07/15/2026 | Press release | Distributed by Public on 07/15/2026 09:01
By Paul Lekas and Bethany Abbate
For nearly four years, the AI policy debate in Washington, D.C. and in state capitols has often proceeded from a premise that artificial intelligence is a largely unregulated technology, operating in a legal void that only a sweeping new statutory framework can fill. That premise has shaped hundreds of bills, dozens of hearings, and a growing repository of state-level requirements.
At the Software & Information Industry Association (SIIA), we have spent the past several years arguing that good AI policy has to start somewhere more basic: an honest accounting of what the law already does. Before lawmakers design new obligations, they need to know where existing statutes already reach AI-enabled conduct, where courts and regulators have already extended familiar doctrines to cover it, and where real gaps remain. We identify "gaps" as places where the use of AI creates risks or harms that current law genuinely does not anticipate. SIIA has previously recommended to Congress the commissioning of a comprehensive survey of the existing legal landscape as a precondition for designing targeted, gap-filling legislation. Good policymaking requires a data-driven approach to avoid legislating in the dark, by analogy, or by untested conventional wisdom.
Years into this debate, that type of a survey still hadn't been done - yet the demand for it has only increased. In consultation with stakeholders who share our interest in this question, with a sense of urgency as the AI policy "patchwork" rapidly unfolds, SIIA decided to commission an AI legal gap analysis ourselves. We retained counsel in the San Francisco office of Manatt, Phelps & Phillips LLP to conduct an independent analysis of how current federal and state technology-neutral laws apply to AI across five domains: civil rights and algorithmic bias; informational injuries, including copyright, publicity rights, and synthetic media; consumer protection and torts; privacy and data governance; and frontier AI safety and security.
The findings make clear that the law is already in the room: existing technology-neutral laws already govern AI and provide accountability for many of the concerns that animate AI legislation at the federal and state level. Understanding the extent to which existing laws already cover a broad cross-section of AI use cases and AI-related harms should empower policymakers - both by freeing federal and state lawmakers to focus efforts where the legal system falls short and enabling regulators to allocate limited resources to address the most critical gaps. In short, our hope is that this analysis will help to refocus the AI policy debate on the concrete solutions to the most urgent challenges.
The main takeaway for policymakers in Washington, DC, and in the fifty states is that the choice in front of them is not "regulate AI" versus "leave it unregulated." It is whether new rules will be layered thoughtfully onto a legal system that already reaches AI-related harms, or drafted as if that system doesn't exist.
Anti-discrimination laws apply to AI.
Title VI and Title VII of the Civil Rights Act, the ADA, the Rehabilitation Act, the ADEA, and the Equal Pay Act all continue to apply to consequential decisions in housing, employment, lending, health care, and government services, regardless of whether a human or an algorithm made the call. Courts and regulators have repeatedly confirmed as much, and litigants are already pleading disparate-treatment and disparate-impact claims against algorithmic decision-making using doctrines that predate the transformer architecture by decades. State civil rights statutes, like California's Unruh Act, reinforce the same baseline. None of this required a single AI-specific statute.
Tort and contract law are doing real work, too.
Negligence, product liability, breach of contract, and the implied covenant of good faith and fair dealing have all already been invoked in AI-related litigation. These doctrines impose duties of care and accountability on developers and deployers alike, and they are flexible enough to absorb genuinely new fact patterns, which is precisely what common law is for.
Copyright law applies without modification.
The Copyright Act and the DMCA govern AI training and outputs today, full stop. Courts are actively working through novel fact patterns, what training on copyrighted works means for infringement analysis, and how outputs should be treated, but they are doing so inside the existing statutory framework, not outside it.
Consumer protection is already policing AI harms.
The FTC Act's prohibition on unfair or deceptive practices has supported enforcement against deceptive AI marketing claims and unreliable AI-generated outputs, backed by parallel state unfair-practices statutes. Newer rules on automated decision-making add specificity at the margins, but they are largely supplementing an existing enforcement architecture rather than replacing an absent one.
Privacy laws reach many concerns around AI.
Sector-specific federal privacy laws like HIPAA and COPPA, along with the growing array of state privacy, biometric, and wiretapping statutes do reach AI systems that touch sensitive data. As the memo makes clear, however, these statutes were written before generative AI was at the forefront. That may leave open novel questions about data provenance, consent, and retention that require further study. As we've long recommended, policymakers should approach those questions in a risk-based manner focused on use cases with demonstrable harm to privacy interests.
On frontier safety and security, existing cybersecurity law provides a foundation to build on, even where it doesn't fully cover the field. But there are still gaps.
Frontier AI safety and security is an area not fully addressed by technology-neutral law as it stands largely because it addresses AI development rather than deployment. But the memo highlights that the existing body of cybersecurity law and regulation, built over decades to govern software risk more broadly, already provides a critical foundation for AI models. That matters enormously for how Congress should think about catastrophic-risk scenarios. The industry has a direct stake in strengthening, not sidestepping, this foundation. Continued investment in AI safety and security research is itself a cybersecurity imperative, arming defenders against the same malicious actors who would misuse frontier capabilities. Lawmakers don't need to invent a new regulatory architecture for frontier risk from scratch; they need to identify precisely where the existing cybersecurity framework's assumptions break down for the most advanced models (as some states have already begun to do with frontier-model transparency obligations) and build from there. This will require a stronger framework for government-industry coordination along with mechanisms for oversight, transparency, incident reporting, and more.
The salient point, and the throughline of this entire analysis, is that even in the context of frontier safety, the United States is not starting from scratch. This is the main takeaway for policymakers in Washington, DC, and in the fifty states. Recognizing this ground truth should help in crafting targeted legislation to close real gaps, particularly around data governance and frontier security, without duplicating protections that consumers, workers, and creators already have. Assuming AI is "unregulated" is the path that leads to fifty overlapping, sometimes contradictory state approaches, each purporting to solve problems that existing federal and state laws, when applied properly, may already solve.
SIIA has long favored robust federal solutions, grounded in leveraging the expertise of institutions like NIST's Center for AI Standards and Innovation, over a fragmented state-by-state patchwork, precisely because fragmentation imposes real compliance costs without a commensurate increase in protection. This memo is offered in that spirit: not as an argument against AI regulation, but as a case for regulating with precision. Neither Congress nor the states need to build an entirely new legal system for artificial intelligence. They need to understand how the current legal system already governs AI development and use and how it provides accountability mechanisms for many areas of concern, and these policymakers should legislate where that system falls short.