Transparency Report Requirements
Registered foundation model developers must publish annual transparency reports covering five areas, per Title III of the bill:
Safety testing results. Standardized format aligned with NIST AI RMF 2.0. Red teaming summaries, benchmark scores on a defined federal evaluation suite, and documented known failure modes. Companies are not required to publish raw evaluation data — only aggregate summaries.
Incident reports. Any deployment incident where the model produced outputs causing "reasonably foreseeable significant harm" must be reported to NIST within 72 hours of discovery. The definition of significant harm includes financial loss exceeding $50,000, physical injury, or systematic discrimination against a protected class. Incidents are published in a public registry after a 30-day de-identification review.
Capability updates. Model updates that "materially change capabilities" require re-disclosure within 30 days. The bill defines material change as any update that changes benchmark performance by more than 10% on the federal evaluation suite.
Third-party access for research. Registered models must provide API access to researchers designated by NIST within 180 days of registration. Access is for red teaming and safety research, subject to a standardized research use agreement.
Compute disclosure. Training compute in FLOP-equivalent, hardware type, and geographic location of training runs. This is the provision that created the most controversy in draft reviews — it gives regulators visibility into which companies are approaching the next compute threshold even before a new model ships.
High-Risk AI System Requirements
Title IV creates a separate regulatory tier for “high-risk AI systems” — AI deployed in consequential decision contexts. The initial high-risk categories defined in the bill are:
- Healthcare diagnosis or treatment recommendations
- Criminal justice (sentencing, bail, probation decision support)
- Employment screening (hiring, promotion, termination decisions)
- Educational assessment (grading, admissions)
- Credit scoring and lending decisions
- Critical infrastructure control systems
High-risk AI systems deployed in these categories by organizations with more than $10M in annual revenue must:
- Conduct and document a risk assessment before deployment
- Maintain human oversight that can override AI decisions in real time
- Provide individuals subject to high-risk AI decisions the right to request human review
- Conduct annual audits by an approved third-party auditor
The $10M revenue threshold exempts most startups but captures mid-market companies. A Series A startup building a hiring tool is exempt. A $15M ARR company is not.
What Developers Building on Foundation Models Need to Know
The compliance burden for most developers is lower than the bill’s length suggests. The registration and transparency requirements fall on foundation model developers, not application builders. The high-risk AI requirements apply only to specific deployment contexts. For a developer building a coding assistant, content generation tool, or productivity application, the direct compliance obligations are minimal.
The practical impacts for application developers:
No new consent requirements for general AI tools. Unless your application falls into the enumerated high-risk categories, the bill does not create new user consent or disclosure requirements beyond existing consumer protection law. CCPA and state privacy laws still apply.
API providers will add compliance metadata. Expect OpenAI, Anthropic, and Google to add model registration information to their API documentation within six months of enactment. This may include standardized model capability cards required under Title II disclosure standards.
Incident reporting flows upstream. If your application causes a significant harm incident through model outputs, you are likely obligated to report to the foundation model developer under API terms of service. The developer then decides whether to report to NIST. You may need to document incidents for potential disclosure even if you are not the registrant.
High-risk applications need a compliance track. If you are building in healthcare, employment screening, credit, or criminal justice, start mapping your workflow to the high-risk requirements now. The 180-day implementation timeline in the bill (if enacted this year) is tight for organizations that need to add human oversight infrastructure from scratch.
Timeline and Legislative Prospects
The bill was introduced in the House as a discussion draft, not a formally filed bill. The next steps are committee markup (likely the House Energy and Commerce Committee and the Senate Commerce Committee) followed by floor votes.
The bipartisan sponsorship is real but fragile. Obernolte and Trahan represent opposite ends of the AI regulatory spectrum — Obernolte has historically opposed heavy AI regulation; Trahan sponsored the Algorithmic Accountability Act in 2022. The bill represents genuine compromise, which means both sides of the AI policy debate have objections to specific provisions.
Current estimates from Hill staff familiar with the bill: committee markup in August 2026, potential floor vote before year-end if no major amendments derail it. A fully enacted law with implementing regulations is more likely an early-2027 outcome. The three-year preemption clock would not start until the bill is signed into law.
For developers, the practical implication: do not wait for enactment to start compliance planning for high-risk applications. The federal requirements in this bill largely track the EU AI Act’s risk-tiering approach. If you have already done EU AI Act compliance work, the incremental effort for US compliance under this framework is manageable.
How the Bill Compares to the EU AI Act
The EU AI Act entered full enforcement on August 2, 2026. A direct comparison:
| Dimension | Great American AI Act (proposed) | EU AI Act (in force) |
| --- | --- | --- |
| Foundation model registration | Yes, NIST registry | Yes, EU AI Office |
| High-risk categories | 6 enumerated | 13 enumerated (broader) |
| State/member-state preemption | Yes, 3-year moratorium | Yes, full harmonization |
| Open-source model exemptions | Below 10^25 FLOP threshold | Limited (general-purpose model rules apply) |
| Penalties for non-compliance | Up to $15M or 2% of global revenue | Up to €30M or 6% of global revenue |
| Effective date | 2027 at earliest (if enacted) | August 2026 |
The US bill is lighter on penalties and has a narrower set of high-risk categories, reflecting the different legislative environment. It lacks the EU Act’s prohibited uses list (social scoring, real-time remote biometric surveillance in public spaces), which was the most contentious part of the EU framework.
People Also Ask
Does the Great American AI Act ban AI-generated content without disclosure?
No. The current draft does not include a general AI content disclosure mandate. It requires transparency reports from foundation model developers and human oversight in high-risk deployment contexts, but does not impose watermarking or labeling requirements on AI-generated text, images, or code. The Federal Synthetic Content Transparency Act (a separate bill) addresses content labeling, and the two bills may be reconciled in committee.
Would California’s AI laws actually be frozen by this bill?
Yes, if enacted as drafted. Section 14 preempts state AI-specific laws enacted after January 1, 2024. California has been the most active state AI legislature. SB 1047 (vetoed by Newsom in 2024), AB 2013 (signed), and any 2025/2026 AI safety bills would be suspended for three years. California’s Attorney General has already signaled opposition to the preemption clause, and this is the most likely point of bipartisan breakdown in Senate markup.
Does the bill apply to open-source AI models?
Models below the 10^25 FLOP training compute threshold are exempt from foundation model registration. That covers most open-source models under 70B parameters. Larger open-source models like Meta’s Llama 4 variants that exceed the threshold would be subject to registration if Meta commercially deploys them. The bill defines "commercial deployment" as making a model available to third parties for compensation — releasing weights under an open license without commercial terms could qualify for a separate open-source exemption detailed in Section 8.
When would AI startups need to be compliant if the bill passes?
The bill specifies 180-day implementation periods for most requirements after enactment. High-risk AI systems get 365 days for the annual audit requirement. Given the expected legislative timeline (floor vote late 2026 if optimistic), compliance deadlines for most provisions fall in mid-to-late 2027. Start compliance planning now for high-risk categories — the human oversight infrastructure requirement in particular takes significant lead time to build.