Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

The Great American AI Act: What It Means — and Doesn’t Mean — for Companies Using AI

By Garen S. Marshall, Justin Givens, David Hirsch & Jake Pryor on June 10, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

On June 4, 2026, Representatives Jay Obernolte and Lori Trahan released a discussion draft of the Great American Artificial Intelligence Act (GAAIA). The proposal has generated significant attention, but many organizations may be overestimating its practical significance for their day-to-day operations. The bill is directed primarily at developers of “frontier” AI models, so for most companies using AI models in their daily operations, these requirements will not apply. Nonetheless, the bill has sparked conversation—it incorporates multiple bipartisan bills on AI, its drafters wrote an op-ed calling on the U.S. to create a national framework covering AI, and the U.S. House Democratic Commission on AI and the Innovation Economy released a statement that the draft “does not meet the enormity of the moment.”

Key Takeaways

  • The bill is primarily aimed at the biggest AI developers with more than $500 million in revenue that are building cutting-edge AI models rather than most typical businesses developing in-house AI or deploying commercial AI models.
  • The proposed preemption provision would leave many state-law obligations governing AI deployment intact, including employment, privacy, consumer protection, healthcare, financial services, and common-law claims.
  • The draft would increase fraud-related penalties and reflects a broader enforcement trend toward applying existing fraud and misconduct frameworks to AI-enabled conduct.
  • If this bill passes, many of the legal risks businesses face when using AI will remain unchanged.

How the GAAIA Fits Into the Federal AI Landscape

As noted, the draft is a federal AI bill, but not a general AI-use law. It would formalize the Center for AI Standards and Innovation (CAISI) within the Department of Commerce and assign it a central role in AI evaluation, standards development, incident reporting, independent verification, and federal coordination. CAISI would develop voluntary guidelines and best practices for AI security, interpretability, evaluation, synthetic content detection, cyber incident response, and certain national security safeguards, among others. Existing executive orders, agency guidance, and NIST risk-management materials remain unaffected by the proposed framework, although the bill would require NIST to establish a pilot program to create a template and technical guidelines for documenting AI models and associated data.

Since the draft’s mandatory obligations apply primarily to large frontier developers that train highly capable foundation models and generate more than $500 million in annual revenue, the draft bill’s provisions would likely affect only a relatively small number of leading AI developers. However, because the proposals could change during the legislative process and apply to smaller developers, companies should monitor developments.  

State-Law Preemption Is Important but Limited

The draft provides that no state or political subdivision may establish, continue in effect, or enforce any law or regulation specifically regulating the development of any AI model. As a reminder, in November 2025, a bipartisan coalition of 36 state attorneys general sent a letter to Congress opposing a proposed federal ban on state laws regulating AI. But the draft bill would not preempt state laws or regulations of general applicability, abridge or alter state common-law remedies, or preempt state laws applicable to activities occurring upon or after deployment, including laws governing implementation, deployment, distribution, offering, or use of AI systems, products, or services. Companies should not assume the draft would eliminate state-law complexity, particularly for product liability, breach of contract, employment, privacy, consumer protection, and common-law claims.

AI Fraud and White-Collar Exposure

Even outside of the frontier-developer context, deployers, executives, and employees could face increased legal and enforcement risk where AI is used to carry out mail fraud, wire fraud, bank fraud, money laundering, or impersonation of federal officials.

Several provisions of the draft bill would significantly increase the financial consequences of AI-assisted financial crimes and, in some respects, would increase penalties even where AI is not involved. Most notably, the draft would double the existing maximum fine for mail and wire fraud affecting a financial institution, regardless of whether AI was used. It would also add AI-specific penalty provisions for mail fraud, wire fraud, bank fraud, and money laundering, which would reinforce that Congress views AI-enabled fraud as a looming risk and distinct enforcement priority. These provisions reflect a legislative judgment that AI magnifies fraud, impersonation, and social-engineering risks in ways that warrant specific statutory treatment.

The enhanced penalties would give prosecutors an additional tool in cases involving AI-generated deepfakes, synthetic identity fraud, and automated social-engineering schemes—categories of conduct that the Department of Justice has already identified as enforcement priorities under existing wire fraud and identity theft statutes. More broadly, prosecutors, regulators, and plaintiffs are likely to continue using existing fraud, securities, consumer protection, and negligence theories to scrutinize AI-related statements and conduct. For white-collar purposes, AI has already created a new trove of potential evidence for prosecutors, including prompts, model outputs, vendor materials, internal testing records, and employee communications.

For many organizations, these enforcement provisions may prove more significant than the bill’s model-governance requirements. They reflect a broader legislative and enforcement trend: AI may change how misconduct occurs, but regulators and prosecutors continue to rely heavily on existing fraud, disclosure, and misconduct frameworks to address it.

Workforce, Cybersecurity, and Other Provisions

One area that could affect many companies using AI is the proposed amendment to the WARN Act to require additional disclosures when AI is a substantial factor in a qualifying mass layoff, including disclosures about the use and impact of AI. The cybersecurity provisions would reauthorize the Cybersecurity Act of 2015 through 2035 and authorize the Cybersecurity and Infrastructure Security Agency (CISA), in consultation with CAISI, to award grants to eligible maintainers of designated critical open-source software to enhance that software’s cybersecurity. Developers of covered frontier models would also have to provide controlled access to eligible maintainers of designated critical open-source software for cybersecurity purposes, subject to reasonable controls.

What the Draft Would Not Resolve for Most Companies

While the draft bill addresses risks associated with developing advanced AI models, most organizations face very different risks associated with deploying AI tools in regulated business functions. Those risks arise under existing legal frameworks and generally would remain in place regardless of whether the GAAIA is enacted.

Organizations should not assume that the involvement of an AI tool changes who bears responsibility for a business decision. In most enforcement, litigation, and regulatory contexts, the focus is likely to remain on the conduct, controls, oversight, and representations of the deploying organization. A lender, healthcare provider, government contractor, or public company that relies on an AI tool will still be evaluated principally by the decisions the organization makes, the controls it maintains, and the representations it provides to regulators, investors, customers, and other stakeholders. 

In many enforcement and litigation contexts, responsibility will depend less on how AI is built and more on how AI is used, whether the organization has adopted appropriate AI governance controls, and whether the organization has prohibited the AI vendor from inappropriately using the organization’s data. 

Practical Steps for Companies Using AI

Outside of the frontier-developer space, most companies should focus on building an AI governance structure by adopting applicable policies, mapping AI use across regulated functions and areas of legal exposure, testing external AI-related statements for support, and tightening vendor contracts to address audit rights, data use, incident notice, and risk allocation. That mapping exercise is a board-level concern and should drive three near-term priorities:

  • Audit external AI-related statements. This includes auditing marketing materials, investor disclosures, regulatory filings, and vendor contracts for accuracy and supportability. The enhanced fraud penalties in the draft, and the enforcement trend they reflect, make unsupported AI claims a material liability.
  • Tighten vendor agreements. Third-party AI tools do not transfer responsibility for business decisions, and contracts should reflect that, with appropriate audit rights, incident notification requirements, and risk allocation provisions.
  • Invest in governance. Organizations that treat the discussion draft as a reason to delay or pause AI governance investment are likely to find themselves unprepared for enforcement and litigation.

Conclusion

The GAAIA would create meaningful new obligations for certain frontier AI developers and could reshape the debate over federal versus state AI regulation. For most organizations, however, the more important point is what the bill does not do. It does not create a comprehensive federal framework governing everyday AI use, and it does not displace many of the enforcement, regulatory, and litigation risks associated with AI deployment.

Companies should therefore view the discussion draft as a planning signal rather than a reason to pause or modify governance efforts. AI risks should still be taken seriously and appropriately addressed. Additional fraud penalties, including new AI-related penalties, and new WARN Act obligations make it even more important for companies deploying AI to adopt appropriate AI safeguards and governance structures. The organizations best positioned for whatever regulatory framework ultimately emerges will be those that already understand where AI is being used, what risks it creates, and who is accountable for managing those risks.

For questions about this proposed legislation and its implications for companies developing or deploying AI, contact the authors or members of the firm’s Artificial Intelligence team.

Tags: AI
Photo of Garen S. Marshall Garen S. Marshall

Garen Marshall is a partner in McGuireWoods’ Government Investigations and White Collar Litigation Department and leads the firm’s Artificial Intelligence Practice Area. A former Assistant United States Attorney in the Eastern District of New York and Navy special operations veteran, he represents corporations…

Garen Marshall is a partner in McGuireWoods’ Government Investigations and White Collar Litigation Department and leads the firm’s Artificial Intelligence Practice Area. A former Assistant United States Attorney in the Eastern District of New York and Navy special operations veteran, he represents corporations, executives, and boards in government and internal investigations, regulatory enforcement matters, and complex civil litigation, with a practice that extends to AI governance, AI-related enforcement and litigation risk, and corporate compliance issues involving artificial intelligence.

Read more about Garen S. MarshallEmail
Show more Show less
Photo of Justin Givens Justin Givens

Justin Givens, a former federal prosecutor, is a member of the firm’s Government Investigations and White Collar Litigation Department. Justin is a skilled trial attorney with over a decade of experience leading sensitive, high-profile internal investigations. He represents corporations, financial institutions, and executives…

Justin Givens, a former federal prosecutor, is a member of the firm’s Government Investigations and White Collar Litigation Department. Justin is a skilled trial attorney with over a decade of experience leading sensitive, high-profile internal investigations. He represents corporations, financial institutions, and executives facing legal and reputational risk in criminal, regulatory, and civil proceedings.

Read more about Justin GivensEmail
Show more Show less
Photo of David Hirsch David Hirsch

Dave is a highly respected member of the securities enforcement and regulatory counseling practice group at McGuireWoods, where he plays a key role shaping the strategic direction of the firm’s securities enforcement initiatives. Before joining McGuireWoods, Dave was Chief of the Crypto Assets…

Dave is a highly respected member of the securities enforcement and regulatory counseling practice group at McGuireWoods, where he plays a key role shaping the strategic direction of the firm’s securities enforcement initiatives. Before joining McGuireWoods, Dave was Chief of the Crypto Assets and Cyber Unit in the SEC Division of Enforcement, and prior to that served as enforcement counsel to SEC Commissioner Crenshaw. He is a recognized expert and frequent speaker with a robust practice that spans a wide array of complex regulatory and enforcement matters, particularly those involving crypto and cyber.

Read more about David HirschEmail
Show more Show less
Photo of Jake Pryor Jake Pryor

Jake is an award-winning former federal prosecutor who represents companies and individuals in government investigations, white collar defense, complex litigation, and regulatory matters. He pairs first-chair trial experience with appellate advocacy in the U.S. Court of Appeals for the Fourth Circuit. He led…

Jake is an award-winning former federal prosecutor who represents companies and individuals in government investigations, white collar defense, complex litigation, and regulatory matters. He pairs first-chair trial experience with appellate advocacy in the U.S. Court of Appeals for the Fourth Circuit. He led high-profile investigations and trials as an Assistant U.S. Attorney in the Middle District of North Carolina, including financial crime, cybercrime, and transnational organized crime matters with more than $20 million at stake.

Read more about Jake PryorEmail
Show more Show less
  • Posted in:
    Corporate Governance and Compliance, Technology and AI
  • Blog:
    Subject to Inquiry
  • Organization:
    McGuireWoods LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
  • About LexBlog
  • The Field We Built
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo