
Anup Karanjkar

Posted on • Originally published at wowhow.cloud

The Great American AI Act: 269 Pages That Could Freeze Every State AI Law for 3 Years

Every state AI law passed in the last two years could be frozen for three years if the Great American AI Act clears Congress. The 269-page draft bill, unveiled by Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) in the first week of June 2026, establishes federal AI oversight and includes a preemption clause that explicitly supersedes state regulations enacted after January 1, 2024.

This is the most consequential AI legislation drafted in the US since the Biden executive order, and it has bipartisan support in a Congress that has struggled to agree on anything technology-related. The bill has real momentum. Here is what it actually contains and what it means for developers, AI startups, and enterprises building on foundation models.

The Preemption Clause: What Gets Frozen

Section 14 of the bill contains the provision getting the most attention. It establishes a three-year moratorium on state enforcement of AI-specific laws, regulations, and executive orders enacted after January 1, 2024. States retain authority over existing consumer protection, privacy, civil rights, and employment laws — the preemption covers only laws that specifically regulate AI systems.

What this freezes in practice:

  • California AB 2013 (AI transparency requirements for training data) — suspended pending federal standards

  • Colorado HB 24-1468 (consequential decision AI systems) — enforcement suspended

  • Illinois AI Video Interview Act amendments 2025 — suspended

  • Texas HB 4 (automated decision systems in public entities) — suspended

  • Any SB 1047 successor that California passes — would be immediately preempted

What it does NOT freeze: GDPR-equivalent state privacy laws (CCPA, VCDPA, CPA), existing employment discrimination law, financial services regulations under existing statutes, and HIPAA compliance requirements. The bill is precise about this — AI preemption does not create a general deregulatory space.

The three-year window is the federal government's self-imposed deadline to get federal AI regulations into place. If Congress fails to pass implementing regulations within 36 months of enactment, the preemption expires and states regain full authority. That is a forcing function, not a permanent arrangement.

Foundation Model Registration

Title II of the bill creates a Foundation Model Registry administered by NIST. Any organization that trains or fine-tunes a model meeting the compute threshold — defined as models trained using more than 10^25 floating-point operations — must register the model within 90 days of first commercial deployment.

Registration requirements:

  • Model architecture description (does not require open-sourcing weights)

  • Primary training data sources by category (not specific datasets)

  • Known capability limitations and failure modes documented by the developer

  • Contact information for safety and compliance inquiries

  • Intended use cases and explicitly prohibited use cases

The 10^25 FLOP threshold is significant. Current estimates put Claude Opus 4.8, GPT-4.1, Gemini 3.1 Pro, and DeepSeek V4 Pro all above this threshold. Models like Gemini 3.1 Flash, GPT-4.1 Mini, and most open-source models under 70 billion parameters fall below it and are exempt from registration.

For API providers, the registration requirement applies to the developer of the foundation model, not to businesses that build applications on top of registered models. Anthropic, OpenAI, Google DeepMind, Meta AI, and DeepSeek would register their models. A startup building a customer service chatbot on GPT-4.1 has no direct registration obligation under Title II.

Transparency Report Requirements

Registered foundation model developers must publish annual transparency reports covering five areas, per Title III of the bill:

Safety testing results. Standardized format aligned with NIST AI RMF 2.0. Red teaming summaries, benchmark scores on a defined federal evaluation suite, and documented known failure modes. Companies are not required to publish raw evaluation data — only aggregate summaries.

Incident reports. Any deployment incident where the model produced outputs causing "reasonably foreseeable significant harm" must be reported to NIST within 72 hours of discovery. The definition of significant harm includes financial loss exceeding $50,000, physical injury, or systematic discrimination against a protected class. Incidents are published in a public registry after a 30-day de-identification review.

Capability updates. Model updates that "materially change capabilities" require re-disclosure within 30 days. The bill defines material change as any update that changes benchmark performance by more than 10% on the federal evaluation suite.

Third-party access for research. Registered models must provide API access to researchers designated by NIST within 180 days of registration. Access is for red teaming and safety research, subject to a standardized research use agreement.

Compute disclosure. Training compute in FLOP-equivalent, hardware type, and geographic location of training runs. This is the provision that created the most controversy in draft reviews — it gives regulators visibility into which companies are approaching the next compute threshold even before a new model ships.

High-Risk AI System Requirements

Title IV creates a separate regulatory tier for "high-risk AI systems" — AI deployed in consequential decision contexts. The initial high-risk categories defined in the bill are:

  • Healthcare diagnosis or treatment recommendations

  • Criminal justice (sentencing, bail, probation decision support)

  • Employment screening (hiring, promotion, termination decisions)

  • Educational assessment (grading, admissions)

  • Credit scoring and lending decisions

  • Critical infrastructure control systems

High-risk AI systems deployed in these categories by organizations with more than $10M in annual revenue must:

  • Conduct and document a risk assessment before deployment

  • Maintain human oversight that can override AI decisions in real time

  • Provide individuals subject to high-risk AI decisions the right to request human review

  • Conduct annual audits by an approved third-party auditor

The $10M revenue threshold exempts most startups but captures mid-market companies. A Series A startup building a hiring tool is exempt. A $15M ARR company is not.

What Developers Building on Foundation Models Need to Know

The compliance burden for most developers is lower than the bill's length suggests. The registration and transparency requirements fall on foundation model developers, not application builders. The high-risk AI requirements apply only to specific deployment contexts. For a developer building a coding assistant, content generation tool, or productivity application, the direct compliance obligations are minimal.

The practical impacts for application developers:

No new consent requirements for general AI tools. Unless your application falls into the enumerated high-risk categories, the bill does not create new user consent or disclosure requirements beyond existing consumer protection law. CCPA and state privacy laws still apply.

API providers will add compliance metadata. Expect OpenAI, Anthropic, and Google to add model registration information to their API documentation within six months of enactment. This may include standardized model capability cards required under Title II disclosure standards.

Incident reporting flows upstream. If your application causes a significant harm incident through model outputs, you are likely obligated to report to the foundation model developer under API terms of service. The developer then decides whether to report to NIST. You may need to document incidents for potential disclosure even if you are not the registrant.

High-risk applications need a compliance track. If you are building in healthcare, employment screening, credit, or criminal justice, start mapping your workflow to the high-risk requirements now. The 180-day implementation timeline in the bill (if enacted this year) is tight for organizations that need to add human oversight infrastructure from scratch.

Timeline and Legislative Prospects

The bill was introduced in the House as a discussion draft, not a formally filed bill. The next steps are committee markup (likely the House Energy and Commerce Committee and the Senate Commerce Committee) followed by floor votes.

The bipartisan sponsorship is real but fragile. Obernolte and Trahan represent opposite ends of the AI regulatory spectrum — Obernolte has historically opposed heavy AI regulation; Trahan sponsored the Algorithmic Accountability Act in 2022. The bill represents genuine compromise, which means both sides of the AI policy debate have objections to specific provisions.

Current estimates from Hill staff familiar with the bill: committee markup in August 2026, potential floor vote before year-end if no major amendments derail it. A fully enacted law with implementing regulations is more likely an early-2027 outcome. The three-year preemption clock would not start until the bill is signed into law.

For developers, the practical implication: do not wait for enactment to start compliance planning for high-risk applications. The federal requirements in this bill largely track the EU AI Act's risk-tiering approach. If you have already done EU AI Act compliance work, the incremental effort for US compliance under this framework is manageable.

How the Bill Compares to the EU AI Act

The EU AI Act entered full enforcement on August 2, 2026. A direct comparison:

| Dimension | Great American AI Act (proposed) | EU AI Act (in force) |
| --- | --- | --- |
| Foundation model registration | Yes, NIST registry | Yes, EU AI Office |
| High-risk categories | 6 enumerated | 13 enumerated (broader) |
| State/member-state preemption | Yes, 3-year moratorium | Yes, full harmonization |
| Open-source model exemptions | Below 10^25 FLOP threshold | Limited (general-purpose model rules apply) |
| Penalties for non-compliance | Up to $15M or 2% of global revenue | Up to €30M or 6% of global revenue |
| Effective date | 2027 at earliest (if enacted) | August 2026 |

The US bill is lighter on penalties and has a narrower set of high-risk categories, reflecting the different legislative environment. It lacks the EU Act's prohibited uses list (social scoring, real-time remote biometric surveillance in public spaces), which was the most contentious part of the EU framework.

Browse the AI compliance and developer tools at WOWHOW to find frameworks and starter kits for building compliant AI applications. The privacy policy generator covers GDPR, CCPA, and DPDPA — relevant for the data governance aspects of any AI compliance program.

People Also Ask

Does the Great American AI Act ban AI-generated content without disclosure?

No. The current draft does not include a general AI content disclosure mandate. It requires transparency reports from foundation model developers and human oversight in high-risk deployment contexts, but does not impose watermarking or labeling requirements on AI-generated text, images, or code. The Federal Synthetic Content Transparency Act (a separate bill) addresses content labeling, and the two bills may be reconciled in committee.

Would California's AI laws actually be frozen by this bill?

Yes, if enacted as drafted. Section 14 preempts state AI-specific laws enacted after January 1, 2024. California has been the most active state AI legislature. SB 1047 (vetoed by Newsom in 2024), AB 2013 (signed), and any 2025/2026 AI safety bills would be suspended for three years. California's Attorney General has already signaled opposition to the preemption clause, and this is the most likely point of bipartisan breakdown in Senate markup.

Does the bill apply to open-source AI models?

Models below the 10^25 FLOP training compute threshold are exempt from foundation model registration. That covers most open-source models under 70B parameters. Larger open-source models like Meta's Llama 4 variants that exceed the threshold would be subject to registration if Meta commercially deploys them. The bill defines "commercial deployment" as making a model available to third parties for compensation — releasing weights under an open license without commercial terms could qualify for a separate open-source exemption detailed in Section 8.

When would AI startups need to be compliant if the bill passes?

The bill specifies 180-day implementation periods for most requirements after enactment. High-risk AI systems get 365 days for the annual audit requirement. Given the expected legislative timeline (floor vote late 2026 if optimistic), compliance deadlines for most provisions fall in mid-to-late 2027. Start compliance planning now for high-risk categories — the human oversight infrastructure requirement in particular takes significant lead time to build.
