North American AI Compliance in 2025: What Professional Services Businesses Need to Know

If you operate in professional services and have any clients, suppliers, or data flows touching the United States or Canada, North American AI compliance is no longer someone else's problem. The regulatory landscape across both countries is shifting faster than most businesses have anticipated, and the consequences of being caught unprepared are becoming increasingly concrete.

This briefing cuts through the noise and explains what is actually happening, why it matters to accountants, solicitors, HR consultancies, and marketing agencies operating internationally, and what you should be doing about it now.

The United States: A Patchwork That Still Has Teeth

The US has no single federal AI law. In January 2025, President Trump revoked the Biden administration's 2023 AI Executive Order and replaced it with new directives focused on innovation and establishing a unified national AI policy. One stated ambition is pre-empting state-level legislation, which would simplify the compliance picture considerably — but that outcome remains uncertain and contested.

In the meantime, the states are not waiting. Between 2023 and 2025, 27 AI-related laws were passed across 14 states, with the majority taking effect in 2026. These cover a wide range of issues: transparency obligations for AI-powered companion chatbots, prohibitions on non-consensual intimate deepfakes, and substantive regulations for frontier AI models. California's SB 53 and New York's RAISE Act, both effective 2026, signal that major commercial jurisdictions are prepared to act independently of Washington.

For professional services firms, the more immediate concern is enforcement at the federal level — specifically, the Federal Trade Commission.

The FTC Is Already Enforcing — Hard

The FTC has made AI a core enforcement priority, and it is using existing statutory powers to act without waiting for new legislation. Under the FTC Act, COPPA, and civil rights laws, the Commission is actively pursuing cases involving deceptive claims about AI capabilities, algorithmic bias, and consumer harm.

Recent enforcement actions paint a clear picture of where the risks lie. Rite Aid faced action over facial recognition misuse in 2023. Amazon's Alexa service was targeted for mishandling children's voice data. Evolv Technology was sanctioned in 2024 for misrepresenting AI performance. These are not edge cases — they reflect a deliberate enforcement strategy.

The FTC's 2023 "AI and Your Business" guidance explicitly warns against unsubstantiated claims about what AI systems can do. The Commission has a specific term for this: AI-washing. It means overstating AI capabilities to clients, investors, or regulators — and it is treated as a form of deceptive trade practice. Potential fines reach approximately $50,000 USD per day.

Notably, the FTC is now using its own AI systems to detect truth-in-advertising violations. The agency is, in effect, deploying the technology it regulates to police how businesses describe that same technology. The Securities and Exchange Commission is taking a similar line on AI-washing in corporate disclosures.

For marketing agencies, this has direct implications for how you describe AI-driven services to clients. For solicitors and accountants, it raises questions about due diligence obligations when advising businesses that deploy or procure AI tools.

Canada: No Federal Framework, But Compliance Obligations Remain

Canada was on track to introduce comprehensive federal AI legislation through the Artificial Intelligence and Data Act (AIDA), part of Bill C-27. That legislation died on the order paper in January 2025 following political upheaval and widespread criticism that its scope and requirements were insufficiently defined. Canada now has no binding federal AI framework.

That does not mean anything goes. The Personal Information Protection and Electronic Documents Act (PIPEDA) continues to govern AI systems that process personal information, and its obligations are substantive. Organisations must demonstrate accountability, limit data collection to what is genuinely necessary, obtain meaningful consent, maintain accuracy, implement robust safeguards, and operate transparently. When an AI-related data breach creates a real risk of significant harm to individuals, specific notification obligations are triggered.

The compliance picture is further complicated by provincial legislation. Quebec's Law 25 imposes some of the strictest privacy requirements in North America. Alberta and British Columbia each have their own private sector privacy laws. For any organisation handling Canadian personal data — including UK firms using SaaS platforms or AI services that route data through Canadian entities — this multi-layered environment demands careful attention.

Cross-border data transfers present a particular risk. Many UK and European businesses use US-based AI services to process data that may include information about Canadian individuals. The requirement under PIPEDA to ensure comparable protection in third countries can conflict with the US CLOUD Act, which permits US authorities to compel access to data held by American companies regardless of where that data is stored. This is not a theoretical concern — it is an active compliance gap that organisations need to address.

What This Means If You Operate Internationally

The North American regulatory environment creates specific obligations for professional services businesses operating across borders, even if you are headquartered in London, Dubai, Sydney, or Singapore.

If your firm markets AI-powered services to US clients, or makes claims about AI capabilities in US-facing materials, FTC guidance applies to how you describe those services. If you process personal data relating to Canadian individuals, PIPEDA's requirements attach regardless of where your business is registered. If you use US-based AI vendors to process client data, you need to understand who can access that data and under what legal authority.

The broader pattern matters too. The EU's AI Act, the UK's emerging sector-led approach, and now the proliferating state laws in the US are converging on a common set of concerns: transparency, accountability, data minimisation, and the prevention of discriminatory outcomes. Organisations that build compliance frameworks around these principles now will be better positioned as new requirements crystallise, wherever they operate.

The Compliance Fundamentals You Cannot Afford to Skip

Regardless of jurisdiction, professional services businesses using or advising on AI systems should be working through the following:

Audit your AI use. Know which tools you are using, what data they process, where that data goes, and what claims you are making about what those tools can do.

Review your client-facing language. AI-washing enforcement is real and active. Any marketing copy, pitch document, or service description that overstates AI capabilities is a liability.

Map your data flows. If personal data crosses borders — particularly between the UK, EU, US, and Canada — you need to understand the legal basis for each transfer and whether protections are genuinely equivalent.

Document your governance. Regulators on both sides of the Atlantic are increasingly asking for evidence of internal accountability. Policies, records, and designated responsibility matter.

Stay current. Twenty-six US state AI laws take effect in 2026. Canada will re-introduce federal AI legislation. The compliance baseline will shift.

At Ops Intel, we help professional services businesses navigate AI compliance obligations across multiple jurisdictions — practically, without unnecessary complexity, and with a clear understanding of how the rules apply to your specific business model.

If you are unsure where your obligations begin and end, or want an independent review of your current AI governance position, get in touch with our team to discuss how we can help.