AI in the United States
US AI demand in 2026 is being shaped less by enterprise lighthouse deals and more by the $25M–$500M mid-market operator: CFOs and COOs at retail, hospitality, financial services and professional services firms buying process automation as an operating-model upgrade. State-level AI law is now the binding floor: NYC Local Law 144 bias audits for automated employment decision tools (AEDTs), Colorado SB 24-205 high-risk obligations (originally due February 1, 2026, pushed to June 30, 2026 by SB 25B-004), and parallel attorney-general enforcement in California, Connecticut, Illinois and Texas. European mid-market subsidiaries are pinning inference to US regions; note that hosting location does not change whether the EU AI Act applies (that turns on placing a system on the EU market or using its output in the EU), and sending EU personal data to US inference adds GDPR transfer obligations rather than removing them. Consulting-led integration depth, not SaaS deployment, wins these deals.
Federal Executive Order 14110 (2023), which set safety and reporting expectations for foundation-model developers, was rescinded in January 2025; at the federal level, companies now work with agency guidance such as the NIST AI Risk Management Framework and FTC enforcement rather than a binding AI statute. State-level rules are the binding floor for most companies: California (CCPA plus AB 2013 training-data disclosure), Colorado (SB 24-205 high-risk AI systems), and New York (NYC Local Law 144 on automated employment decisions). HIPAA, SOX, and sector-specific frameworks apply on top.
Frequently asked questions
Does the US have a federal AI law?
No. There is no single comprehensive federal AI statute. Companies operating in the US deal with sector laws (HIPAA, SOX, GLBA), FTC enforcement against unfair or deceptive AI practices under Section 5 of the FTC Act, and state laws, most consequentially those of California, Colorado, and New York.
What does Colorado SB 24-205 require?
Developers and deployers of high-risk AI systems (systems that make or substantially influence consequential decisions in areas such as employment, lending, insurance, education, housing and healthcare) must use reasonable care to prevent algorithmic discrimination. Deployers must run a risk-management program, complete impact assessments, and give consumers notice and an explanation of adverse decisions; developers must supply the documentation deployers need to do that. The effective date was February 1, 2026 as enacted and was moved to June 30, 2026 by SB 25B-004.
Where do US companies usually start with AI?
Customer support deflection and sales lead automation deliver the cleanest 90-day ROI. Document intelligence comes next once data infrastructure is in place.
What does SOC 2 mean for an AI deployment?
SOC 2 is an AICPA attestation framework covering security, availability, processing integrity, confidentiality and privacy. For an AI deployment it means three concrete things. First, the vendors in your stack (LLM provider, vector database, orchestrator, observability layer) should each hold a current SOC 2 Type II report, not Type I: a Type I report only attests that controls were suitably designed at a point in time, while a Type II report tests that they operated effectively over a review period, typically six to twelve months. Read the system description to confirm the report actually covers the service and region you use, and check the complementary user-entity controls it assumes you implement. Second, your own implementation needs documented access controls, change management, encryption at rest and in transit, and logging an auditor can actually inspect. Third, when the AI handles customer data, your sub-processor list has to be updated and disclosed, and any pathway by which prompts or outputs could reach a vendor's training pipeline must be explicitly carved out in the DPA.
How do data residency rules affect cross-border AI services?
Data residency rules can quietly disqualify the default cloud-and-model setup. State laws like California's CCPA and sector laws (HIPAA, GLBA) do not force US-only hosting in every case, but financial regulators (NYDFS Part 500), healthcare contracts, and most enterprise procurement teams now ask for it explicitly. If your provider silently routes a prompt through a model hosted outside the US, that may breach BAAs, customer contracts, or your own privacy notice. Practical fix: select a model and inference region from your provider (Anthropic, OpenAI, Google, AWS Bedrock), pin the region and endpoint in code so a configuration change cannot re-route requests without failing a check, and document the resulting data path in your DPA and sub-processor list. EU customer data adds the GDPR Chapter V transfer layer on top: since Schrems II that means relying on the EU-US Data Privacy Framework or Standard Contractual Clauses with a transfer impact assessment.
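One way to make "pin the routing in code" fail closed, as an added example that is not code from the page or from any provider SDK: validate the inference route (region, model or inference-profile ID, endpoint URL) against an allowlist before the client is ever constructed, and emit the record you will disclose in the DPA. The allowed-region set, the Bedrock endpoint naming, and the inference-profile prefix convention are assumptions to verify against the provider's current documentation; the sample routes are constructed placeholders.

```python
"""Fail-closed residency guard for an LLM inference route.

Added example, not code from the page or any provider SDK. It assumes a
small per-route config (provider, region, model ID, endpoint URL); the
region set and the inference-profile prefix convention are assumptions
to verify against the provider's current documentation.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: regions your BAAs, DPAs and privacy notice allow prompts and
# outputs to touch. Everything else fails closed.
ALLOWED_REGIONS = frozenset({"us-east-1", "us-east-2", "us-west-2"})

# Assumption: Bedrock cross-region inference profile IDs start with a
# geographic routing prefix. "us." stays within US regions; "eu." and
# "apac." leave them; "global." may route anywhere, so it is rejected even
# though it can be called from a US client.
ROUTING_PREFIXES = ("us.", "eu.", "apac.", "global.")


@dataclass(frozen=True)
class InferenceRoute:
    provider: str       # "bedrock" here; other providers can add their own checks
    region: str         # region the SDK client is constructed for
    model_id: str       # model or inference-profile identifier
    endpoint_url: str   # endpoint the client will actually call


@dataclass
class RouteCheck:
    ok: bool
    reasons: list[str] = field(default_factory=list)


def expected_bedrock_host(region: str) -> str:
    """Bedrock runtime endpoints are bedrock-runtime.<region>.amazonaws.com."""
    return f"bedrock-runtime.{region}.amazonaws.com"


def validate_route(route: InferenceRoute,
                   allowed_regions: frozenset = ALLOWED_REGIONS) -> RouteCheck:
    """Return ok=False with every reason the route could leave the allowed geography."""
    reasons: list[str] = []
    if route.region not in allowed_regions:
        reasons.append(f"region {route.region!r} is not in the allowed set")

    prefix = next((p for p in ROUTING_PREFIXES if route.model_id.startswith(p)), None)
    if prefix == "global.":
        reasons.append("'global.' inference profile may route outside the allowed regions")
    elif prefix is not None and prefix != "us.":
        reasons.append(f"inference profile prefix {prefix!r} routes outside the US")

    parsed = urlparse(route.endpoint_url)
    if parsed.scheme != "https":
        reasons.append("endpoint is not https")
    host = parsed.hostname or ""
    if route.provider == "bedrock" and host != expected_bedrock_host(route.region):
        # A hand-set endpoint_url that disagrees with the region is exactly the
        # silent re-routing the text warns about.
        reasons.append(f"endpoint host {host!r} does not match region {route.region!r}")

    return RouteCheck(ok=not reasons, reasons=reasons)


def data_path_record(route: InferenceRoute) -> dict:
    """The sub-processor/DPA line item: where prompts and outputs actually go."""
    return {
        "provider": route.provider,
        "region": route.region,
        "model_id": route.model_id,
        "endpoint_host": urlparse(route.endpoint_url).hostname,
    }


if __name__ == "__main__":
    # Constructed sample routes; the model IDs are placeholders, not real model names.
    pinned = InferenceRoute("bedrock", "us-east-1", "us.example-model-v1",
                            "https://bedrock-runtime.us-east-1.amazonaws.com")
    leaky = InferenceRoute("bedrock", "us-east-1", "global.example-model-v1",
                           "https://bedrock-runtime.us-east-1.amazonaws.com")
    for route in (pinned, leaky):
        check = validate_route(route)
        print(route.model_id, "OK" if check.ok else "REJECTED", check.reasons)
    print(data_path_record(pinned))
```

Wire it in front of client construction: only when `validate_route(route).ok` is true do you call `boto3.client("bedrock-runtime", region_name=route.region, endpoint_url=route.endpoint_url)`, and the `data_path_record` output is what goes into the DPA. For providers where residency is an account or project setting rather than a client-side region, the endpoint hostname check is the part of this that still applies.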
Operating in the United States?
Let's talk about deploying AI while staying compliant with local rules and measuring ROI from quarter one.