WHAT THIS BILL REGULATES · 6 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
As used in this chapter, unless the context otherwise requires: "Automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural persons. "Automated decision system" does not include spam email filters, firewalls, antivirus software, identity and access management tools, calculators, databases, datasets, or other compilations of data.§ -1" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural personsPerson"Person" means a natural person.§ -1. "Automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural persons. "Automated decision system" does not include spam email filters, firewalls, antivirus software, identity and access management tools, calculators, databases, datasets, or other compilations of data.§ -1" does not include spam email filters, firewalls, antivirus software, identity and access management tools, calculators, databases, datasets, or other compilations of data. "Electronic communicationElectronic communication"Electronic communication" has the same meaning as defined in section 378-71.§ -1" has the same meaning as defined in section 378-71. "Generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content. "High-risk automated decision systemHigh-risk automated decision system"High-risk automated decision system" or "high-risk use" means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.§ -1" or "high-risk use" means an automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural persons. "Automated decision system" does not include spam email filters, firewalls, antivirus software, identity and access management tools, calculators, databases, datasets, or other compilations of data.§ -1 that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice. "PersonPerson"Person" means a natural person.§ -1" means a natural personPerson"Person" means a natural person.§ -1.
This section establishes the key defined terms for the new AI chapter. Generative artificial intelligence is defined broadly as AI models that generate derived synthetic content. Automated decision system covers machine-learning-derived outputs used to assist or replace human discretionary decision making that materially impacts natural persons, with carve-outs for routine IT tools. High-risk automated decision system narrows the scope to decisions with legal or similarly significant effects in domains including housing, education, employment, credit, health care, and criminal justice.
1 No later than twenty days prior to the regular session of 2025, and as often thereafter as is necessary to address new technology, risks, or benefits, the office of enterprise technology services shall submit to the legislature a report on the potential risks and benefits of using generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 for state purposes, including: (1) An examination of the most significant, and potentially beneficial, uses for the deployment of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 tools by the State; (2) An explanation of the potential risks to individuals, communities, and government workers, of the uses described in paragraph (1), with a focus on high-risk uses, including the use of artificial intelligence to make consequential decisions affecting access to goods and services; (3) An explanation of the specific risks posed by bad actors if a governmental system is breached, including the potential impacts on democratic processes, legal proceedings, public health, public safety, and the state economy; and (4) Any updates or changes in the risks, benefits, or potential uses of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 for the State, based on emerging technology; provided that the office of enterprise technology services may consult with academic and industry experts and other state departments or agencies for the purposes of preparing the report.
This section requires the Office of Enterprise Technology Services to submit a recurring report to the legislature assessing the potential risks and benefits of generative AI for state purposes. The initial report is due no later than twenty days before the 2025 regular session, with updates as needed for new technology. The report must cover beneficial use cases, risks to individuals and communities (especially high-risk uses), cybersecurity and breach risks, and emerging technology developments. ETS may consult with academic and industry experts.
(a) 2 No later than twenty days prior to the regular session of 2025, and as often thereafter as is necessary to address new technology, risks, or vulnerabilities, the chief information officer; chief data officer; and cybersecurity, economic, education, and infrastructure security coordinator shall perform a joint risk analysis and submit to the legislature a report on the risks that the State's uses, or potential uses, of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 pose to critical infrastructure in the State, including risks that could lead to mass casualty events or environmental emergencies.
(b) The office of enterprise technology services may consult with academic and industry experts and other state departments or agencies for the purposes of preparing the report.
This section requires a joint risk analysis by the Chief Information Officer, the Chief Data Officer, and the cybersecurity, economic, education, and infrastructure security coordinator, submitted to the legislature no later than twenty days before the 2025 regular session. The report must assess risks that the State's uses of generative AI pose to critical infrastructure, including risks of mass casualty events or environmental emergencies. Updates are required as needed for new technology, risks, or vulnerabilities.
(a) 3 The office of enterprise technology services, in coordination with the state procurement office, shall develop, maintain, and periodically update guidelines for the public sector procurement of artificial intelligence technology, including allowable uses of the technology and required trainings for the use of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1.
(b) 3 The guidelines required by this section shall build on guidance from the White House publication entitled "Blueprint for an Al Bill of Rights," and the National Institute of Standards and Technology's Al Risk Management Framework, and shall address topics including safety, algorithmic discrimination, data privacy, high-risk uses, and the provision of notice when materials are generated by generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1.
(c) 3 In developing the guidelines required by this section, the office of enterprise technology services shall consult with organizations that represent state government employees and with industry experts, including trust and safety experts, academic researchers, and research institutions.
This section requires ETS, in coordination with the state procurement office, to develop, maintain, and periodically update guidelines for state procurement of AI technology. The guidelines must build on the White House Blueprint for an AI Bill of Rights and the NIST AI Risk Management Framework, and must address safety, algorithmic discrimination, data privacy, high-risk uses, and notice when materials are generated by generative AI. ETS must consult with employee organizations, trust and safety experts, academic researchers, and research institutions.
(a) 4 The office of enterprise technology services, in coordination with the department of human services, shall develop, maintain, and periodically update guidelines for state agencies, departments, and branches of the government to use in assessing the impact that adopting a generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 tool may have on vulnerable communities, including criteria to evaluate equitable outcomes when considering a high‑risk use.
(b) 4 The guidelines required by this section shall inform whether and how a state agency, department, or branch of the government deploys a particular generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 tool.
(c) 4 In developing the guidelines required by this section, the office of enterprise technology services shall consult with organizations that represent state government employees and industry experts, including trust and safety experts, academic researchers, and research institutions.
This section requires ETS, in coordination with the Department of Human Services, to develop, maintain, and periodically update guidelines for state agencies to assess the impact that adopting a generative AI tool may have on vulnerable communities. The guidelines must include criteria for evaluating equitable outcomes for high-risk uses and must inform whether and how a state entity deploys a particular generative AI tool.
(a) 5 To assist the office of enterprise technology services in preparing and periodically updating the guidelines, risk assessments, and reports required by this chapter, each state agency, department, and branch of the government shall prepare, maintain, and make accessible to the office of enterprise technology services an inventory of all current high-risk uses of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 within the agency, department, or branch.
(b) 6 Each state agency, department, and branch of the government shall appoint senior-level personnel to maintain and update the inventory required by subsection (a).
This section requires each state agency, department, and branch of government to prepare, maintain, and make accessible to ETS an inventory of all current high-risk uses of generative AI. Each entity must also appoint senior-level personnel to maintain and update the inventory. This provides ETS with the information necessary to carry out the risk assessments, guidelines, and reports required elsewhere in the chapter.
(a) Any state agency, department, or branch of the government may propose to the legislature pilot projects to test new uses of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1, including uses to: (1) Improve access to government services; and (2) Support state employees in performing the employees' job duties.
(b) 7 Risk and impact assessments shall be carried out pursuant to sections -2, -3, and -5 prior to the establishment of any generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 pilot project.
This section authorizes state agencies to propose pilot projects testing new uses of generative AI, including improving access to government services and supporting state employees. Critically, subsection (b) requires that risk and impact assessments under §§ -2, -3, and -5 be carried out before any pilot project is established, creating a pre-deployment assessment gate.
(a) 8 The office of enterprise technology services, in coordination with the department of human resources development, shall consult with each state agency, department, and branch of the government, and with organizations that represent state employees, to establish criteria for evaluating the impact of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 on the state workforce.
(b) 8 Based on the consultations, the office of enterprise technology services shall create guidelines to help each agency, department, and branch best support its employees in using generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 effectively and adapting to ongoing technological advancements.
(c) 8 The office of enterprise technology services shall make available training courses for state government workers on the ethical and effective use of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1, including training on: (1) Using artificial intelligence tools to achieve equitable outcomes; (2) Identifying and mitigating potential output inaccuracies from generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1, including fabricated texts and inaccuracies based on biases; (3) Protecting public privacy; and (4) Complying with all laws, administrative rules, and guidelines applicable to the use of artificial intelligence.
This section imposes three related duties on ETS. First, ETS must consult with state agencies and employee organizations to establish criteria for evaluating generative AI's impact on the state workforce. Second, based on those consultations, ETS must create guidelines to help agencies support employees in using generative AI effectively. Third, ETS must make available training courses for state workers covering equitable use of AI tools, identifying and mitigating output inaccuracies and biases, protecting public privacy, and complying with applicable laws and rules.
(1)–(2) 9 Any state agency, department, or branch of the government that uses generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 to communicate with a personPerson"Person" means a natural person.§ -1 via a form of electronic communicationElectronic communication"Electronic communication" has the same meaning as defined in section 378-71.§ -1 shall: (1) Clearly identify to the personPerson"Person" means a natural person.§ -1 that the personPerson"Person" means a natural person.§ -1's interaction with the agency, department, or branch is being communicated through artificial intelligence; and (2) Provide on the agency, department, or branch's official webpage clear instructions informing the public how to bypass artificial intelligence to communicate directly with a personPerson"Person" means a natural person.§ -1 from the agency, department, or branch.
This section requires any state agency, department, or branch using generative AI to communicate with a person via electronic communication to (1) clearly identify to the person that their interaction is being communicated through AI, and (2) provide clear instructions on their official webpage for how to bypass AI and communicate directly with a human. This is a dual obligation: AI identity disclosure and a human-access bypass mechanism.
(a)(1)–(2) 10 Any automated decision systemAutomated decision system"Automated decision system" means a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural persons. "Automated decision system" does not include spam email filters, firewalls, antivirus software, identity and access management tools, calculators, databases, datasets, or other compilations of data.§ -1 used by a state agency, department, or branch, prior to its adoption, shall: (1) Receive appropriate consultation, testing, risk identification, and risk mitigation consistent with this chapter; and (2) Be approved by the chief information officer.
(b) 11 Any high-risk automated decision systemHigh-risk automated decision system"High-risk automated decision system" or "high-risk use" means an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.§ -1 used by a state agency, department, or branch of the government shall receive ongoing monitoring and oversight by the office of enterprise technology services.
This section imposes two requirements for government use of automated decision systems. First, before adoption, any automated decision system must receive appropriate consultation, testing, risk identification, and risk mitigation consistent with the chapter, and must be approved by the Chief Information Officer. Second, any high-risk automated decision system must receive ongoing monitoring and oversight by ETS after deployment.
The department of accounting and general services may adopt rules pursuant to chapter 91 to carry out the purposes of this chapter.
This section authorizes the Department of Accounting and General Services to adopt administrative rules under chapter 91 (Hawaii's Administrative Procedure Act) to carry out the purposes of the new AI chapter. This is a standard rulemaking delegation and creates no standalone compliance obligation.
(3) (amended) 12 Develop and implement statewide technology standards, including standards and guidelines for the State's use of generative artificial technology pursuant to chapter ;
Section 3 of the bill amends existing HRS § 27-43(a) to add a new duty to the Chief Information Officer's mandate: developing and implementing statewide technology standards and guidelines for the State's use of generative AI pursuant to the new chapter. This integrates the new AI governance framework into the CIO's existing statutory responsibilities.
(7) (new) 13 Carrying out joint risk assessments of the State's uses of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 that potentially affect critical infrastructure, pursuant to section -3; and
Section 4 of the bill amends HRS § 128B-1(d) to add a new duty to the cybersecurity, economic, education, and infrastructure security coordinator: carrying out joint risk assessments of the State's uses of generative AI that potentially affect critical infrastructure, pursuant to § -3. This codifies the coordinator's role in the critical infrastructure AI risk assessment required by the new chapter.
The legislature finds that artificial intelligence has the potential to improve the quality, efficiency, and accessibility of government services. However, the legislature also recognizes that the use of artificial intelligence poses certain concerns. Any state uses of artificial intelligence must carefully guard against bioterrorism, cyberattacks, deception, disinformation, discrimination or biases, violations of privacy, and other risks. If the State adopts artificial intelligence technology for government purposes, an initial risk assessment and ongoing monitoring are needed to ensure the technology's efficient and ethical use. Accordingly, the purpose of this Act is to establish a plan for the use of generative artificial intelligenceGenerative artificial intelligence"Generative artificial intelligence" means the class of artificial intelligence models that emulate the structure and characteristics of input data to generate derived synthetic content, including images, videos, audio, text, and other digital content.§ -1 in state agencies, departments, and government branches.
Section 1 sets out the legislature's findings that AI has potential to improve government services but poses risks including bioterrorism, cyberattacks, deception, disinformation, discrimination, and privacy violations. It states the bill's purpose: establishing a plan for the use of generative AI in state agencies, departments, and government branches. This section creates no compliance obligations.
Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
Standard notation indicating that bracketed and stricken material is repealed and underscored material is new. No compliance obligation.
This Act shall take effect upon its approval.
The Act takes effect upon its approval. Since the bill does not appear to have been enacted, no effective date is operative.