Tech Policy & Regulation Weekly — Mar 10, 2026
Week of March 10, 2026
The Big Picture
Three federal agencies (the Commerce Department, the Federal Trade Commission, and the Department of Justice) met statutory deadlines on March 11 with reports that could prompt lawsuits against state AI laws. The Supreme Court slammed the door on copyrighting pure AI output, and the Bureau of Industry and Security is quietly building an export-control architecture so granular that your GPU purchase order now needs a compliance lawyer. The experimentation era is over; the enforcement era just clocked in.
This Week's Stories
The Federal Government Just Loaded the Gun on State AI Laws
If your AI governance program was built around Colorado's algorithmic fairness rules, California's emerging liability framework, or Illinois's biometric laws, today is the day those foundations started to shake.
On March 11, three federal agencies delivered legally mandated reports that together could form the administration's opening brief against state AI regulation. The Commerce Department published an evaluation identifying state AI laws it considers "onerous" and conflicting with federal policy — essentially a target list. The FTC issued a policy statement arguing that state laws requiring AI models to alter outputs for fairness or bias mitigation could constitute compelled deception under Section 5 of the FTC Act (the federal prohibition on unfair and deceptive practices). And the Department of Justice formalized the operational posture of the DOJ AI Litigation Task Force, which is now resourced and positioned to start filing suits.
None of these documents is binding law by itself. The FTC statement is guidance, not a rule. The Commerce list is an evaluation, not an injunction. But together they could create the predicate for a federal litigation campaign that could challenge dozens of state AI regimes within the next 12–24 months. The administration's materials signal it will lean on First Amendment and dormant Commerce Clause theories — arguing some state rules compel speech or unduly burden interstate commerce — though these arguments are legally novel and untested.
The practical advice hasn't changed yet: state laws remain fully enforceable until a court says otherwise. But compliance teams should treat the next 90–180 days as a period of elevated litigation risk, and budget for the possibility that obligations you're building systems around could be enjoined mid-implementation.
Supreme Court Lets Stand the Rule That Pure AI Art Can't Be Copyrighted
On March 3, the Supreme Court declined to review the Thaler v. Perlmutter decision, which held that artwork generated entirely by AI — without human authorship — cannot receive copyright protection. The case involved an artist who tried to register images created by an autonomous AI system; every court that looked at it agreed the statute requires a human author, and the Supreme Court let that ruling stand.
This isn't new doctrine, but it's now a locked-in bright line: unedited AI output sits outside U.S. copyright. The same principle has been reinforced in patent law, where the USPTO treats AI as "a sophisticated tool, akin to a laboratory instrument," with conception remaining an inherently human act.
For companies using AI in creative or R&D workflows, IP ownership risk is now more crystallized. You can still protect human selection, editing, arrangement, and downstream branding — but you need to document those contributions carefully and contemporaneously. The litigation center of gravity is already shifting from "can I own this AI image?" to "did your model ingest my catalog, and are your outputs too close for comfort?" — a question the cert denial doesn't answer but makes more urgent.
BIS's Chip Export Architecture Is Live, Expanding, and Moving Faster Than Compliance Teams
While headlines chased Commerce's proposed global licensing regime, the Bureau of Industry and Security has already moved from theory to enforceable practice on a related front — and then piled on more.
The January 15 final rule shifted certain H200-class chip exports to China and Macau from blanket denial to conditional case-by-case review. The flexibility is narrow and operationally demanding: eligible shipments must meet strict conditions including U.S. supply-assurance certifications, third-party testing to verify technical capabilities, and detailed know-your-customer and remote-access disclosures. These aren't best practices — they're legal prerequisites.
Then on March 6, BIS rolled out four additional updates that expanded the Foreign Direct Product rule (which can make non-U.S.-manufactured items subject to U.S. export controls), added new Export Control Classification Numbers for advanced chip designs and AI training software, and tightened coverage of third-country production. Some of these changes took effect immediately under a national-security exemption — no comment period, no grace period. TSMC and Samsung are explicitly named in industry reporting as facing heightened downstream customer scrutiny.
Meanwhile, BIS enforcement is already producing large settlements — a recent high-profile case involving alleged circumvention through front companies in the EDA/chip-design space indicates the agency is willing to extract board-level penalties. If you touch semiconductor supply chains, audit your EDA tool exports and reseller chains now.
Commerce Drafts a World Where Every Big AI Chip Sale Needs Government Permission
Export controls used to mean "don't ship to bad guys." The Commerce Department is drafting rules that would make them mean "don't ship much of anything without asking us first."
Multiple outlets reported this week that Commerce is developing a tiered licensing framework for most high-end AI accelerator exports — not just to adversaries, but globally. Smaller orders (roughly up to 1,000 latest-generation GPUs) would see streamlined review. Mid-sized clusters would require pre-clearance and operational transparency. And mega-clusters — 200,000-plus top-end GPUs in a single country — could trigger mandatory commitments by foreign buyers to invest in U.S. AI infrastructure as a condition of approval.
This is still pre-rulemaking — no Federal Register notice, no formal comment period. But Bernstein analysts warned it would act as a de facto throttle on global AI compute build-outs, not just in China but in allied markets, by inserting a regulatory gate into what had been mostly commercial channels. For cloud providers, hyperscalers, and sovereign AI projects, this moves export controls from "China problem" to "enterprise procurement constraint." Combined with BIS's already-live operational requirements, companies face a layered regime where both broad licensing and granular compliance steps apply simultaneously.
The Grid Is Finally Pricing In AI — and the Invoice Is Enormous
On March 4, the Midcontinent Independent System Operator (MISO) — which runs the bulk power grid across much of the U.S. Midwest — released a draft transmission expansion plan totaling $8.8 billion. The number that matters: $3.1 billion of that total, about 35% of the plan, is explicitly earmarked for data center interconnections, including AI and cloud facilities.
This isn't a federal rule. But when a regional transmission operator formally bakes data center demand into its long-term planning, it becomes the blueprint regulators use to allocate costs and judge whether utilities are doing enough. For large-load customers, that translates into higher interconnection costs, potential curtailment in constrained areas, and more scrutiny of siting and timing decisions.
The signal extends beyond MISO. PJM, the big mid-Atlantic grid operator, filed a package at FERC to reshape how data centers connect to the grid — including a framework where load growth that doesn't come with new generation can be curtailed before traditional demand-response kicks in. FERC's own Order 1920-A survived an emergency stay request and remains in force, meaning transmission-planning reforms and cost-allocation rules are present compliance realities, not proposals. Data centers are crossing the line from being just "load" to being regulated almost like power plants in how they plan, disclose, and backstop their impact on the grid.
⚡ What Most People Missed
- The Nvidia-Groq "hackquisition" is getting its law review moment. Nvidia paid $20 billion for Groq's IP and people but explicitly did not buy the company, sidestepping Hart-Scott-Rodino merger review entirely. Antitrust scholars are now arguing that "functional control" — getting all the IP and all the key people — should trigger review even without a legal acquisition, and the FTC's scrutiny of the Microsoft-Inflection deal has added to regulatory scrutiny of similar arrangements.
- State attorneys general are quietly building cases around "surveillance pricing": using personal data or behavioral signals to charge different consumers different prices. Multiple AGs have issued investigative demands, and these probes can produce discovery and enforcement faster than federal antitrust cases. If your product uses dynamic or personalized pricing, build a defensible audit trail now.
- FDA's biosimilar guidance would let developers skip redundant U.S. trials when equivalent pharmacokinetic data already exists abroad — a meaningful cut in cost and time for complex biologics that could reshape pricing competition in oncology and immunology for the next decade. Almost no one outside the regulatory press is covering it.
- NERC is quietly building what amounts to a reliability standard for AI data centers. A March 2026 white paper outlines gaps in existing rules for "emerging large loads" and previews potential changes to critical infrastructure protection requirements — historically, NERC white papers on new risk classes are the on-ramp to formal standards that FERC later makes mandatory.
- The EU's Carbon Border Adjustment Mechanism has a March 31, 2026 registration deadline for importers of iron, steel, aluminum, cement, and fertilizers. If you sell carbon-intensive goods into the EU supply chain and your importers aren't registered, expect shipment disruptions in three weeks.
📅 What to Watch
- If the DOJ AI Litigation Task Force files its first complaint against a state AI law, the choice of target and legal theory will signal which state rules are most vulnerable — and whether First Amendment or Commerce Clause arguments have any judicial traction in this context.
- If Commerce publishes a formal notice of proposed rulemaking for global AI chip export licensing, the conceptual "permission gate" becomes a comment-period fight with real deadlines — and procurement teams will need to model multi-month approval cycles into infrastructure plans.
- If an EU data protection authority opens a formal GDPR enforcement proceeding against Meta over smart-glasses footage, it will set the first concrete design standard for always-on AI wearables — including where data can be processed and when human annotators can see it — binding every AR/VR hardware roadmap touching the EU.
- If BIS launches enforcement sweeps tied to the H200-class rule, the most likely targets are gaps in third-party testing files, KYC documentation, and remote-access controls — operational details that many compliance teams are still implementing.
- If MISO's board advances the $8.8B transmission plan toward approval, the $3.1B data-center allocation becomes the precedent other grid operators cite when they tell hyperscalers exactly how much of the new power bill is theirs.
A federal task force loading its first lawsuit against state AI laws. A Supreme Court telling artists their robot can't own what it makes. A grid operator sending data centers a $3.1 billion save-the-date.
Somewhere in a compliance department, someone is explaining to their CEO that the GPU purchase order now requires a know-your-customer file, a third-party lab certification, and possibly a commitment to build a data center in Ohio.
Until next week.