What the Great American AI Act Means for Business
June 7, 2026
Executive Summary
The Great American Artificial Intelligence Act (GAAIA) of 2026 is a bipartisan discussion draft that could create a national framework for AI governance, cybersecurity, workforce planning, fraud deterrence, and frontier AI oversight.
What Is the Great American AI Act?
The Great American Artificial Intelligence Act (PDF) is a congressional discussion draft focused on frontier artificial intelligence governance. According to FedScoop, the draft would authorize $100 million per year for a Center for AI Standards and Innovation and would create new oversight expectations for advanced AI systems.
The proposal arrives shortly after the Trump administration issued a scaled-back AI executive order. CyberScoop reported the order keeps much of the federal review process voluntary rather than creating a broad mandatory approval system.
If you've been following state AI laws, Colorado AI laws, California AI laws, or the EU AI Act, this proposal shows federal lawmakers are also trying to define the rules of the road.
Why This Matters for Cybersecurity
Although much of the public discussion will focus on AI regulation, this bill has major cybersecurity implications. The proposal addresses model weight security, AI-enabled cyberattacks, open-source software security, data center security, and incident reporting.
That matters because AI systems are no longer just productivity tools. They can interact with sensitive data, write code, automate workflows, summarize confidential information, and influence business decisions. Without governance, AI adoption can quickly turn into Shadow AI.
Artificial Intelligence Readiness Evaluation (AIRE)
STACK Cybersecurity developed a custom evaluation tool for businesses of all sizes to gauge their AI readiness. Our comprehensive assessment offers you a custom score.
New Center for AI Standards and Innovation
One of the most important pieces of the draft is the proposed Center for AI Standards and Innovation, or CAISI. The center would support AI security standards, evaluations, synthetic content detection, international coordination, and independent verification programs.
For cybersecurity leaders, CAISI may sound familiar. It reflects the same general idea behind trusted frameworks and standards from organizations like the National Institute of Standards and Technology (NIST). Businesses already using structured cybersecurity frameworks may be better prepared for future AI governance expectations.
If you haven't yet documented how AI is approved, monitored, secured, and reviewed, now is the time to start. Our AI Security Checklist for Businesses is a good starting point.
Transparency Requirements for AI Developers
The bill would require large frontier AI developers to publish AI governance frameworks. These frameworks would need to address risk thresholds, catastrophic risk assessments, model weight cybersecurity, internal governance, incident response, and third-party review.
Most businesses will not qualify as frontier AI developers. However, the direction is clear. Regulators, insurers, customers, and business partners are likely to expect more documentation around AI use.
That includes answering questions such as:
- Who's allowed to approve new AI tools?
- What data can employees enter into AI systems?
- How are AI vendors reviewed?
- How are AI-generated outputs validated?
- What happens if an AI tool creates a security or compliance issue?
State AI Law Debate
One of the most controversial parts of the bill is its proposed three-year preemption of state laws that specifically regulate AI model development. Supporters argue this would prevent a confusing patchwork of state rules. Critics argue it could limit state-level consumer protections.
Importantly, the bill wouldn't eliminate every state AI law. The draft distinguishes between AI model development and AI deployment or use. Businesses should continue monitoring state AI laws because many state-level requirements may still apply to how companies use AI systems.
AI Fraud and Deepfake Risks
The proposed legislation also includes AI fraud deterrence provisions. These would increase penalties when artificial intelligence is used in certain financial crimes, wire fraud, mail fraud, money laundering, or impersonation of federal officials.
This aligns with a growing trend we're already seeing in the threat landscape. AI can make phishing, impersonation, business email compromise (BEC), and deepfake scams more convincing. Businesses should train employees to recognize these risks and update their incident response plans accordingly.
For more on this topic, review our guides on phishing and deepfake detection.
Don't Wait for Congress
This bill is still a discussion draft, not final law. But businesses shouldn't wait for Congress to act before building basic AI governance.
At a minimum, organizations should:
- Create an inventory of AI tools currently in use
- Define what data employees may and may not enter into AI platforms
- Review AI vendors for security, privacy, and compliance risks
- Train employees on safe AI usage
- Document AI approval and oversight processes
- Include AI-related scenarios in incident response planning
If your company uses Microsoft 365 Copilot or is considering it, review our Microsoft AI Decision Brief before deployment.
Need Help Implementing AI Solutions?
STACK Cybersecurity provides comprehensive AI readiness assessments, including licensing analysis, security implementation, and ongoing monitoring. Check out our AI Hub.
Email: info@stackcyber.com
Phone: (734) 744-5300
Frequently Asked Questions
What is the Great American Artificial Intelligence Act?
The Great American Artificial Intelligence Act, also known as GAAIA, is a bipartisan discussion draft that proposes a federal framework for AI governance, frontier AI oversight, cybersecurity, workforce development, and AI fraud deterrence.
Is the Great American AI Act currently law?
No. As of this writing, it is a discussion draft. The proposal may change as lawmakers debate, revise, or formally introduce legislation.
Does this bill apply to every business using AI?
Most of the strictest requirements focus on large frontier AI developers. However, the bill signals that AI governance, documentation, and security expectations are becoming more important for all organizations using AI.
What is frontier AI?
Frontier AI generally refers to highly advanced foundation models with capabilities that could create significant cybersecurity, public safety, or national security risks.
Would the bill override state AI laws?
The draft includes a temporary preemption of state laws specifically regulating AI model development. It doesn't appear to eliminate every state law related to AI deployment, use, privacy, or consumer protection.
What should businesses do now?
Businesses should begin documenting how AI tools are approved, secured, monitored, and used. They should also review vendor risks, train employees, and include AI-related events in incident response planning.
Federal AI Guardrails
The Great American AI Act shows that federal AI governance is becoming a serious policy priority. Whether or not this exact proposal becomes law, businesses should expect more scrutiny around how AI is selected, secured, documented, and monitored.
AI adoption can create real business value, but only when paired with security, governance, and accountability. Companies that prepare now will be in a stronger position as AI regulation continues to evolve.