New York enacted an AI safety law on Thursday. The FTC vacated an AI consent order on Sunday. Same week. Opposite directions. Federal pullback does not mean regulatory relief. Here is every enforcement tool that actually works.
The enforcement seesaw (December 2025): Thursday: NY Governor signs RAISE Act, first major state AI safety law post-preemption executive order. Sunday: FTC votes 2-0 to vacate Rytr consent order, citing AI Action Plan. Same week. Opposite directions. Don’t mistake federal pullback for regulatory relief.
The week of December 19, 2025 captured U.S. AI enforcement in a single frame. New York enacted an AI safety law the same week the FTC vacated an AI consent order. For lawyers, this is the operating reality: federal pullback does not eliminate enforcement. State enforcement advances. Agency enforcement under existing law continues through CFPB, EEOC, and SEC regardless of executive orders. Courts sanction AI misuse independently. And the FTC’s most powerful tool, algorithmic disgorgement, destroys models worth millions in a remedy no court has overturned. This article maps every enforcement mechanism available.
The Enforcement Toolkit
Federal Agency Enforcement Under Existing Law
FTC Section 5. No AI statute needed. Prohibits unfair or deceptive practices. Applied to Operation AI Comply (Sept 2024), Evolv Technologies (Nov 2024), DoNotPay (Jan 2025). Remedies: cease and desist, injunction, penalties, and algorithmic disgorgement.
Algorithmic disgorgement. The nuclear option. Delete the data AND every model trained on it. Cambridge Analytica (2019), Everalbum, Weight Watchers/Kurbo, Rite Aid (first Section 5 unfairness against discriminatory AI, Dec 2023). Tainted datasets train multiple models; one action destroys several. Authority unchallenged in court. The FTC will pursue this remedy until a court says otherwise.
CFPB (ECOA / Reg B). Existing fair lending law. Specific adverse action explanations required. AI receives no exemption. Creditors cannot use technology they cannot explain. Unaffected by AI executive orders.
EEOC (Title VII / ADA). Existing anti-discrimination law. Employers liable for AI hiring discrimination regardless of vendor. 2024 Joint Statement with DOJ, CFPB, FTC. Disparate impact theory applies without AI-specific amendment.
SEC. 2026 priorities include AI washing. Charged Delphia and Global Predictions (2024). Existing securities fraud frameworks applied to AI claims.
FDA. Existing medical device authority for AI/ML SaMD. TAKE IT DOWN Act (May 2025) is the only standalone federal AI statute (deepfake intimate images).
These enforcement pathways directly translate into real legal exposure, especially when you consider the malpractice and liability risks lawyers face when relying on AI systems.
The Enforcement Map
| Enforcer | Authority | AI Target | Remedies | Private Action? |
|---|---|---|---|---|
| FTC | Section 5 | Deceptive/unfair/discriminatory AI | Injunction, penalties, disgorgement | No. State UDAP class actions possible. |
| CFPB | ECOA / Reg B | AI credit without explainability | Examinations, penalties, consent orders | Yes. ECOA private right of action. |
| EEOC | Title VII / ADA | Discriminatory AI hiring | Charges, litigation, consent decrees | Yes. Title VII private right after admin. |
| SEC | Securities laws | AI washing | Settlements, disgorgement, injunctions | Yes. 10b-5. Shareholder derivative. |
| FDA | FD&C Act | AI medical devices | Warning letters, seizure, penalties | No. State tort claims available. |
| CO AG | Colorado AI Act | High-risk AI discrimination | UDTP penalties, injunctions, 90-day cure | Ambiguous. UDTP may allow private claims. |
| TX AG | TRAIGA | Prohibited AI uses | $10K-$200K/violation + $2K-$40K/day | No. NIST safe harbor available. |
| NYC DCWP | LL144 | Employment AI without audit | $500-$1,500/violation/day | No. Title VII parallel claims. |
| IL IDHR | HB 3773 | AI employment discrimination | Civil rights remedies | YES. Only major state AI law with private right. |
| Courts | FRCP Rule 11 | AI hallucinated filings | $5K-$100K+, brief striking, bar referral, default | Sua sponte. Opposing counsel motions. |
Private Rights of Action: Where Plaintiffs Can Sue
Most state AI laws have NO private right of action. Colorado, Texas, NYC: AG or agency enforcement with cure periods. But five private pathways exist.
Illinois HB 3773. The exception. AI employment discrimination is a civil rights violation with private right of action. The only major state AI law allowing individuals to sue directly. Massive litigation exposure for employers using AI affecting Illinois residents.
Federal civil rights applied to AI. Title VII, ECOA, ADA, FCRA all provide private rights that apply when AI is the discrimination mechanism. Established causes of action, new technology.
Colorado’s UDTP ambiguity. AI Act violations = deceptive trade practices. AG has exclusive enforcement, but Colorado CPA allows private UDTP claims. Unresolved. Cannot be dismissed.
State tort claims. Negligence, products liability, malpractice apply to AI-caused harm through existing doctrine.
Shareholder derivative suits. Caremark claims for board failure to implement AI governance. Enforcement from within the corporate structure.
Algorithmic Disgorgement: The Game-Changing Remedy
This remedy changes how lawyers should advise on governance investment. Traditional penalties are costs. Disgorgement destroys the asset itself.
The FTC’s rationale: companies that collect data illegally should not profit from it OR from any algorithm built from it. Three characteristics make it devastating: models take years and millions to build, tainted data often trains multiple models (one action cascades), and model outputs feed downstream systems (destruction propagates).
For lawyers: this transforms data governance from compliance cost to existential risk. An organization training on improperly collected data risks forced destruction of core AI assets. ISO 42001 Annex B documentation and data governance controls provide the evidentiary defense.
What survives preemption: Agency enforcement under existing law (FTC Act, ECOA, Title VII) cannot be preempted by AI-specific orders. Court sanctions authority is independent. Illinois HB 3773 amends the Human Rights Act, not an AI statute. The enforcement toolkit persists regardless of the preemption debate.
What This Means for Client Advisory
Governance is justified by enforcement reality, not future law. CFPB, EEOC, FTC, SEC enforce now under existing statutes. No new law needed.
Data governance is the highest priority. Disgorgement makes provenance existential. Document collection, consent, use. Maintain AIBOM. ISO 42001 Annex B provides the framework.
Employment AI has broadest litigation exposure. Title VII private action, EEOC enforcement, Illinois HB 3773 private action, NYC LL144 audits, Colorado AG enforcement all converge.
Contracts fill statutory gaps. Where private rights don’t exist, vendor agreements with AI provisions create breach-of-contract claims independent of any AI statute.
Safe harbors are litigation defense worth building. TRAIGA: NIST = affirmative defense. Colorado: NIST/ISO 42001 = rebuttable presumption. ISO 42001 certification = third-party evidence usable in any proceeding.
This is exactly why AI governance is rapidly emerging as a dedicated legal practice area rather than a niche add-on.
Enforcement Is Not Waiting for Legislation
The absence of a comprehensive federal law has not created an enforcement vacuum. FTC, CFPB, EEOC, SEC enforce existing law. Courts sanction independently. Illinois provides private right of action. Algorithmic disgorgement destroys millions in AI assets. The toolkit is substantial and growing. Lawyers who map every tool for every client system provide the highest-value governance service.
The practical first step: map every client AI system against the enforcement map in this article. Identify which enforcement mechanisms apply to each system. The systems exposed to multiple enforcers and private rights of action are the highest-priority governance investments.
GAICC offers ISO/IEC 42001 Lead Implementer training that covers the governance structures, documentation standards, and risk management frameworks that activate safe harbors and provide evidence of reasonable care in enforcement proceedings. Explore the program to build the credential that strengthens every client’s enforcement defense.
