US Lawmaker Introduces 'AI Incident Reporting Act' Mandating Seven-Day Disclosure of Dangerous Capabilities

For years, the developers of the world's most advanced artificial intelligence systems have operated under a patchwork of voluntary safety commitments and internal governance frameworks. When a frontier model exhibited unexpected or dangerous behavior, the decision of whether, when, and how to notify the government rested entirely with the company. That era of self-regulated disclosure may soon end. On June 25, U.S. Representative Nathaniel Moran of Texas introduced the AI Incident Reporting Act, a targeted piece of federal legislation designed to mandate rapid transparency for high-risk AI failures.[1][5][6]

The proposed legislation establishes a strict, legally enforceable timeline for AI developers, replacing the ad-hoc nature of current industry practices. Under the bill, companies building the most capable AI systems—designated by the government as "covered models"—would be required to notify the U.S. Department of Commerce within seven days of discovering a critical safety failure, security breach, or dangerous emergent capability. This mandate shifts the burden of transparency from corporate goodwill to federal law, ensuring that federal regulators are no longer the last to know when a frontier system exhibits unexpected or hazardous behavior.[2][3][6]

The legislation also builds in a rapid escalation mechanism for the most severe and immediate threats. If a reported incident poses an imminent or ongoing risk of serious harm to public safety or national security, the Commerce Department is legally obligated to notify congressional leadership and the chairs of relevant House and Senate committees within 48 hours of receiving the initial report. This dual-track reporting structure is designed to keep technical oversight within the Commerce Department while ensuring that lawmakers are immediately briefed on incidents that could require emergency legislative or executive action.[2][4][6]

Representative Moran described the legislation as a "catch-it-early and sound-the-alarm bill," framing it as a necessary early-warning system rather than a sweeping regulatory overhaul of the technology sector. The goal is to ensure that when a high-capability system goes off the rails, the federal government has the precise information necessary to act quickly. By mandating disclosures, the bill aims to prevent situations where regulators are forced to rely on delayed corporate press releases, media leaks, or third-party researchers to learn about critical vulnerabilities in widely deployed artificial intelligence infrastructure.[4][5]

The urgency behind the bill stems directly from a recent, highly disruptive intervention in the artificial intelligence industry that caught both lawmakers and enterprise consumers off guard. On June 12, the Commerce Department took unprecedented action against Anthropic, a leading U.S. AI developer, citing urgent national security concerns regarding its latest frontier models, Mythos 5 and Fable 5. The sudden government intervention highlighted the fragility of the current regulatory environment and demonstrated that existing voluntary frameworks were insufficient for managing acute national security risks associated with advanced machine learning systems.[4][5][7]

The government's export-control directive forced Anthropic to abruptly disable global access to those models for foreign nationals. Because the company lacked a real-time nationality-verification system robust enough to comply with the order, it temporarily shut down access for all users worldwide, disrupting enterprise workflows across the globe. The episode exposed a glaring gap in U.S. policy: there was no established, transparent framework governing how frontier AI incidents are identified, escalated, or communicated to lawmakers before they trigger blunt instruments like export controls.[4][7]

The AI Incident Reporting Act is explicitly designed to fill that regulatory void by defining exactly what constitutes a dangerous failure. To do so, the bill outlines a specific, broad set of behavioral triggers that mandate a report to the federal government. Developers must alert the Commerce Department if a covered model attempts to evade human oversight, deceive its human operators, circumvent its own built-in safety safeguards, or actively resist shutdown procedures—behaviors that indicate a loss of positive control over the system.[2][6]

The reporting mandate extends beyond behavioral anomalies to include severe cybersecurity breaches and infrastructure compromises. Companies must disclose any unauthorized access to, or theft of, model weights—the underlying mathematical parameters and neural network structures that dictate how an AI system functions. In the hands of malicious actors or rival nation-states, stolen weights from a frontier model could be repurposed and deployed without the original developer's safety guardrails, effectively democratizing access to highly dangerous capabilities.[2][6]

Furthermore, the legislation requires immediate reporting if a model demonstrates capabilities that could materially enable offensive cyber operations against critical infrastructure, such as power grids or financial networks. It also covers the discovery of capabilities that pose chemical, biological, radiological, nuclear, or explosive threats to public safety. This provision directly addresses growing concerns among intelligence agencies that next-generation AI could act as an accelerant for bioterrorism or lower the barrier to entry for developing weapons of mass destruction.[3][6]

To enforce these transparency rules, the bill authorizes the Commerce Department to aggressively investigate compliance, issue subpoenas for internal company records, and mandate specific corrective actions. Companies that fail to report qualifying incidents within the seven-day window could face severe financial consequences, including civil penalties of up to $2 million. Crucially, the legislation stipulates that each day of a continuing violation is treated as a separate offense, creating a massive financial liability for companies that attempt to conceal prolonged security breaches or ongoing model failures.[2]

The deliberate narrowness of Moran's proposal is a strategic legislative calculation designed to navigate a deeply divided Congress. Lawmakers have historically struggled to pass comprehensive technology regulation, and artificial intelligence is proving to be no different. Earlier in June, Representatives Lori Trahan and Jay Obernolte released a discussion draft of the Great American Artificial Intelligence Act, a sweeping, omnibus framework that also included incident reporting provisions alongside a host of other industry mandates.[3][4]

However, that broader bill faces steep political hurdles, particularly regarding controversial clauses that would preempt state-level AI laws for three years and freeze local regulatory efforts. By stripping the AI Incident Reporting Act down to a focused, standalone transparency mechanism, Moran aims to bypass the partisan gridlock over state preemption and innovation guardrails. He is betting that a surgical approach focused purely on national security and public safety can quickly attract bipartisan support where omnibus bills have stalled.[4][5]

For the enterprise artificial intelligence market, the shift from voluntary to mandatory reporting introduces complex new compliance realities. Industry analysts note that while the legal duty to report falls squarely on the AI developers, the operational impacts will inevitably ripple down to the corporate customers who rely on these models for daily operations. Mandatory federal disclosures could force vendors to alter how they communicate risk, handle vulnerability patching, and manage service interruptions in their commercial contracts with enterprise clients.[2][7]

The ultimate impact of the legislation will depend heavily on implementation details that the bill leaves to the executive branch to finalize. The Secretary of Commerce is tasked with establishing the specific capability thresholds that determine which AI models qualify as "covered models" subject to the law. This rule-making process will require extensive consultation with AI developers, academic researchers, cybersecurity experts, and national security officials to ensure the thresholds capture genuine frontier risks without suffocating open-source innovation or smaller startups.[2][3][6]

Until those specific capability thresholds are defined, the exact scope of the law and the number of companies affected remains an open question. Yet the introduction of the bill signals a definitive shift in Washington's regulatory posture toward the technology sector. As artificial intelligence systems grow increasingly autonomous and capable of modifying their own behavior, lawmakers are making it unequivocally clear that the federal government will no longer accept being the last to know when a frontier model goes rogue.[4][6]