America’s AI Governance Fracture: How the Federal Preemption Fight Will Reshape the Entire Industry
A bipartisan House bill dropped this week that could eliminate more than 40 state-level AI laws in a single stroke. One day after the White House issued an executive order demanding pre-release federal model reviews, Congress is racing to decide whether Washington or Sacramento gets to write the rules that govern the most consequential technology in a generation. The answer will determine compliance costs for every AI lab, the liability exposure for every enterprise deploying models, and whether the United States ends up with a coherent national framework or a patchwork of contradictory mandates that makes the EU AI Act look streamlined by comparison. The clock is running.
TL;DR
- The “Great American AI Act of 2026,” introduced June 4 by Reps. Obernolte and Trahan, would preempt all state AI regulations and establish a single federal standard — with a December 2026 midterm deadline already shaping its political viability.
- President Trump’s June 2 executive order requiring 30-day pre-release model reviews creates a parallel federal enforcement track that sits in tension with the preemption bill’s lighter-touch framing.
- The EU AI Act becomes fully applicable August 2, 2026, meaning US-headquartered labs face binding GPAI obligations in Europe even as domestic rules remain unsettled, creating a compliance asymmetry that disadvantages every American company competing globally.
The Bill That Just Landed on the Hill
On June 4, Reps. Jay Obernolte (R-Calif.) and Lori Trahan (D-Mass.) published a discussion draft of the Great American Artificial Intelligence Act of 2026. The text, which Politico described as “Republicans’ last realistic chance to craft federal rules before the midterms,” does two things simultaneously: it creates a light federal framework centered on transparency and risk disclosure, and it explicitly preempts any state law that “establishes requirements, prohibitions, or standards applicable to the development, deployment, or use of artificial intelligence systems.”
The preemption clause is where the real fight lives. At least 40 states have enacted or are advancing AI-related legislation as of mid-2026, ranging from Colorado’s comprehensive AI Act — which imposes substantial obligations on high-risk system developers — to Illinois’s biometric data rules to Texas’s Responsible AI Governance Act. California, which alone would constitute the world’s fifth-largest economy, has been the most aggressive, with Governor Newsom signing a wave of AI bills in 2025 despite vetoing SB 1047 the prior cycle. California Senator Scott Wiener told Bloomberg on June 5 that federal preemption without a strong floor standard would amount to “deregulation dressed up as governance.”
The bipartisan framing is deliberate but fragile. Trahan, a Democrat from Massachusetts with a tech-policy background, gives the bill cover against charges of pure industry capture. But progressive AI advocacy groups are already organizing opposition. Public Knowledge opposed the draft within hours of its release, arguing that preemption without enforceable federal minimums would strip consumers of the only protections that currently exist in practice.
What the Obernolte-Trahan Draft Actually Says
The discussion draft is, for now, exactly that: a conversation-starter rather than a finalized bill. But its structural choices reveal a clear philosophy. Rather than a sectoral approach — treating medical AI differently from hiring AI, for instance — the draft applies a horizontal risk classification system loosely analogous to the EU’s tiered model. High-risk applications require impact assessments, documentation of training data provenance, and human oversight mechanisms. General-purpose AI systems must publish capability disclosures and maintain incident reporting pipelines to a newly designated federal coordinator housed within the Department of Commerce.
Notably absent are hard bans on specific use cases. The EU AI Act’s Article 5 prohibited practices — real-time biometric surveillance in public spaces, social scoring, certain manipulative subliminal techniques — have no direct analog in the current draft. This is not an oversight. Obernolte has been explicit in prior hearings that bright-line prohibitions “stifle use cases we haven’t imagined yet,” a framing that tracks closely with the industry positions of Microsoft, Meta, and Google parent Alphabet, all of which have lobbied for federal preemption while opposing categorical bans.
The enforcement mechanism is a further area of contention. The draft empowers the Federal Trade Commission to pursue civil actions for violations, but does not create a private right of action — meaning individuals harmed by a non-compliant AI system would have no direct legal recourse, only the FTC’s discretionary enforcement agenda. Given the FTC’s current resource constraints and the sheer volume of AI deployments, critics argue this makes the law effectively optional for well-resourced companies willing to litigate.
Trump’s Executive Order Cuts Across the Grain
Whatever Congress eventually passes, President Trump’s June 2 executive order — “Promoting Advanced Artificial Intelligence Innovation and Security” — is already law. The order requires that AI developers submit frontier models to federal review at least 30 days before public release. OpenAI has publicly stated it will comply, with George Osborne, the company’s head of countries, backing the review process.
The order also instructs federal agencies to prioritize AI procurement from companies with demonstrated safety records, and directs the National Institute of Standards and Technology to update its AI Risk Management Framework within 180 days. On its face this sounds complementary to the congressional effort. In practice, the two tracks create structural tension.
The executive order’s review mandate assumes federal agencies have the technical capacity to evaluate frontier models in 30-day windows. That assumption is contested. Researchers at Georgetown’s Center for Security and Emerging Technology have noted that meaningful model evaluations — covering capability elicitation, misuse potential, and emergent behaviors — routinely take longer than 30 days even for well-resourced labs with full model access. A 30-day mandatory review with under-resourced reviewers could become a rubber stamp, or worse, a litigation chokepoint that delays beneficial deployments without providing genuine safety guarantees.
There is also a federalism wrinkle. The executive order sets federal prerogatives over model releases, but the Obernolte-Trahan bill preempts state laws while simultaneously not codifying the executive order’s review requirements into statute. If a future administration rescinds the order, there would be no statutory fallback. Civil liberties groups have flagged this gap as a deliberate feature rather than a bug: keeping enforcement powers in the executive branch, where they can be expanded or contracted by presidential discretion, rather than entrenching them in law.
The State-Level Landscape That Preemption Would Erase
Understanding what preemption would actually eliminate requires a tour of the legislative terrain that has accumulated since 2022. This is not a homogeneous body of law. State AI regulations break into roughly four categories: consumer protection and transparency mandates (algorithmic disclosure, explanation rights); sector-specific rules (healthcare AI, hiring AI, tenant screening AI); biometric and surveillance restrictions (often bundled with existing biometric privacy statutes); and the more ambitious comprehensive frameworks modeled loosely on the EU approach.
Colorado’s AI Act, signed into law in May 2024 and effective February 2026, is the most structurally ambitious state law in the country. It requires developers of “high-risk AI systems” to conduct and document impact assessments, disclose AI involvement in consequential decisions, and provide meaningful human override mechanisms. The law explicitly covers decisions about employment, housing, credit, education, and healthcare. Anthropic, OpenAI, and enterprise software vendors including Salesforce and ServiceNow have all had to audit their Colorado-facing deployments for compliance.
California’s approach has been more fragmented but no less consequential. AB 2013 requires AI developers to publish training data summaries. SB 942 mandates disclosure when AI generates content. SB 1120 imposes healthcare AI guardrails. Taken together, California’s bills amount to a de facto national standard for any company with US market ambitions — the same dynamic that has made California’s environmental and privacy rules effectively nationwide for decades.
Wiener’s comment about the “wild west of AI” — made to Bloomberg on June 5 — captures the frustration driving the state-level push. In the absence of federal action for years, states filled the vacuum. Now the federal government wants to reclaim the territory while offering, in critics’ view, a weaker substitute. The negotiating dynamic mirrors GDPR versus US state privacy laws, except that AI moves faster and the stakes for misaligned incentives are higher.
How the EU AI Act Changes the Calculation for US Labs
While Washington debates preemption, Brussels is executing. The EU AI Act entered into force August 1, 2024, and becomes fully applicable August 2, 2026 — just weeks away. For US-headquartered AI labs with European users or enterprise customers, this is not a future consideration. It is present-tense compliance infrastructure.
The Act’s most commercially significant requirements fall on General Purpose AI (GPAI) models above the 10^25 FLOP training threshold — the tier that includes OpenAI’s GPT series, Anthropic’s Claude 3 family, Google DeepMind‘s Gemini line, and Meta’s Llama 4 flagship. These models must maintain and publish technical documentation covering training data, capabilities and limitations, and known risks. Systemic-risk GPAI providers — those above the 10^25 FLOP cutoff — must also conduct adversarial testing, report serious incidents to the European AI Office within 72 hours of discovery, and implement cybersecurity safeguards commensurate with the risks identified.
The enforcement mechanism has teeth the US draft currently lacks. National competent authorities in each EU member state can impose fines up to 35 million euros or 7% of global annual turnover for the most serious violations. Prohibited practice violations (Article 5 bans) carry the highest penalties. Non-compliance with GPAI documentation requirements falls in the middle tier: up to 15 million euros or 3% of turnover. And critically, per Article 57, every EU member state must establish at least one AI regulatory sandbox by August 2, 2026 — meaning enforcement infrastructure is being built in parallel with compliance deadlines.
The compliance asymmetry this creates for US labs is stark. A company like Anthropic must maintain GPAI documentation and incident reporting pipelines for European regulatory authorities by August, while simultaneously navigating a domestic environment where the rules are still a discussion draft. The result is that European obligations are setting the effective floor for sophisticated AI governance practices across American companies — not because US policymakers chose that outcome, but because European regulators got there first.
The Revenue Concentration Problem Behind the Policy Fight
The governance debate does not occur in a vacuum. It is being shaped by a power structure in the AI industry that is more concentrated than at any previous point in the technology’s commercial history. The Information reported this week that Anthropic and OpenAI now jointly account for 89% of top AI startup revenues, with leading AI startups collectively generating nearly $80 billion in annualized revenue. That concentration gives the two frontier labs outsized influence over policy outcomes — and outsized exposure to whatever those outcomes turn out to be.
The same report noted that OpenAI projected spending approximately $235 billion on costs to train and run its AI models through 2028, while Anthropic’s internal projections showed a pathway to outpacing OpenAI on server efficiency by leveraging its custom silicon partnerships and inference optimization work. At those cost levels, regulatory compliance is a non-trivial line item — but also a moat. Larger, better-resourced labs can absorb compliance overhead that smaller competitors cannot, which is one reason industry observers have noted that both OpenAI and Anthropic have been publicly supportive of federal frameworks while being careful about which specific provisions they endorse.
The capex environment amplifies this dynamic. Amazon leads 2026 datacenter investment with a $200 billion plan, per Futurum Group analysis. Goldman Sachs has modeled approximately $7.6 trillion in aggregate AI capital expenditure between 2026 and 2031 across compute, datacenters, and infrastructure. Bloomberg New Energy Finance estimates that capex from the largest datacenter firms alone approaches $750 billion in 2026, with IT capacity under construction exceeding 23 gigawatts. Companies deploying capital at that velocity need regulatory clarity. Uncertainty is not neutral — it is a cost, and a cost that benefits incumbents who can wait it out over challengers who cannot.
Where the SemiAnalysis Signal Points on Infrastructure Stakes
The infrastructure dimension of the regulatory debate is underappreciated in most policy commentary. SemiAnalysis’s recent reporting on Nvidia’s GTC 2026 event, which it headlined the “Inference Kingdom Expands,” frames the current moment as a transition from training-dominated compute spending to inference-dominated spending. That transition matters for regulation because inference — running models against user queries at scale — is where most consumer harms actually occur. Training is where capability is created; inference is where it is applied.
A regulatory framework focused primarily on training-time documentation and pre-release reviews, as both the executive order and the Obernolte-Trahan draft effectively are, may be architecturally misaligned with where the risk actually lives. SemiAnalysis’s analysis of Claude Code, which it argued could account for more than 20% of all daily code commits by end of 2026, illustrates the point. The risks from AI-assisted software development — introducing subtle bugs, encoding security vulnerabilities, automating away human code review — are inference-time risks, not training-time risks. They are not captured by pre-release model reviews.
The same logic applies to AI agents. Meta’s ARE (Agent Research Environments) platform, released earlier this year, is explicitly designed to scale up agentic evaluation environments — a recognition from one of the frontier labs that the agent deployment surface is growing faster than evaluation methodology can track. The Obernolte-Trahan draft does not specifically address agentic deployments, which is a significant omission given that both OpenAI and Anthropic are actively developing AI “co-workers” intended to operate autonomously within enterprise environments over extended time horizons.
The Midterm Clock and What It Actually Means
Politico’s characterization of the Obernolte-Trahan bill as “Republicans’ last realistic chance” before midterms is worth unpacking, because it explains the pace and shape of the legislative push in ways that pure policy analysis obscures.
US midterm elections in November 2026 will redistribute Congressional power in ways that are difficult to predict but likely to complicate AI legislation. If Democrats gain seats — historically the pattern for the opposition party in a presidential midterm — the appetite for a deregulatory preemption framework shrinks. If Republicans expand their majority, the calculus shifts, but so might the specific provisions. Either outcome produces legislative discontinuity. The discussion draft released this week is therefore as much a negotiating document and a record of Republican governance priorities as it is a serious near-term legislative vehicle.
That said, the window is not completely closed. The executive order already provides a degree of federal coordination that lowers the immediate urgency of state-level action in some areas, potentially creating space for a more deliberate legislative process post-midterms. There are historical precedents — the Gramm-Leach-Bliley Act, HIPAA — where federal preemption of state financial and health privacy rules produced frameworks that, whatever their flaws, provided the baseline predictability that allowed sectors to operate at scale.
The companies most anxious about the midterm clock are not necessarily the frontier labs but the enterprise software vendors and the mid-market AI startups that have built products on top of foundation models and now face compliance obligations in multiple jurisdictions simultaneously. For a startup building an AI-assisted hiring product, Colorado’s Act, Illinois’s biometric rules, and potential EU obligations represent three distinct compliance regimes with overlapping but non-identical requirements. Federal preemption, even an imperfect version, would reduce that multiplicity. The question is whether the federal standard it replaces them with offers any meaningful protection to the people those state laws were written to protect.
The Open Source Dimension Nobody Is Legislating
One constituency conspicuously absent from the main policy debate is the open-source AI ecosystem, which has grown substantially in 2026. Hugging Face’s State of Open Source AI: Spring 2026 documents a landscape that has shifted dramatically from 2023, with open-weight models from Meta, Mistral, and a growing cohort of Chinese labs now competitive with proprietary frontier models on a meaningful range of tasks.
The Obernolte-Trahan draft, like most AI legislation globally, struggles with open-source models. The EU AI Act carved out a partial exemption for open-weight models, a provision that Meta lobbied hard for given its Llama releases, while still imposing GPAI obligations on models above certain capability thresholds regardless of license. The US draft’s compliance and documentation requirements, if applied uniformly, would effectively be unenforceable against open-weight model releases distributed through Hugging Face or direct download — there is no corporate entity to fine, no deployment pipeline to regulate.
This creates a predictable dynamic: proprietary labs bear compliance costs that open-source competitors do not, potentially incentivizing regulatory arbitrage where the most capable models migrate toward open-weight distribution. Conversely, enterprise customers who need vendor accountability may gravitate toward proprietary offerings specifically because they come with compliance paper trails. Neither outcome is clearly intended by the legislation’s authors, but both are foreseeable consequences of a framework designed around the proprietary lab model that dominated the industry in 2023 and has been losing ground since.
Meta’s continued investment in open Llama releases, most recently Llama 4 with its mixture-of-experts architecture, is simultaneously a competitive strategy and a structural complication for governance frameworks. Regulation that cannot reach the models it most needs to reach is not regulation — it is a competitive subsidy for the least accountable distribution channel.
What Enterprises Should Do While Washington Figures This Out
For enterprise buyers and deployers of AI systems, the regulatory uncertainty has practical consequences that do not wait for legislative resolution. The EU AI Act’s August 2 applicability date is fixed regardless of what Congress does. The Trump executive order’s 30-day review requirement is already in effect for frontier model releases. And state laws like Colorado’s are live now.
The most defensible posture — and the one that SemiAnalysis, legal advisors, and enterprise AI teams are converging on — is to build to the highest applicable standard in your actual deployment context and document everything. That means: if you have EU customers or employees, audit your AI systems against GPAI obligations now, not in August. If you deploy AI in hiring, housing, credit, or healthcare in Colorado, you are already under binding state law. If you are building agentic systems with autonomous action capabilities, invest in human oversight infrastructure before regulators specify it, because every major framework globally is converging on that requirement.
The compliance infrastructure built for the highest standard is almost always portable downward — documentation prepared for the EU AI Act satisfies most US state transparency mandates as well. The inverse is not true. Companies that built minimally compliant postures for the least demanding jurisdictions are finding that retrofitting documentation, audit trails, and oversight mechanisms into deployed systems is substantially more expensive than building them in from the start.
The broader message for enterprise AI strategy is that the governance landscape, however unresolved at the federal level, is not going to get simpler. The preemption debate is a contest over which regulator gets to set the floor, not a debate about whether there will be a floor. Any enterprise planning on the assumption that AI will remain effectively unregulated in the United States is misreading both the political momentum and the direction of travel from every major trading partner.
Conclusion
The Great American AI Act of 2026 is less a finished product than a forcing function. Its actual significance lies not in the text of the current draft but in what it reveals about the competing pressures now converging on US AI governance simultaneously: an industry that has consolidated revenues to a degree unprecedented in the technology sector’s history, a White House that wants both to accelerate deployment and to maintain federal control over the most powerful systems, states that have filled a regulatory vacuum and are now being asked to vacate it, and a European framework that is about to become enforceable regardless of anything Washington decides.
The labs most capable of shaping this outcome — OpenAI, Anthropic, Google DeepMind, Meta — have every incentive to support a federal framework that displaces state laws, creates documentation standards they can satisfy at scale, and avoids the categorical bans that would require product changes. They will get a version of what they want. The question is whether the version they get retains the provisions — private rights of action, enforceable incident reporting, meaningful human oversight mandates — that make the framework more than a compliance checkbox exercise.
The EU AI Act, whatever its implementation friction, has done something the current US debate has not: it specified the floor. August 2 will test whether European enforcement infrastructure can match European legislative ambition. That test will be watched closely in Washington, and its results will shape what the next iteration of US AI governance looks like after the midterms reset the board.
—
