Federal AI Regulation May Start With Incident Reports

Reuters reported that Representative Nathaniel Moran of Texas introduced the AI Incident Reporting Act, a bill that would require AI companies to report significant safety incidents, security breaches, and dangerous model behavior to the U.S. Commerce Department within seven days of discovery. In cases involving serious threats, Commerce would then be required to notify Congress within 48 hours. The bill targets a specific and bounded category of AI risk: the moment when a system behaves in ways that could produce public danger, national security concerns, or loss of human control. Covered incidents include models circumventing safeguards, evading human oversight, unauthorized access to sensitive model weights, or outputs that could facilitate chemical, biological, or nuclear harms.

The narrowness is the point. Sweeping federal AI regulation has stalled because lawmakers disagree across too many dimensions simultaneously — innovation incentives, competitive positioning, civil liberties concerns, state versus federal authority, and the definitional question of what AI even is for regulatory purposes. Incident reporting sidesteps most of those disagreements by focusing on a category everyone agrees is serious: AI systems doing things that put people at risk. In other industries, that kind of mandatory disclosure is standard. Aviation, healthcare, cybersecurity, and finance all require some form of incident reporting when failures could harm the public. AI does not yet have a comparable structure.

Reporting is not prevention. A company that discloses an AI failure after it occurs has told the government something went wrong — it has not necessarily provided the public with protection before the next failure. That is the limit of what this bill proposes, and it is worth naming clearly rather than treating disclosure as a substitute for governance. What incident reporting can do is create a documented record of what AI systems are actually doing at the edge of their behavior, which is currently almost entirely invisible to regulators and the public alike.

The bill represents a realistic first step in a political environment where realistic first steps are the ceiling of what is possible. Whether AI systems should be treated as infrastructure with ongoing public obligations rather than as products with post-market disclosure requirements remains unanswered by this proposal, and probably by any proposal that can currently pass.