H.R. 9333: AI Flaw Reporting and Security Enhancement Act

This bill would direct the National Institute of Standards and Technology (NIST), working with the Cybersecurity and Infrastructure Security Agency, to create a voluntary system for reporting artificial intelligence flaws. The goal is to make it easier to collect, track, and respond to problems in AI systems.

What counts as an AI flaw

The bill uses a broad definition of “AI flaw.” It includes conditions or behaviors in an AI system that can violate safety or security policies or cause other undesirable effects. It covers things like vulnerabilities, incidents, failures, accidents, misuse, and adverse events, even if no one acted with malicious intent.

What NIST would have to do

NIST would be required to convene people from industry, academia, nonprofits, standards groups, civil society, and government to work on several tasks, including:

• Creating common definitions for different kinds of AI problems.
• Building taxonomies, or classification systems, to sort AI flaws by type and seriousness.
• Supporting technical standards and guidance for handling AI flaws.
• Developing ways to measure how severe or risky a flaw is, so serious issues can be addressed first.
• Supporting methods to detect and monitor AI flaws more quickly.
• Providing best practices and procedures for reporting, collecting, and tracking AI flaws across different sectors.
• Supporting standardized, possibly automated, reporting and documentation tools.
• Developing norms for when flaws should be disclosed, including when public disclosure is appropriate.

Database and tracking system

The bill would require NIST to develop infrastructure for voluntary reporting, collection, and tracking of AI flaws. That infrastructure would include a national database of AI flaws, or an update to an existing national database to include AI flaws. NIST could run the database itself or assign that work to eligible outside entities, such as universities or research institutions.

When building this system, NIST would need to consider machine-readable reporting, compatibility with existing systems, possible future expansion, and policies about sharing or publicly disclosing reported flaws.

Reporting to Congress

Within three years after the bill becomes law, NIST would have to report to Congress on how the program was implemented. That report would need to describe the work done, the infrastructure created, the national database, and recommendations for how different groups could voluntarily share standardized information about AI flaws.

What the bill would not do

The bill does not appear to create mandatory AI flaw reporting requirements, penalties, or direct enforcement rules. It focuses on voluntary reporting, coordination, standards, and information-sharing.

Relevant Companies

None found