HR-9333-119
Ordered to be Reported in the Nature of a Substitute by the Yeas and Nays: 35 - 0.
Sponsored by Deborah Ross (D-NC)
What it does
This bill would direct the Director of the National Institute of Standards and Technology (NIST), in consultation with the Cybersecurity and Infrastructure Security Agency (CISA), to create a voluntary program for reporting, collecting, and tracking flaws in artificial intelligence systems. NIST would convene stakeholders from industry, academia, nonprofits, and government to develop common definitions, technical standards, and best practices for identifying and disclosing AI flaws. The bill would also require NIST to build or designate infrastructure — including a national database — to store and track reported AI flaws, and to submit a report to Congress within three years.
Who benefits
Organizations that deploy AI systems and want a standardized framework for identifying and disclosing flaws. Consumers and the general public who interact with AI-powered products and services and may benefit from faster identification of safety or security problems. Researchers and academics who would gain access to a centralized database of AI flaws. Cybersecurity professionals who would have clearer standards for AI vulnerability disclosure. Small businesses and startups that lack resources to develop their own AI safety frameworks and could rely on NIST guidance. Standards development organizations that would participate in shaping the definitions and taxonomies.
Who is hurt
Large AI developers and technology companies that may face reputational risk if their products appear frequently in a public flaw database, even under a voluntary system. Companies that prefer self-regulated, proprietary approaches to AI safety may find that voluntary norms gradually harden into de facto compliance expectations. NIST itself would bear administrative and resource burdens from convening multi-stakeholder processes and maintaining new infrastructure. Taxpayers would bear the cost of building and maintaining the national database and program operations, though no specific appropriation is included in the bill text.
Supporters argue
Supporters argue that AI systems are increasingly embedded in high-stakes domains — including healthcare, finance, and critical infrastructure — yet no standardized mechanism exists to track and disclose when those systems fail or behave unsafely. They contend that NIST's existing credibility in cybersecurity standards (e.g., the NIST Cybersecurity Framework) makes it the appropriate body to lead this effort, and that a voluntary, multi-stakeholder model avoids heavy-handed mandates while still building the shared vocabulary and infrastructure the field currently lacks.
Opponents argue
Opponents argue that a voluntary reporting program without enforcement mechanisms or mandatory disclosure requirements is unlikely to capture the most consequential AI failures, since companies have strong incentives to avoid publicizing flaws in their products. They contend that NIST's resources are already stretched, that the bill provides no dedicated appropriation to fund the program, and that the three-year timeline before even a congressional report is due means meaningful oversight of rapidly evolving AI systems could be significantly delayed.