
Sectoral AI Regulation and Your Roadmap

By industry, the AI rule that bites first. The federal layer is light; the sectoral and state layers are where the obligations live.

TL;DR

By industry, the AI rule that bites first:

| Industry | Primary AI rule | Enforcer |
| --- | --- | --- |
| Financial services | Model risk management (SR 11-7 / OCC Bulletin 2011-12); CFPB adverse-action circulars | Fed, OCC, CFPB, state regulators |
| Healthcare | FDA AI/ML SaMD framework; HIPAA | FDA, HHS OCR, state health departments |
| Insurance | NAIC Model Bulletin on the Use of AI Systems by Insurers; state DOI bulletins | State DOIs |
| Employment / HR | EEOC Title VII guidance, NYC Local Law 144, Illinois AI Video Interview Act | EEOC, state AGs, city agencies (NYC DCWP for Local Law 144) |
| Education | FERPA plus Department of Education AI guidance; state student-privacy laws | U.S. Department of Education (ED), OCR, state agencies |
| Children's products | COPPA (2025 rule amendments); state youth privacy and AI laws | FTC, state AGs |

The federal layer is light; the sectoral and state layers are where the obligations actually are. Map your industry first, your jurisdictions second.


The “we’re waiting for federal AI law” framing miscasts the regulatory reality of 2026. Federal law exists in narrow sectors, state law is rapidly expanding, and sectoral regulators have been issuing AI guidance for several years. For most US enterprises, the binding rules are sectoral and state-level, not federal. This piece is the map by industry.

The general regulatory frame

Three levels.

1. Federal sectoral. Specific to industries — banking, healthcare, transportation. Enforcer is the sectoral regulator (Fed, FDA, NHTSA). Strong in financial services and healthcare; weaker elsewhere.

2. State. Increasingly comprehensive. NYC, Colorado, Illinois, California, and Texas all have specific AI rules (Colorado's AI Act, SB 24-205, takes effect June 30, 2026 after its effective date was pushed back). Other states are following. Enforcer is the state AG or a specialized agency.

3. Federal cross-sectoral. FTC for deceptive AI, EEOC for employment AI, CFPB for consumer financial AI. Authority is real but typically reactive (case-by-case enforcement) rather than rule-making.

For most enterprises, the binding obligations stack: sectoral rules for the industry, state rules for the jurisdictions, plus the cross-sectoral overlays.

Industry-by-industry

Financial services

Primary obligations:

  • Model Risk Management (SR 11-7, issued jointly with the OCC as Bulletin 2011-12, plus the OCC's later model risk guidance) for any AI used in lending, fraud, or credit decisions. The guidance predates modern ML but applies to it: a model is a model regardless of technique.
  • CFPB guidance: ECOA / Regulation B adverse-action notices must state the specific, accurate reasons for a denial even when the decision comes from a complex or opaque model (CFPB Circulars 2022-03 and 2023-03). "The model said no" is not a reason.
  • State-level: New York Department of Financial Services rules and circulars on AI use; California DFPI for consumer financial products.

Key practical implication: AI in lending or fraud detection requires model validation independent of the developers, ongoing performance and drift monitoring, and an adverse-action explanation path that produces the actual reasons for each decision. Without these, the model will not survive examination and cannot be relied on in production.

Healthcare

Primary obligations:

  • FDA AI/ML SaMD framework: AI that meets the definition of a medical device requires FDA clearance or authorization (510(k), De Novo, or PMA depending on risk class). FDA's predetermined change control plan (PCCP) guidance, finalized in December 2024, lets a sponsor pre-authorize a defined scope of model updates without a new submission.
  • HIPAA: applies to AI processing PHI. The AI system itself is not a "covered entity"; the provider or plan deploying it is, and a vendor that processes PHI on its behalf is a business associate that must sign a BAA and meet the Security Rule.
  • OCR enforcement: privacy violations involving AI, plus the Section 1557 nondiscrimination rule, which since 2024 expressly covers patient care decision support tools.
  • State-specific: California, New York, and Illinois have healthcare-specific AI rules.

Key practical implication: clinical AI requires FDA clearance or authorization; administrative AI (scheduling, billing) requires HIPAA controls and business-associate agreements with every vendor that touches PHI.

Insurance

Primary obligations:

  • NAIC Model Bulletin on the Use of AI Systems by Insurers (adopted by the NAIC in December 2023, since adopted by roughly 30 states): requires a written AI program covering governance, risk management, testing, and documentation, and makes it examinable.
  • State DOI bulletins: California, New York, Colorado, and others with specific rules. Colorado's SB 21-169 and its implementing regulations require life insurers to govern and test external consumer data and algorithms for unfair discrimination.
  • Unfair-discrimination testing is required for many use cases, and the burden is on the insurer to show the testing was done.

Key practical implication: AI in underwriting, claims, and pricing requires documented governance and bias testing that an examiner can review. Audit risk is high because the Model Bulletin gives examiners a checklist.

Employment / HR

Primary obligations:

  • EEOC technical assistance (2023): Title VII's disparate impact standard applies to AI selection tools, and the Uniform Guidelines' four-fifths rule of thumb is the screening test the EEOC points to. Employers remain liable for a vendor's tool.
  • NYC Local Law 144 (in force since July 2023): an independent bias audit within the prior year, a published summary of results, and notice to candidates at least 10 business days before an automated employment decision tool is used.
  • Illinois AI Video Interview Act: notice, explanation, and consent before AI analyzes a video interview. Illinois also amended its Human Rights Act, effective January 1, 2026, to cover discriminatory use of AI in employment decisions.
  • California: Civil Rights Council regulations on automated-decision systems in employment, effective October 2025.
  • Texas Data Privacy and Security Act: consumers may opt out of profiling in furtherance of decisions with legal or similarly significant effects, which includes hiring.

Key practical implication: HR AI is one of the most regulated AI categories. Bias audit, notice, and human review obligations stack across jurisdictions, and vendor contracts do not transfer the employer's liability.

Education

Primary obligations:

  • FERPA: applies to AI processing student records.
  • State-specific: California SOPIPA, New York Education Law 2-d, Texas student data privacy.
  • Children’s Online Privacy Protection Act (COPPA) for under-13 services.

Key practical implication: AI in K-12 and higher ed has data-privacy obligations that don’t apply elsewhere. Specific consent and notice requirements.

Children’s products

Primary obligations:

  • COPPA: verifiable parental consent for under-13s; the FTC's 2025 rule amendments add separate consent for disclosing data to third parties, including for model training.
  • California Age-Appropriate Design Code Act: AI affecting under-18s. Enforcement has been enjoined in the NetChoice v. Bonta litigation as of this writing, so track the case rather than assuming the statute is dead or live.
  • Multiple state youth privacy and youth-AI laws emerging in 2026.

Key practical implication: AI in any product reaching minors has materially higher regulatory burden than adult-only products.

How to plan compliance work

Three steps.

1. Map the obligations specific to your industry and jurisdictions. Every industry has 2–3 binding regimes; every jurisdiction adds layers. Build the matrix.

2. Sequence the most-likely-to-bite first. EEOC HR AI rules, FDA SaMD, SR 11-7 for banks — these have active enforcement. The matrix without sequencing produces paralysis.

3. Track regulatory changes quarterly. The space is changing fast. Quarterly review of sectoral and state rule changes is the minimum cadence.

What to do this quarter

  1. Build the regulatory map for your specific business. Industry × jurisdictions × use cases. Document.
  2. Identify the most-likely-to-bite obligation in 2026. Sequence compliance work.
  3. Engage sectoral counsel. General privacy counsel often doesn’t have the depth on industry-specific AI rules.
  4. Set up the quarterly review cadence. Subscribe to relevant agency RSS, attend trade-association updates.

FAQ

Will federal AI law subsume the sectoral rules? Eventually, perhaps partially. Through 2026 and likely 2027–2028, the sectoral rules remain authoritative. Plan for a multi-regulator world, not a single-regulator world.

Are sectoral regulators well-staffed for AI enforcement? Increasingly so. Most major agencies hired AI specialists in 2024–2025 and are running active enforcement programs in 2026. Don’t assume capacity gaps will protect non-compliance.

What about smaller states? Most state-level AI law is concentrated in NY, CA, IL, CO, TX. But smaller states are following; the lag is shrinking. Plan for ~20 states with material AI rules by 2027.

Should we comply at the strictest standard or the per-jurisdiction minimum? Most enterprises use a “highest common denominator” approach for cost reasons. Pure per-jurisdiction compliance is expensive and operationally complex.

How do we handle conflicts between regulators? Real conflicts (where one regulator requires what another forbids) are rare. More common: differing requirements that can be reconciled. When real conflicts arise, engage counsel; sometimes carve-outs by jurisdiction are necessary.


Working with JAIN on sectoral AI compliance? We help executive teams build the regulatory map and sequence compliance work for the most-likely-to-bite obligations. Book a 30-minute call.
