Legislation
SECTION 1421
Transparency requirements
General Business (GBS) CHAPTER 20, ARTICLE 44-B
* § 1421. Transparency requirements. 1. A large frontier developer
shall write, implement, comply with, and clearly and conspicuously
publish on its internet website a frontier AI framework that applies to
the large frontier developer's frontier models and describes in detail
how the large frontier developer handles all of the following:
(a) incorporating national standards, international standards, and
industry consensus best practices into its frontier AI framework;
(b) defining and assessing thresholds used by the large frontier
developer to identify and assess whether a frontier model has
capabilities that could pose a catastrophic risk, which may include
multiple-tiered thresholds;
(c) applying mitigations to address the potential for catastrophic
risks based on the results of assessments undertaken pursuant to
paragraph (b) of this subdivision;
(d) reviewing assessments and adequacy of mitigations as part of the
decision to deploy a frontier model or use it extensively internally;
(e) using third parties to assess the potential for catastrophic risks
and the effectiveness of mitigations of catastrophic risks;
(f) revisiting and updating the frontier AI framework, including any
criteria that trigger updates and how the large frontier developer
determines when its frontier models are substantially modified enough to
require disclosures pursuant to subdivision three of this section;
(g) cybersecurity practices to secure unreleased model weights from
unauthorized modification or transfer by internal or external parties;
(h) identifying and responding to critical safety incidents;
(i) instituting internal governance practices to ensure implementation
of these processes; and
(j) assessing and managing catastrophic risk resulting from the
internal use of its frontier models, including risks resulting from a
frontier model circumventing oversight mechanisms.
2. (a) A large frontier developer shall review and, as appropriate,
update its frontier AI framework at least once per year.
(b) If a large frontier developer makes a material modification to its
frontier AI framework, the large frontier developer shall clearly and
conspicuously publish the modified frontier AI framework and a
justification for that modification within thirty days.
3. (a) Before, or concurrently with, deploying a new frontier model or
a substantially modified version of an existing frontier model, a
frontier developer shall clearly and conspicuously publish on its
internet website a transparency report containing all of the following:
(i) the internet website of the frontier developer;
(ii) a mechanism that enables a natural person to communicate with the
frontier developer;
(iii) the release date of the frontier model;
(iv) the languages supported by the frontier model;
(v) the modalities of output supported by the frontier model;
(vi) the intended uses of the frontier model; and
(vii) any generally applicable restrictions or conditions on uses of
the frontier model.
(b) Before, or concurrently with, deploying a new frontier model or a
substantially modified version of an existing frontier model, a large
frontier developer shall include in the transparency report required by
paragraph (a) of this subdivision, summaries of all of the following:
(i) assessments of catastrophic risks from the frontier model
conducted pursuant to the large frontier developer's frontier AI
framework;
(ii) the results of the assessments under subparagraph (i) of this
paragraph;
(iii) the extent to which third-party evaluators were involved; and
(iv) other steps taken to fulfill the requirements of the frontier AI
framework with respect to the frontier model.
(c) A frontier developer that publishes the information described in
paragraph (a) or (b) of this subdivision as part of a larger document,
including a system card or model card, shall be deemed in compliance
with the applicable paragraph.
4. (a) (i) A frontier developer shall not make a materially false or
misleading statement about catastrophic risk from its frontier models or
its management of catastrophic risk.
(ii) A large frontier developer shall not make a materially false or
misleading statement about its implementation of, or compliance with,
its frontier AI framework.
(b) This subdivision shall not apply to a statement that was made in
good faith and was reasonable under the circumstances.
5. (a) When a frontier developer publishes documents to comply with
this section, such frontier developer may make redactions to such
documents that are necessary to protect such frontier developer's trade
secrets, such frontier developer's cybersecurity, public safety, or the
national security of the United States or to comply with any federal or
state law.
(b) If a frontier developer redacts information in a document pursuant
to this subdivision, such frontier developer shall describe the
character and justification of such redaction in any published version
of such document to the extent permitted by the concerns that justify
redaction and shall retain the unredacted information for five years.
* NB Effective January 1, 2027
shall write, implement, comply with, and clearly and conspicuously
publish on its internet website a frontier AI framework that applies to
the large frontier developer's frontier models and describes in detail
how the large frontier developer handles all of the following:
(a) incorporating national standards, international standards, and
industry consensus best practices into its frontier AI framework;
(b) defining and assessing thresholds used by the large frontier
developer to identify and assess whether a frontier model has
capabilities that could pose a catastrophic risk, which may include
multiple-tiered thresholds;
(c) applying mitigations to address the potential for catastrophic
risks based on the results of assessments undertaken pursuant to
paragraph (b) of this subdivision;
(d) reviewing assessments and adequacy of mitigations as part of the
decision to deploy a frontier model or use it extensively internally;
(e) using third parties to assess the potential for catastrophic risks
and the effectiveness of mitigations of catastrophic risks;
(f) revisiting and updating the frontier AI framework, including any
criteria that trigger updates and how the large frontier developer
determines when its frontier models are substantially modified enough to
require disclosures pursuant to subdivision three of this section;
(g) cybersecurity practices to secure unreleased model weights from
unauthorized modification or transfer by internal or external parties;
(h) identifying and responding to critical safety incidents;
(i) instituting internal governance practices to ensure implementation
of these processes; and
(j) assessing and managing catastrophic risk resulting from the
internal use of its frontier models, including risks resulting from a
frontier model circumventing oversight mechanisms.
2. (a) A large frontier developer shall review and, as appropriate,
update its frontier AI framework at least once per year.
(b) If a large frontier developer makes a material modification to its
frontier AI framework, the large frontier developer shall clearly and
conspicuously publish the modified frontier AI framework and a
justification for that modification within thirty days.
3. (a) Before, or concurrently with, deploying a new frontier model or
a substantially modified version of an existing frontier model, a
frontier developer shall clearly and conspicuously publish on its
internet website a transparency report containing all of the following:
(i) the internet website of the frontier developer;
(ii) a mechanism that enables a natural person to communicate with the
frontier developer;
(iii) the release date of the frontier model;
(iv) the languages supported by the frontier model;
(v) the modalities of output supported by the frontier model;
(vi) the intended uses of the frontier model; and
(vii) any generally applicable restrictions or conditions on uses of
the frontier model.
(b) Before, or concurrently with, deploying a new frontier model or a
substantially modified version of an existing frontier model, a large
frontier developer shall include in the transparency report required by
paragraph (a) of this subdivision, summaries of all of the following:
(i) assessments of catastrophic risks from the frontier model
conducted pursuant to the large frontier developer's frontier AI
framework;
(ii) the results of the assessments under subparagraph (i) of this
paragraph;
(iii) the extent to which third-party evaluators were involved; and
(iv) other steps taken to fulfill the requirements of the frontier AI
framework with respect to the frontier model.
(c) A frontier developer that publishes the information described in
paragraph (a) or (b) of this subdivision as part of a larger document,
including a system card or model card, shall be deemed in compliance
with the applicable paragraph.
4. (a) (i) A frontier developer shall not make a materially false or
misleading statement about catastrophic risk from its frontier models or
its management of catastrophic risk.
(ii) A large frontier developer shall not make a materially false or
misleading statement about its implementation of, or compliance with,
its frontier AI framework.
(b) This subdivision shall not apply to a statement that was made in
good faith and was reasonable under the circumstances.
5. (a) When a frontier developer publishes documents to comply with
this section, such frontier developer may make redactions to such
documents that are necessary to protect such frontier developer's trade
secrets, such frontier developer's cybersecurity, public safety, or the
national security of the United States or to comply with any federal or
state law.
(b) If a frontier developer redacts information in a document pursuant
to this subdivision, such frontier developer shall describe the
character and justification of such redaction in any published version
of such document to the extent permitted by the concerns that justify
redaction and shall retain the unredacted information for five years.
* NB Effective January 1, 2027