Three days ago, Representatives Jay Obernolte and Lori Trahan dropped a 269-page discussion draft called the Great American Artificial Intelligence Act. Bipartisan. Big. And generating exactly the kind of reaction you'd expect when Big Tech gets most of what it wanted from Congress.
The Information Technology Industry Council — which represents companies like Apple, Google, Microsoft, and Meta — immediately backed it. The American Federation of Teachers, the Association of Flight Attendants, Public Citizen, and the Consumer Federation of America called it "a giveaway to the AI industry" and urged Congress to reject it.
That gap tells you something. Let's talk about what's actually in it and why your organization should care.
The Headline: States Can't Touch AI Development for 3 Years
The biggest provision in the bill is federal preemption. For three years after passage, states and local governments would be prohibited from enacting or enforcing laws that specifically regulate the development of AI models.
That's not nothing. States have been moving fast. New York, California, and Illinois had meaningful frontier AI legislation in the works. Colorado already passed its AI Act in 2024. Some of those laws would have imposed algorithmic transparency requirements, bias audits, and documentation standards on the labs training the biggest models. Under this bill, those requirements on the development side go on pause.
Now, the preemption has a meaningful limit: it does not cover laws about AI use and deployment. If your state bans algorithmic hiring discrimination, that stays. If your state requires disclosure when AI is used in housing decisions, that stays. What goes away is the ability of states to impose new requirements on how the underlying models are built and trained.
That sounds technical. Here's why it matters practically: state AGs have been the most aggressive enforcers of consumer rights in the AI space. They move faster than federal agencies. They can respond to emerging harms in months, not years. Preempting their authority — even narrowly — removes one of the few real deterrents AI vendors face at the development stage.
Brad Carson, president of Americans for Responsible Innovation, called the preemption provision "a generational mistake." His read: this turns the current floor of state AI protections into a federal ceiling, preventing states from addressing new harms as they emerge for three years.
What the Bill Actually Requires of Big AI Companies
To be fair, the bill isn't a blank check. It puts real requirements on what it calls "large frontier developers" — companies with more than $500 million in gross revenue from the prior year. That threshold is doing a lot of work here. It captures OpenAI, Google DeepMind, Microsoft, Meta, and a handful of others. It doesn't capture the mid-tier labs, open-source projects, or any startup that hasn't hit that revenue mark.
The requirements for those large frontier developers are substantive:
- They must publish a public AI framework explaining their safety standards, risk thresholds, and whether any model poses "catastrophic risk" (defined as foreseeable risk of death or injury to 50+ people, or more than $1 billion in property damage)
- They must submit to semi-annual audits by an Independent Verification Organization licensed through NIST's Center for AI Standards and Innovation
- They must report serious safety incidents — breaches of model weights, failures in safety controls — quickly to federal authorities
- They face penalties of up to $1 million per day for material violations or misrepresentations to auditors
That's real accountability. The problem consumer groups point out: it's accountability that only applies to the very top of the market. The vendors you're probably using — the mid-market tools, the SaaS wrappers, the third-party integrations — don't have to do any of this.
The One Provision That Actually Helps Small Orgs: Product Liability
Buried in the bill is something that could be genuinely useful. The draft enables the U.S. Attorney General, state attorneys general, and private plaintiffs to bring civil claims against AI system developers for:
- Defective design
- Failure to warn
- Breach of express warranty
- Unreasonably dangerous or defective products
This is a meaningful shift. Right now, suing an AI vendor for harm caused by a defective model is legally murky. Courts haven't settled whether AI systems are "products" under existing liability law. This bill would clarify that and create an explicit federal cause of action.
For a 20-person nonprofit that deploys an AI tool that produces discriminatory outputs or exposes client data due to a design flaw — that's a real pathway to recovery that doesn't exist clearly today. Document what happens when AI tools fail your organization. That documentation will matter if this bill passes.
The Canadian Angle
This bill is US federal legislation. It doesn't apply to Canadian organizations directly.
But if you're a Canadian NGO, public sector team, or small business, you're almost certainly using US-built AI tools. And the regulatory environment those vendors operate in shapes how much accountability they feel. A vendor that faces no state-level regulatory risk and only voluntary federal oversight is a vendor with less incentive to fix problems quickly.
It also landed on the same day as Canada's own "AI for All" strategy — the Carney government's national AI framework released June 4. That strategy is largely voluntary. Canada still has no binding federal AI legislation. AIDA died when Parliament was prorogued.
What that means: Canadian organizations are operating in a regulatory vacuum on both sides of the border. US tools with weakened state oversight. Canadian policy with no enforcement teeth. For organizations doing sensitive work — healthcare data, youth services, immigration support, government-funded programs — that's a meaningful risk profile that regulation alone isn't going to manage.
What to Actually Do Right Now
This is a discussion draft. It will change. It might die in committee. Congress has a poor track record of passing comprehensive AI legislation. Don't restructure your operations around it.
But do take three things seriously:
Stop relying on regulation to protect you. Whether this bill passes, gets watered down, or collapses entirely, the message is clear: regulatory protection for AI-related harms is not reliable, not fast, and not designed around your size of organization. The companies that are ahead of this are the ones that built internal AI governance before they needed it.
Know the difference between development and deployment law. The preemption in this bill is specifically about model development. Your state's employment discrimination law, housing rules, consumer protection frameworks for AI use — those are still in play. If you're using AI in any way that touches those domains, you still have state-level legal exposure. That's not a bad thing. It means accountability exists. Understand where.
Build a short paper trail on vendor failures. If the product liability provisions in this bill become law, the organizations that can recover damages are the ones that documented what went wrong, when, and how. Start now. Every time an AI tool produces a bad output, a security issue, or a workflow failure — log it. Three sentences in a shared doc is enough.
We spend a lot of time helping small teams get actual governance in place — not 40-page policies, but working practices that protect you without slowing you down. If your org is navigating AI tool selection right now and wondering where the legal and operational risks actually live, that's a conversation worth having.
The regulatory environment is moving. Don't let it move without you.