Directs the National Institute of Standards and Technology to update the National Vulnerability Database for AI vulnerabilities and assess voluntary reporting of significant AI security and safety incidents. Requires multi-stakeholder collaboration to evaluate and develop definitions, standards, guidelines, and reporting mechanisms for incident tracking.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding legislative instrument (Congressional bill) that directs federal agencies to take specific actions with mandatory language and establishes legal obligations.
The document has good coverage of approximately 5-6 subdomains, with strong focus on AI system security vulnerabilities (2.2), governance structures (6.5), competitive dynamics (6.4), and AI safety failures (7.1, 7.3). Coverage is concentrated in security, governance, and system safety domains.
This is an external regulation that applies broadly across all sectors where AI systems are deployed. The multi-stakeholder process explicitly includes representatives from different sectors and use cases, and the voluntary incident reporting framework is designed to track incidents 'across different sectors.' No specific sectors are prioritized or excluded.
The document primarily addresses the 'Deploy' and 'Operate and Monitor' lifecycle stages through its focus on vulnerability databases, incident reporting, and tracking mechanisms. It also covers 'Build and Use Model' through vulnerability management processes and 'Verify and Validate' through safety and security incident assessment.
The document explicitly mentions AI systems and AI security vulnerabilities. It does not specifically reference AI models, frontier AI, general purpose AI, foundation models, generative AI, predictive AI, open-weight models, or compute thresholds. The focus is on AI systems broadly defined.
United States Congress
The document is a Congressional bill enacted by the Senate and House of Representatives, so it was proposed by the legislative branch of the U.S. government.
National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA)
NIST is designated as the primary implementing agency with authority to update the National Vulnerability Database and convene stakeholder processes, in consultation with CISA. However, the Act explicitly limits enforcement authority.
United States Congress, National Institute of Standards and Technology (NIST)
Congress serves as the monitoring body through mandatory reporting requirements, while NIST monitors the multi-stakeholder process and voluntary incident reporting mechanisms being developed.
National Institute of Standards and Technology (NIST), industry stakeholders, standards development organizations, academia, nonprofit organizations, civil society groups, Sector Risk Management Agencies, Federal departments and agencies
The Act directs NIST to coordinate with industry stakeholders and convene multi-stakeholder processes involving AI developers, deployers, and various governance actors to develop voluntary reporting mechanisms.
7 subdomains (3 Good, 4 Minimal)