The NIST AI Risk Management Framework was published to minimal fanfare outside policy circles. No mandatory compliance deadlines. No enforcement agency. No fines.
And yet within months, major corporations were rewriting their AI governance policies to align with its structure. Voluntary can still be powerful — if the vocabulary becomes universal.
While the EU chose binding law, the United States historically chose a different path: voluntary frameworks, sector-specific guidance, and the principle that innovation should not be blocked by preemptive regulation. This isn't the absence of governance — it's a different governance theory. The underlying bet: that industry, if given clear frameworks and incentives, will self-regulate more effectively and adaptively than legislation can.
Whether that bet is paying off is the central debate in US AI policy.
Published in January 2023, the NIST AI RMF is the primary federal voluntary framework for managing AI risk. It organizes AI risk management into four core functions: Govern (establishing organizational accountability and culture), Map (identifying context, stakeholders, and risk categories), Measure (assessing, analyzing, and tracking AI risks), and Manage (prioritizing and treating identified risks).
The RMF is deliberately non-prescriptive — it tells organizations what to think about, not what to do. This is intentional: different industries, use cases, and risk profiles require different controls. A one-size-fits-all prescription would be impossible to follow meaningfully across contexts ranging from hospital scheduling to content moderation.
The AI RMF has been widely adopted by Fortune 500 companies, federal agencies, and international organizations. It has also influenced the EU AI Act's structure and ISO international AI standards. Voluntary doesn't mean unimportant — the RMF shapes how US companies think about AI risk even without legal force.
The NIST AI RMF identifies seven properties of trustworthy AI: Accountable, Explainable, Interpretable, Privacy-Enhanced, Reliable, Safe, and Secure and Resilient. These properties form a vocabulary for AI risk assessment that has become influential beyond the RMF itself — appearing in corporate AI principles documents, government procurement requirements, and international standards discussions.
Choose an AI system in a specific organizational context (hospital triage, bank fraud detection, school content filter, social media recommendation).
Walk through all four NIST AI RMF functions for that system: Govern, Map, Measure, Manage. For each, identify what the organization should specifically be doing — not what the framework says in general.
In October 2023, President Biden signed Executive Order 14110 on AI. Major news coverage followed. AI safety advocates praised it. Companies began preparing compliance processes.
Less than two years later, President Trump revoked it. This is the fundamental instability of governing a transformative technology through executive orders alone.
Without comprehensive legislation, US AI policy has been shaped significantly by Executive Orders — directives from the President that apply to federal agencies and, through procurement requirements, influence the private sector. Three EOs stand out:
EO 13960 (2020, Trump): Directed federal agencies to use AI in ways consistent with trustworthy AI principles — fairness, transparency, accountability. Created a framework for AI in government but with limited enforcement.
EO 14110 (2023, Biden): The most comprehensive US AI EO to date. Required safety testing and sharing of results for the most powerful AI models, directed NIST to develop safety standards, instructed agencies to develop guidance on AI use in their sectors, and created reporting requirements for AI-related national security risks.
EO 14179 (2025, Trump): Revoked EO 14110. Directed agencies to develop an AI Action Plan focused on AI leadership and competitiveness, with explicit skepticism toward regulations that could impede AI development.
Executive orders are inherently fragile policy instruments. They bind executive agencies but not Congress, courts, or private companies beyond procurement. They can be revoked by the next administration — as the 2025 revocation of EO 14110 demonstrated. They cannot create the legal certainty that investors and compliance professionals need. And they can create inconsistency: federal agencies may receive different AI governance directives from different administrations within a single decade.
Multiple comprehensive AI bills have been introduced in Congress without passage. The political dynamics are complex: tech companies lobby intensively, different constituencies prioritize different risks, and legislators lack technical expertise to evaluate competing claims. The US has passed narrower AI provisions in defense and appropriations bills — but not the comprehensive framework the EU created.
Compare the governance goals of Biden's EO 14110 and Trump's EO 14179. What did each prioritize? What assumptions about AI risk and regulation underlie each approach?
Then assess: for the specific AI policy goal you care most about (safety, competitiveness, civil rights, innovation), which approach is more likely to achieve it — and what would make either approach more durable?
Before there was an AI Act, before executive orders, before most AI policy debates — there was the FDA clearing AI medical devices, the FTC pursuing unfair AI pricing, and the CFPB writing credit explainability guidance.
The US governance story isn't only about what Congress hasn't done. It's also about what existing regulators have quietly built.
While Congress has not passed comprehensive AI legislation, existing sector-specific regulators have extended their authority into AI. This creates a patchwork of rules that differs dramatically by industry — sophisticated in some areas, largely absent in others.
FDA (Food & Drug Administration): Has regulated AI/ML-based software as medical devices for years. Approximately 700 AI-enabled medical devices have been cleared. The FDA requires clinical validation, post-market surveillance, and — increasingly — transparency about algorithm change management. It's the most mature US AI regulatory framework for any sector.
FTC (Federal Trade Commission): Has enforcement authority over unfair and deceptive trade practices, which extends to AI. Has taken action against companies for AI bias in pricing and credit, unlawful use of biometric data, and deceptive AI claims. The FTC's AI-related enforcement has accelerated since 2022, but it is reactive — responding to harms after they occur rather than requiring pre-deployment review.
CFPB (Consumer Financial Protection Bureau): Has issued guidance on AI in credit decisions, requiring that adverse action notices explain AI-driven credit denials in terms consumers can understand. Financial regulators more broadly have been aggressive on model risk management — requiring banks to document, validate, and monitor AI models used in credit, fraud, and risk decisions.
EEOC (Equal Employment Opportunity Commission): Has issued guidance on AI hiring tools, clarifying that employers using AI that discriminates based on protected characteristics face liability under existing civil rights law — regardless of whether the employer built the algorithm or purchased it.
Sector-specific regulation means significant domains have limited oversight. General-purpose consumer AI applications, political advertising AI, AI in entertainment and media, and AI in small business operations largely lack specific regulatory frameworks. These aren't necessarily low-risk domains — they simply lack sector regulators with clear AI jurisdiction.
Choose an AI system operating in the United States that you believe may fall through the gaps of existing sector-specific regulation.
Make the case: which regulators have potential jurisdiction? What are the limits of that jurisdiction? What specific harms does the regulatory gap enable?
Voluntary frameworks or binding rules. Industry-led or government-mandated. The debate recurs across every domain of technology governance, and AI is no different.
What is different is the scale of potential harm, the speed of deployment, and the growing body of evidence about what both approaches actually achieve in practice.
The debate between voluntary and mandatory AI governance frameworks is not simply a regulatory philosophy dispute — it reflects genuinely different empirical predictions about how companies behave, how harms emerge, and how governance achieves its goals.
Proponents of voluntary frameworks argue that frameworks like the NIST AI RMF enable faster adoption — companies can move at their own pace rather than waiting for legal timelines. They allow for experimentation — companies try different approaches and share what works. They avoid regulatory capture — detailed prescriptive rules tend to be written by industry for industry. And they enable adaptation — as AI capabilities change, voluntary frameworks update more easily than enacted law.
The empirical question: do companies actually implement voluntary frameworks substantively, or do they treat compliance as a box-checking exercise with no meaningful risk reduction?
Proponents of mandatory requirements argue that voluntary frameworks create a race to the bottom — companies that invest heavily in AI governance face higher costs than competitors who implement frameworks superficially. Mandatory requirements create a level playing field. They also create accountability — voluntary commitments are unkept commitments. And they protect against collective action problems: a company might want to invest in safety but face investor pressure not to if competitors do not.
The empirical question: do mandatory frameworks meaningfully change company behavior, or do they generate documentation-heavy compliance exercises with no real risk reduction?
We do not yet have strong empirical evidence that either approach systematically achieves better AI safety outcomes. The EU AI Act is too new for meaningful outcome data. US voluntary frameworks have been insufficiently monitored to assess real compliance quality. Governance debates often rely more on theoretical predictions about behavior than observed outcomes.
In the absence of federal AI legislation, states have moved. California has passed multiple AI transparency and accountability bills. Illinois requires notice and consent for AI in hiring. Colorado has passed AI insurance accountability legislation. Texas, Florida, and others have passed bills focused on government AI use. This creates a patchwork that companies with national operations must navigate — and that some argue provides the missing accountability layer while federal action stalls.
Choose a specific AI domain: hiring AI, medical diagnosis AI, or AI content moderation on social platforms.
First, make the strongest case FOR voluntary governance frameworks in that domain. Then make the strongest case FOR mandatory requirements. Push for specifics — not general arguments.