
US Bill Mandates AI Risk Reporting as Legal Obligation

The Point: The proposed U.S. federal law makes reporting of severe AI security incidents a legal requirement with a seven-day deadline and penalties up to $2 million per violation.

The proposed “AI Incident Reporting Act” would require developers of high-performance AI models to report serious security incidents to the U.S. Department of Commerce within seven days. The bill would establish, for the first time, a federal oversight framework for high-risk AI systems, backed by fines of up to $2 million per violation.

The bill obligates developers of so-called “covered models” (models above performance thresholds that the Department has yet to set) to report incidents as soon as they become aware of them, or reasonably should have become aware of them. Where there is an immediate risk of serious harm, the Department of Commerce must inform congressional leadership and the relevant House and Senate committees within 48 hours.

Reportable incidents include, among others, attempts by a model to evade human control, deceive its operators, circumvent safety or security measures, resist shutdown, or gain unauthorized access to systems. Also covered are theft or attempted theft of model weights, capabilities that specifically enable cyberattacks on critical infrastructure, autonomous development of more capable systems, and techniques that could accelerate the development or deployment of weapons with mass-destruction potential.

Sanchit Vir Gogia of Greyhound Research emphasizes: This regulation establishes for the first time a legal reporting obligation rather than voluntary practice. Leading AI developers have already conducted evaluations and security tests — but not under federal legal obligation and time constraints.

The Department of Commerce would gain authority to conduct compliance inspections, issue subpoenas, order remedial measures, and impose fines of up to $2 million, with each further violation treated as a separate offense. The performance thresholds are to be set by the Department in consultation with developers, academic researchers, cybersecurity experts, and national security officials.

A critical point is the definition of the reporting thresholds themselves. Vague categories lead either to underreporting or to a flood of uninformative reports, a problem already familiar from cybersecurity incident-reporting regulation. The bill's practical effectiveness will depend on how precisely regulators specify when an incident crosses the threshold.


Source: www.csoonline.com · Published June 26, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
