
Code · BILL · 118th Congress · S. 3312 (Reported in Senate) — To provide a framework for artificial intelligence innovation and accountability, and for other purposes. · Sec. 206

Sec. 206. Risk management assessment for critical-impact artificial intelligence systems

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Each critical-impact AI organization shall perform a risk management assessment in accordance with this section.

Each critical-impact AI organization shall— not later than 30 days before the date on which a critical-impact artificial intelligence system is made publicly available by the critical-impact AI organization, perform a risk management assessment; and not less frequently than biennially during the period beginning on the date of enactment of this Act and ending on the date on which the applicable critical-impact artificial intelligence system is no longer being made publicly available by the critical-impact AI organization, as applicable, conduct an updated risk management assessment that— may find that no significant changes were made to the critical-impact artificial intelligence system; and provides, to the extent practicable, aggregate results of any significant deviation from expected performance detailed in the assessment performed under subparagraph (A) or the most recent assessment performed under this subparagraph.

Not later than 90 days after the date of completion of a risk management assessment by a critical-impact AI organization under this section, the critical-impact AI organization shall submit to the Secretary a report— outlining the assessment performed under this section; and that is in a consistent format, as determined by the Secretary.

Subject to subsection (d), the Secretary may request that a critical-impact AI organization submit to the Secretary any related additional or clarifying information with respect to a risk management assessment performed under this section.

The Secretary may not prohibit a critical-impact AI organization from making a critical-impact artificial intelligence system available to the public based on the review by the Secretary of a report submitted under paragraph (3)(A) or additional or clarifying information submitted under paragraph (3)(B).

Each assessment performed by a critical-impact AI organization under subsection (a) shall describe the means by which the critical-impact AI organization is addressing, through a documented TEVV process, the following categories:

Policies, processes, procedures, and practices across the organization relating to transparent and effective mapping, measuring, and managing of artificial intelligence risks, including— how the organization understands, manages, and documents legal and regulatory requirements involving artificial intelligence; how the organization integrates characteristics of trustworthy artificial intelligence, which include valid, reliable, safe, secure, resilient, accountable, transparent, globally and locally explainable, interpretable, privacy-enhanced, and fair with harmful bias managed, into organizational policies, processes, procedures, and practices; a methodology to determine the needed level of risk management activities based on the organization’s risk tolerance; and how the organization establishes risk management processes and outcomes through transparent policies, procedures, and other controls based on organizational risk priorities.

The structure, context, and capabilities of the critical-impact artificial intelligence system or critical-impact foundation model, including— how the context was established and understood; capabilities, targeted uses, goals, and expected costs and benefits; and how risks and benefits are mapped for each system component.

A description of how the organization employs quantitative, qualitative, or mixed-method tools, techniques, and methodologies to analyze, assess, benchmark, and monitor artificial intelligence risk, including— identification of appropriate methods and metrics; how artificial intelligence systems are evaluated for trustworthy characteristics; mechanisms for tracking artificial intelligence system risks over time; and processes for gathering and assessing feedback relating to the efficacy of measurement.

A description of allocation of risk resources to map and measure risks on a regular basis as described in paragraph (1), including— how artificial intelligence risks based on assessments and other analytical outputs described in paragraphs (2) and (3) are prioritized, responded to, and managed; how strategies to maximize artificial intelligence benefits and minimize negative impacts were planned, prepared, implemented, documented, and informed by input from relevant artificial intelligence deployers; management of artificial intelligence system risks and benefits; and regular monitoring of risk treatments, including response and recovery, and communication plans for the identified and measured artificial intelligence risks, as applicable.

The developer of a critical-impact artificial intelligence system that agrees through a contract or license to provide technology or services to a deployer of the critical-impact artificial intelligence system shall provide to the deployer of the critical-impact artificial intelligence system the information reasonably necessary for the deployer to comply with the requirements under subsection (a), including— an overview of the data used in training the baseline artificial intelligence system provided by the developer, including— data size; data sources; copyrighted data; and personal identifiable information; documentation outlining the structure and context of the baseline artificial intelligence system of the developer, including— input modality; output modality; model size; and model architecture; known capabilities, limitations, and risks of the baseline artificial intelligence system of the developer at the time of the development of the artificial intelligence system; and documentation for downstream use, including— a statement of intended purpose; guidelines for the intended use of the artificial intelligence system, including a list of permitted, restricted, and prohibited uses and users; and a statement of the potential for deviation from the intended purpose of the baseline artificial intelligence system.

The obligation of a critical-impact AI organization to provide information, upon request of the Secretary, relating to a specific assessment category under subsection (b) shall end on the date of issuance of a relevant standard applicable to the same category of a critical-impact artificial intelligence system by— the Secretary under section 207(c) with respect to a critical-impact artificial intelligence system; another department or agency of the Federal Government, as determined applicable by the Secretary; or a non-governmental standards organization, as determined appropriate by the Secretary.

In adopting any standard applicable to critical-impact artificial intelligence systems under section 207(c), the Secretary shall— identify the category under subsection (b) to which the standard relates, if any; and specify the information that is no longer required to be included in a report required under subsection (a) as a result of the new standard.

Nothing in this section shall be construed to require a critical-impact AI organization, or permit the Secretary, to disclose any information, including data or algorithms— relating to a trade secret or other protected intellectual property right; that is confidential business information; or that is privileged.