The Great American Artificial Intelligence Act (GAAIA), a draft bill announced by Representatives Jay Obernolte (R‑CA) and Lori Trahan (D‑MA), is a proposal for the first comprehensive federal AI bill tackling major artificial intelligence (AI) governance issues. The bill enacts transparency mandates, preempts some state laws, and builds state capacity for AI research and safety, education and workforce programs, cybersecurity, and international cooperation.
At over 300 pages, the bill is quite lengthy, but this blog will review its main provisions and explore how they could impact AI governance going forward. Future Cato work will likely examine some of these elements, such as the free expression implications, more closely. Additionally, it is likely this draft will evolve into multiple bills when formally introduced, and some of the policy elements may change accordingly.
Key Takeaways
Most major provisions of the bill, such as the establishment of CAISI (Center for Artificial Intelligence Standards and Innovation), the state law preemption, the transparency requirements, and the provisions on open access, have a sunset clause that ends in three years. While most of them give Congress the opportunity to reauthorize them, the bill would establish significant infrastructure and governance systems that would unwind over a relatively short period. This raises questions about the sustainability of the governance regime that such a comprehensive bill is supposed to set up.
While government-funded research faces recurrent issues, such as wasteful spending, regulatory capture, and the chilling of dissident voices, there is some upside to promoting underfunded research. There may be instances in which private R&D investments fail to reach potentially beneficial projects because those projects lack commercial viability. The research provisions can play a helpful role if they identify high-upside grant opportunities while avoiding these pitfalls.
The whistleblower protections established by the bill have a narrower focus than similar proposals at the state level. This makes them less vulnerable to potential abuse, such as where disgruntled employees could use an accusation as a shield against layoffs or firings.
The workforce protection section seems to place a higher focus on retraining and guiding potentially displaced workers. This replaces the strategies of heavy subsidy or micromanaging businesses’ staffing decisions through tax policy that others have proposed.
The cooperation among companies on safety issues, such as cybersecurity, can lead to pro-social and pro-consumer results. The extension of the antitrust liability shield on cyber-focused cooperation is a good method to promote intra-industry collaboration.
Building out CAISI, in its current shape and responsibility, could have positive impacts for the industry. It could become the backbone of voluntary cooperation agreements between the government and industry. Additionally, it will have a key role in international standard-setting and ensuring that US interests are advanced abroad. Having a team of AI experts within the government will hopefully also increase regulators’ understanding of the technology and lead to carefully considered regulatory proposals.
Provisions on Frontier AI Governance and Cybersecurity
On June 12, Anthropic announced that the government issued an export control directive suspending the use of its most recently released models, Claude Fable 5 and Mythos 5, by any foreign national, even if they reside in the US. Due to the complexity of the order, the company decided to suspend access to these models for all customers to ensure compliance. As some note, this was a previously uninvoked policy tool enacted after an obscure, unclear, and debatable evaluation of an alleged safety vulnerability in the Fable model. These events more closely resemble an informal, ad hoc evaluation process than an impartial, publicly known, pre-established governance regime that gives companies the certainty they can distribute their models after completing a clearly pre-set checklist of requirements. GAAIA seeks to lay the groundwork for a more stable regime primarily through two mechanisms. The first is a transparency reporting mandate subject to validation by independent third parties. The second is directing and funding the government to build the capacity to evaluate and validate audit results through its own body of technical experts.
Codification of CAISI
First and foremost, the bill codifies and expands funding for the Center for AI Standards and Innovation (CAISI). Under this statute, CAISI would primarily be responsible for conducting research and testing to support AI-related policymaking. Most notably, CAISI will be responsible for conducting independent, third-party evaluations of models’ capabilities, safety claims, and potential security vulnerabilities. It will also develop its own AI tools and manage the independent verification organization (IVO) regime established by the bill. The bill increases its current budget to $100 million per year, a sum that would cover forecasted operational costs while leaving a generous margin for error.
Given the government’s increasing role in AI model testing and evaluation and the decision to establish a voluntary testing regime for frontier AI models, ensuring that the government has the appropriate technical expertise is a logical step forward. CAISI will serve as the backbone of the aforementioned testing processes and will also inform any revisions or additions to the AI Risk Management Framework (RMF). As a voluntary framework created in cooperation with the private sector, the RMF has become a significant “soft law” tool to guide companies seeking to safely incorporate AI into their business processes and provide best practices for avoiding known AI-related risks. In addition to its research on domestic AI models, CAISI will also evaluate foreign models to provide policymakers with a clear picture of how the US AI sector is faring compared to its rivals in terms of capacity. Lastly, as the US and other nations discuss and negotiate international standards for AI development and deployment, CAISI will represent the US in standards-setting fora, ensuring that international standards align with the US’s interests.
Additionally, CAISI will be tasked with briefing Congress on any reports it receives from companies on catastrophic risks and critical safety incidents (more on that below), suggesting any updates to the definitions of “frontier developer,” “frontier model,” and “large developer” under GAAIA or other potential AI regulations, and identifying any gaps in legal authority that impede the Center from fulfilling its mission. The bill also applies a 3‑year sunset clause to all CAISI provisions.
Cybersecurity Act Amendments and Cyber-focused Policies on Open-access Models
GAAIA introduces various amendments to the Cybersecurity Act of 2015 to bolster cybersecurity efforts and resources in response to the release of advanced capability models. GAAIA would extend the Cybersecurity Information Sharing Act, a bill that promotes information sharing on cyber threats between companies by shielding them from antitrust enforcement when collaborating on cybersecurity grounds, from 2025 to 2035. Amendments to other sections explicitly authorize the use of cyber-focused AI models, creating legal certainty that these special-use AI models are authorized under the defensive uses stipulated in the bill. These amendments also ensure that AI-related threats are monitored under the current definition of “cyber threat indicator.”
The bill raises questions in its mandate that large frontier AI developers provide model access to widely used, critical open-source software maintainers. This provision, alongside a new grant program administered by the Cybersecurity and Infrastructure Security Agency (CISA) and CAISI, does not define what the bill considers “grant access.” Programs where trusted parties are given early access to advanced capability AI models, such as Anthropic’s Project Glasswing, are a good idea with few downsides. However, if it means mandating that tech companies must provide access to their services free of charge, the bill’s provisions could become more problematic. While it is understandable that policymakers want to support maintainers who usually do not get much in the way of compensation due to the nature of open-access models, the decision to offer access to AI models free of charge remains with the tech companies that develop them. Anything else would amount to significant government overreach. These provisions will sunset three years after the bill’s enactment.
Additionally, the bill tasks the Government Accountability Office (GAO) with crafting a report on open-source models. The report must evaluate the existing protections and security in open-source models and determine whether more are needed. While a facially harmless measure, this report could signal a willingness on the part of Congress to intervene and regulate the open-source community, a constant concern within the open-source AI community.
Transparency Regime
Another major provision of the bill is the introduction of a transparency reporting mandate for “large frontier AI developers,” defined as those with over $500 million in yearly revenue. The two main documents these developers must produce are a frontier AI framework and a transparency report for each model release. The framework outlines how the lab will approach all of its frontier AI models (including how it complies with national laws and standards), the potential for their products to pose a catastrophic risk and how they plan to mitigate it, how they determine whether to deploy or use a model, the use of third parties for risk assessment, and the cybersecurity measures in place to protect non-public model weights. This will essentially serve as an operational blueprint for the public and regulators to understand how the lab handles its most advanced models. Frameworks are to be reviewed annually, but the lab still holds the decision to update—or not—the existing framework.
The other document labs must produce is a transparency report, which must be released before or at the time the lab releases a new model or makes a “substantial modification” to an existing model. The report will include basic information about the model, such as its output modality, intended use, any generally applicable restrictions or conditions, and the assessments the lab conducted in accordance with its frontier AI framework. For both documents, labs can redact information to protect their trade secrets or for national security purposes.
This transparency regime is the first major regulation on AI governance, mainly focused on large developers. At its core, a transparency disclosure regime aims to lay the foundations for an industry self-governance scheme: these reports force companies to study and test the capabilities of their models; at the same time, they disclose to the public, especially regulators, what the intended uses of the model are, what risks are associated with their models, and how they plan to curb those risks. If anything goes wrong, regulators will be able to refer to these documents to determine whether the harm resulted from a company’s negligence or unforeseeable developments. Regulators will then use this knowledge to decide whether to take any enforcement action against the company in question.
In simpler terms, the regime forces companies to “show their work” and leave a paper trail. By forcing companies to know their products and to tell the public how to use them, including any potential risks, regulators and the public can refer back to that paper trail if something goes wrong. They can judge a company’s conduct after the fact and determine whether the incident was the company’s fault or a legitimate accident unforeseeable at the time. Companies have wide latitude to build models with risk potential, as long as they plan for those risks, and regulators will have a way to punish those who fail to disclose, report, or tell the truth. This gives labs flexibility to plan around risk as they see fit, while giving the government the tools to punish bad behavior.
Part of how the GAAIA avoids pitfalls associated with government-enforced transparency regimes is by requiring large frontier developers to retain an independent third party, or IVO, to audit the documents they must produce in accordance with the bill and a lab’s risk mitigation strategy. These IVOs must hold a valid license to be recognized as authorized auditors, and the bill establishes a licensing system. Under this bill, IVOs will be primarily overseen by CAISI, which will also be tasked with drafting and promulgating the rules and regulations governing this licensing scheme.
Once an IVO is licensed, labs must grant the IVO of their choice access to “unredacted materials, records, personnel, systems, and all other information reasonably necessary” to conduct the audits and assessments required by the bill. These audits will begin a year after the bill’s passage and continue on a semi-annual basis. The reports are to be delivered to the director of CAISI, but the AG, alongside state AGs, may request a copy of the report. IVOs may report any suspicion of a lab’s failure to comply with the bill to the AG or a state AG so that they can initiate an enforcement action. Once an IVO is licensed and found to have no wrongdoing, it will be immune from any lawsuit related to the audited lab’s model. It would only be liable if found to have engaged in “willful misconduct.” These provisions will sunset in 3 years, unless reauthorized by Congress.
The proposed licensing regime for these third-party auditors raises concerns about regulatory capture and other issues common to government-run licensing schemes. Nonetheless, relying on third parties provides greater independence from government interference and might serve as a stopgap against situations in which the government might cry wolf by using unfounded safety claims to block the development of models by politically disfavored companies.
Preemption of State Laws on AI Development
One of GAAIA’s most ambitious provisions is its preemption of state laws applicable to AI developers. The preemption language explicitly excludes laws of general applicability, common law remedies, or laws regulating AI use or deployment. It will sunset in 3 years unless Congress reauthorizes it.
The novelty of GAAIA’s approach to state preemption of AI laws, compared to past preemption efforts, is the segmentation of the AI stack into two: AI development becomes a federal issue, while deployment and use regulation is left to the states. As some have highlighted, this approach resembles what is already seen in the automobile industry, where car manufacturing is handled at the federal level—via car safety rules—while states regulate how cars are operated in their territories.
While this narrowed-down preemption would help curtail some of the costs of the state AI patchwork currently brewing, it still faces challenges. As with other digital technologies, state-level regulations tend to have a spillover effect, and a law passed in California or New York might still be applicable even when the user is physically located in another state. While it is theoretically reasonable to think that states could contain their regulations on deployment and use from spilling over into other jurisdictions, in reality, it is still likely that tech companies will adopt a state statute as a de facto national standard.
Provisions on Education and the Workforce
The draft does not merely seek to establish a regulatory framework, but also to prepare Americans for what they may encounter as AI is incorporated into various aspects of the economy. Technological disruption has created uncertainty; however, existing data indicate that AI is transforming and enhancing, rather than replacing, the American workforce. Even in professions most considered “at risk” of being replaced, early indications illustrate the jobs-doomsday might not be what was anticipated. With this in mind, the Obernolte-Trahan proposal seeks to prepare both students and workers for integrating this technology, not fearing it.
Educational Programs
The bill creates a wide range of educational programs to inform students, prepare educators, and ensure that higher education institutions have the infrastructure to offer AI-related programs and can attract the talent needed to support them. It tasks the National Science Foundation (NSF) with directing awards for research on preparing K‑12 students and educators for AI literacy programming, awards to increase AI-related staff in higher education, and a scholarship and fellowship program to attract students to AI higher education programs. It also tasks the NSF with establishing eight “Centers of AI Excellence,” which will serve as regional AI hubs for community colleges and technical education schools to develop workforce programs and integrate AI into their teaching.
Labor Market Monitoring
GAAIA also establishes various mechanisms to monitor the state of the economy as it adapts to AI-driven changes in job demand. It directs the Department of Labor (DOL) to initiate a request for comments to improve data collection, forecasting, and workforce tools for the study of AI’s impact on the workforce. It must also set up an initial expert workshop to discuss the suggestions received through this open comment period. 45 days after this workshop, the DOL must produce a report with suggestions for at least 5 datasets, metrics, or analyses to improve AI-related labor market monitoring, which can be produced within 2 years. Subsequent workshops should be held at least annually, with no obligation to produce a report. It also calls for additional hiring of AI experts in the DOL.
Additionally, the bill establishes an AI Workforce Research Hub that will conduct recurring analyses of AI’s workforce impact, conduct scenario planning, and generate actionable policy insights. It also establishes various grant award programs to modernize DOL’s monitoring and forecasting tools. The bill proposes a voluntary program for AI developers to share proprietary information on AI adoption, with guardrails to prevent the disclosure of trade secrets or sensitive information to the public.
Conclusion
GAAIA’s first attempt at establishing a sustainable, clear, and predictable governance system for AI seems to strike a balance between addressing most safety concerns about advanced capability models and avoiding overly prescriptive pre-release vetting regimes. As the recent Fable 5 fallout shows, this is an instance where light-touch regulation can have pro-innovation effects by replacing unpredictable, ad hoc regimes that largely rely on regulators’ discretion. GAAIA’s reliance on IVOs as the key verifier of safety claims will increase both resilience against potential government overreach and public trust in the government’s and industry’s safety claims. The bill also addresses the uncertainty and compliance costs induced by the patchwork approach by federalizing a significant part of the technological stack, but questions remain about how effective this developer-deployer division will be.
Perhaps the greatest concern is that, for a regime that aims to pave the way for the industry to evolve for years to come, most of its governance structure is set to wind down in three years. This would subject this complex governance system to the whims of volatile political winds, potentially erasing any progress achieved during the three-year period if these provisions are not reauthorized.
The bill correctly identifies areas where the government can better prepare for the further adoption of AI, including ramping up cybersecurity capabilities, preparing educators, and updating how economic data are studied. The creation of CAISI will also improve government preparedness by amassing a staff with technical expertise to accurately evaluate a model’s capabilities and to represent the country’s interests in international fora for standard-setting. Building state capacity and preparing them to properly adapt to the AI era should be a priority for policymakers, and the bill correctly identifies that need.












