Last week, a bipartisan group of House lawmakers released a draft proposal that could prohibit states from regulating the development of artificial intelligence (AI) models while preserving a state’s ability to regulate how AI systems can be used.
Rep. Lori Trahan (D-Mass.) and Rep. Jay Obernolte (R-Calif.) introduced the “Great American Artificial Intelligence Act” (GAAIA), which is intended to create a national framework for AI governance and avoid a patchwork of state-level rules. The bill proposes preempting states from issuing their own laws regulating the development of AI models for three years, and instead seeks to establish a single federal standard.
It also follows recent White House efforts focused on AI and cybersecurity.
“The proposed Great American Artificial Intelligence Act fundamentally shifts the regulatory burden for security leaders by establishing a sharp division between AI model development and deployment,” explained John Carberry, solution sleuth at AI cybersecurity provider Xcape, Inc.
By introducing a federal preemption window that bars states from requiring pre-release testing, the draft legislation protects frontier model developers from a fractured regulatory landscape, Carberry told ClearanceJobs, adding that it could still leave downstream enterprise deployers fully exposed to local compliance mandates.
“Security executives must recognize that while centralized federal oversight stabilizes the development pipeline, the operational responsibility for secure deployment, fraud prevention, and usage compliance still rests squarely on corporate infrastructure.”
Creation of Center for AI Standards And Innovation
The GAAIA would formally codify the Center for AI Standards and Innovation (CAISI) within the Department of Commerce, and authorize $100 million per fiscal year to develop voluntary security guidelines and to evaluate future AI systems.
Moreover, it would require large frontier developers to report critical safety incidents to the federal government, and require the establishment of a testbed for public-private AI evaluation. It would enforce penalties for using AI to impersonate government officials.
However, some consumer advocates have argued it could limit states’ ability to address AI-related harms in the process.
“The creation of the Center for AI Standards and Innovation makes a lot of sense,” said Steven Swift, managing director of cybersecurity provider Suzu Labs.
Swift told ClearanceJobs that there “should absolutely” be a funded organization that is charged with creating voluntary standards and recommendations, to provide guidelines, guidance, and advisory to the AI industry.
“One of the reasons that technology laws and regulations are so difficult to get right is that the technology moves faster than government,” Swift added. “Government-funded advisory agencies are one of the few areas where government is better able to keep up, due to the nature of these organizations having a narrower mission statement.”
Risky Business
Frontier AI companies face pressure to deploy, and the industry’s focus remains on rapid scale and efficiency over safety, systemic security and catastrophic risk mitigation.
“The requirement for large frontier developers to publish an AI framework covering their approach to risk, cybersecurity, and incident response seems low value,” warned Swift. “It provides additional compliance overhead with little to no meaningful impact. Especially since this data is intended to be public, organizations will release conservative statements that say ‘of course we try to do well’ without it having any meaningful impact on how well they handle these topics internally.”
However, there are concerns that GAAIA could be too overreaching, and that could impact AI development.
“So long as this only impacts the largest AI model developers, it is minimally intrusive,” suggested Swift. “Larger organizations are more easily able to field a team of compliance personnel to handle their compliance tasks, without it having a large impact on production. I would caution against applying the same requirements to small organizations, to which the compliance cost can be a much higher proportion of their cost of doing business.”
By contrast, Swift further warned that the whistleblower protections as proposed are too weak, telling ClearanceJobs that it is common for whistleblower protections generally.
“This is one area where regulation should be stronger, would materially benefit society, and would be reasonable for regulators to keep pace with the technology,” Swift continued.
State’s Rights
There is also the belief that it should be the federal government that oversees the development of AI, as it is something that impacts residents across the country and should not be stopped at the state line. This can prevent a chaotic patchwork of conflicting state laws and establish a uniform national safety standard.
The White House has already argued that such a centralized approach could also ensure consistent consumer protections and secure critical infrastructure. It could further prevent regulatory arbitrage where developers would also seek to relocate to a state with fewer guardrails.
However, we’ve already seen that several states, including California, Colorado, and New York, have enacted their own AI laws, which creates a complicated compliance landscape that has driven up legal costs. As Swift noted, it has disproportionately harmed smaller startups and developers.
“The proposed ban on states regulating the development of models makes sense to me,” Swift explained. “Model development is not really a state issue. What really matters is how models are used once they have been developed and released. States would be better served by focusing regulation on consumer protection, and on how the resulting AI-powered software is used, and how it treats data of their citizens. This covers a mix of privacy, security, and trade.”
In the short-term, there will likely be a system with regulations at both the state and federal level. That is likely to cause a burden to the developers, and will be their responsibility to address the emerging regulations.
“To prepare for this dual-track regulatory environment,” said Carberry, “organizations must formalize internal risk validation frameworks that mimic federal pre-release testing guidelines, audit deployment pipelines to detect and mitigate AI-enabled fraud vectors, and establish robust logging and baseline tracking to ensure compliance with localized usage restrictions.”
