A bipartisan group of House lawmakers just dropped a 269-page bill that would fundamentally reshape how frontier AI models are developed, tested, and secured in the United States. The Great American Artificial Intelligence Act is ambitious, controversial, and already drawing fire from both sides of the aisle.
What the Bill Actually Does
The legislation targets large AI developers — companies pulling in more than $500 million annually — and forces them to publish detailed risk assessment frameworks for their frontier models. These firms would need to hire independent verification organizations (IVOs) licensed by NIST’s Center for AI Standards and Innovation (CAISI) to audit their compliance. Think of it as financial auditing, but for AI safety and security.
The bill would formally authorize CAISI with a $300 million budget over three years and let it hire top technical talent at above-standard government pay. It also directs CISA to award security grants to developers of critical open-source packages — a provision that could meaningfully improve the security of the open-source ecosystem that underpins most modern software.
Here’s the interesting part for security folks: the bill would require AI companies to give open-source developers access to advanced AI models that can find and fix vulnerabilities. That’s a direct response to the flood of AI-generated bug reports that have overwhelmed maintainers in recent years.
The Preemption Problem
The bill’s most contentious provision would preempt state AI laws, effectively creating a single federal standard. Civil society groups, AI safety advocates, and labor organizations have pushed back hard. The AFL-CIO called it harmful to workers. One advocacy group labeled it “a generational mistake” that would prevent states from addressing emerging AI harms.
On Capitol Hill, Democrats are split — some support federal uniformity, while others argue states need the flexibility to move faster than Washington. Republicans are similarly divided between those who want regulatory certainty and those who fear any regulation will stifle innovation.
Why Security People Should Care
Beyond the political drama, this bill has real implications for cybersecurity. The open-source security grants alone could be a game-changer. Critical infrastructure depends on open-source software that’s often maintained by volunteers with no security budget. Directing CISA to fund patching and security evaluations for these packages addresses a genuine gap.
The AI security testbeds — research centers where models would be stress-tested through public hackathons — could also produce valuable vulnerability data. And requiring GAO audits of AI model weight security would bring much-needed transparency to how well companies protect their most valuable assets.
What’s Next
This is a discussion draft, not law. The preemption language will likely be the battleground, and it could sink the bill entirely if neither side budges. But the security provisions — open-source funding, AI testbeds, independent audits — have bipartisan support and could survive even if the broader package fractures. Watch this space.
