A bipartisan group of U.S. House lawmakers just dropped one of the most ambitious proposals to regulate AI development: the Great American Artificial Intelligence Act, a 269-page draft that would reshape how frontier models are built, tested, and secured. But buried inside the political fireworks are some genuinely consequential cybersecurity provisions — and a heated fight over state preemption that could gut local AI protections.
The Core Requirements
The bill targets large frontier AI developers — companies pulling more than $500 million annually. These firms would be required to publish risk assessment frameworks and compliance reports, then submit to audits by independent verification organizations (IVOs). These IVOs would get broad access to company materials and report their findings to NIST’s Center for AI Standards and Innovation (CAISI), which the bill formally authorizes.
That CAISI authorization matters. It comes with a $300 million budget over fiscal years 2027–2029, and permission to hire technical talent above standard government pay scales. If you’ve ever wondered why government AI work struggles to compete with private-sector salaries, this is Congress trying to fix that problem.
Where Security Wonks Should Pay Attention
The bill’s most intriguing provisions live at the intersection of AI and open-source security. It directs CISA to award grants to U.S.-based developers of critical open-source packages for patching, security evaluations, and maintenance. This addresses a real and growing crisis: open-source maintainers running foundational infrastructure on fumes while the world depends on their code.
Here’s the kicker — AI firms would be required to provide open-source developers with access to advanced AI models capable of finding and fixing vulnerabilities. Imagine giving every critical open-source project a sophisticated AI security reviewer. In theory, this could dramatically shrink the window between vulnerability discovery and patching across the entire software supply chain.
The bill also tasks NIST and the Energy Department with creating AI security testbeds: research partnerships between federal labs and private-sector firms to evaluate AI model capabilities and weaknesses, including public hackathons. The Government Accountability Office would audit protections around AI model weights and the broader open-source security posture.
The Controversy
The bill has drawn immediate and sharp criticism, largely over language that would preempt state AI laws. Civil society groups, AI safety advocates, and labor unions have called it dangerous. The AFL-CIO issued a statement opposing the draft. One advocacy group labeled preemption “a generational mistake” that strips states of the ability to address emerging AI harms.
On Capitol Hill, reaction split roughly along expected lines — Democrats wary of blocking state protections, Republicans arguing that a patchwork of state regulations would smother innovation. That tension will define whether this bill moves forward, and in what shape.
What’s Next
This is a discussion draft, not law. It faces a long road through committees, and the preemption fight alone could stall it for months or force significant revisions. But the security provisions — CAISI funding, open-source grants, mandated AI-assisted vulnerability review — are the kind of structural investments the cybersecurity community has wanted for years. Watch whether those specifics survive the political battle over state preemption, because they could be enacted even if the broader regulatory framework gets watered down.
