The Californian Senate has passed the bill SB (for “Senate Bill”) 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Systems Act. In the preceding discussion, the requirements had been softened to a certain extent at the instigation of the industry.
SB 1047 amends existing California laws, the Business and Professions Code and the Government Code. In essence, developers of a covered AI model must take certain measures even before training, including the following:
- take cybersecurity measures against access, misuse or unsafe changes;
- provide for an immediately effective switch-off option;
- have, document, implement, store and annually review a security protocol.
Before use, developers must take further measures:
- assess whether the model can cause “critical harms”, i.e. is capable of doing any of the following:
  - produce or use a chemical, biological, radiological or nuclear weapon;
  - cause damage of at least USD 500M through cyberattacks on critical infrastructure (one tenth of what the CrowdStrike incident is said to have caused) or through (semi-)autonomous behavior that has certain qualified consequences and corresponds to a criminal offense that requires intent or gross negligence;
  - cause other threats to public safety of comparable severity;
- keep traceable information about the training and tests;
- take risk mitigation measures against critical harms;
- ensure the traceability of the model so that its actions and any damage can be attributed.
In addition, an annual compliance statement must be filed with the Attorney General.
Furthermore, there is an obligation to report safety incidents, price discrimination exploiting the market power of the providers of powerful models is banned, and there is a certain protection for whistleblowers.
These requirements relate to particularly powerful or otherwise generally applicable models, analogous to the threshold of the GPAI model with systemic risks in the AI Act (Art. 51 para. 2), subject to models that are based on an existing model (“derivative model”).
Requirements also apply to infrastructure operators such as data centers if their customers purchase computing power sufficient to train such a model; these operators have certain KYC obligations and must be able to shut down the infrastructure for a customer in an emergency.
The fate of SB 1047 depends on Governor Gavin Newsom, who can sign or veto the bill.