On December 19, New York Governor Kathy Hochul (D) signed the Responsible AI Safety & Education (“RAISE”) Act into law, making New York the second state in the nation to codify public safety disclosure and reporting requirements for developers of frontier AI models.  Prior to signing, Governor Hochul secured several commitments from the legislature to adopt updates (known as “chapter amendments”) to the RAISE Act to align its text with California’s Transparency in Frontier AI Act (“TFAIA”), significantly modifying the version passed by the legislature in June.  In a press release, Governor Hochul stated that the RAISE Act “builds on California’s recently adopted framework, creating a unified benchmark among the country’s leading tech states as the federal government lags behind.”

Frontier Developers.  Effective January 1, 2027, the RAISE Act adopts a regulatory framework aligned with that of the TFAIA, which imposes separate and overlapping requirements for (1) “frontier developers,” i.e., persons who have trained, or initiated the training of, a foundation model using a quantity of computing power greater than 1026 FLOPS (a “frontier model”), and (2) “large frontier developers,” i.e. frontier developers with annual gross revenues over $500 million.  Unlike TFAIA, however, the RAISE Act only applies to frontier models “developed, deployed, or operating in whole or in part” in New York, and exempts New York colleges and universities that “engag[e] in academic research regarding artificial intelligence models.” 

The RAISE Act does not expressly contemplate future modifications to these definitions.  By contrast, TFAIA will require California’s Department of Technology to provide “recommendations” to the California Legislature on “whether and how to update” its definitions of “frontier model,” “frontier developer,” and “large frontier developer.”

Frontier AI Frameworks.  The RAISE Act requires large frontier developers to write, implement, and publish “documented technical and organizational protocols to manage, assess, and mitigate catastrophic risks” (“frontier AI frameworks”).  Like TFAIA, the RAISE Act defines “catastrophic risk” as a foreseeable and material risk that a frontier developer’s development, storage, use, or deployment of a frontier model will materially contribute to death or serious injury to more than 50 people or more than $1 billion in property damage by: (1) providing expert-level assistance in creating or releasing a chemical, biological, radiological, or nuclear weapon, (2) engaging in unsupervised conduct that is a cyberattack, or that would constitute murder, assault, extortion, or theft if committed by a human, or (3) evading the control of its developer or user.  The RAISE Act requires developers’ frontier AI frameworks to address topics identical to those required by TFAIA, including how the developer incorporates national and international standards; applies thresholds for identifying and assessing whether a frontier model poses a catastrophic risk; reviews assessments and mitigations when deciding to deploy a frontier model or “use it extensively internally”; and institutes internal governance practices to ensure the implementation of the framework, among other topics. 

Although it appears substantively similar to TFAIA, the RAISE Act’s frontier AI framework requirement may be more expansive.  While TFAIA requires frontier AI frameworks to describe a developer’s “approach” to the topics above, the RAISE Act requires large frontier developers to describe how they “handle” these topics “in detail.”

Transparency Reports.  Like TFAIA, the RAISE Act requires frontier developers to publish “transparency reports” on their websites, or as part of larger documents such as system or model cards, before or when deploying new or substantially modified frontier models.  Frontier developers must disclose various categories of information about the frontier model’s uses and limitations in their transparency reports, and large frontier developers must include additional information about catastrophic risk assessments.

Critical Safety Incident Reporting.  Like TFAIA, the RAISE Act requires frontier developers to report “critical safety incidents,” i.e., death or bodily injury caused by unauthorized modification or exfiltration of model weights or loss of control, harm from the “materialization of a catastrophic risk,” or “materially increased catastrophic risk” from a frontier model’s use of “deceptive techniques” to subvert its controls.  However, the RAISE Act requires frontier developers to report critical safety incidents within 72 hours after either (1) determining that a critical safety incident “has occurred” or (2) “learning facts sufficient to establish a reasonable belief” that an incident occurred.  TFAIA, on the other hand, only requires developers to report critical safety incidents within 15 days of “discovering the incident.”  Both laws require developers to report critical safety incidents within 24 hours to appropriate authorities if the incident “poses an imminent risk of death or serious physical injury.”  

Internal Use Catastrophic Risk Assessment Reporting.  Like TFAIA, the RAISE Act requires large frontier developers to report “a summary of any assessment of catastrophic risk” resulting from the large frontier developer’s “internal use” of its frontier models every three months or “pursuant to another reasonable schedule” specified by the developer. 

Disclosure Statement & Assessment Fee.  Unlike TFAIA, the RAISE Act prohibits large frontier developers from developing, deploying, or operating a frontier model in New York unless the large frontier developer files a “disclosure statement” with a new “office” established by the RAISE Act within the New York’s Department of Financial Services (“DFS Office”).  The disclosure statement must include:

  • The identity of the large frontier developer and all names under which it conducts business;
  • The addresses of the large frontier developer’s principal place of business and offices in New York;
  • If the large frontier developer is a private company, a list of all “persons or entities that beneficially own a five percent or greater interest” in the large frontier developer, along with all persons who formerly owned such interest in the preceding five years;
  • If the large frontier developer is a publicly traded company, all persons or entities that beneficially own a 50 percent or greater interest in the large frontier developer; and
  • The large frontier developer’s primary, secondary, and tertiary points of contact for purposes of receiving RAISE Act inquiries.  

Large frontier developers must renew their disclosure statements once every two years, or if the “ownership of the frontier model is transferred” or there is a “material change to the information reported” in a prior disclosure statement.  In addition to the statement, large frontier developers must be “assessed in pro rata shares” by DFS “to defray the operating expenses” of RAISE Act implementation. 

DFS Office Implementation and Rulemaking.  In a significant departure from prior versions of the bill, the DFS Office created by the RAISE Act will be “tasked with implementation” of the law.  Similar to the role of California’s Office of Emergency Services under TFAIA, the RAISE Act’s DFS Office will be charged with receiving critical safety incident reports, summaries of assessments of catastrophic risk resulting from internal use, and biannual disclosure statements.  The DFS Office also will be required to “maintain and publish a list of large frontier developers who have filed disclosure statements.” 

The RAISE Act also grants the DFS Office broad rulemaking authority.  Specifically, the DFS Office is authorized to “adopt rules and regulations to implement” the RAISE Act’s provisions, including “additional reporting or publication requirements” such as “post-critical safety incident information, sharing plans and protocols, and the transmission of frontier AI frameworks to the office,” if such regulations will “facilitate safety and transparency consistent with the underlying purpose of” the RAISE Act.  TFAIA, by contrast, does not authorize any rulemaking powers to implement the law.

Enforcement and Safe Harbor.  A large frontier developer that violates the RAISE Act’s frontier AI framework and reporting requirements, or that “fails to comply with its own frontier AI framework,” faces civil penalties of up to $1 million for first violations and up to $3 million per subsequent violation, enforced by the New York Attorney General.  Additionally, a large frontier developer that fails to file a disclosure statement or pay the assessment fee, or that files a disclosure statement with false information, also faces civil penalties of $1,000 per day of non-compliance and an amount equal to any assessments owed, levied by the DFS Office after notice and hearing.  Like TFAIA, the RAISE Act does not expressly establish penalties for violations by frontier developers who are not large frontier developers. 

Both the RAISE Act and TFAIA establish safe harbors for frontier developers who comply with certain federal requirements, although the RAISE Act’s safe harbor only applies to its critical safety incident reporting requirement.  Specifically, frontier developers will be “deemed in compliance” if the developer complies with federal requirements or standards that the DFS Office designates as “substantially equivalent to, or stricter than,” the RAISE Act’s critical safety incident reporting requirement.  If a frontier developer declares their intent to comply with designated federal requirements, however, failure to comply with those requirements “shall constitute a violation” of the RAISE Act.  Additionally, such frontier developers must send “copies of any critical safety incident reports required by such federal standards” to the DFS Office “concurrently with sending them to federal authorities.”

The signing of the RAISE Act and Governor Hochul’s comments that the law creates a “unified benchmark” with California’s TFAIA for frontier AI model regulation “as the federal government lags behind,” comes just weeks after President Trump signed an Executive Order directing federal agencies to preempt or challenge state AI laws, including “onerous” state AI laws that “may compel AI developers or deployers to disclose or report information in a manner that would violate the First Amendment or any other provision of the Constitution.”  However, absent any comprehensive federal AI legislation or regulatory framework, it remains uncertain what impact, if any, the President’s order will have on implementing the RAISE Act, TFAIA, or other state AI rules.

Photo of Micaela McMurrough Micaela McMurrough
Read more about Micaela McMurrough
Matthew Shapanka

Matthew Shapanka draws on more than 15 years of experience – including on Capitol Hill, at Covington, and in state government – to advise and counsel clients across a range of industries on significant legislative, regulatory, and enforcement matters. He develops and executes…

Matthew Shapanka draws on more than 15 years of experience – including on Capitol Hill, at Covington, and in state government – to advise and counsel clients across a range of industries on significant legislative, regulatory, and enforcement matters. He develops and executes complex, multifaceted public policy initiatives for clients seeking actions by Congress, state legislatures, and federal and state government agencies, many with significant legal and political opportunities and risks.

Matt rejoined Covington after serving as Chief Counsel for the U.S. Senate Committee on Rules and Administration, where he advised Chairwoman Amy Klobuchar (D-MN) on all legal, policy, and oversight matters within the Committee’s jurisdiction, including federal election law and campaign finance, and oversight of the Federal Election Commission, legislative branch agencies, security and maintenance of the U.S. Capitol Complex, and Senate rules and regulations.

Most significantly, Matt led the Rules Committee staff work on the Electoral Count Reform and Presidential Transition Improvement Act – landmark bipartisan legislation to update the antiquated process of certifying and counting electoral votes in presidential elections that President Biden signed into law in 2022.

As Chief Counsel, Matt was a lead attorney on the joint bipartisan investigation (with the Homeland Security and Governmental Affairs Committee) into the security planning and response to the January 6, 2021 attack on the Capitol. In that role, he oversaw the collection review of documents, led interviews and depositions of key government officials, advised the Chairwoman and Committee members on two high-profile joint hearings, and drafted substantial portions of the Committees’ staff report on the attack. He also led oversight of the Capitol Police, Architect of the Capitol, Senate Sergeant at Arms, and executive branch agencies involved in implementing the Committees’ recommendations, including additional legislation and hearings.

Both in Congress and at the firm, Matt has prepared many corporate and nonprofit executives, academics, government officials, and presidential nominees for testimony at legislative, oversight, or nomination hearings before congressional committees, as well as witnesses appearing at congressional depositions and transcribed interviews. He is also an experienced legislative drafter who has composed dozens of bills introduced in Congress and state legislatures, including several that have been enacted into law across multiple policy areas.

In addition to his policy work, Matt advises and represents clients on the full range of political law compliance and enforcement matters involving federal election, campaign finance, lobbying, and government ethics laws, the Securities and Exchange Commission’s “Pay-to-Play” rule, as well as the election and political laws of states and municipalities across the country.

Before law school, Matt worked as a research analyst in the Massachusetts Recovery & Reinvestment Office, where he worked on all aspects of state-level policy, communications, and compliance for federal stimulus funding awarded to Massachusetts under the American Recovery & Reinvestment Act of 2009. He has also worked for federal, state, and local political candidates in Massachusetts and New Hampshire.

Read more about Matthew Shapanka
Show more Show less
August Gweon

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks…

August Gweon counsels national and multinational companies on data privacy, cybersecurity, antitrust, and technology policy issues, including issues related to artificial intelligence and other emerging technologies. August leverages his experiences in AI and technology policy to help clients understand complex technology developments, risks, and policy trends.

August regularly provides advice to clients for complying with federal, state, and global privacy and competition frameworks and AI regulations. He also assists clients in investigating compliance issues, preparing for federal and state privacy regulations like the California Privacy Rights Act, responding to government inquiries and investigations, and engaging in public policy discussions and rulemaking processes.

Read more about August Gweon
Show more Show less