Bottom line: The “AI Incident Reporting Act” draft makes reporting of critical AI incidents a legal obligation instead of voluntary practice, with penalties of up to two million dollars.
US lawmakers have introduced a draft law that would require developers of advanced AI models to report serious safety and security incidents to the Commerce Department within seven days. If enacted, it would create the first federal regulatory framework for high-risk AI systems.
The “AI Incident Reporting Act” draft requires developers of so-called “covered models” to disclose incidents no later than seven days after they become aware of an incident or should reasonably have become aware of one. The US Commerce Department must in turn notify the leadership of Congress and relevant committees of the House and Senate within 48 hours of receiving notification when incidents pose immediate or ongoing risks of serious harm.
The draft law directs the Secretary of Commerce to define capability thresholds that determine which AI models and developers are subject to the reporting requirement. Reportable incidents include attempts by AI models to circumvent human oversight, deceive operators, bypass safeguards, resist shutdown, or gain unauthorized access to systems. Additionally, theft or attempted theft of model weights, capabilities that could enable offensive cyber operations against critical infrastructure, autonomous development of more capable AI systems, and capabilities to accelerate the development or deployment of chemical, biological, radiological, nuclear, or explosive weapons must be reported.
The Commerce Department would be granted authority to investigate compliance, issue subpoenas, order corrective measures, and impose fines of up to two million dollars per violation, with each day of a continuing violation counted as a separate violation. The bill also directs the Commerce Department to set those capability thresholds in consultation with AI developers, academic researchers, cybersecurity experts, security officials, and other stakeholders before issuing concrete implementation requirements.
For chief data officers (CDOs) and compliance officers, the bill would mean building a new reporting infrastructure and meeting clear documentation obligations similar to those under existing cybersecurity regulation. The challenge is that vaguely defined capability thresholds could lead to either under-reporting or over-reporting. Experts such as Sanchit Vir Gogia of Greyhound Research point out that while frontier AI developers already conduct red-teaming and evaluations, they have not previously faced a federal legal obligation to promptly report dangerous model behavior.
Source: www.csoonline.com · Published June 26, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.