“Is AI compliant?” is the wrong question — the right one is “does our use of AI comply with the rules that apply to us?” In the US, those rules are mostly sector-based, and the principles are consistent. Here’s what to know, and how dgm helps. (dgm implements osFoundry, a separate company’s platform — we build controls; your legal/compliance team owns the determinations.)
There’s no single US AI law
US AI regulation is largely sector-based and technology-neutral — meaning existing laws apply to AI as to any tool, rather than one overarching “AI law.” And federal AI policy is evolving (executive orders and OMB guidance have shifted between administrations), so treat current specifics as something to verify, not assume.
The cross-cutting principles
Whatever your sector, the same expectations recur:
- Human accountability for consequential decisions — AI informs, people decide and answer for it.
- Explainability — being able to explain AI-driven decisions (critical in credit, insurance, and hiring).
- Documented governance — policies, controls, and oversight you can show.
- Auditability — a record of what the AI accessed and did.
- Data protection — controlling where data goes and who can see it.
Build to these and you’re aligned with the spirit of most US AI rules.
Know your sector’s rules
The specifics depend on your industry and what the AI does:
- Healthcare — HIPAA and business associate agreements (BAAs).
- Credit/lending — ECOA/Regulation B fair lending (specific, accurate adverse-action reasons; no “black box”).
- Financial data — GLBA; securities firms also face SEC/FINRA expectations and “AI washing” scrutiny.
- Education — FERPA and COPPA.
- Hiring — anti-discrimination/fair-employment law (biased automation is a legal risk).
- Legal — professional ethics and verification duties.
Our industry guides go deeper per sector; confirm specifics with qualified counsel.
Who’s responsible
Ultimately, you are. A vendor or integrator can build the technical controls and help you meet requirements, but the regulatory determinations and accountability stay with your business and its legal/compliance advisors. dgm is explicit about that division: we build the system to support compliance; your experts certify the obligations.
How dgm helps
dgm builds the technical controls that support compliance — access controls, audit trails, data protection, human oversight — into the implementation, on a platform that keeps your data under your control (see AI security & governance consulting). If you’d rather explore the platform yourself first, go straight to osFoundry; if you want AI built to support your compliance obligations, that’s where dgm comes in.