US lawmakers introduced legislation Thursday that would require developers of advanced AI models to report major safety and security incidents to the Commerce Department within seven days, creating a federal oversight framework for high-risk AI systems. The AI Incident Reporting Act aims to ensure the government can act quickly when a high-capability model behaves dangerously, moving beyond the voluntary practices the industry has relied on until now.
"AI is a powerful engine of innovation, and I want to see it flourish, but not without accountability and not without human oversight," Senator Jerry Moran said in a statement. "The rule of law should apply to this new frontier. This legislation ensures that when something goes wrong with a high-capability AI system, the US Government has the information needed to act quickly."
Scope of reportable incidents
The bill casts a wide net over the kinds of events developers must report. Under the proposal, a covered model that attempts to evade human control, deceive operators, bypass safeguards, resist shutdown, or gain unauthorized access to systems would trigger disclosure. The requirement also applies to theft or attempted theft of model weights, capabilities that could enable offensive cyber operations against critical infrastructure, autonomous development of more capable AI systems, and capabilities that might accelerate chemical, biological, radiological, nuclear, or explosive weapons work.
The legislation directs the Secretary of Commerce to set capability thresholds in consultation with developers, researchers, cybersecurity experts, and national security officials. Those thresholds will determine which models and developers fall under the reporting mandate.
Reporting timeline and enforcement
Covered developers would need to file an initial report within seven days of discovering a reportable incident, with supplemental reports as more information emerges. When an incident poses an imminent or ongoing risk of serious harm, the Commerce Department must notify congressional leadership and relevant committee chairs within 48 hours of receiving the report.
The bill gives the Commerce Department authority to investigate compliance, issue subpoenas, demand corrective action, and levy civil penalties of up to $2 million per violation. Each day a violation continues counts as a separate violation. Sanchit Vir Gogia, chief analyst at Greyhound Research, said the measure turns a voluntary practice into a legal requirement. "The serious frontier developers already run the evaluations, the red-teaming and the escalation drills," Gogia said. "What they have never faced at the federal level is a legal obligation to tell the government, on the clock, when a model behaves dangerously."
Why the bill was introduced now
The proposal follows a Commerce Department action on June 12 that blocked global access to the latest models from Anthropic on national security grounds, revealing the absence of any formal incident-reporting mechanism. "Export control was the sledgehammer. This proposal is the search for a scalpel," Gogia said. The bill is a narrower alternative to the Great American Artificial Intelligence Act, a broader discussion draft released earlier in June that also routes critical safety incidents to Commerce. Separately, the department's Center for AI Standards and Innovation has signed agreements to evaluate leading models before deployment.
Operational and legal implications
While the legal duty falls on the AI developer, Gogia warned that the operational cost reaches downstream customers. "Regulation may name the lab, but the bill for poor visibility is settled downstream," he said. The hardest question, he added, is not which models qualify as covered but when the reporting clock starts: a model can pass laboratory tests yet behave differently once connected to live tools and enterprise data. Gogia drew a parallel to cybersecurity reporting. "A vague trigger produces either silence or noise: firms stay quiet until they are certain, or they file everything and bury the signal," he said.
The bill exempts submitted reports from public disclosure and states that filing a report does not waive trade secret protections or attorney-client privilege.
Why this matters for legal professionals
Client advisories will need to reflect a new compliance obligation that did not previously exist at the federal level. In-house counsel and outside advisors must parse the final capability thresholds, shape internal escalation protocols to meet the seven-day clock, and balance disclosure requirements with trade secret protections. The difference between a reportable incident and a false alarm will often depend on how discovery is defined, an ambiguity that, as Gogia noted, can bury meaningful signals. Legal teams that understand both the technical triggers and the regulatory intent will be best positioned to help clients avoid penalties while maintaining the confidentiality of proprietary model information.