AI Flaw Reporting and Security Enhancement Act
H.R. 9333119th Congress

AI Flaw Reporting and Security Enhancement Act

Introduced in the HouseRep. Deborah Ross (D-NC-2)38 sections · 3 min read
Version: Introduced in House · Jun 18, 2026

Section 1. Short title

This Act may be cited as the AI Flaw Reporting and Security Enhancement Act.

(a) In general

The Director of the National Institute of Standards and Technology (NIST), in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, shall carry out a program to support the voluntary reporting, collection, and tracking of artificial intelligence flaws (in this section referred to as the program).

(b) Activities

In carrying out the program, the Director of the NIST shall seek to convene appropriate representatives of industry, academia, nonprofit organizations, standards development organizations, civil society groups, and appropriate Federal departments and agencies to carry out the following:

(1) Establish common definitions and characterizations for relevant aspects relating to artificial intelligence flaws, including consideration of the following:

(A) Definitions of the following terms, as such terms relate to artificial intelligence:

(i) Vulnerabilities.

(ii) Failure modes.

(iii) Accidents.

(iv) Failures.

(v) Hazards.

(vi) Catastrophes.

(vii) Misuse.

(viii) Incidents.

(ix) Adverse events.

(B) Taxonomies to classify such artificial intelligence flaws based on relevant characteristics, impacts, or other appropriate criteria to enable the management and prioritization of such flaws, including the following:

(i) Artificial intelligence security-related flaws.

(ii) Artificial intelligence safety-related flaws.

(2) Support the development of technical standards and guidance related to artificial intelligence flaws and processes for managing such flaws.

(3) Support the development of methods, which may include measures of severity or risk associated with artificial intelligence flaws, to enable prioritization of remediation activities of such flaws.

(4) Support the development of technical approaches which accelerate detection and monitoring of artificial intelligence flaws.

(5) Identify and provide guidelines, best practices, methodologies, procedures, and processes for reporting, collecting, and tracking artificial intelligence flaws across different sectors and use cases.

(6) Support the development of standardized reporting and documentation mechanisms, including automated mechanisms, that would help provide information, including public information, regarding artificial intelligence flaws.

(7) Support the development of norms for appropriate disclosure and reporting of artificial intelligence flaws, including when it is appropriate to publicly disclose such flaws.

(1) In general

In carrying out the program, the Director of NIST shall, in consultation with representatives of industry, academia, nonprofit organizations, standards development organizations, civil society groups, appropriate public sector entities, and appropriate Federal departments and agencies, develop, or enter into cooperative agreements with one or more eligible entity designated by the Director to develop, infrastructure for the voluntary reporting, collection, and tracking of artificial intelligence flaws. Such infrastructure shall include a national database of artificial intelligence flaws or the modification of an existing national database to account for such flaws, as determined appropriate by the Director. Such database may be maintained by NIST or one or more eligible entities designated by the Director

(2) Considerations

In carrying out this subsection, the Director shall consider the following:

(A) Technical standards and best practices regarding machine-readability.

(B) Interoperability of the infrastructure described in paragraph (1) with relevant existing standards, best practices, and systems.

(C) Future updates to the infrastructure described in paragraph (1) that may include additional types of information and taxonomies relevant to new stakeholders and coordination mechanisms.

(D) Relevant policies, procedures, and norms regarding dissemination of reported artificial intelligence flaws and public disclosures.

(d) Report

Not later than three years after the date of the enactment of this Act, the Director of NIST shall submit to Congress a report on the implementation of this section. Such report shall include the following:

(1) Findings from the multi-stakeholder activities under subsections (b) and (c).

(2) A description of the infrastructure developed pursuant to subsection (c), including a description of the national database referred to in such subsection.

(3) An assessment of and recommendations for establishing reporting and collection mechanisms by which industry, academia, nonprofit organizations, standards development organizations, civil society groups, and appropriate public sector entities may voluntarily share standardized information regarding artificial intelligence flaws.

(e) Definitions

In this section:

(1) Artificial intelligence

The term artificial intelligence has the meaning given such term in section 5002 of the National Artificial Intelligence Initiative Act of 2020 (15 U.S.C. 9401).

(2) Artificial intelligence flaw

The term artificial intelligence flaw means a set of conditions or behaviors that allow the violation of an explicit or implicit policy related to the safety, security, or other undesirable effects from use of an artificial intelligence system, including artificial intelligence vulnerabilities and artificial intelligence incidents, and which is not dependent on the presence of malicious intent or related harm.

(3) Artificial intelligence system

The term artificial intelligence system has the meaning given such term in section 7223 of the Advancing American AI Act (40 U.S.C. 11301 note; as enacted as part of title LXXII of division G of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023; Public Law 117–263).

(4) Eligible entity

The term eligible entity means an institution of higher education (as such term is defined in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001)), a research institution (as such term is defined in section 9 of the Small Business Act (15 U.S.C. 638(e)(8)), or consortia thereof.

to ask questions about this bill.