Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · BILL · 118th Congress · S. 4495 (Reported in Senate) — To enable safe, responsible, and agile procurement, development, and use of artificial intelligence by the Federal Go... · Sec. 8

Sec. 8. Agency requirements for use of artificial intelligence

1,813 words·~8 min read·/bill/118/s/4495/rs/section-8

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

Not later than 180 days after the effective date in section 7(b), the Chief Artificial Intelligence Officer of each agency, in coordination with the Artificial Intelligence Governance Board of the agency, shall develop and implement a process for the identification and evaluation of risks posed by the deployment of artificial intelligence in agency use cases to ensure an interdisciplinary and comprehensive evaluation of potential risks and determination of risk classifications under such section.
The risk evaluation process described in paragraph (1), shall include, for each artificial intelligence use case— identification of the risks and benefits of the artificial intelligence use case; a plan to periodically review the artificial intelligence use case to examine whether risks have changed or evolved and to update the corresponding risk classification as necessary; a determination of the need for targeted impact assessments to further evaluate specific risks of the artificial intelligence use case within certain impact areas, which shall include privacy, security, civil rights and civil liberties, accessibility, environmental impact, health and safety, and any other impact area relating to high risk classification under section 7(a)(2)(D) as determined appropriate by the Chief Artificial Intelligence Officer; and if appropriate, consultation with and feedback from affected communities and the public on the design, development, and use of the artificial intelligence use case.
With respect to each use case that an agency is planning, developing, or using on the date of enactment of this Act, not later than 1 year after such date, the Chief Artificial Intelligence Officer of the agency shall identify and review the use case to determine the risk classification of the use case, pursuant to the risk evaluation process under paragraphs
(1)and (2). Beginning on the date of enactment of this Act, the Chief Artificial Intelligence Officer of an agency shall identify and review any artificial intelligence use case that the agency will plan, develop, or use and determine the risk classification of the use case, pursuant to the risk evaluation process under paragraphs
(1)and (2), before procuring or obtaining, developing, or using the use case. For any use case described in clause
(i)that is developed by the agency, the agency shall perform an additional risk evaluation prior to deployment in a production or operational environment. Risk classification of an artificial intelligence use case shall be accompanied by an explanation from the agency of how the risk classification was determined, which shall be included in the artificial intelligence use case inventory of the agency, and written referencing the model template developed by the Director under section 5(f)(1)(D). Beginning on the date that is 180 days after the date of enactment of this Act, any time during developing, procuring or obtaining, or using artificial intelligence, an agency shall require, as determined necessary by the Chief Artificial Intelligence Officer, that the deployer and any relevant developer submit documentation about the artificial intelligence, including— a description of the architecture of the artificial intelligence, highlighting key parameters, design choices, and the machine learning techniques employed; information on the training of the artificial intelligence, including computational resources utilized; an account of the source of the data, size of the data, any licenses under which the data is used, collection methods and dates of the data, and any preprocessing of the data undertaken, including human or automated refinement, review, or feedback; information on the management and collection of personal data, outlining data protection and privacy measures adhered to in compliance with applicable laws; a description of the methodologies used to evaluate the performance of the artificial intelligence, including key metrics and outcomes; and an estimate of the energy consumed by the artificial intelligence during training and inference. Beginning on the date that is 270 days after the date of enactment of this Act, with respect to use cases categorized as medium risk or higher, an agency shall require that the deployer of artificial intelligence, in consultation with any relevant developers, submit (including proactively, as material updates of the artificial intelligence occur) the following documentation: Detailed information on the model or models used in the artificial intelligence, including model date, model version, model type, key parameters (including number of parameters), interpretability measures, and maintenance and updating policies. A detailed description of training algorithms, methodologies, optimization techniques, computational resources, and the environmental impact of the training process. A detailed description of the training and testing data, including the origins, collection methods, preprocessing steps, and demographic distribution of the data, and known discriminatory impacts and mitigation measures with respect to the data. Detailed information on data handling practices, including compliance with legal standards, anonymization techniques, data security measures, and whether and how permission for use of data is obtained. A comprehensive disclosure of performance evaluation metrics, including accuracy, precision, recall, and fairness metrics, and test dataset results. Documentation demonstrating compliance with the most recently updated version of the framework developed and updated pursuant to section 22A(c) of the National Institute of Standards and Technology Act ( 15 U.S.C. 278h–1(c) ). Not later than 1 year after the date of enactment of this Act, the Comptroller General shall conduct a review of the documentation requirements under paragraphs
(1)and
(2)to— examine whether agencies and deployers are complying with the requirements under those paragraphs; and make findings and recommendations to further assist in ensuring safe, responsible, and efficient artificial intelligence. The head of each agency shall ensure that appropriate security measures and access controls are in place to protect documentation provided pursuant to this section. Information provided to an agency under subsection (b)(3) is exempt from disclosure under section 552 of title 5, United States Code (commonly known as the Freedom of Information Act ) and may be used by the agency, consistent with otherwise applicable provisions of Federal law, solely for— assessing the ability of artificial intelligence to achieve the requirements and objectives of the agency and the requirements of this Act; and identifying— adverse effects of artificial intelligence on the rights or safety factors identified in section 7(a)(2)(D); cyber threats, including the sources of the cyber threats; and security vulnerabilities. Beginning on the date that is 1 year after the date of enactment of this Act, the head of an agency shall not deploy or use artificial intelligence for a high risk use case prior to— collecting documentation of the artificial intelligence, source, and use case in agency software and use case inventories; testing of the artificial intelligence in an operational, real-world setting with privacy, civil rights, and civil liberty safeguards to ensure the artificial intelligence is capable of meeting its objectives; establishing appropriate agency rules of behavior for the use case, including required human involvement in, and user-facing explainability of, decisions made in whole or part by the artificial intelligence, as determined by the Chief Artificial Intelligence Officer in coordination with the program manager or equivalent agency personnel; and establishing appropriate agency training programs, including documentation of completion of training prior to use of artificial intelligence, that educate agency personnel involved with the application of artificial intelligence in high risk use cases on the capacities and limitations of artificial intelligence, including training on— monitoring the operation of artificial intelligence in high risk use cases to detect and address anomalies, dysfunctions, and unexpected performance in a timely manner to mitigate harm; lessening reliance or over-reliance on the output produced by artificial intelligence in a high risk use case, particularly if artificial intelligence is used to make decisions impacting individuals; accurately interpreting the output of artificial intelligence, particularly considering the characteristics of the system and the interpretation tools and methods available; when to not use, disregard, override, or reverse the output of artificial intelligence; how to intervene or interrupt the operation of artificial intelligence; limiting the use of artificial intelligence to its operational design domain; and procedures for reporting incidents involving misuse, faulty results, safety and security issues, and other problems with use of artificial intelligence that does not function as intended. The Chief Artificial Intelligence Officer of each agency shall— establish a reporting system, consistent with section 5(g), and suspension and shut-down protocols for defects or adverse impacts of artificial intelligence, and conduct ongoing monitoring, as determined necessary by use case; oversee the development and implementation of ongoing testing and evaluation processes for artificial intelligence in high risk use cases to ensure continued mitigation of the potential risks identified in the risk evaluation process; implement a process to ensure that risk mitigation efforts for artificial intelligence are reviewed not less than annually and updated as necessary to account for the development of new versions of artificial intelligence and changes to the risk profile; and adhere to pre-deployment requirements under subsection
(d)in each case in which a low or medium risk artificial intelligence use case becomes a high risk artificial intelligence use case. The Chief Artificial Intelligence Officer of each agency— may designate select, low risk use cases, including current and future use cases, that do not have to comply with all or some of the requirements in this Act; and shall publicly disclose all use cases exempted under paragraph
(1)with a justification for each exempted use case. The requirements under subsections
(a)and
(b)shall not apply to an algorithm software update, enhancement, derivative, correction, defect, or fix for artificial intelligence that does not materially change the compliance of the deployer with the requirements of those subsections, unless determined otherwise by the agency Chief Artificial Intelligence Officer. The head of an agency, on a case by case basis, may waive 1 or more requirements under subsection
(d)for a specific use case after making a written determination, based upon a risk assessment conducted by a human with respect to the specific use case, that fulfilling the requirement or requirements prior to procuring or obtaining, developing, or using artificial intelligence would increase risks to safety or rights overall or would create an unacceptable impediment to critical agency operations. A waiver under this subsection shall be— in the national security interests of the United States, as determined by the head of the agency; submitted to the relevant congressional committees not later than 15 days after the head of the agency grants the waiver; and limited to a duration of 1 year, at which time the head of the agency may renew the waiver and submit the renewed waiver to the relevant congressional committees. The head of an agency, in consultation with the agency Chief Artificial Intelligence Officer, Chief Information Officer, Chief Data Officer, and other relevant agency officials, shall reevaluate infrastructure security protocols based on the artificial intelligence use cases and associated risks to infrastructure security of the agency. Not later than 270 days after the date of enactment of this Act, the requirements of subsections
(a)through
(i)of this section shall apply with respect to artificial intelligence that is already in use on the date of enactment of this Act.
Connections1 off-index
1 reference not yet in our index
  • 15 USC 278h–1(c)
Citation graph
cites case law
Sec. 8
Agency requirements for use of artificial intelligence
Cite15 USC 278h–1(c)
Cites 1Cited by 0 across 0 sources
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.