Just Four Pages Govern the Most Powerful Technology in History
On March 20, the White House released what it calls a "National Policy Framework for Artificial Intelligence." It's supposed to be the blueprint for how America governs AI. The document that tells Congress what to legislate, what to protect, and how to keep up with a technology moving faster than any regulation ever has.
It's FOUR pages.
Four pages to cover kids' safety, copyright, job displacement, community impact, federal oversight, censorship concerns, and state preemption. If you've ever written a college essay, you've put more words on paper about less important topics.
But the page count isn't the real problem. The real problem is what those four pages actually say. And more importantly, what they don't.
The framework's biggest ask isn't a rule. It's an eraser.
The centerpiece of the White House framework isn't a new protection. It's preemption. The document explicitly calls on Congress to override state AI laws that "impose undue burdens" on AI development. It says states shouldn't regulate model development. It says developers shouldn't face liability for what third parties do with their systems.
Read that again. The federal government's primary AI policy recommendation is that states should stop making AI policy.
This would be fine if the federal government were offering something better. It isn't. The framework proposes no new regulatory body. It creates no enforcement mechanism. It establishes no reporting requirements for AI companies. It suggests "regulatory sandboxes," which is a polite way of saying "let companies experiment without consequences for a while."
The framework is a wishlist, not a policy. And the thing it wishes for most is less regulation.
States are the only ones actually doing anything
While the White House was drafting its four pages, states were doing the work.
Washington just passed two AI bills. HB 1170 tackles data provenance, requiring transparency about where AI training data comes from and how it's used. HB 2225 regulates AI chatbots. Both are on the governor's desk right now.
Oregon passed SB 1546, addressing AI companions. New York passed a GenAI disclosure bill and amendments to the RAISE Act. Colorado advanced bills on surveillance pricing, AI in healthcare, and AI in psychotherapy. Virginia passed three AI-related bills covering fraud and abuse.
That's five states with concrete, specific legislation moving through their systems in March alone. Not frameworks. Not wishlists. Laws. With definitions, requirements, and consequences for violations.
The White House argument is that this patchwork creates compliance chaos for businesses operating across state lines. And sure, a patchwork isn't ideal. But you know what's worse than a patchwork? A vacuum. A patchwork at least tells you what the rules are in each state. The federal framework tells you... wait and see.
"Don't regulate model development" is a policy choice, not a neutral position
The framework's most revealing line is its call to preclude states from regulating AI model development. Think about what that means in practice.
Right now, if a company trains an AI model on personal data scraped from the web without consent, a state like Colorado or Washington could hold them accountable. The White House framework says Congress should take that power away.
This isn't some technicality. Model development is where the privacy decisions happen. It's where companies decide whose data gets ingested, how consent is handled (or ignored), whether PII ends up baked into model weights. By the time a model is deployed and someone files a complaint, the privacy violation already happened during training. Telling states they can't touch the development phase is like saying you can regulate restaurants but not kitchens.
The framework preserves states' ability to enforce "generally applicable laws" for child protection, fraud, and consumer safety. But AI governance doesn't fit neatly into those buckets. An AI system that processes personal data without consent isn't fraud in the traditional sense. It might not harm a specific child. It's a new category of harm that requires new rules. And the federal framework offers none.
The business case for clarity (not deregulation)
Here's where I'll push back on both sides. Businesses genuinely need clarity. I run one. I talk to compliance teams and legal departments every day at Osano who are trying to figure out what rules apply to their AI deployments. A patchwork of state laws does create real operational friction.
But the answer to "too many rules" isn't "no rules." It's better rules. A federal framework that actually defined requirements and set minimum standards for AI transparency would be worth celebrating. One that gave businesses a single compliance target instead of fifty. That's not what this is.
This framework asks businesses to trust that Congress will eventually pass something meaningful. If you've watched Congress try to pass privacy legislation over the past decade, you know how that story ends. We still don't have a comprehensive federal privacy law. We've been waiting since the GDPR passed in 2018. Eight years. And the White House is asking states to stop filling the gap while we wait some more.
For any company that cares about doing AI responsibly, the honest move right now is to build your governance program around the strictest state standards. That's what we tell our clients at Osano. Because if you're compliant with Colorado's AI transparency requirements and Washington's data provenance rules, you'll be ready for whatever federal legislation eventually shows up. If you build to the federal framework's current standard, you're building to nothing.
What happens next actually matters
Here's what's worth watching. House leadership immediately signaled support for the framework, which means some version of federal AI legislation is coming. The question is whether it's meaningful or cosmetic.
The EU is struggling with its own timeline. The AI Act's high-risk rules, originally set for August 2026, are looking at a delay of over a year thanks to the Digital Omnibus package. Missing technical standards and delayed codes of practice for general-purpose AI have pushed everything back. So even Europe, which had a multi-year head start, can't get this right on schedule.
Meanwhile, states keep legislating. Over 30 states introduced AI-related bills in 2026. The FTC was directed to issue a policy statement by March 11 describing how existing consumer protection law applies to AI. The machinery of actual governance keeps grinding forward at every level except the one that just released a four-page framework.
If Congress does pass preemption legislation, it will be the most consequential AI policy decision the US has made. Not because of what it creates, but because of what it destroys. Every state-level AI protection on the books would disappear overnight. And if the federal replacement is as thin as the framework suggests? Companies and consumers would be left in a world where the most powerful technology in a generation has less oversight than your local restaurant.
Build for the strictest standard. Hope for something better.
I'm not anti-federal regulation. A single, strong national standard would be better for everyone: businesses, consumers, and the AI companies themselves. But "strong" is the operative word. A federal standard that preempts state laws while imposing nothing meaningful in return isn't a standard. It's a hall pass.
The companies that will win in the long run are the ones building governance now, not the ones waiting for permission to skip it. Privacy and AI accountability aren't obstacles to growth. They're the foundation for trust. And trust is the only thing that scales as fast as AI does.
States know this. That's why they're writing laws. The White House should take notes.