Report · First Edition · June 2026

AI Governance for US Marine Industry Businesses and Maritime Operators

What Federal Policy, State Law, and Maritime Rules Require, and What Operators Can Do Now

Kristina Agustin - Founder, Southern Sky AI

Author: Kristina Agustin · Published by: Southern Sky AI · June 2026

01 Overview

Executive Summary

A US marine business adopting AI in 2026 operates across three layers of obligation at once. The federal layer is deliberately light on AI-specific rules. The state layer is dense, fast-moving, and the dominant near-term compliance driver. And the maritime layer (cyber and autonomy rules from the US Coast Guard, the IMO, and the classification societies) sits on top of both. Understanding which layer applies to which AI use is the practical task this report sets out to help with.

The United States has no comprehensive federal AI statute. The 2025 and 2026 federal posture is explicitly deregulatory, shaped by Executive Order 14179 of 23 January 2025, America's AI Action Plan of 23 July 2025, and Executive Order 14365 of 11 December 2025, which targets state AI laws and stands up a Department of Justice litigation task force. At the same time, existing sectoral laws continue to apply directly to marine operators, and the US Coast Guard's Cybersecurity in the Marine Transportation System final rule took effect on 16 July 2025.[1][2][3][4]

The federal government is rolling AI rules back. The states are building them up. For a US marine operator, the state patchwork is the dominant compliance driver in 2026.

The state-law patchwork is where marine businesses face the real near-term risk. California's CCPA automated decision-making, risk-assessment, and cybersecurity-audit regulations took effect on 1 January 2026. Texas's Responsible AI Governance Act took effect the same day. Illinois amended its Human Rights Act to cover employment AI from 1 January 2026, New York City's bias-audit law is already enforced, and Colorado's law is the most volatile in the country, repealed and replaced in May 2026 by a new framework effective 1 January 2027. Federal preemption of these laws is being attempted but is not yet in force.[5][6][7][8]

For globally trading US-flag operators, the EU AI Act reaches outward. Its high-risk obligations were postponed by the Digital Omnibus agreement of 7 May 2026, with the standalone high-risk deadline moving to 2 December 2027 and the product-embedded deadline, which expressly covers watercraft, to 2 August 2028. Maritime-specific instruments operate alongside all of this: the IMO cyber resolution embedded in safety management systems since 2021, the IACS cyber resilience requirements for newbuilds, and the non-mandatory IMO MASS Code adopted at MSC 111 in May 2026.[9][10]

This report maps each layer to the AI now entering US marine organisations, sets out the enforcement exposure, and gives a staged set of steps an operator can take now.


02 Federal

How the Federal Government Approaches AI

Federal AI policy in 2025 and 2026 is pro-innovation and deregulatory, and it runs through executive action rather than a horizontal statute.

The executive orders

Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence (23 January 2025), revoked the prior administration's AI order and directed agencies to suspend, revise, or rescind actions seen as inconsistent with sustaining American AI dominance. America's AI Action Plan (23 July 2025) set more than ninety federal actions across innovation, infrastructure, and international diplomacy and security. Executive Order 14365 (11 December 2025) went further, directing the Attorney General to establish an AI Litigation Task Force to challenge state AI laws, directing Commerce to evaluate state laws and condition Broadband Equity, Access and Deployment funding, and directing the FCC and FTC to advance a federal preemption strategy.[1][2][3]

Two attempts at a federal preemption moratorium, one through the budget reconciliation bill in mid-2025 and one through the FY26 defence authorisation in late 2025, both failed. As at June 2026, Executive Order 14365 does not by itself override existing state law. Federal preemption typically flows from an Act of Congress, and several agency deadlines under the order had passed without the directed actions being published. State attorneys general have signalled litigation, with a coalition urging the FCC to stand down. Colorado is the only state named in the final order.[3]

The de facto baseline

The voluntary frameworks carry the practical weight. The NIST AI Risk Management Framework (26 January 2023) and its Generative AI Profile (26 July 2024) remain the de facto US baseline, organised around four functions: Govern, Map, Measure, and Manage. Texas names the NIST framework as an express safe harbour, and several state laws reference it as the technical standard. Most US organisations run the NIST framework inside an ISO/IEC 42001 AI management system. NIST released a critical-infrastructure profile concept note in April 2026 that is directly relevant to maritime operational technology.[11][18]

Federal privacy is sectoral

There is no comprehensive federal privacy law. The sectoral statutes most relevant to the marine sector are HIPAA for crew and passenger health information, GLBA for marine finance, insurance brokerage, and yacht financing, COPPA for child-directed services, and the FTC Act for general fairness and deception. CISA's cyber-incident reporting regime and Commerce export controls on advanced AI and compute may apply selectively, for example to shipyards using export-controlled simulation tools.[12]


03 Centrepiece

The Federal Rule That Matters Most for Marine

The single most consequential federal AI-adjacent rule for the US marine sector is the US Coast Guard's Cybersecurity in the Marine Transportation System final rule. It governs the operational and information technology that AI increasingly runs on, and its compliance clock is already running.

What it is and who it covers

The rule sits at 33 CFR Part 101 Subpart F, published at 90 FR 6298 on 17 January 2025, and took effect on 16 July 2025. It covers owners and operators of US-flagged vessels, facilities, and Outer Continental Shelf facilities required to hold a security plan under the Maritime Transportation Security Act regime in 33 CFR Parts 104, 105, and 106. Foreign-flagged vessels are addressed through Captain of the Port authority.[4]

The core duties

The rule requires an organisation to:

  • designate a Cybersecurity Officer;
  • develop and maintain a Cybersecurity Plan covering account, device, and data security, network segmentation, supply chain, training, drills, incident response, and recovery;
  • conduct a Cybersecurity Assessment;
  • complete annual personnel training;
  • run two cybersecurity drills each year;
  • report reportable cyber incidents to the National Response Center; and
  • maintain compliance documentation.[4]

AI-driven operational technology, the systems handling crew and passenger data, and remote-access vendor connections all fall inside the Cybersecurity Plan. This is where AI governance and the Coast Guard rule meet.

The compliance clock

The phasing matters, because parts of it have already passed. National Response Center reporting has been required since 16 July 2025. All personnel who access IT or OT systems were required to complete training by 12 January 2026, and annually after that, with new hires trained within thirty days. The Cybersecurity Officer designation, the Cybersecurity Assessment, and the Cybersecurity Plan submission are due by 16 July 2027.[4]

The penalties

Civil penalties under the Port Security provision at 46 U.S.C. 70119 are inflation-indexed to US$43,527 per violation and US$78,210 per day for a continuing violation, the figures set in the January 2025 adjustment and carried into the December 2025 update. The Captain of the Port may also issue control and compliance measures, including vessel detention.[4]

Why AI sits inside it

AI-driven operational technology (including engine and propulsion controls, dynamic positioning, navigation aids, and autonomous terminal equipment), IT systems handling crew and passenger personal information, predictive-maintenance and route-optimisation platforms, AI-enabled vessel traffic services, and remote-access vendor connections all fall in scope and are addressed in the Cybersecurity Plan. For an MTSA-regulated operator, the rule is the practical place where AI governance and federal obligation already converge.


04 State

Where the Near-Term Risk Sits: The State Patchwork

State law applies based on where customers, employees, or data subjects are located, not where the marine business is incorporated. A Florida brokerage selling to a California buyer, an Alaskan ferry collecting Virginia resident data, and a Texas shipyard with Illinois employees each trigger out-of-state law. The patchwork below is the dominant compliance driver in 2026.

California

California carries the densest set of obligations. The CCPA automated decision-making, risk-assessment, and cybersecurity-audit regulations took effect on 1 January 2026, with phased compliance. Risk assessments for high-risk processing begin in 2026, with carryover activities assessed by 31 December 2027 and a first attestation to the CPPA due 1 April 2028. ADMT obligations for significant decisions, covering lending, housing, education, employment, and healthcare, require compliance by 1 January 2027 for existing systems, with pre-use notice, opt-out, access, and human-appeal rights. Cybersecurity audits are tiered by revenue, with the largest businesses audited by 1 April 2028.[5]

California also enacted the AI Transparency Act (SB 942), whose operative date moved to 2 August 2026; a training-data transparency law (AB 2013) effective 1 January 2026; and the Transparency in Frontier Artificial Intelligence Act (SB 53), in effect from 1 January 2026, which requires frontier developers to publish a safety framework and report critical safety incidents, enforced by the Attorney General with penalties up to US$1 million per violation.[13]

Texas

The Texas Responsible AI Governance Act (HB 149) took effect on 1 January 2026. It prohibits AI developed or deployed for behavioural manipulation, intentional discrimination, unlawful deepfakes, and infringement of constitutional rights, on an intent-based liability standard where disparate impact alone is insufficient. It creates a regulatory sandbox and an AI council, is enforced only by the Attorney General with a sixty-day cure period and no private right of action, and preempts local AI ordinances. Penalties run from US$10,000 to US$200,000 per violation plus daily amounts for continuing violations, and compliance with the NIST AI framework is an express safe harbour.[6]

Colorado, the most volatile area

Colorado passed the first comprehensive US high-risk AI law (SB 24-205) in 2024, then delayed it, then replaced it. A federal challenge brought by xAI, which the Department of Justice moved to intervene in during April 2026, paused the original law, and on 14 May 2026 Governor Polis signed SB 26-189, repealing and replacing it effective 1 January 2027. The new framework drops the duty of care and impact-assessment model in favour of automated decision-making disclosure: a pre-use notice before ADMT influences a consequential decision, a post-adverse-outcome notice within thirty days, consumer rights to access, correct, and request human review, and three-year recordkeeping. Enforcement is by the Attorney General only, with penalties up to US$20,000 per violation, and implementing rules are due by 1 January 2027.[7]

Illinois and New York City

Illinois carries two exposures. The Biometric Information Privacy Act provides statutory damages of US$1,000 for negligent and US$5,000 for intentional or reckless violations per person, with a 2024 amendment capping recovery at one violation per person per method, which the Seventh Circuit held applies retroactively in April 2026. And HB 3773 amended the Illinois Human Rights Act from 1 January 2026 to prohibit employment AI that discriminates against protected classes, bar the use of ZIP codes as proxies, and require employee notice. New York City's Local Law 144 requires annual independent bias audits of automated employment decision tools, public audit summaries, and candidate notice, with penalties of US$500 to US$1,500 per violation per day.[8][14]

Utah and the wider map

Utah's AI Policy Act requires disclosure when a consumer asks or when AI is used in high-risk interactions in regulated professions such as law, finance, and medicine. Comprehensive consumer privacy laws are now in effect across more than twenty states, most including profiling and automated-decision opt-out rights. The practical consequence for marine businesses is that the relevant law follows the customer, the employee, and the data, wherever they sit.


05 Enforcement

Federal Enforcement Is Real

Even without a federal AI statute, enforcement is active and bipartisan. The FTC applies Section 5's prohibition on unfair or deceptive practices to AI, on the principle that there is no AI exemption from the laws on the books. Its Operation AI Comply, launched in September 2024, continued through 2025 with further actions, confirming that the posture survived the change of administration. The FTC's most distinctive remedy is algorithmic disgorgement, the ordered deletion of models trained on improperly obtained data, imposed in a line of cases that includes the first use of Section 5 unfairness against a discriminatory AI deployment.[15]

On employment, the EEOC removed its 2023 technical assistance on AI in hiring in January 2025, and the Department of Labor flagged related guidance as potentially outdated. The underlying statutes, Title VII, the ADA, the ADEA, and the FLSA, continue in full effect, and the EEOC has continued to act where AI tools produce discriminatory outcomes. The withdrawal of guidance changed the commentary, not the law.[16]

The composite picture is the one to plan against. State attorneys general are active across party lines, the plaintiffs' bar continues to use the Illinois biometric law aggressively, and FTC algorithmic disgorgement combined with state enforcement is the most acute risk for AI vendors selling into the marine sector.


06 Global

Global Frameworks That Reach US Operators

A US marine business that touches the EU, carries EU passengers or crew, or processes EU data is reached by European law regardless of where it is incorporated.

The EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) has applied since 1 August 2024 and reaches extraterritorially to providers placing AI on the EU market, deployers established in the EU, and providers or deployers whose AI outputs are used in the EU. That sweeps in US operators carrying EU-domiciled passengers or charter guests, employing EU crew, or selling AI-enabled services into the EU. Article 5 prohibitions have applied since 2 February 2025 and general-purpose AI obligations since 2 August 2025.[9]

The Digital Omnibus agreement of 7 May 2026 postponed the high-risk obligations. Standalone Annex III high-risk systems, covering recruitment, credit scoring, and similar uses, now apply from 2 December 2027, and product-embedded Annex I systems, a category that expressly includes watercraft, from 2 August 2028. The watermarking obligation for AI-generated content under Article 50(2) was deferred only three months, to 2 December 2026, and a new Article 5 prohibition on non-consensual intimate imagery and AI-generated child sexual abuse material was added. Formal adoption is expected before the original 2 August 2026 deadline, which remains the legal date until then.[10]

The watermarking obligation bites on 2 December 2026 and needs implementation work now. The high-risk deadlines moved, but the inventory and classification work did not.

GDPR and ISO/IEC 42001

The GDPR reaches US marine businesses handling EU personal data, with penalties up to the greater of EUR 20 million or four per cent of global turnover, and is most relevant to cruise lines, superyacht management, and marine insurers with EU exposure. ISO/IEC 42001, the certifiable AI management system standard, is increasingly used as evidence of reasonable care under state AI laws and as the documentation backbone above the NIST framework.[17][18]


07 Maritime

The Maritime Cyber and Autonomy Layer

The maritime-specific instruments operate alongside the federal and state layers, and they govern the cyber foundations that AI runs on as well as the emerging rules for autonomy.

  • IMO Resolution MSC.428(98). Cyber risks have been required in safety management systems since the first annual verification of the Document of Compliance after 1 January 2021. This applies to SOLAS vessels and to voluntarily compliant superyachts, and it is the natural place to record AI components that enter the safety management chain.[19]
  • IACS UR E26 and E27. Cyber resilience requirements for ships and onboard systems, effective for new ships contracted on or after 1 July 2024. They are mandatory for cargo ships of 500 gross tonnes and above, passenger ships carrying more than twelve passengers, and self-propelled mobile offshore drilling units, and they cover both operational and information technology through the five functions of identify, protect, detect, respond, and recover.[20]
  • MLC 2006 and STCW. Both are relevant where AI-enabled crew monitoring, wearables, or fatigue and biometric systems are used, with 2025 STCW amendments on violence and harassment expected to enter into force in 2028.
  • IMO MASS Code. The non-mandatory International Code for Maritime Autonomous Surface Ships was adopted at MSC 111, held from 13 to 22 May 2026, and takes effect on 1 July 2026 for cargo ships on international voyages. A framework for an Experience-Building Phase is to be developed at MSC 112 in December 2026, with a mandatory Code targeted for adoption by 1 July 2030 and entry into force on 1 January 2032. The US Coast Guard is engaged in the IMO working group. The Code keeps a human master responsible for the ship, able to intervene whether or not on board.[21]

08 Application

AI Use Cases by Marine Segment

Each segment of the US marine industry carries a different AI footprint, and therefore a different combination of obligations. The recreational sector alone is large: the NMMA's economic study reports around US$230 billion in annual economic impact, 812,000 jobs, and 36,000 businesses, with new powerboat unit sales of 215,237 in 2025, an 8.8 per cent decline on the prior year. The table maps the main segments to their characteristic AI uses and the obligations those uses trigger.[22]

| Segment | Characteristic AI use cases | Primary obligations triggered |
|---|---|---|
| Commercial shipping and Jones Act operators | Route and voyage optimisation, AI bridge decision support, predictive maintenance, autonomous trials | MTSA and USCG cyber rule; IACS UR E26/E27 for newbuilds; IMO MSC.428(98); MASS Code for autonomy |
| Ports and terminals | Berth scheduling, gate OCR and biometrics, autonomous yard equipment, vessel traffic services | USCG cyber rule (MTSA facilities); CISA guidance; state biometric laws (BIPA, Texas CUBI, Washington) |
| Shipyards and shipbuilders | AI design, computer-vision welding QA, robotic NDT, drone hull inspection, employee monitoring | Commerce and BIS export controls; Illinois HB 3773; California ADS regulations; NYC LL 144 |
| Marinas | Booking and dynamic pricing, CRM, biometric access, video analytics | State consumer privacy laws; biometric statutes; thresholds rarely met but biometric duties apply |
| Ferry, passenger, and cruise | Passenger profiling, biometric boarding, crew duty-of-care AI, MOB detection | EU AI Act and GDPR (EU passengers); California ADMT; HIPAA (PHI held by cruise lines) |
| Recreational and the dealer/brokerage trade | CRM, dynamic pricing, financing decisions, lead scoring, identity verification | ECOA and Reg B; GLBA; state privacy laws; California and Colorado ADMT where credit or insurance decisions are involved |
| Marine insurers and P&I | Underwriting, claims triage, fraud detection, sanctions screening | GLBA; state insurance regulators; NAIC AI Model Bulletin, now adopted across more than two dozen states; CCPA |
| Marine surveyors | AI image analysis, drone hull and tank inspection, sensor fusion | Professional liability; class society type approval for vessel-side equipment |
| Maritime professional services and law | Contract automation, KYC and AML, OFAC sanctions screening, document review | Utah's high-risk-interaction disclosure; state-bar guidance on generative AI |

09 Exposure

Enforcement and Penalties at a Glance

The table consolidates the live enforcement exposure across the regimes that reach US marine businesses, as at June 2026.

| Regime | Enforcer | Exposure |
|---|---|---|
| FTC Act Section 5 | FTC | Injunctive relief, civil penalties, and algorithmic disgorgement (model deletion) |
| USCG MTSA cyber rule | USCG / Captain of the Port | US$43,527 per violation; US$78,210 per day continuing; detention; plan suspension |
| Title VII, ADA, ADEA in AI hiring | EEOC / private plaintiffs | Compensatory and punitive damages; injunctive relief, despite guidance withdrawal |
| Illinois BIPA | Private right of action | US$1,000 negligent / US$5,000 intentional per person, capped at one per method |
| NYC Local Law 144 | NYC DCWP | US$500 to US$1,500 per violation per day; per-candidate notice violations stack |
| Colorado SB 26-189 (from 1 Jan 2027) | Colorado AG (no private right) | Up to US$20,000 per violation (US$50,000 against elderly persons) |
| Texas TRAIGA | Texas AG (no private right) | US$10,000 to US$200,000 per violation, plus daily continuing amounts |
| CCPA / CPRA (ADMT, audits, risk assessments) | CPPA / California AG | US$2,500 / US$7,500 per violation, plus private right of action for breaches |
| California AI Transparency Act (SB 942) | California AG / city / county | US$5,000 per violation, each day a discrete violation |
| California TFAIA (SB 53) | California AG | Up to US$1 million per violation |
| Utah AI Policy Act | Utah Consumer Protection / AG | US$2,500 administrative / US$5,000 court per violation |
| EU AI Act | National authorities and AI Office | Up to EUR 35 million or 7 per cent of global turnover (prohibited practices) |
| GDPR | EU data protection authorities | Up to EUR 20 million or 4 per cent of global turnover |

10 Timeline

Compliance Timeline

The dates below consolidate the milestones that shape AI governance for the US marine industry. Rows marked Active are in force now.

| Date | Milestone | Status |
|---|---|---|
| 1 Jan 2021 | Cyber risk required in ISM safety management systems (IMO MSC.428(98)) | Active |
| 1 Jul 2024 | IACS UR E26 and E27 apply to new ships contracted on or after this date | Active |
| 23 Jan 2025 | EO 14179 revokes the prior AI executive order | Active |
| 2 Feb 2025 | EU AI Act Article 5 prohibitions apply | Active |
| 16 Jul 2025 | USCG Cybersecurity in the MTS rule effective; NRC reporting begins | Active |
| 23 Jul 2025 | America's AI Action Plan published | Active |
| 2 Aug 2025 | EU AI Act general-purpose AI obligations apply | Active |
| 1 Jan 2026 | California CCPA ADMT regs, Texas TRAIGA, Illinois HB 3773, AB 2013, SB 53 all effective | Active |
| 12 Jan 2026 | USCG annual cyber training deadline for IT/OT personnel | Active |
| 7 May 2026 | EU Digital Omnibus agreement postpones high-risk AI deadlines | Active |
| 14 May 2026 | Colorado SB 26-189 signed, replacing SB 24-205 | Active |
| 22 May 2026 | IMO adopts the non-mandatory MASS Code at MSC 111 | Active |
| 1 Jul 2026 | IMO MASS Code takes effect for cargo ships | Upcoming |
| 2 Aug 2026 | California SB 942 operative; original EU high-risk date unless adoption precedes it | Upcoming |
| 2 Dec 2026 | EU AI Act watermarking obligation (Article 50(2)) applies | Upcoming |
| Dec 2026 | IMO MSC 112 to develop the MASS Experience-Building Phase | Upcoming |
| 1 Jan 2027 | California ADMT compliance for significant decisions; Colorado SB 26-189 effective | Upcoming |
| 16 Jul 2027 | USCG Cybersecurity Officer, Assessment, and Plan submission due | Upcoming |
| 2 Dec 2027 | EU AI Act Annex III high-risk obligations apply | Upcoming |
| 1 Apr 2028 | First CCPA cybersecurity-audit attestation for largest businesses | Upcoming |
| 2 Aug 2028 | EU AI Act Annex I (product-embedded, including watercraft) applies | Upcoming |
| 1 Jan 2032 | Mandatory IMO MASS Code targeted entry into force | Upcoming |

11 Action

Recommendations

The steps below move an operator from visibility to readiness across the federal, state, and maritime layers.

Stage 1, do now (mid-2026)

1. Stand up an AI inventory and risk register

Map every AI and automated-decision tool, including third-party SaaS, used in hiring, customer screening, pricing, underwriting, navigation, operational-technology control, biometrics, and content generation, to the NIST AI framework's four functions.

2. For MTSA-regulated entities, accelerate USCG cyber compliance

Confirm annual personnel training was complete by 12 January 2026, assign the Cybersecurity Officer role now, and begin the Cybersecurity Assessment so the Plan is ready well before 16 July 2027.

3. Map data flows by state and country

Particularly for cruise, ferry, brokerage, marina, and insurance operations, identify the California, Illinois, New York, Texas, Colorado, and EU touchpoints that drive out-of-state and extraterritorial application.

Stage 2, before 1 January 2027

4. Build California ADMT readiness for significant decisions

Create pre-use notices, opt-out and appeal workflows, and ADMT logic disclosures, and complete pre-2026 carryover risk assessments by 31 December 2027.

5. Prepare Colorado SB 26-189 readiness

Even with the prior law paused, prepare the pre-use notice, the thirty-day post-adverse-outcome notice, and three-year recordkeeping for 1 January 2027.

6. Address Texas TRAIGA, Illinois HB 3773, and NYC Local Law 144

Document non-discriminatory intent, run annual bias audits for New York City, provide employee and applicant notices, and eliminate ZIP-code proxies in Illinois.

7. Keep EU AI Act work moving

The Omnibus delays do not pause inventory and classification; the watermarking obligation applies on 2 December 2026 and needs implementation work now; and the Annex III high-risk obligations land on 2 December 2027.

Stage 3, maritime-specific governance

8. Integrate cyber and AI governance into the safety management system

Do this under IMO MSC.428(98), and for newbuilds contracted on or after 1 July 2024, ensure IACS UR E26 and E27 evidence is produced and curated by ship managers rather than left siloed in IT.

9. For autonomy-curious operators

Treat the 1 July 2026 non-mandatory MASS Code as the design baseline, engage the US Coast Guard and class on Experience-Building Phase participation, and plan for a mandatory Code entering force on 1 January 2032.

10. Adopt the NIST AI framework or ISO/IEC 42001 formally and document it

Both are recognised as safe harbours or affirmative defences, expressly under Texas law and through state-of-the-art arguments elsewhere.

Thresholds that would change these recommendations

If Congress enacts a federal preemption statute, the state ADMT laws above could be displaced; until then, plan against the state regimes. If the FCC opens a preemptive AI disclosure proceeding, expect immediate litigation and do not pause state compliance. And if the EU Digital Omnibus is not formally adopted by 2 August 2026, the original high-risk dates apply on that date as a matter of law.


12 Method

Caveats and Provisional Positions

This is a first-edition report, written for a fast-moving landscape. The positions below are accurate as at early June 2026 and carry the qualifications noted.

Federal preemption is the most fluid area. Executive Order 14365 does not by itself override state law. Any displacement will come from FCC or FTC rulemaking, DOJ litigation, conditional federal funding, or new legislation, and state attorneys general have signalled litigation.

Colorado remains in motion. As at June 2026, the original law is paused and the replacement, SB 26-189, takes effect on 1 January 2027 but awaits Attorney General rulemaking due by that date.

California SB 942 moved from a 1 January 2026 operative date to 2 August 2026; some industry summaries still cite the original date.

EU AI Act dates reflect the 7 May 2026 political agreement. Formal adoption is expected but not certain, and if it slips past 2 August 2026 the original high-risk obligations apply on that date.

EEOC guidance removal in January 2025 did not change the underlying anti-discrimination statutes, and private litigation against AI hiring tools continues.

USCG penalty figures are the 2025 inflation-adjusted amounts, carried into the December 2025 update. Future-year adjustments will update them.

The MASS Code is non-mandatory and applies to cargo ships of 500 gross tonnes and above on international voyages. It does not yet reach US-domestic ferry, passenger, or recreational fleets. The IACS cyber requirements apply only to ships contracted on or after 1 July 2024, with existing fleets governed by MSC.428(98).

Federal AI regulation could change quickly in the second half of 2026 if the Commerce evaluation, FCC proceedings, an FTC policy statement, or Congressional preemption legislation move forward. This briefing reflects the position as at early June 2026.

This report is open to peer review, industry feedback, and correction. If you identify positions that would benefit from refinement, I welcome hearing from you.


13 Conclusion

Conclusion

AI is already operating across the US marine industry, in bridge decision support, predictive maintenance, port automation, passenger and biometric systems, underwriting, dealer financing, and the everyday content and document work that surrounds all of it. The governance question is which of three layers each use touches, and whether that use is documented, governed, and matched to the obligations it activates.

The federal layer is light, the state layer is dense, and the maritime layer sits on top of both. The operator's task is to know which layer each AI use touches.

Two points carry the most weight. The first is that the federal pullback does not reduce exposure, it relocates it. With no federal AI statute and an active preemption attempt that is not yet law, the state patchwork and the maritime cyber rules are where compliance lives in 2026, and the relevant state law follows the customer, the employee, and the data wherever they sit. The second is that the maritime layer is concrete and dated: the USCG rule's clock is running, the IACS requirements bind newbuilds, and the MASS Code arrives on 1 July 2026.

The federal pullback does not reduce exposure. It relocates it to the states and to the maritime rules that were already there.

The practical route is the same one that serves any operator facing a moving target: build an AI inventory, map the data flows that drive which laws apply, accelerate the Coast Guard cyber work that is already due, and adopt a recognised framework and document it. The US marine sector has long treated safety and security as disciplines. Extending that discipline to how AI is governed is the natural next step, and the operators that do it now will be the ones ready when the federal picture finally settles.

If this report has identified questions for your organisation

AI inventory, governance mapping, and policy construction are core components of the Compass AI Blueprint, Southern Sky AI's structured AI readiness and adoption roadmap for maritime organisations.

The Blueprint begins with the same foundations this report calls for: identifying the AI an organisation uses, mapping the federal, state, and maritime obligations those tools activate, and building a policy framework proportionate to operational profile and regulatory exposure.

Compass AI Navigator then carries that work forward as a continuing relationship, keeping the policy current as the state patchwork, the USCG cyber rule, and your operation evolve.

The Engagement Guide sets out how both work together.


14 Sources

References

  [1] Executive Order 14179, Removing Barriers to American Leadership in Artificial Intelligence (23 January 2025)
  [2] America's AI Action Plan (23 July 2025), The White House
  [3] Executive Order 14365, Ensuring a National Policy Framework for Artificial Intelligence (11 December 2025); analysis, Sidley Data Matters
  [4] USCG Cybersecurity in the Marine Transportation System final rule, 33 CFR Part 101 Subpart F, 90 FR 6298 (17 January 2025), effective 16 July 2025
  [5] California CCPA ADMT, risk assessment, and cybersecurity audit regulations (effective 1 January 2026), CPPA
  [6] Texas Responsible AI Governance Act (HB 149, effective 1 January 2026), Texas Legislature
  [7] Colorado SB 26-189 (signed 14 May 2026, effective 1 January 2027), Colorado Attorney General
  [8] Illinois HB 3773 (Public Act 103-0804, effective 1 January 2026) and Biometric Information Privacy Act (740 ILCS 14)
  [9] EU AI Act, Regulation (EU) 2024/1689
  [10] EU Digital Omnibus AI agreement (7 May 2026); analysis, Hogan Lovells
  [11] NIST AI Risk Management Framework (26 January 2023) and the Generative AI Profile (NIST AI 600-1, 26 July 2024)
  [12] CISA, Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA); FTC Act privacy authorities
  [13] California AI Transparency Act (SB 942), AB 2013, and Transparency in Frontier AI Act (SB 53), California Legislative Information
  [14] New York City Local Law 144, Automated Employment Decision Tools, NYC DCWP
  [15] FTC, Operation AI Comply and algorithmic disgorgement actions
  [16] EEOC, AI and algorithmic fairness in employment
  [17] GDPR, Regulation (EU) 2016/679
  [18] ISO/IEC 42001:2023, AI management system
  [19] IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems (16 June 2017)
  [20] IACS UR E26 and E27, cyber resilience for new ships contracted on or after 1 July 2024, ClassNK
  [21] IMO adopts the non-mandatory MASS Code at MSC 111 (13 to 22 May 2026)
  [22] NMMA recreational boating economic data and 2025 unit sales (January 2026), National Marine Manufacturers Association