US lawmakers on Thursday introduced a bill that would require developers of advanced AI models to report major safety and security incidents to the Commerce Department, establishing a federal oversight framework for high-risk AI systems.The proposed AI Incident Reporting Act would mandate that developers of designated “covered models” disclose incidents within seven days of knowing, or reasonably believing, that one has occurred. For incidents posing an imminent or ongoing risk of serious harm, the Commerce Department would have to notify congressional leadership and the chairs of relevant House and Senate committees within 48 hours after receiving the report.The bill directs the Secretary of Commerce to establish capability thresholds to determine which AI models and developers are subject to the reporting requirements.“AI is a powerful engine of innovation, and I want to see it flourish, but not without accountability and not without human oversight,” Moran said in a statement announcing the legislation. “The rule of law should apply to this new frontier. This legislation ensures that when something goes wrong with a high-capability AI system, the US Government has the information needed to act quickly.”Broad range of reportable incidentsThe proposal identifies a broad set of incidents that would require disclosure to the Commerce Department.According to the bill, developers would have to report attempts by covered AI models to evade human oversight, deceive operators, circumvent safeguards, resist shutdown, or obtain unauthorized access to systems or privileges.The reporting requirement would also apply to theft or attempted theft of model weights, capabilities that could materially enable offensive cyber operations against important software or critical infrastructure, autonomous development of more capable AI systems, and capabilities that could accelerate the development or use of chemical, biological, radiological, nuclear, or explosive weapons.The legislation also directs the Commerce Department to develop the capability thresholds in consultation with AI developers, academic researchers, cybersecurity experts, national security officials, and other stakeholders before issuing implementation guidance.Sanchit Vir Gogia, chief analyst at Greyhound Research, said the proposal would make reporting serious AI incidents a legal obligation rather than a voluntary practice for developers of frontier AI models.“The serious frontier developers already run the evaluations, the red-teaming and the escalation drills,” Gogia said. “What they have never faced at the federal level is a legal obligation to tell the government, on the clock, when a model behaves dangerously.”Reporting timelines and enforcementThe bill requires covered developers to submit an initial report within seven days of discovering a reportable incident and supplemental reports as additional information becomes available. The legislation also authorizes the Commerce Department to investigate compliance, issue subpoenas, require corrective action, and impose civil penalties of up to $2 million for violations. Each day of a continuing violation would constitute a separate violation, the bill states.Gogia said implementation could hinge on how regulators define reporting triggers.“Capability thresholds are the visible difficulty, and not the deepest one. Thresholds decide which models enter the regime. Discovery decides whether the regime ever sees the fire,” he said.Drawing a comparison with cybersecurity regulations, he said reporting requirements should clearly define when an incident becomes reportable.“Cyber reporting has already taught the lesson. A vague trigger produces either silence or noise: firms stay quiet until they are certain, or they file everything and bury the signal,” Gogia said.Filling a gap, a recent dispute exposedThe bill follows a US government action that exposed the absence of any such process. On June 12, the Commerce Department took action against the latest models from Anthropic, a US AI developer, on national security grounds, prompting the company to disable global access to those models.“Export control was the sledgehammer. This proposal is the search for a scalpel,” Gogia noted. The measure is a narrower alternative to the Great American Artificial Intelligence Act, a broader discussion draft released earlier in June that also routes critical safety incidents to Commerce.The Commerce Department’s Center for AI Standards and Innovation has separately signed agreements to evaluate leading models before deployment.Compliance burden falls on enterprisesGogia said the legal duty falls on the developer, but the operational cost reaches the customers. “Regulation may name the lab, but the bill for poor visibility is settled downstream,” he said.He said the hardest question is not which models qualify but when a reporting clock starts. “Thresholds decide which models enter the regime. Discovery decides whether the regime ever sees the fire,” he said, adding that a model can pass laboratory tests yet behave differently once connected to live tools and enterprise data.The bill exempts submitted reports from public disclosure requirements and states that submitting a report would not waive trade secret protections or attorney-client privilege.“The instinct behind this bill is sound, but the balance cannot be scored from a press release,” Gogia said. “The wording will decide everything.”