[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 3312 Introduced in Senate (IS)]

<DOC>

118th CONGRESS
  1st Session
                                S. 3312

   To provide a framework for artificial intelligence innovation and 
                accountability, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 15, 2023

 Mr. Thune (for himself, Ms. Klobuchar, Mr. Wicker, Mr. Hickenlooper, 
 Mr. Lujan, and Mrs. Capito) introduced the following bill; which was 
  read twice and referred to the Committee on Commerce, Science, and 
                             Transportation

_______________________________________________________________________

                                 A BILL


 
   To provide a framework for artificial intelligence innovation and 
                accountability, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Artificial Intelligence Research, 
Innovation, and Accountability Act of 2023''.

SEC. 2. TABLE OF CONTENTS.

    The table of contents for this Act is as follows:

Sec. 1. Short title.
Sec. 2. Table of contents.
        TITLE I--ARTIFICIAL INTELLIGENCE RESEARCH AND INNOVATION

Sec. 101. Open data policy amendments.
Sec. 102. Online content authenticity and provenance standards research 
                            and development.
Sec. 103. Standards for detection of emergent and anomalous behavior 
                            and AI-generated media.
Sec. 104. Comptroller General study on barriers and best practices to 
                            usage of AI in government.
            TITLE II--ARTIFICIAL INTELLIGENCE ACCOUNTABILITY

Sec. 201. Definitions.
Sec. 202. Generative artificial intelligence transparency.
Sec. 203. Transparency reports for high-impact artificial intelligence 
                            systems.
Sec. 204. Recommendations to Federal agencies for risk management of 
                            high-impact artificial intelligence 
                            systems.
Sec. 205. Office of Management and Budget oversight of recommendations 
                            to agencies.
Sec. 206. Risk management assessment for critical-impact artificial 
                            intelligence systems.
Sec. 207. Certification of critical-impact artificial intelligence 
                            systems.
Sec. 208. Enforcement.
Sec. 209. Artificial intelligence consumer education.

        TITLE I--ARTIFICIAL INTELLIGENCE RESEARCH AND INNOVATION

SEC. 101. OPEN DATA POLICY AMENDMENTS.

    Section 3502 of title 44, United States Code, is amended--
            (1) in paragraph (22)--
                    (A) by inserting ``or data model'' after ``a data 
                asset''; and
                    (B) by striking ``and'' at the end;
            (2) in paragraph (23), by striking the period at the end 
        and inserting a semicolon; and
            (3) by adding at the end the following:
            ``(24) the term `data model' means a mathematical, 
        economic, or statistical representation of a system or process 
        used to assist in making calculations and predictions, 
        including through the use of algorithms, computer programs, or 
        artificial intelligence systems; and
            ``(25) the term `artificial intelligence system' means an 
        engineered system that--
                    ``(A) generates outputs, such as content, 
                predictions, recommendations, or decisions for a given 
                set of objectives; and
                    ``(B) is designed to operate with varying levels of 
                adaptability and autonomy using machine and human-based 
                inputs.''.

SEC. 102. ONLINE CONTENT AUTHENTICITY AND PROVENANCE STANDARDS RESEARCH 
              AND DEVELOPMENT.

    (a) Research.--
            (1) In general.--Not later than 180 days after the date of 
        the enactment of this Act, the Under Secretary of Commerce for 
        Standards and Technology shall carry out research to facilitate 
        the development and standardization of means to provide 
        authenticity and provenance information for content generated 
        by human authors and artificial intelligence systems.
            (2) Elements.--The research carried out pursuant to 
        paragraph (1) shall cover the following:
                    (A) Secure and binding methods for human authors of 
                content to append statements of provenance through the 
                use of unique credentials, watermarking, or other data 
                or metadata-based approaches.
                    (B) Methods for the verification of statements of 
                content provenance to ensure authenticity such as 
                watermarking or classifiers, which are trained models 
                that distinguish artificial intelligence-generated 
                media.
                    (C) Methods for displaying clear and conspicuous 
                statements of content provenance to the end user.
                    (D) Technologies or applications needed to 
                facilitate the creation and verification of content 
                provenance information.
                    (E) Mechanisms to ensure that any technologies and 
                methods developed under this section are minimally 
                burdensome on content producers.
                    (F) Such other related processes, technologies, or 
                applications as the Under Secretary considers 
                appropriate.
                    (G) Use of provenance technology to enable 
                attribution for content creators.
            (3) Implementation.--The Under Secretary shall carry out 
        the research required by paragraph (1) as part of the research 
        directives pursuant to section 22A(b)(1) of the National 
        Institute of Standards and Technology Act (15 U.S.C. 278h-
        1(b)(1)).
    (b) Development of Standards.--
            (1) In general.--For methodologies and applications related 
        to content provenance and authenticity deemed by the Under 
        Secretary to be at a readiness level sufficient for 
        standardization, the Under Secretary shall provide technical 
        review and assistance to such other Federal agencies and 
        nongovernmental standards organizations as the Under Secretary 
        considers appropriate.
            (2) Considerations.--In providing any technical review and 
        assistance related to the development of content provenance and 
        authenticity standards under this subsection, the Under 
        Secretary may--
                    (A) consider whether a proposed standard is 
                reasonable, practicable, and appropriate for the 
                particular type of media and media environment for 
                which the standard is proposed;
                    (B) consult with relevant stakeholders; and
                    (C) review industry standards issued by 
                nongovernmental standards organizations.
    (c) Pilot Program.--
            (1) In general.--The Under Secretary shall carry out a 
        pilot program to assess the feasibility and advisability of 
        using available technologies and creating open standards to 
        facilitate the creation and verification of content governance 
        information for digital content.
            (2) Locations.--The pilot program required by paragraph (1) 
        shall be carried out at not more than 2 Federal agencies the 
        Under Secretary shall select for purposes of the pilot program 
        required by paragraph (1).
            (3) Requirements.--In carrying out the pilot program 
        required by paragraph (1), the Under Secretary shall--
                    (A) apply and evaluate methods for authenticating 
                the origin of and modifications to government-produced 
                digital content using technology and open standards 
                described in paragraph (1); and
                    (B) make available to the public digital content 
                embedded with provenance or other authentication 
                provided by the heads of the Federal agencies selected 
                pursuant to paragraph (2) for the purposes of the pilot 
                program.
            (4) Briefing required.--Not later than 1 year after the 
        date of the enactment of this Act, and annually thereafter 
        until the date described in paragraph (5), the Under Secretary 
        shall brief the Committee on Commerce, Science, and 
        Transportation of the Senate and the Committee on Science, 
        Space, and Technology of the House of Representatives on the 
        findings of the Under Secretary with respect to the pilot 
        program carried out under this subsection.
            (5) Termination.--The pilot program shall terminate on the 
        date that is 10 years after the date of the enactment of this 
        Act.
    (d) Report to Congress.--Not later than 1 year after the date of 
the enactment of this Act, the Under Secretary shall submit to the 
Committee on Commerce, Science, and Transportation of the Senate and 
the Committee on Science, Space, and Technology of the House of 
Representatives a report outlining the progress of standardization 
initiatives relating to requirements under this section, as well as 
recommendations for legislative or administrative action to encourage 
or require the widespread adoption of such initiatives in the United 
States.

SEC. 103. STANDARDS FOR DETECTION OF EMERGENT AND ANOMALOUS BEHAVIOR 
              AND AI-GENERATED MEDIA.

    Section 22A(b)(1) of the National Institute of Standards and 
Technology Act (15 U.S.C. 278h-1(b)(1)) is amended--
            (1) by redesignating subparagraph (I) as subparagraph (K);
            (2) in subparagraph (H), by striking ``; and'' and 
        inserting a semicolon; and
            (3) by inserting after subparagraph (H) the following:
                    ``(I) best practices for detecting outputs 
                generated by artificial intelligence systems, including 
                content such as text, audio, images, and videos;
                    ``(J) methods to detect and understand anomalous 
                behavior of artificial intelligence systems and 
                safeguards to mitigate potentially adversarial or 
                compromising anomalous behavior; and''.

SEC. 104. COMPTROLLER GENERAL STUDY ON BARRIERS AND BEST PRACTICES TO 
              USAGE OF AI IN GOVERNMENT.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Comptroller General of the United States shall--
            (1) conduct a review of statutory, regulatory, and other 
        policy barriers to the use of artificial intelligence systems 
        to improve the functionality of the Federal Government; and
            (2) identify best practices for the adoption and use of 
        artificial intelligence systems by the Federal Government, 
        including--
                    (A) ensuring that an artificial intelligence system 
                is proportional to the need of the Federal Government;
                    (B) restrictions on access to and use of an 
                artificial intelligence system based on the 
                capabilities and risks of the artificial intelligence 
                system; and
                    (C) safety measures that ensure that an artificial 
                intelligence system is appropriately limited to 
                necessary data and compartmentalized from other assets 
                of the Federal Government.
    (b) Report.--Not later than 2 years after the date of enactment of 
this Act, the Comptroller General of the United States shall submit to 
the Committee on Commerce, Science, and Transportation of the Senate 
and the Committee on Science, Space, and Technology of the House of 
Representatives a report that--
            (1) summarizes the results of the review conducted under 
        subsection (a)(1) and the best practices identified under 
        subsection (a)(2), including recommendations, as the 
        Comptroller General of the United States considers appropriate;
            (2) describes any laws, regulations, guidance documents, or 
        other policies that may prevent the adoption of artificial 
        intelligence systems by the Federal Government to improve 
        certain functions of the Federal Government, including--
                    (A) data analysis and processing;
                    (B) paperwork reduction;
                    (C) contracting and procurement practices; and
                    (D) other Federal Government services; and
            (3) includes, as the Comptroller General of the United 
        States considers appropriate, recommendations to modify or 
        eliminate barriers to the use of artificial intelligence 
        systems by the Federal Government.

            TITLE II--ARTIFICIAL INTELLIGENCE ACCOUNTABILITY

SEC. 201. DEFINITIONS.

    In this title:
            (1) Appropriate congressional committees.--The term 
        ``appropriate congressional committees'' means--
                    (A) the Committee on Energy and Natural Resources 
                and the Committee on Commerce, Science, and 
                Transportation of the Senate;
                    (B) the Committee on Energy and Commerce of the 
                House of Representatives; and
                    (C) each congressional committee with jurisdiction 
                over an applicable covered agency.
            (2) Artificial intelligence system.--The term ``artificial 
        intelligence system'' means an engineered system that--
                    (A) generates outputs, such as content, 
                predictions, recommendations, or decisions for a given 
                set of human-defined objectives; and
                    (B) is designed to operate with varying levels of 
                adaptability and autonomy using machine and human-based 
                inputs.
            (3) Covered agency.--The term ``covered agency'' means an 
        agency for which the Under Secretary develops an NIST 
        recommendation.
            (4) Covered internet platform.--
                    (A) In general.--The term ``covered internet 
                platform''--
                            (i) means any public-facing website, 
                        consumer-facing internet application, or mobile 
                        application available to consumers in the 
                        United States; and
                            (ii) includes a social network site, video 
                        sharing service, search engine, and content 
                        aggregation service.
                    (B) Exclusions.--The term ``covered internet 
                platform'' does not include a platform that--
                            (i) is wholly owned, controlled, and 
                        operated by a person that--
                                    (I) during the most recent 180-day 
                                period, did not employ more than 500 
                                employees;
                                    (II) during the most recent 3-year 
                                period, averaged less than $50,000,000 
                                in annual gross receipts; and
                                    (III) on an annual basis, collects 
                                or processes the personal data of less 
                                than 1,000,000 individuals; or
                            (ii) is operated for the sole purpose of 
                        conducting research that is not directly or 
                        indirectly made for profit.
            (5) Critical-impact ai organization.--The term ``critical-
        impact AI organization'' means a non-government organization 
        that serves as the deployer of a critical-impact artificial 
        intelligence system.
            (6) Critical-impact artificial intelligence system.--The 
        term ``critical-impact artificial intelligence system'' means 
        an artificial intelligence system that--
                    (A) is deployed for a purpose other than solely for 
                use by the Department of Defense or an intelligence 
                agency (as defined in section 3094(e) of the National 
                Security Act of 1947 (50 U.S.C. 3094(3))); and
                    (B) is used or intended to be used--
                            (i) to make decisions that have a legal or 
                        similarly significant effect on--
                                    (I) the real-time or ex post facto 
                                collection of biometric data of natural 
                                persons by biometric identification 
                                systems without their consent;
                                    (II) the direct management and 
                                operation of critical infrastructure 
                                (as defined in section 1016(e) of the 
                                USA PATRIOT Act (42 U.S.C. 5195c(e))) 
                                and space-based infrastructure; or
                                    (III) criminal justice (as defined 
                                in section 901 of title I of the 
                                Omnibus Crime Control and Safe Streets 
                                Act of 1968 (34 U.S.C. 10251)); and
                            (ii) in a manner that poses a significant 
                        risk to rights afforded under the Constitution 
                        of the United States or safety.
            (7) Deployer.--The term ``deployer''--
                    (A) means an entity that uses or operates an 
                artificial intelligence system for internal use or for 
                use by third parties; and
                    (B) does not include an entity that is solely an 
                end user of a system.
            (8) Developer.--The term ``developer'' means an entity 
        that--
                    (A) designs, codes, produces, or owns an artificial 
                intelligence system for internal use or for use by a 
                third party as a baseline model; and
                    (B) does not act as a deployer of the artificial 
                intelligence system described in subparagraph (A).
            (9) Generative artificial intelligence system.--The term 
        ``generative artificial intelligence system'' means an 
        artificial intelligence system that generates novel data or 
        content in a written, audio, or visual format.
            (10) High-impact artificial intelligence system.--The term 
        ``high-impact artificial intelligence system'' means an 
        artificial intelligence system--
                    (A) deployed for a purpose other than solely for 
                use by the Department of Defense or an intelligence 
                agency (as defined in section 3094(e) of the National 
                Security Act of 1947 (50 U.S.C. 3094(3))); and
                    (B) that is specifically developed with the 
                intended purpose of making decisions that have a legal 
                or similarly significant effect on the access of an 
                individual to housing, employment, credit, education, 
                healthcare, or insurance in a manner that poses a 
                significant risk to rights afforded under the 
                Constitution of the United States or safety.
            (11) NIST recommendation.--The term ``NIST recommendation'' 
        means a sector-specific recommendation developed under section 
        22B(b)(1) of the National Institute of Standards and Technology 
        Act, as added by section 204 of this Act.
            (12) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.
            (13) Significant risk.--The term ``significant risk'' means 
        a combination of severe, high-intensity, high-probability, and 
        long-duration risk of harm to individuals.
            (14) TEVV.--The term ``TEVV'' means the testing, 
        evaluation, validation, and verification of any artificial 
        intelligence system that includes--
                    (A) open, transparent, testable, and verifiable 
                specifications that characterize realistic operational 
                performance, such as precision and accuracy for 
                relevant tasks;
                    (B) testing methodologies and metrics that enable 
                the evaluation of system trustworthiness, including 
                robustness and resilience;
                    (C) data quality standards for training and testing 
                datasets;
                    (D) requirements for system validation and 
                integration into production environments, automated 
                testing, and compliance with existing legal and 
                regulatory specifications;
                    (E) methods and tools for--
                            (i) the monitoring of system behavior;
                            (ii) the tracking of incidents or errors 
                        reported and their management; and
                            (iii) the detection of emergent properties 
                        and related impacts; and
                    (F) and processes for redress and response.
            (15) Under secretary.--The term ``Under Secretary'' means 
        the Director of the National Institute of Standards and 
        Technology.

SEC. 202. GENERATIVE ARTIFICIAL INTELLIGENCE TRANSPARENCY.

    (a) Prohibition.--
            (1) In general.--Subject to paragraph (2), it shall be 
        unlawful for a person to operate a covered internet platform 
        that uses a generative artificial intelligence system.
            (2) Disclosure of use of generative artificial intelligence 
        systems.--
                    (A) In general.--A person may operate a covered 
                internet platform that uses a generative artificial 
                intelligence system if the person provides notice to 
                each user of the covered internet platform that the 
                covered internet platform uses a generative artificial 
                intelligence system to generate content the user sees.
                    (B) Requirements.--A person providing the notice 
                described in subparagraph (A) to a user--
                            (i) subject to clause (ii), shall provide 
                        the notice in a clear and conspicuous manner on 
                        the covered internet platform before the user 
                        interacts with content produced by a generative 
                        artificial intelligence system; and
                            (ii) may provide an option for the user to 
                        choose to see the notice described in clause 
                        (i) only upon the first interaction of the user 
                        with content produced by a generative 
                        artificial intelligence system.
    (b) Enforcement Action.--Upon learning that a covered internet 
platform does not comply with the requirements under this section, the 
Secretary--
            (1) shall immediately--
                    (A) notify the covered internet platform of the 
                finding; and
                    (B) order the covered internet platform to take 
                remedial action to address the noncompliance of the 
                generative artificial intelligence system operated by 
                the covered internet platform; and
            (2) may, as determined appropriate or necessary by the 
        Secretary, take enforcement action under section 208 if the 
        covered internet platform does not take sufficient action to 
        remedy the noncompliance within 15 days of the notification 
        under paragraph (1)(A).
    (c) Effective Date.--This section shall take effect on the date 
that is 180 days after the date of enactment of this Act.

SEC. 203. TRANSPARENCY REPORTS FOR HIGH-IMPACT ARTIFICIAL INTELLIGENCE 
              SYSTEMS.

    (a) Transparency Reporting.--
            (1) In general.--Each deployer of a high-impact artificial 
        intelligence system shall--
                    (A) before deploying the high-impact artificial 
                intelligence system, and annually thereafter, submit to 
                the Secretary a report describing the design and safety 
                plans for the artificial intelligence system; and
                    (B) submit to the Secretary an updated report on 
                the high-impact artificial intelligence system if the 
                deployer makes a material change to--
                            (i) the purpose for which the high-impact 
                        artificial intelligence system is used; or
                            (ii) the type of data the high-impact 
                        artificial intelligence system processes or 
                        uses for training purposes.
            (2) Contents.--Each transparency report submitted under 
        paragraph (1) shall include, with respect to the high-impact 
        artificial intelligence system--
                    (A) the purpose;
                    (B) the intended use cases;
                    (C) deployment context;
                    (D) benefits;
                    (E) a description of data that the high-impact 
                artificial intelligence system, once deployed, 
                processes as inputs;
                    (F) if available--
                            (i) a list of data categories and formats 
                        the deployer used to retrain or continue 
                        training the high-impact artificial 
                        intelligence system;
                            (ii) metrics for evaluating the high-impact 
                        artificial intelligence system performance and 
                        known limitations; and
                            (iii) transparency measures, including 
                        information identifying to individuals when a 
                        high-impact artificial intelligence system is 
                        in use;
                    (G) processes and testing performed before each 
                deployment to ensure the high-impact artificial 
                intelligence system is safe, reliable, and effective;
                    (H) if applicable, an identification of any third-
                party artificial intelligence systems or datasets the 
                deployer relies on to train or operate the high-impact 
                artificial intelligence system; and
                    (I) post-deployment monitoring and user safeguards, 
                including a description of the oversight process in 
                place to address issues as issues arise.
    (b) Developer Obligations.--The developer of a high-impact 
artificial intelligence system shall be subject to the same obligations 
as a developer of a critical impact artificial intelligence system 
under section 206(c).
    (c) Considerations.--In carrying out subsections (a) and (b), a 
deployer or developer of a high-impact artificial intelligence system 
shall consider the best practices outlined in the most recent version 
of the risk management framework developed pursuant to section 22A(c) 
of the National Institute of Standards and Technology Act (15 U.S.C. 
278h-1(c)).
    (d) Noncompliance and Enforcement Action.--Upon learning that a 
deployer of a high-impact artificial intelligence system is not in 
compliance with the requirements under this section with respect to a 
high-impact artificial intelligence system, the Secretary--
            (1) shall immediately--
                    (A) notify the deployer of the finding; and
                    (B) order the deployer to immediately submit to the 
                Secretary the report required under subsection (a)(1); 
                and
            (2) if the deployer fails to submit the report by the date 
        that is 15 days after the date of the notification under 
        paragraph (1)(A), may take enforcement action under section 
        208.
    (e) Avoidance of Duplication.--
            (1) In general.--Pursuant to the deconfliction of 
        duplicative requirements under paragraph (2), the Secretary 
        shall ensure that the requirements under this section are not 
        unnecessarily burdensome or duplicative of requirements made or 
        oversight conducted by a covered agency regarding the non-
        Federal use of high-impact artificial intelligence systems.
            (2) Deconfliction of duplicative requirements.--Not later 
        than 90 days after the date of the enactment of this Act, and 
        annually thereafter, the Secretary, in coordination with the 
        head of any relevant covered agency, shall complete the 
        deconfliction of duplicative requirements relating to the 
        submission of a transparency report for a high-impact 
        artificial intelligence system under this section.
    (f) Rule of Construction.--Nothing in this section shall be 
construed to require a deployer of a high-impact artificial 
intelligence system to disclose any information, including data or 
algorithms--
            (1) relating to a trade secret or other protected 
        intellectual property right;
            (2) that is confidential business information; or
            (3) that is privileged.

SEC. 204. RECOMMENDATIONS TO FEDERAL AGENCIES FOR RISK MANAGEMENT OF 
              HIGH-IMPACT ARTIFICIAL INTELLIGENCE SYSTEMS.

    The National Institute of Standards and Technology Act (15 U.S.C. 
278h-1) is amended by inserting after section 22A the following:

``SEC. 22B. RECOMMENDATIONS TO FEDERAL AGENCIES FOR SECTOR-SPECIFIC 
              OVERSIGHT OF ARTIFICIAL INTELLIGENCE.

    ``(a) Definition of High-Impact Artificial Intelligence System.--In 
this section, the term `high-impact artificial intelligence system' 
means an artificial intelligence system--
            ``(1) deployed for purposes other than those solely for use 
        by the Department of Defense or an element of the intelligence 
        community (as defined in section 3 of the National Security Act 
        of 1947 (50 U.S.C. 3003)); and
            ``(2) that is specifically developed with the intended 
        purpose of making decisions that have a legal or similarly 
        significant effect on the access of an individual to housing, 
        employment, credit, education, health care, or insurance in a 
        manner that poses a significant risk to rights afforded under 
        the Constitution of the United States or to safety.
    ``(b) Sector-Specific Recommendations.--Not later than 1 year after 
the date of the enactment of the Artificial Intelligence Research, 
Innovation, and Accountability Act of 2023, the Director shall--
            ``(1) develop sector-specific recommendations for 
        individual Federal agencies to conduct oversight of the non-
        Federal, and, as appropriate, Federal use of high-impact 
        artificial intelligence systems to improve the safe and 
        responsible use of such systems; and
            ``(2) not less frequently than biennially, update the 
        sector-specific recommendations to account for changes in 
        technological capabilities or artificial intelligence use 
        cases.
    ``(c) Requirements.--In developing recommendations under subsection 
(b), the Director shall use the voluntary risk management framework 
required by section 22A(c) to identify and provide recommendations to a 
Federal agency--
            ``(1) to establish regulations, standards, guidelines, best 
        practices, methodologies, procedures, or processes to 
        facilitate oversight of non-Federal use of high-impact 
        artificial intelligence systems; and
            ``(2) to mitigate risks from such high-impact artificial 
        intelligence systems.
    ``(d) Recommendations.--In developing recommendations under 
subsection (b), the Director may include the following:
            ``(1) Key design choices made during high-impact artificial 
        intelligence model development, including rationale and 
        assumptions made.
            ``(2) Intended use and users, other possible use cases, 
        including any anticipated undesirable or potentially harmful 
        use cases, and what good faith efforts model developers can 
        take to mitigate the use of the system in harmful ways.
            ``(3) Methods for evaluating the safety of high-impact 
        artificial intelligence systems and approaches for responsible 
        use.
            ``(4) Sector-specific differences in what constitutes 
        acceptable high-impact artificial intelligence model 
        functionality and trustworthiness, metrics used to determine 
        high-impact artificial intelligence model performance, and any 
        test results reflecting application of these metrics to 
        evaluate high-impact artificial intelligence model performance 
        across different sectors.
            ``(5) Recommendations to support iterative development of 
        subsequent recommendations under subsection (b).
    ``(e) Consultation.--In developing recommendations under subsection 
(b), the Director shall, as the Director considers applicable and 
practicable, consult with relevant covered agencies and stakeholders 
representing perspectives from civil society, academia, technologists, 
engineers, and creators.''.

SEC. 205. OFFICE OF MANAGEMENT AND BUDGET OVERSIGHT OF RECOMMENDATIONS 
              TO AGENCIES.

    (a) Recommendations.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Under Secretary shall submit to the 
        Director, the head of each covered agency, and the appropriate 
        congressional committees each NIST recommendation.
            (2) Agency responses to recommendations.--Not later than 90 
        days after the date on which the Under Secretary submits a NIST 
        recommendation to the head of a covered agency under paragraph 
        (1), the head of the covered agency shall transmit to the 
        Director a formal written response to the NIST recommendation 
        that--
                    (A) indicates whether the head of the covered 
                agency intends to--
                            (i) carry out procedures to adopt the 
                        complete NIST recommendation;
                            (ii) carry out procedures to adopt a part 
                        of the NIST recommendation; or
                            (iii) refuse to carry out procedures to 
                        adopt the NIST recommendation; and
                    (B) includes--
                            (i) with respect to a formal written 
                        response described in clause (i) or (ii) of 
                        subparagraph (A), a copy of a proposed 
                        timetable for completing the procedures 
                        described in that clause;
                            (ii) with respect to a formal written 
                        response described in subparagraph (A)(ii), the 
                        reasons for the refusal to carry out procedures 
                        with respect to the remainder of the NIST 
                        recommendation described in that subparagraph; 
                        and
                            (iii) with respect to a formal written 
                        response described in subparagraph (A)(iii), 
                        the reasons for the refusal to carry out 
                        procedures.
    (b) Public Availability.--The Director shall make a copy of each 
NIST recommendation and each written formal response of a covered 
agency required under subsection (a)(2) available to the public at 
reasonable cost.
    (c) Reporting Requirements.--
            (1) Annual secretarial regulatory status reports.--
                    (A) In general.--On the first February 1 occurring 
                after the date of enactment of this Act, and annually 
                thereafter until the date described in subparagraph 
                (B), the head of each covered agency shall submit to 
                the Director a report containing the regulatory status 
                of each NIST recommendation.
                    (B) Continued reporting.--The date described in 
                this subparagraph is the date on which the head of a 
                covered agency--
                            (i) takes final regulatory action with 
                        respect to a NIST recommendation; and
                            (ii) determines and states in a report 
                        required under subparagraph (A) that no 
                        regulatory action should be taken with respect 
                        to a NIST recommendation.
            (2) Compliance report to congress.--On April 1 of each 
        year, the Director shall--
                    (A) review the reports received under paragraph 
                (1)(A); and
                    (B) transmit comments on the reports to the heads 
                of covered agencies and the appropriate congressional 
                committees.
            (3) Failure to report.--If, on March 1 of each year, the 
        Director has not received a report required under paragraph 
        (1)(A) from the head of a covered agency, the Director shall 
        notify the appropriate congressional committees of the failure.
    (d) Technical Assistance in Carrying Out Recommendations.--The 
Under Secretary shall provide assistance to the heads of covered 
agencies relating to the implementation of the NIST recommendations the 
heads of covered agencies intend to carry out.
    (e) Regulation Review and Improvement.--The Administrator of the 
Office of Information and Regulatory Affairs of the Office of 
Management and Budget, in consultation with the Under Secretary, shall 
develop and periodically revise performance indicators and measures for 
sector-specific regulation of artificial intelligence.

SEC. 206. RISK MANAGEMENT ASSESSMENT FOR CRITICAL-IMPACT ARTIFICIAL 
              INTELLIGENCE SYSTEMS.

    (a) Requirement.--
            (1) In general.--Each critical-impact AI organization shall 
        perform a risk management assessment in accordance with this 
        section.
            (2) Assessment.--Each critical-impact AI organization 
        shall--
                    (A) not later than 30 days before the date on which 
                a critical-impact artificial intelligence system is 
                made publicly available by the critical-impact AI 
                organization, perform a risk management assessment; and
                    (B) not less frequently than biennially during the 
                period beginning on the date of enactment of this Act 
                and ending on the date on which the applicable 
                critical-impact artificial intelligence system is no 
                longer being made publicly available by the critical-
                impact AI organization, as applicable, conduct an 
                updated risk management assessment that--
                            (i) may find that no significant changes 
                        were made to the critical-impact artificial 
                        intelligence system; and
                            (ii) provides, to the extent practicable, 
                        aggregate results of any significant deviation 
                        from expected performance detailed in the 
                        assessment performed under subparagraph (A) or 
                        the most recent assessment performed under this 
                        subparagraph.
            (3) Review.--
                    (A) In general.--Not later than 90 days after the 
                date of completion of a risk management assessment by a 
                critical-impact AI organization under this section, the 
                critical-impact AI organization shall submit to the 
                Secretary a report--
                            (i) outlining the assessment performed 
                        under this section; and
                            (ii) that is in a consistent format, as 
                        determined by the Secretary.
                    (B) Additional information.--Subject to subsection 
                (d), the Secretary may request that a critical-impact 
                AI organization submit to the Secretary any related 
                additional or clarifying information with respect to a 
                risk management assessment performed under this 
                section.
            (4) Limitation.--The Secretary may not prohibit a critical-
        impact AI organization from making a critical-impact artificial 
        intelligence system available to the public based on the review 
        by the Secretary of a report submitted under paragraph (3)(A) 
        or additional or clarifying information submitted under 
        paragraph (3)(B).
    (b) Assessment Subject Areas.--Each assessment performed by a 
critical-impact AI organization under subsection (a) shall describe the 
means by which the critical-impact AI organization is addressing, 
through a documented TEVV process, the following categories:
            (1) Policies, processes, procedures, and practices across 
        the organization relating to transparent and effective mapping, 
        measuring, and managing of artificial intelligence risks, 
        including--
                    (A) how the organization understands, manages, and 
                documents legal and regulatory requirements involving 
                artificial intelligence;
                    (B) how the organization integrates characteristics 
                of trustworthy artificial intelligence, which include 
                valid, reliable, safe, secure, resilient, accountable, 
                transparent, globally and locally explainable, 
                interpretable, privacy-enhanced, and fair with harmful 
                bias managed, into organizational policies, processes, 
                procedures, and practices;
                    (C) a methodology to determine the needed level of 
                risk management activities based on the organization's 
                risk tolerance; and
                    (D) how the organization establishes risk 
                management processes and outcomes through transparent 
                policies, procedures, and other controls based on 
                organizational risk priorities.
            (2) The structure, context, and capabilities of the 
        critical-impact artificial intelligence system or critical-
        impact foundation model, including--
                    (A) how the context was established and understood;
                    (B) capabilities, targeted uses, goals, and 
                expected costs and benefits; and
                    (C) how risks and benefits are mapped for each 
                system component.
            (3) A description of how the organization employs 
        quantitative, qualitative, or mixed-method tools, techniques, 
        and methodologies to analyze, assess, benchmark, and monitor 
        artificial intelligence risk, including--
                    (A) identification of appropriate methods and 
                metrics;
                    (B) how artificial intelligence systems are 
                evaluated for trustworthy characteristics;
                    (C) mechanisms for tracking artificial intelligence 
                system risks over time; and
                    (D) processes for gathering and assessing feedback 
                relating to the efficacy of measurement.
            (4) A description of allocation of risk resources to map 
        and measure risks on a regular basis as described in paragraph 
        (1), including--
                    (A) how artificial intelligence risks based on 
                assessments and other analytical outputs described in 
                paragraphs (2) and (3) are prioritized, responded to, 
                and managed;
                    (B) how strategies to maximize artificial 
                intelligence benefits and minimize negative impacts 
                were planned, prepared, implemented, documented, and 
                informed by input from relevant artificial intelligence 
                deployers;
                    (C) management of artificial intelligence system 
                risks and benefits; and
                    (D) regular monitoring of risk treatments, 
                including response and recovery, and communication 
                plans for the identified and measured artificial 
                intelligence risks, as applicable.
    (c) Developer Obligations.--The developer of a critical-impact 
artificial intelligence system that agrees through a contract or 
license to provide technology or services to a deployer of the 
critical-impact artificial intelligence system shall provide to the 
deployer of the critical-impact artificial intelligence system the 
information reasonably necessary for the deployer to comply with the 
requirements under subsection (a), including--
            (1) an overview of the data used in training the baseline 
        artificial intelligence system provided by the developer, 
        including--
                    (A) data size;
                    (B) data sources;
                    (C) copyrighted data; and
                    (D) personal identifiable information;
            (2) documentation outlining the structure and context of 
        the baseline artificial intelligence system of the developer, 
        including--
                    (A) input modality;
                    (B) output modality;
                    (C) model size; and
                    (D) model architecture;
            (3) known capabilities, limitations, and risks of the 
        baseline artificial intelligence system of the developer at the 
        time of the development of the artificial intelligence system; 
        and
            (4) documentation for downstream use, including--
                    (A) a statement of intended purpose;
                    (B) guidelines for the intended use of the 
                artificial intelligence system, including a list of 
                permitted, restricted, and prohibited uses and users; 
                and
                    (C) a statement of the potential for deviation from 
                the intended purpose of the baseline artificial 
                intelligence system.
    (d) Termination of Obligation To Disclose Information.--
            (1) In general.--The obligation of a critical-impact AI 
        organization to provide information, upon request of the 
        Secretary, relating to a specific assessment category under 
        subsection (b) shall end on the date of issuance of a relevant 
        standard applicable to the same category of a critical-impact 
        artificial intelligence system by--
                    (A) the Secretary under section 207(c) with respect 
                to a critical-impact artificial intelligence system;
                    (B) another department or agency of the Federal 
                Government, as determined applicable by the Secretary; 
                or
                    (C) a non-governmental standards organization, as 
                determined appropriate by the Secretary.
            (2) Effect of new standard.--In adopting any standard 
        applicable to critical-impact artificial intelligence systems 
        under section 207(c), the Secretary shall--
                    (A) identify the category under subsection (b) to 
                which the standard relates, if any; and
                    (B) specify the information that is no longer 
                required to be included in a report required under 
                subsection (a) as a result of the new standard.
    (e) Rule of Construction.--Nothing in this section shall be 
construed to require a critical-impact AI organization, or permit the 
Secretary, to disclose any information, including data or algorithms--
            (1) relating to a trade secret or other protected 
        intellectual property right;
            (2) that is confidential business information; or
            (3) that is privileged.

SEC. 207. CERTIFICATION OF CRITICAL-IMPACT ARTIFICIAL INTELLIGENCE 
              SYSTEMS.

    (a) Establishment of Artificial Intelligence Certification Advisory 
Committee.--
            (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Secretary shall establish an 
        advisory committee to provide advice and recommendations on 
        TEVV standards and the certification of critical-impact 
        artificial intelligence systems.
            (2) Duties.--The advisory committee established under this 
        section shall advise the Secretary on matters relating to the 
        testing and certification of critical-impact artificial 
        intelligence systems, including by--
                    (A) providing recommendations to the Secretary on 
                proposed TEVV standards to ensure such standards--
                            (i) maximize alignment and interoperability 
                        with standards issued by nongovernmental 
                        standards organizations and international 
                        standards bodies;
                            (ii) are performance-based and impact-
                        based; and
                            (iii) are applicable or necessary to 
                        facilitate the deployment of critical-impact 
                        artificial intelligence systems in a 
                        transparent, secure, and safe manner;
                    (B) reviewing prospective TEVV standards submitted 
                by the Secretary to ensure such standards align with 
                recommendations under subparagraph (A);
                    (C) upon completion of the review under 
                subparagraph (B), providing consensus recommendations 
                to the Secretary on--
                            (i) whether a TEVV standard should be 
                        issued, modified, revoked, or added; and
                            (ii) if such a standard should be issued, 
                        how best to align the standard with the 
                        considerations described in subsection (c)(2) 
                        and recommendations described in subparagraph 
                        (A); and
                    (D) reviewing and providing advice and 
                recommendations on the plan and subsequent updates to 
                the plan submitted under subsection (b).
            (3) Composition.--The advisory committee established under 
        this subsection shall be composed of not more than 15 members 
        with a balanced composition of representatives of the private 
        sector, institutions of higher education, and non-profit 
        organizations, including--
                    (A) representatives of--
                            (i) institutions of higher education;
                            (ii) companies developing or operating 
                        artificial intelligence systems;
                            (iii) consumers or consumer advocacy 
                        groups; and
                            (iv) enabling technology companies; and
                    (B) any other members the Secretary considers to be 
                appropriate.
    (b) Artificial Intelligence Certification Plan.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Secretary shall establish a 3-year 
        implementation plan for the certification of critical-impact 
        artificial intelligence systems.
            (2) Periodic update.--The Secretary shall periodically 
        update the plan established under paragraph (1).
            (3) Contents.--The plan established under paragraph (1) 
        shall include--
                    (A) a methodology for gathering and using relevant, 
                objective, and available information relating to TEVV;
                    (B) a process for considering whether prescribing 
                certain TEVV standards under subsection (c) for 
                critical-impact artificial intelligence systems is 
                appropriate, necessary, or duplicative of existing 
                international standards;
                    (C) if TEVV standards are considered appropriate, a 
                process for prescribing such standards for critical-
                impact artificial intelligence systems; and
                    (D) an outline of standards proposed to be issued, 
                including an estimation of the timeline and sequencing 
                of such standards.
            (4) Consultation.--In developing the plan required under 
        paragraph (1), the Secretary shall consult the following:
                    (A) The National Artificial Intelligence Initiative 
                Office.
                    (B) The interagency committee established under 
                section 5103 of the National Artificial Intelligence 
                Initiative Act of 2020 (15 U.S.C. 9413).
                    (C) The National Artificial Intelligence Advisory 
                Committee.
                    (D) Industry consensus standards issued by non-
                governmental standards organizations.
                    (E) Other departments, agencies, and 
                instrumentalities of the Federal Government, as 
                considered appropriate by the Secretary.
            (5) Submission to certification advisory committee.--Upon 
        completing the initial plan required under this subsection and 
        upon completing periodic updates to the plan under paragraph 
        (2), the Secretary shall submit the plan to the advisory 
        committee established under subsection (a) for review.
            (6) Submission to committees of congress.--Upon completing 
        the plan required under this subsection, the Secretary shall 
        submit to the relevant committees of Congress a report 
        containing the plan.
            (7) Limitation.--The Secretary may not issue TEVV standards 
        under subsection (c) until the date of the submission of the 
        plan under paragraphs (5) and (6).
    (c) Standards.--
            (1) Standards.--
                    (A) In general.--The Secretary shall issue TEVV 
                standards for critical-impact artificial intelligence 
                systems.
                    (B) Requirements.--Each standard issued under this 
                subsection shall--
                            (i) be practicable;
                            (ii) meet the need for safe, secure, and 
                        transparent operations of critical-impact 
                        artificial intelligence systems;
                            (iii) with respect to a relevant standard 
                        issued by a non-governmental standards 
                        organization that is already in place, align 
                        with and be interoperable with that standard;
                            (iv) provide for a mechanism to, not less 
                        frequently than once every 2 years, solicit 
                        public comment and update the standard to 
                        reflect advancements in technology and system 
                        architecture; and
                            (v) be stated in objective terms.
            (2) Considerations.--In issuing TEVV standards for 
        critical-impact artificial intelligence systems under this 
        subsection, the Secretary shall--
                    (A) consider relevant available information 
                concerning critical-impact artificial intelligence 
                systems, including--
                            (i) transparency reports submitted under 
                        section 203(a);
                            (ii) risk management assessments conducted 
                        under section 206(a); and
                            (iii) any additional information provided 
                        to the Secretary pursuant to section 
                        203(a)(1)(B);
                    (B) consider whether a proposed standard is 
                reasonable, practicable, and appropriate for the 
                particular type of critical-impact artificial 
                intelligence system for which the standard is proposed;
                    (C) consult with relevant artificial intelligence 
                stakeholders and review industry standards issued by 
                nongovernmental standards organizations;
                    (D) pursuant to paragraph (1)(B)(iii), consider 
                whether adoption of a relevant standard issued by a 
                nongovernmental standards organization as a TEVV 
                standard is the most appropriate action; and
                    (E) consider whether the standard takes into 
                account--
                            (i) transparent, replicable, and objective 
                        assessments of critical-impact artificial 
                        intelligence system risk, structure, 
                        capabilities, and design;
                            (ii) the risk posed to the public by an 
                        applicable critical-impact artificial 
                        intelligence system; and
                            (iii) the diversity of methodologies and 
                        innovative technologies and approaches 
                        available to meet the objectives of the 
                        standard.
            (3) Consultation.--Before finalizing a TEVV standard issued 
        under this subsection, the Secretary shall submit the TEVV 
        standard to the advisory committee established under subsection 
        (a) for review.
            (4) Public comment.--Before issuing any TEVV standard under 
        this subsection, the Secretary shall provide an opportunity for 
        public comment.
            (5) Cooperation.--In developing a TEVV standard under this 
        subsection, the Secretary may, as determined appropriate, 
        advise, assist, and cooperate with departments, agencies, and 
        instrumentalities of the Federal Government, States, and other 
        public and private agencies.
            (6) Effective date of standards.--
                    (A) In general.--The Secretary shall specify the 
                effective date of a TEVV standard issued under this 
                subsection in the order issuing the standard.
                    (B) Limitation.--Subject to subparagraph (C), a 
                TEVV standard issued under this subsection may not 
                become effective--
                            (i) during the 180-day period following the 
                        date on which the TEVV standard is issued; and
                            (ii) more than 1 year after the date on 
                        which the TEVV standard is issued.
                    (C) Exception.--Subparagraph (B) shall not apply to 
                the effective date of a TEVV standard issued under this 
                section if the Secretary--
                            (i) finds, for good cause shown, that a 
                        different effective date is in the public 
                        interest; and
                            (ii) publishes the reasons for the finding 
                        under clause (i).
            (7) Rule of construction.--Nothing in this subsection shall 
        be construed to authorize the Secretary to impose any 
        requirements on or take any enforcement actions under this 
        section or section 208 relating to a critical-impact AI 
        organization before a TEVV standard relating to those 
        requirements is prescribed.
    (d) Exemptions.--
            (1) Authority to exempt and procedures.--
                    (A) In general.--The Secretary may exempt, on a 
                temporary basis, a critical-impact artificial 
                intelligence system from a TEVV standard issued under 
                subsection (c) on terms the Secretary considers 
                appropriate.
                    (B) Renewal.--An exemption under subparagraph (A)--
                            (i) may be renewed only on reapplication; 
                        and
                            (ii) shall conform to the requirements of 
                        this paragraph.
                    (C) Proceedings.--
                            (i) In general.--The Secretary may begin a 
                        proceeding to grant an exemption to a critical-
                        impact artificial intelligence system under 
                        this paragraph if the critical-impact AI 
                        organization that deployed the critical-impact 
                        artificial intelligence systems applies for an 
                        exemption or a renewal of an exemption.
                            (ii) Notice and comment.--The Secretary 
                        shall publish notice of the application under 
                        clause (i) and provide an opportunity to 
                        comment.
                            (iii) Filing.--An application for an 
                        exemption or for a renewal of an exemption 
                        under this paragraph shall be filed at such 
                        time and in such manner and contain such 
                        information as the Secretary may require.
                    (D) Actions.--The Secretary may grant an exemption 
                under this paragraph upon finding that--
                            (i) the exemption is consistent with the 
                        public interest and this section; and
                            (ii) the exemption would facilitate the 
                        development or evaluation of a feature or 
                        characteristic of a critical-impact artificial 
                        intelligence system providing a safety and 
                        security level that is not less than the TEVV 
                        standard level.
            (2) Disclosure.--Not later than 30 days after the date on 
        which an application is filed under this subsection, the 
        Secretary may make public information contained in the 
        application or relevant to the application, unless the 
        information concerns or is related to a trade secret or other 
        confidential information not relevant to the application.
            (3) Notice of decision.--The Secretary shall publish in the 
        Federal Register a notice of each decision granting or denying 
        an exemption under this subsection and the reasons for granting 
        or denying that exemption, including a justification with 
        supporting information for the selected approach.
    (e) Self-Certification of Compliance.--
            (1) In general.--Subject to paragraph (2), with respect to 
        each critical-impact artificial intelligence system of a 
        critical-impact AI organization, the critical-impact AI 
        organization shall certify to the Secretary that the critical-
        impact artificial intelligence system complies with applicable 
        TEVV standards issued under this section.
            (2) Exception.--A critical-impact AI organization may not 
        issue a certificate under paragraph (1) if, in exercising 
        reasonable care, the critical-impact AI organization has 
        constructive knowledge that the certificate is false or 
        misleading in a material respect.
    (f) Noncompliance Findings and Enforcement Action.--
            (1) Finding of noncompliance by secretary.--Upon learning 
        that a critical-impact artificial intelligence system deployed 
        by a critical-impact AI organization does not comply with the 
        requirements under this section, the Secretary shall--
                    (A) immediately--
                            (i) notify the critical-impact AI 
                        organization of the finding; and
                            (ii) order the critical-impact AI 
                        organization to take remedial action to address 
                        the noncompliance of the artificial 
                        intelligence system; and
                    (B) may, as determined appropriate or necessary by 
                the Secretary, and if the Secretary determines that 
                actions taken by a critical-impact AI organization are 
                insufficient to remedy the noncompliance of the 
                critical-impact AI organization with this section, take 
                enforcement action under section 208.
            (2) Actions by critical-impact ai organization.--If a 
        critical-impact AI organization finds that a critical-impact 
        artificial intelligence system deployed by the critical-impact 
        AI organization is noncompliant with an applicable TEVV 
        standard issued under this section or the critical-impact AI 
        organization is notified of noncompliance by the Secretary 
        under paragraph (1)(A)(i), the critical-impact AI organization 
        shall--
                    (A) without undue delay, notify the Secretary by 
                certified mail or electronic mail of the noncompliance 
                or receipt of the notification of noncompliance;
                    (B) take remedial action to address the 
                noncompliance; and
                    (C) not later than 10 days after the date of the 
                notification or receipt under subparagraph (A), submit 
                to the Secretary a report containing information on--
                            (i) the nature and discovery of the 
                        noncompliant aspect of the critical-impact 
                        artificial intelligence system;
                            (ii) measures taken to remedy such 
                        noncompliance; and
                            (iii) actions taken by the critical-impact 
                        AI organization to address stakeholders 
                        affected by such noncompliance.

SEC. 208. ENFORCEMENT.

    (a) In General.--Upon discovering noncompliance with a provision of 
this Act by a deployer of a high-impact artificial intelligence system 
or a critical-impact AI organization if the Secretary determines that 
actions taken by the critical-impact AI organization are insufficient 
to remedy the noncompliance, the Secretary shall take an action 
described in this section.
    (b) Civil Penalties.--
            (1) In general.--The Secretary may impose a penalty 
        described in paragraph (2) on a deployer of a high-impact 
        artificial intelligence system or a critical-impact AI 
        organization for each violation by that entity of this Act or 
        any regulation or order issued under this Act.
            (2) Penalty described.--The penalty described in this 
        paragraph is the greater of--
                    (A) an amount not to exceed $300,000; or
                    (B) an amount that is twice the value of the 
                transaction that is the basis of the violation with 
                respect to which the penalty is imposed.
    (c) Violation With Intent.--
            (1) In general.--If the Secretary determines that a 
        deployer of a high-impact artificial intelligence system or a 
        critical-impact AI organization intentionally violates this Act 
        or any regulation or order issued under this Act, the Secretary 
        may prohibit the critical-impact AI organization from deploying 
        a critical-impact artificial intelligence system.
            (2) In addition.--A prohibition imposed under paragraph (1) 
        shall be in addition to any other civil penalties provided 
        under this Act.
    (d) Factors.--The Secretary may by regulation provide standards for 
establishing levels of civil penalty under this section based upon 
factors such as the seriousness of the violation, the culpability of 
the violator, and such mitigating factors as the violator's record of 
cooperation with the Secretary in disclosing the violation.
    (e) Civil Action.--
            (1) In general.--Upon referral by the Secretary, the 
        Attorney General may bring a civil action in a United States 
        district court to--
                    (A) enjoin a violation of section 207; or
                    (B) collect a civil penalty upon a finding of 
                noncompliance with this Act.
            (2) Venue.--A civil action may be brought under paragraph 
        (1) in the judicial district in which the violation occurred or 
        the defendant is found, resides, or does business.
            (3) Process.--Process in a civil action under paragraph (1) 
        may be served in any judicial district in which the defendant 
        resides or is found.
    (f) Rule of Construction.--Nothing in this section shall be 
construed to require a developer of a critical-impact artificial 
intelligence system to disclose any information, including data or 
algorithms--
            (1) relating to a trade secret or other protected 
        intellectual property right;
            (2) that is confidential business information; or
            (3) that is privileged.

SEC. 209. ARTIFICIAL INTELLIGENCE CONSUMER EDUCATION.

    (a) Establishment.--Not later than 180 days after the date of 
enactment of this Act, the Secretary shall establish a working group 
relating to responsible education efforts for artificial intelligence 
systems.
    (b) Membership.--
            (1) In general.--The Secretary shall appoint to serve as 
        members of the working group established under this section not 
        more than 15 individuals with expertise relating to artificial 
        intelligence systems, including--
                    (A) representatives of--
                            (i) institutions of higher education;
                            (ii) companies developing or operating 
                        artificial intelligence systems;
                            (iii) consumers or consumer advocacy 
                        groups;
                            (iv) public health organizations;
                            (v) marketing professionals;
                            (vi) entities with national experience 
                        relating to consumer education, including 
                        technology education;
                            (vii) public safety organizations;
                            (viii) rural workforce development 
                        advocates;
                            (ix) enabling technology companies; and
                            (x) nonprofit technology industry trade 
                        associations; and
                    (B) any other members the Secretary considers to be 
                appropriate.
            (2) Compensation.--A member of the working group 
        established under this section shall serve without 
        compensation.
    (c) Duties.--
            (1) In general.--The working group established under this 
        section shall--
                    (A) identify recommended education and programs 
                that may be voluntarily employed by industry to 
                inform--
                            (i) consumers and other stakeholders with 
                        respect to artificial intelligence systems as 
                        those systems--
                                    (I) become available; or
                                    (II) are soon to be made widely 
                                available for public use or 
                                consumption; and
                    (B) submit to Congress, and make available to the 
                public, a report containing the findings and 
                recommendations under subparagraph (A).
            (2) Factors for consideration.--The working group 
        established under this section shall take into consideration 
        topics relating to--
                    (A) the intent, capabilities, and limitations of 
                artificial intelligence systems;
                    (B) use cases of artificial intelligence 
                applications that improve lives of the people of the 
                United States, such as improving government efficiency, 
                filling critical roles, and reducing mundane work 
                tasks;
                    (C) artificial intelligence research breakthroughs;
                    (D) engagement and interaction methods, including 
                how to adequately inform consumers of interaction with 
                an artificial intelligence system;
                    (E) human-machine interfaces;
                    (F) emergency fallback scenarios;
                    (G) operational boundary responsibilities;
                    (H) potential mechanisms that could change function 
                behavior in service; and
                    (I) consistent nomenclature and taxonomy for safety 
                features and systems.
            (3) Consultation.--The Secretary shall consult with the 
        Chair of the Federal Trade Commission with respect to the 
        recommendations of the working group established under this 
        section, as appropriate.
    (d) Termination.--The working group established under this section 
shall terminate on the date that is 2 years after the date of enactment 
of this Act.