{"id":8605,"date":"2026-06-26T09:53:05","date_gmt":"2026-06-26T09:53:05","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8605"},"modified":"2026-06-26T09:53:05","modified_gmt":"2026-06-26T09:53:05","slug":"proposed-us-law-would-make-ai-risk-reporting-a-legal-obligation","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8605","title":{"rendered":"Proposed US law would make AI risk reporting a legal obligation"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>US lawmakers on Thursday introduced a bill that would require developers of advanced AI models to report major safety and security incidents to the Commerce Department, establishing a federal oversight framework for high-risk AI systems.<\/p>\n<p>The proposed AI Incident Reporting Act would mandate that developers of designated \u201ccovered models\u201d disclose incidents within seven days of knowing, or reasonably believing, that one has occurred. For incidents posing an imminent or ongoing risk of serious harm, the Commerce Department would have to notify congressional leadership and the chairs of relevant House and Senate committees within 48 hours after receiving the report.<\/p>\n<p>The bill directs the Secretary of Commerce to establish capability thresholds to determine which AI models and developers are subject to the reporting requirements.<\/p>\n<p>\u201cAI is a powerful engine of innovation, and I want to see it flourish, but not without accountability and not without human oversight,\u201d Moran said in a <a href=\"https:\/\/moran.house.gov\/news\/documentsingle.aspx?DocumentID=2785\" target=\"_blank\" rel=\"noopener\">statement<\/a> announcing the legislation. \u201cThe rule of law should apply to this new frontier. 
This legislation ensures that when something goes wrong with a high-capability AI system, the US Government has the information needed to act quickly.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Broad range of reportable incidents<\/h2>\n<p>The proposal identifies a broad set of incidents that would require disclosure to the Commerce Department.<\/p>\n<p><a href=\"https:\/\/moran.house.gov\/uploadedfiles\/moratx_051_xml-_final_-_ai_incident_reporting_act.pdf\" target=\"_blank\" rel=\"noopener\">According to the bill<\/a>, developers would have to report attempts by covered AI models to evade human oversight, deceive operators, circumvent safeguards, resist shutdown, or obtain unauthorized access to systems or privileges.<\/p>\n<p>The reporting requirement would also apply to theft or attempted theft of model weights, capabilities that could materially enable offensive cyber operations against important software or critical infrastructure, autonomous development of more capable AI systems, and capabilities that could accelerate the development or use of chemical, biological, radiological, nuclear, or explosive weapons.<\/p>\n<p>The legislation also directs the Commerce Department to develop the capability thresholds in consultation with AI developers, academic researchers, cybersecurity experts, national security officials, and other stakeholders before issuing implementation guidance.<\/p>\n<p>Sanchit Vir Gogia, chief analyst at Greyhound Research, said the proposal would make reporting serious AI incidents a legal obligation rather than a voluntary practice for developers of frontier AI models.<\/p>\n<p>\u201cThe serious frontier developers already run the evaluations, the red-teaming and the escalation drills,\u201d Gogia said. 
\u201cWhat they have never faced at the federal level is a legal obligation to tell the government, on the clock, when a model behaves dangerously.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Reporting timelines and enforcement<\/h2>\n<p>The bill requires covered developers to submit an initial report within seven days of discovering a reportable incident and supplemental reports as additional information becomes available.<\/p>\n<p>The legislation also authorizes the Commerce Department to investigate compliance, issue subpoenas, require corrective action, and impose civil penalties of up to $2 million for violations. Each day of a continuing violation would constitute a separate violation, the bill states.<\/p>\n<p>Gogia said implementation could hinge on how regulators define reporting triggers.<\/p>\n<p>\u201cCapability thresholds are the visible difficulty, and not the deepest one. Thresholds decide which models enter the regime. Discovery decides whether the regime ever sees the fire,\u201d he said.<\/p>\n<p>Drawing a comparison with cybersecurity regulations, he said reporting requirements should clearly define when an incident becomes reportable.<\/p>\n<p>\u201cCyber reporting has already taught the lesson. A vague trigger produces either silence or noise: firms stay quiet until they are certain, or they file everything and bury the signal,\u201d Gogia said.<\/p>\n<h2 class=\"wp-block-heading\">Filling a gap a recent dispute exposed<\/h2>\n<p>The bill follows a US government action that exposed the absence of any such process. On June 12, the Commerce Department took action against the latest models from Anthropic, a US AI developer, on national security grounds, prompting the company to <a href=\"https:\/\/www.computerworld.com\/article\/4186538\/anthropic-fable-dispute-suggests-export-no-longer-means-what-it-used-to-2.html\">disable global access to those models<\/a>.<\/p>\n<p>\u201cExport control was the sledgehammer. 
This proposal is the search for a scalpel,\u201d Gogia noted. The measure is a narrower alternative to the <a href=\"https:\/\/obernolte.house.gov\/sites\/evo-subsites\/obernolte.house.gov\/files\/evo-media-document\/the-great-american-ai-act-discussion-draft-website-compressed-compressed.pdf\" target=\"_blank\" rel=\"noopener\">Great American Artificial Intelligence Act<\/a>, a broader discussion draft released earlier in June that also routes critical safety incidents to Commerce.<\/p>\n<p>The Commerce Department\u2019s Center for AI Standards and Innovation has separately signed agreements to <a href=\"https:\/\/www.csoonline.com\/article\/4168135\/us-government-agency-to-safety-test-frontier-ai-models-before-release-2.html\">evaluate leading models before deployment<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Compliance burden falls on enterprises<\/h2>\n<p>Gogia said the legal duty falls on the developer, but the operational cost reaches the customers. \u201cRegulation may name the lab, but the bill for poor visibility is settled downstream,\u201d he said.<\/p>\n<p>He said the hardest question is not which models qualify but when a reporting clock starts. \u201cThresholds decide which models enter the regime. Discovery decides whether the regime ever sees the fire,\u201d he said, adding that a model can pass laboratory tests yet behave differently once connected to live tools and enterprise data.<\/p>\n<p>The bill exempts submitted reports from public disclosure requirements and states that submitting a report would not waive trade secret protections or attorney-client privilege.<\/p>\n<p>\u201cThe instinct behind this bill is sound, but the balance cannot be scored from a press release,\u201d Gogia said. 
\u201cThe wording will decide everything.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>US lawmakers on Thursday introduced a bill that would require developers of advanced AI models to report major safety and security incidents to the Commerce Department, establishing a federal oversight framework for high-risk AI systems. The proposed AI Incident Reporting Act would mandate that developers of designated \u201ccovered models\u201d disclose incidents within seven days of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8606,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8605","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8605"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8605"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8605\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8606"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8605"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}