US AI Regulation Has No Rulebook: Export Bans, State Lawsuits, and Voluntary Frameworks Fill the Void

The United States has no transparent, consistent framework for regulating artificial intelligence. That sentence has been true for years. What changed in June 2026 is that everyone noticed at the same time.

CNN reports that the Anthropic export control saga, which NCT has covered extensively over the past week, has surfaced a problem larger than any single company or model: the federal government makes consequential AI safety decisions without published standards, without consistent methodology, and sometimes without giving companies more than 90 minutes of warning.

Three Regulatory Tracks, Zero Coordination

The current US approach to AI oversight operates on three disconnected tracks, none of which talk to each other.

Federal executive action has been the primary tool. The Trump administration rolled back Biden-era mandatory safety reporting thresholds in favor of voluntary frameworks and state law preemption. A national AI policy framework issued in March recommended sector-specific regulation through existing agencies rather than a single rule-making body. An executive order earlier this month asked AI companies to voluntarily share frontier models with the government for cybersecurity vetting before public release. That order was delayed at the last minute after Trump said he worried it would “get in the way” of American AI innovation, according to CNN.

State-level legislation is filling the federal vacuum. California passed a law requiring AI companies to issue risk frameworks, report safety issues, and protect whistleblowers. Florida opened a criminal investigation into OpenAI, alleging ChatGPT may have aided and abetted the mass shooting at Florida State University last year, according to CNN. OpenAI has rejected those allegations.

Ad hoc enforcement is what happens when the other two tracks move too slowly. The Anthropic export ban on Fable 5 and Mythos 5 followed this pattern: the government identified a jailbreak vulnerability, classified the model as a national security risk, and gave Anthropic roughly 90 minutes to pull access. No published criteria. No formal evaluation process. No public explanation of the specific vulnerability, per CNN.

The Expert Consensus: Process, Not Outcomes

The criticism from policy experts centers not on the intervention itself, but on the complete absence of any rules governing when or how the government intervenes.

“The problem is not that the government exercised discretion; national security demands such latitude,” Jessica Tillipman, associate dean for government procurement law at George Washington University, wrote in an essay cited by CNN. “What is striking is the absence of any meaningful process.”

Brad Carson, head of Public First, a bipartisan pro-AI safety super PAC, put it more bluntly: “Right now, you have an ad hoc, personalized, opaque, possibly lawless approach,” he told CNN.

Dozens of cybersecurity researchers, AI entrepreneurs, and corporate executives signed an open letter on Monday criticizing the government’s approach and calling for “an open, scientific and transparent process of handling AI risk assessments in the future,” according to CNN.

The Infrastructure Deployment Problem

For teams building on AI models, regulatory unpredictability lands as a concrete infrastructure planning constraint — far from an abstract policy debate.

When the government can restrict access to a frontier model on 90 minutes’ notice, with no published criteria for what triggers a restriction, every deployment decision carries undocumented risk. Which models are safe to build production systems on? Which geographic regions are viable for deployment? What level of model capability triggers government scrutiny? None of these questions have public answers.

The March policy framework’s recommendation for sector-specific regulation means a healthcare agent builder, a financial services agent builder, and a defense contractor agent builder could face three entirely different regulatory regimes, administered by three different agencies, with three different definitions of “safety.”

Trump told Axios on Friday that he no longer views Anthropic as a national security threat, and negotiations between the company and the administration are reportedly progressing. But the resolution of one company’s case does not resolve the structural problem. The next jailbreak vulnerability, in any company’s model, will be evaluated under the same process: no process at all.