AI Rules Fragmenting
What happened
Governments are racing to write AI rules, but the U.S. national framework looks likely to replace a patchwork of state laws without fully closing the gaps critics fear. At the same time international standards — from NIST and ISO to OECD principles — are multiplying, and experts warn regulation is struggling to keep up with the rapid rise of agentic AI systems. (lexology.com) (govtech.com) (completeaitraining.com) (securityboulevard.com)
Why it matters
The White House published a National Policy Framework for Artificial Intelligence on March 20, 2026, laying out legislative recommendations and pushing Congress to create a single federal approach to AI governance. (whitehouse.gov) That federal push builds on an Executive Order signed December 11, 2025, which directed agencies to identify and challenge state AI laws the administration views as “onerous” or inconsistent with a national policy, and it explicitly instructed the Department of Justice to pursue those challenges. (federalregister.gov) (skadden.com) At the same time, multiple technical standards bodies have produced competing rulebooks: the U.S. National Institute of Standards and Technology’s AI Risk Management Framework (a voluntary set of guidelines released in January 2023 for identifying and controlling AI risks), the ISO/IEC 42001 standard (a certifiable management‑system standard published in December 2023 that tells organizations how to set up governance processes for AI), and updated OECD AI Principles (an intergovernmental set of high‑level norms revised in May 2024). (nist.gov) (iso.org) (oecd.ai) Federal and standards bodies are now focused on “agentic” AI — systems that plan and take autonomous actions that can change real‑world systems — and NIST opened a Request for Information in January 2026 to solicit security and identity controls for those agents; the docket attracted extensive public comment as agencies try to define what measurable protections for agentic systems should look like. (nist.gov) (labs.cloudsecurityalliance.org) The practical effect for businesses is immediate: states passed a wave of AI laws in 2024–25 (one industry tracker counted 144 new AI rules in 2025 alone), and Colorado’s comprehensive AI law — which creates notice, risk‑assessment, and safe‑harbor mechanics for firms that adopt recognized frameworks like NIST’s RMF or ISO 42001 — comes into force with enforcement timelines companies are already implementing. (multistate.ai) (schellman.com) The tension between private controls and public rules is playing out in court and procurement decisions: the Pentagon’s dispute with Anthropic over usage restrictions and a cancelled contract raised questions about whether companies can enforce terms of service as governance, and a federal judge issued a preliminary injunction in late March 2026 in Anthropic’s suit challenging the government’s actions. (forbes.com) (cnbc.com)
Quick answers
What happened in AI Rules Fragmenting?
Governments are racing to write AI rules, but the U.S. national framework looks likely to replace a patchwork of state laws without fully closing the gaps critics fear. At the same time international standards — from NIST and ISO to OECD principles — are multiplying, and experts warn regulation is struggling to keep up with the rapid rise of agentic AI systems. (lexology.com) (govtech.com) (completeaitraining.com) (securityboulevard.com)
Why does AI Rules Fragmenting matter?
The White House published a National Policy Framework for Artificial Intelligence on March 20, 2026, laying out legislative recommendations and pushing Congress to create a single federal approach to AI governance. (whitehouse.gov) That federal push builds on an Executive Order signed December 11, 2025, which directed agencies to identify and challenge state AI laws the administration views as “onerous” or inconsistent with a national policy, and it explicitly instructed the Department of Justice to pursue those challenges. (federalregister.gov) (skadden.com) At the same time, multiple technical standards bodies have produced competing rulebooks: the U.S. National Institute of Standards and Technology’s AI Risk Management Framework (a voluntary set of guidelines released in January 2023 for identifying and controlling AI risks), the ISO/IEC 42001 standard (a certifiable management‑system standard published in December 2023 that tells organizations how to set up governance processes for AI), and updated OECD AI Principles (an intergovernmental set of high‑level norms revised in May 2024). (nist.gov) (iso.org) (oecd.ai) Federal and standards bodies are now focused on “agentic” AI — systems that plan and take autonomous actions that can change real‑world systems — and NIST opened a Request for Information in January 2026 to solicit security and identity controls for those agents; the docket attracted extensive public comment as agencies try to define what measurable protections for agentic systems should look like. (nist.gov) (labs.cloudsecurityalliance.org) The practical effect for businesses is immediate: states passed a wave of AI laws in 2024–25 (one industry tracker counted 144 new AI rules in 2025 alone), and Colorado’s comprehensive AI law — which creates notice, risk‑assessment, and safe‑harbor mechanics for firms that adopt recognized frameworks like NIST’s RMF or ISO 42001 — comes into force with enforcement timelines companies are already implementing. (multistate.ai) (schellman.com) The tension between private controls and public rules is playing out in court and procurement decisions: the Pentagon’s dispute with Anthropic over usage restrictions and a cancelled contract raised questions about whether companies can enforce terms of service as governance, and a federal judge issued a preliminary injunction in late March 2026 in Anthropic’s suit challenging the government’s actions. (forbes.com) (cnbc.com)
