act is that it may require U.S. companies to provide proprietary information to other governments.
Any argument for preempting state AI disclosure laws is complicated because the FCC regulates telecommunications services and has limited authority over information services. AI likely falls into the latter category where FCC authority is minimal, Loring explained.
The FCC’s attempts to regulate will be further constrained by the U.S. Supreme Court’s 2024 decision in Loper Bright Enterprises v. Raimondo, which overturned the long-held rule that courts must defer to executive agency interpretations, he continued.
Some laws that the administration might target on FCC preemption grounds are California’s SB 53 and AB 2013 (Generative Artificial Intelligence: Training Data Transparency law), Utah’s SB‑149 (Artificial Intelligence Policy Act) and Colorado’s SB 205, according to Loring.
See “Jarkesy and Loper: Bombshells or Busts?” (Aug. 7, 2024).
The FTC’s Preemption Assessment
Within 90 days, the FTC chairman must, in consultation with the Special Advisor, issue a policy statement on how the FTC Act’s prohibition on unfair and deceptive practices applies to AI models. The statement must address how the FTC Act preempts the state law provisions that require parties to alter “the truthful outputs” of AI models.
The FTC Act’s applicability seems predicated on a “right to be biased” theory holding that mitigating AI bias alters “truthful outputs,” and is thus a prohibited deceptive act, Loring observed. Weakening the argument is that AI outputs are not truth, but probabilistic predictions based on training data that might reflect historical discrimination, he pointed out.
Furthermore, the FTC Act addresses misleading commercial communications and is not designed to preempt state civil rights laws, Loring said. The EO’s characterizing of anti-discrimination law as “compelling deceptive acts inverts the actual purpose and effect” of those laws, he noted.
The FTC Act predates the advent of AI, making any preemption argument challenging, Ferraro said. “There are lots of court cases in which attempts by the executive to use regulatory power to preempt state law have failed because the courts have determined that Congress did not delegate authority in those circumstances to federal agencies,” he noted.
Laws that could be targeted under the FTC Act are California’s AI laws, Colorado’s SB 205 and Illinois HB 3733, Loring surmised. Another potential “major battleground” is state laws that restrict the processing of sensitive data inferred from non-sensitive inputs, such as inferring a health condition from spending patterns, he said. The administration’s emphasis on guaranteeing “truthful outputs” might result in the targeting of such restrictions on the grounds that they “limit a model’s unfiltered utility,” he noted.
Proposed Legislative Recommendations and Exemptions
In addition to the agency mandates, the EO requires the Special Advisor and the assistant to the president for science and technology to prepare a legislative recommendation for a uniform federal AI policy framework that preempts state laws. The mandate carves out state laws relating to child safety protections, AI compute and data center infrastructure, and state government procurement and use of AI.
The legislation directive is a “noticeable” step toward establishing a national framework that would be less susceptible to legal challenge, Ferraro emphasized. “Absent legislation, the contested state and federal landscape will continue to impose significant and shifting regulatory burdens,” he said.
However, debates would likely persist even after any national law is enacted. There will still be questions about the “metes and bounds” of the federal and state laws, Ferraro added.
There will be “hot debates” over whether Congress is able to enact a national AI law, Aqua said. “It’s not clear whether there is the right capacity at the federal government level to enforce,” she opined.
See our two-part series on how to manage AI procurement: “Leadership and Preparation” (Sep. 18, 2024), and “Five Steps” (Oct. 2, 2024).
Cybersecurity and Privacy Laws Under Scrutiny
Cybersecurity laws and privacy laws (such as the CCPA) that implicate AI may also be subject to challenge, but will be “secondary battlegrounds,” predicted Loring. “It’s more likely that the [DOC] will focus on how state AGs enforce privacy and cybersecurity provisions in AI contexts rather than challenging comprehensive privacy or cybersecurity statutes themselves,” he added. Specific provisions that may face “pressure or scrutiny” include those addressing opt-out rights for automated decision-making, disclosure requirements about profiling in privacy policies and data minimization applied to AI training, he said. However, challenging general privacy opt-out rights would be “politically difficult,” he added.
It is possible that the federal government might target some state privacy laws as unduly burdensome, suggested Aqua. Consent requirements, purpose limitations and data minimization requirements in the context of AI models have caused a lot of confusion for companies, she said. There could also be a reevaluation of state privacy laws with respect to the use of sensitive personal information in automated decision-making, she said.
See “Transforming Security and Privacy Workloads With Generative AI: A Comprehensive Framework” (Feb. 19, 2025).
Compliance Considerations
The EO’s goal of targeting state laws that violate federal AI policy raises the question of what companies should do to stay compliant while the federal government mounts its challenges.
Stay the Course but Remain Alert
Companies should continue to comply with state AI laws, Loring said. “The EO does not change current legal obligations and state AI laws remain legally enforceable until courts issue injunctions or Congress passes preemptive legislation,” he emphasized. “Courts are unlikely to grant injunctions without stronger findings than provided in the EO,” he opined.
The “complete invalidation of state AI laws is unlikely,” Loring stated. The DOJ has a greater chance to persuade courts to narrow some state law AI provisions, but the laws’ “most substantive protections, such as anti-discrimination, consumer notification and human oversight requirements, should survive,” he predicted.
For now, companies should “stay the course,” with the caveat that a company must monitor what happens with federal actions, Aqua agreed.
Watch for Conflicts Between Federal and State Laws
Where federal and state laws impose conflicting obligations, companies should document the conflict specifically, Loring advised. These reports should analyze the legal authorities seemingly at conflict, explain the company’s approach and rationale for its resolution, and “preserve evidence of good-faith decision-making,” he explained.
Consider Effects on E.U. Compliance
The different regulatory approaches of the U.S. and E.U. – with the U.S. focused on minimal regulation, rapid deployment and competitive advantage, and the E.U. emphasizing fundamental rights, risk management and transparency – may leave companies struggling to comply, Loring said. “The challenge is maintaining robust E.U. compliance while navigating U.S. federal policy,” he noted.
Companies may struggle to enact geographic segmentation in their operations, according to Loring. Instead, the “best approach” for most companies is “building to the highest standard,” he recommended. Since E.U. requirements generally exceed U.S. requirements, following the former will leave companies with the necessary compliance mechanisms if state laws survive, he said. “Companies cannot use U.S. policy changes to justify weakening E.U. compliance.”
Logistically, a company should record explanations of how it reconciled conflicts and decided which requirements apply to which deployments, Loring advised. Human oversight is “likely to be critical,” as well, he noted.
See our three-part series answering top questions about the E.U. AI Act: “Reach and Unique Requirements” (Apr. 24, 2024), “Risk Tiers and Big-Player Transparency” (May 1, 2024), and “Practical Steps and What’s Next” (May 8, 2024).
Maintain Good AI Governance
With the regulatory uncertainty created by the EO, companies should continue to build and maintain good AI governance frameworks, Aqua emphasized. “I don’t see a difference in how you run your day-to-day activities in this space,” she said. “Aligning your programs to NIST or ISO standards is not something that is going to go away,” she noted.
The first step that a company should take is to conduct an assessment to understand how it uses AI, especially including any high-impact uses, Aqua said. Since vendors increasingly embed AI in their toolkits, it is also important to review procurement practices and carry out due diligence on vendors, she advised. In addition, to foster innovation, a company should encourage strong and responsible use of AI by employees at all levels of the company, she stressed, noting that maintaining accountability and transparency with respect to AI use is also important. Finally, a company should ensure that it has a robust cybersecurity practice, and it should keep compliant with applicable privacy laws so that it only uses lawfully acquired data, she recommended.
See “AI Governance Strategies for Privacy Pros” (Apr. 17, 2024).