US schools face AI regulatory pressure from multiple directions – here is how to navigate it
The United States does not have a single federal AI law equivalent to the EU AI Act. What it has is more complex: overlapping federal guidance, accelerating state legislation, existing privacy frameworks with AI implications, and – for institutions with international students or EU presence – extraterritorial exposure to EU law.
Understanding AI risk classification is no longer optional for US higher education. Admissions offices, student services teams, and IT departments that cannot answer the question "which of our AI tools carries the highest regulatory risk?" are operating blind. This guide maps the current landscape and tells you what to do about it.
The US AI regulatory landscape: three layers that matter
Unlike the EU's single-regulation approach, US AI governance runs on three parallel tracks.
| Layer | Key Framework | Scope | Binding? |
|---|---|---|---|
| Federal | FTC Act (Section 5), Dept. of Education guidance, FERPA | Nationwide | Partially (FTC enforcement; FERPA binding) |
| State | Colorado SB 24-205, California bills, Illinois AI Video Interview Act | State-specific | Yes, where enacted |
| EU extraterritorial | EU AI Act (Regulation 2024/1689) | Schools with EU nexus | Yes, where triggered |
Federal layer: FTC, Department of Education, and FERPA
The FTC has made clear that Section 5 of the FTC Act – which prohibits unfair or deceptive acts or practices – applies fully to AI systems. Schools that deploy AI in admissions or student services and make misleading claims about how those systems work, or that use AI in ways that cause unfair harm to applicants, are exposed to FTC enforcement.
The Department of Education's AI report calls explicitly for human oversight of AI in education, transparency with students about AI use, and bias auditing for high-stakes AI applications. While not binding law, it signals the direction of federal policy and shapes what accreditation bodies will scrutinize.
FERPA is the existing framework with the most direct AI implications. Any AI system that processes education records – transcripts, grades, behavioral data, financial aid records – must comply with FERPA's use and disclosure restrictions. Feeding student data into a third-party AI vendor does not remove FERPA obligations; the institution remains responsible. Legitimate educational interest and school official exceptions must be documented in contracts.
State layer: where binding AI obligations are emerging fastest
State AI laws are the fastest-moving part of the US regulatory landscape. The most significant for higher education:
- Colorado SB 24-205 (effective February 2026): Requires deployers of high-risk AI systems – defined to include systems that make consequential decisions about education – to conduct impact assessments, notify individuals, and allow them to appeal AI-influenced decisions. Colorado institutions and any school marketing to Colorado residents should be compliant now.
- Illinois AI Video Interview Act: Already in force. Requires written consent before AI analysis of video interviews. Directly relevant to schools using AI video screening in admissions.
- California: Multiple bills advancing through the legislature targeting automated decision-making, bias audits, and transparency. Schools recruiting California students – which means most selective institutions – should monitor closely.
- Connecticut, Virginia, Texas: Active AI accountability legislation moving through state legislatures. The patchwork will not consolidate soon; compliance programs need to be state-aware.
The common thread across all state AI laws is a focus on consequential decisions about individuals. Admissions, financial aid, academic progression, and student services are precisely the domains where state regulators are looking.
Office for Civil Rights: AI and anti-discrimination
The Department of Education's Office for Civil Rights (OCR) has signaled that AI systems producing discriminatory outcomes in admissions or financial aid can violate Title VI, Title IX, and Section 504. An AI tool that produces disparate impact on protected groups – even without discriminatory intent – can trigger OCR investigations. This is not hypothetical: OCR has opened investigations into school AI practices.
When the EU AI Act applies to US schools
The EU AI Act (Regulation 2024/1689) has explicit extraterritorial reach. A US school is in scope when:
- It deploys AI systems that produce outputs used in the EU (for example, an AI admissions screening tool that evaluates EU-domiciled applicants)
- It places AI systems on the EU market
- The outputs of its AI systems affect individuals located in the EU
For large research universities, Ivy League schools, and liberal arts colleges with significant international enrollment from EU member states, this is a real exposure. An AI-powered admissions scoring tool that evaluates applications from German, French, or Spanish students falls within the scope of Annex III, which classifies as high-risk any AI system used to "determine access to or admission to educational and vocational training institutions."
Practically, US schools with more than minimal EU student enrollment should:
- Map which AI systems touch EU-domiciled applicants
- Assess whether those systems meet Annex III high-risk criteria
- Obtain conformity documentation from vendors for any high-risk system
- Implement the human oversight and logging requirements of Article 29
Risk classification for US higher education: a practical framework
Because the US lacks a single classification system, the most useful approach draws on NIST AI RMF categories alongside EU AI Act criteria.
| AI System | US Risk Profile | EU AI Act Tier (if EU nexus) | Primary Obligation |
|---|---|---|---|
| Admissions scoring/ranking algorithm | High (FTC, OCR, state AI laws) | High risk (Annex III) | Impact assessment, human oversight, documentation |
| AI exam proctoring | High (FERPA, state biometric laws) | High risk (Annex III) | FERPA compliance, consent, human review |
| AI-powered financial aid modeling | High (FERPA, Title IV) | High risk (Annex III) | Data governance, audit trail |
| Admissions chatbot (FAQ) | Low-medium (FTC transparency) | Limited risk (Art. 50) | Disclose AI to users |
| AI plagiarism detection | Medium (FERPA, due process) | High risk (Annex III) | Document decision process, right of appeal |
| Marketing content recommendation | Low | Minimal risk | No specific obligation |
| Spam filters, calendar tools | Minimal | Minimal risk | No specific obligation |
Chatbots, transparency, and the 72% threshold
Internal Skolbot data shows that 72% of student prospect questions are answerable by automated FAQ – only 7% require human intervention (Source: automated classification of 12,000 Skolbot conversations, 2025). This means the compliance overhead for chatbots is modest relative to the operational gain: a transparency disclosure at the start of a conversation fulfills the EU AI Act's Article 50 obligation and aligns with FTC best practices on AI disclosure. The disclosure does not reduce chatbot effectiveness; it reduces institutional liability.
For US schools, the FTC's guidance on AI makes clear that failing to disclose AI interactions that consumers would consider material is a deceptive practice. Schools deploying admissions chatbots should audit all touchpoints – website widget, Common App integrations, SMS, email – to confirm AI disclosure is present before the first interaction.
See AI Chatbot GDPR Data Collection in Schools for a detailed breakdown of chatbot compliance obligations and AI Bias in Student Recruitment for the audit steps relevant to OCR risk.
Practical action plan for US higher education institutions
- Build an AI inventory. List every AI system across admissions, financial aid, academic integrity, student services, and marketing. Include vendor-supplied tools and anything embedded in your SIS or CRM.
- Classify by risk. Apply the framework above. Flag any system that makes or substantially influences a consequential decision about an individual student or applicant as high-risk.
- Check state obligations. For each high-risk system, confirm whether Colorado SB 24-205, the Illinois AI Video Interview Act, or any other state law applies given your institution's footprint and student demographics.
- Assess EU exposure. If your institution enrolls EU-domiciled students, map which AI systems touch their applications and assess Annex III applicability.
- Audit vendor contracts. Require FERPA-compliant data use agreements. For EU-exposed systems, require EU AI Act conformity documentation from providers.
- Implement human oversight. For every high-risk system, define who can override an AI output, how overrides are logged, and what the student notification process looks like.
- Document everything. OCR investigations and state AG enforcement actions turn on documentation. Institutions that cannot show what their AI systems do and how humans oversee them face the highest penalties.
See The EU AI Act and Higher Education for a full treatment of EU Act obligations and Right to Erasure under GDPR for Schools for the data subject rights dimension of AI governance.
Frequently asked questions
Does the EU AI Act apply to US universities?
It applies when a US institution deploys AI systems that produce outputs affecting individuals in the EU, or when those systems are aimed at the EU market. US schools with significant EU student enrollment – particularly those actively recruiting in EU member states – should assess their Annex III exposure. Schools with minimal EU-domiciled enrollment have limited direct exposure, though vendor contracts for globally deployed AI tools may still carry EU Act implications.
What is the most immediate US regulatory risk from AI in admissions?
FERPA compliance for AI systems processing student records, OCR scrutiny of AI tools producing disparate impact on protected groups, and Colorado SB 24-205 obligations for institutions with Colorado nexus. FTC enforcement is a secondary but real risk for schools making inaccurate claims about their AI systems.
Are Common App integrations subject to AI regulation?
Common App is the provider of the application platform. If your institution applies an AI system – a scoring algorithm, a screening tool – to Common App data, you are the deployer and the regulatory obligations fall on you. Common App's own data handling is governed by its agreements with institutions, but your use of AI on that data is your responsibility.
How should we handle regional accreditation and AI?
Bodies such as SACSCOC, HLC, and MSCHE are increasingly asking institutions to demonstrate coherent AI governance frameworks. An AI risk inventory, classification rationale, and documented oversight procedures directly address the governance standards that accreditors apply. Institutions that have done this work are better positioned in comprehensive reviews and audits.
What is the penalty exposure for non-compliance with state AI laws?
Colorado SB 24-205 creates a private right of action against deployers of non-compliant high-risk AI systems, with the Colorado AG as the primary enforcement authority. Illinois penalties for AI Video Interview Act violations run per violation. California bills under development contemplate civil penalties in the range of existing privacy enforcement. The correct frame is not "what is the fine?" but "what is the cost of an OCR investigation, a state AG inquiry, or a class action?"