A bipartisan group of House lawmakers introduced the Great American Artificial Intelligence Act on Thursday — a sweeping 269-page bill that would reshape how frontier AI models are developed, audited, and secured in the United States. It’s one of Congress’s most ambitious attempts at AI regulation to date, and it’s already drawing fire from multiple directions.
What the Bill Actually Does
The core of the bill targets large frontier AI developers — companies pulling in more than $500 million annually. These firms would be required to publish risk assessment frameworks and submit to audits by independent verification organizations (IVOs). Think of it like financial audits, but for AI safety. The IVOs would get broad access to company materials and report their findings to NIST’s Center for AI Standards and Innovation (CAISI), which the bill formally authorizes and funds at $300 million over fiscal years 2027-2029.
The bill also takes aim at one of the most overlooked risks in AI: open-source security. It directs CISA to award grants to U.S.-based developers of critical open-source packages for patching, security evaluations, and maintenance. Here’s the interesting twist — AI firms would be required to give those open-source developers access to advanced AI models that can find and fix vulnerabilities. That’s a big deal for an ecosystem that’s been drowning in AI-generated bug reports of questionable quality.
The Political Battle Lines
The bill was co-introduced by Reps. Jay Obernolte (R-Calif.) and Lori Trahan (D-Mass.), along with a bipartisan coalition. But unity ends at the preemption clause. The bill would override state AI laws, and that’s where the fireworks start. Civil society groups, AI safety advocates, and labor organizations have all pushed back hard. One advocacy group called it ‘a generational mistake’ to prevent states from addressing emerging AI harms. Democrats on Capitol Hill criticized the preemption language, while Republicans argued that a patchwork of state regulations could strangle innovation.
Two major tech trade groups — the Information Technology Industry Council and BSA — praised the bill, specifically for including a reauthorization of the Cybersecurity Information Sharing Act (CISA). That program, which lets companies and government agencies share threat intelligence without liability concerns, was temporarily renewed through September but needs a permanent home. The bill’s authors argue that AI-powered threats make that sharing more critical than ever.
What It Means for Cybersecurity
Beyond the headline AI regulation, this bill has serious cybersecurity provisions. It would require NIST and the Energy Department to create AI security testbeds — research centers that evaluate AI model capabilities and weaknesses, including through public hackathons. The Government Accountability Office would audit security measures protecting AI model weights and the overall health of the open-source ecosystem.
The open-source security grants could be the most immediately impactful piece. The open-source supply chain has been a weak link for years — think Log4j, think the xz Utils backdoor. Giving maintainers resources and AI-powered tools to find vulnerabilities before attackers do is the kind of practical investment that actually moves the needle.
What Happens Next
This is a discussion draft, not law. It’ll go through committee, face amendments, and likely get watered down before anything reaches a vote. The preemption fight alone could stall it for months. But the signal is clear: Congress is done waiting on AI regulation. Whether this specific bill passes or not, the framework it establishes — independent audits, open-source security investment, agency coordination — will shape every AI policy conversation going forward. The question isn’t whether the U.S. will regulate AI. It’s who gets to write the rules.
