Sector-Specific AI Regulation

United States

• FDA Software as a Medical Device (SaMD): AI that analyses medical images, predicts patient deterioration, or supports clinical decisions is regulated as a medical device. Requires pre-market submission (510(k) or De Novo), evidence of clinical performance, and post-market surveillance. As of 2025, over 950 AI/ML-enabled medical devices have received FDA clearance.
• FDA Predetermined Change Control Plan (PCCP): Allows AI medical devices to make specified modifications without additional pre-market submission, if the change protocol is pre-approved. Critical for continuously learning AI systems.
• HIPAA: AI systems processing protected health information (PHI) require a Business Associate Agreement (BAA) with the vendor; strict data use limitations; breach notification obligations.
• ONC Health Data Interoperability Rules: AI clinical decision support must meet information blocking and interoperability requirements.

European Union

• EU AI Act classifies AI in medical device management and treatment decisions as high-risk (Annex III)
• Must comply with both EU AI Act requirements AND EU MDR/IVDR medical device regulations — the more specific requirement prevails where they conflict
• GDPR special category data (health data) requires explicit consent or specific legal basis; DPIAs mandatory

• US EEOC guidance (2023): AI-based hiring tools must not produce disparate impact on race, colour, religion, sex, national origin, age, or disability. Employers are liable for discriminatory AI tools even if provided by a vendor — the "four-fifths rule" for adverse impact analysis applies to AI-assisted selection.
• NYC Local Law 144 (2023): Employers and employment agencies using AI "automated employment decision tools" must conduct annual bias audits by an independent auditor; must notify candidates before use; audit results must be publicly posted. First jurisdiction-specific employment AI audit requirement in force.
• EU AI Act: AI for recruitment, promotion, task allocation, and performance monitoring in employment contexts listed as high-risk in Annex III. Conformity assessment, registration, and worker information rights required.
• Illinois AI Video Interview Act (2020): Employers using AI to analyse video interviews must notify candidates, explain how AI is used, and obtain consent. One of the earliest AI-specific employment laws enacted.

• FERPA (US): Family Educational Rights and Privacy Act. AI systems processing student educational records must comply with FERPA access, consent, and disclosure requirements. EdTech AI vendors must be FERPA-compliant before schools can use them with student data.
• COPPA (US): Children's Online Privacy Protection Act. AI tools used with students under 13 face strict consent and data handling requirements.
• EU AI Act: AI systems that determine access to educational institutions, evaluate learning outcomes, or assess students in ways that affect their educational paths are classified as high-risk.
• Proctoring AI scrutiny: AI-powered remote proctoring systems face particular regulatory and legal scrutiny in the EU (GDPR biometric data) and multiple US states for accuracy disparities across demographics.
• GenAI academic integrity: Multiple jurisdictions and institutions are developing policy frameworks for disclosure and acceptable use of generative AI in academic work — not yet codified as regulation but rapidly evolving.