(1) A large frontier developer or large chatbot provider shall write, implement, comply with, and clearly and conspicuously publish on its website a public safety and child protection plan that describes in detail: (a) For a large frontier developer, how the large frontier developer: (i) Defines and assesses thresholds used by the large frontier developer to identify and assess whether a frontier model has capabilities that could pose a catastrophic risk, which may include multiple-tiered thresholds; (ii) Applies mitigations to address the potential for catastrophic risks based on the results of the assessments undertaken pursuant to subdivision (1)(a)(i) of this section; (iii) Reviews assessments of catastrophic risk and adequacy of mitigations of catastrophic risk as part of the decision to deploy a frontier model or use it extensively internally; (iv) Uses third parties to assess the potential for catastrophic risks and the effectiveness of mitigations of catastrophic risks; (v) Implements cybersecurity practices to secure unreleased frontier model weights from unauthorized modification or transfer by internal or external parties; and (vi) Assesses and manages catastrophic risk resulting from the internal use of its frontier models, including risks resulting from a frontier model circumventing oversight mechanisms;

(b) For a large chatbot provider, how the large chatbot provider: (i) Assesses potential for child safety risks. (ii) Applies mitigations to address the potential for child safety risks based on the results of the assessments undertaken pursuant to subdivision (1)(b)(i) of this section; and (iii) Uses third parties to assess the potential for child safety risks and the effectiveness of mitigations of child safety risks;

(c) For both large frontier developers and large chatbot providers, how the large frontier developer or large chatbot provider: (i) Incorporates national standards, international standards, and industry-consensus best practices into its public safety and child protection plan; (ii) Revisits and updates the public safety and child protection plan, including any criteria that trigger updates and how such developer or provider determines when its foundation models or frontier models are substantially modified enough to require disclosures pursuant to subsection (3) or subsection (4) of this section; (iii) Identifies and responds to safety incidents; and (iv) Institutes internal governance practices to ensure implementation of its public safety and child protection plan.

(2) If a large frontier developer or large chatbot provider makes a material modification to its public safety and child protection plan, the large frontier developer or large chatbot provider shall clearly and conspicuously publish on such developer's or provider's website the modified public safety and child protection plan and a justification for such modification within thirty days after such material modification.

(3) Before, or concurrently with, integrating a new foundation model, or a version of an existing foundation model that has been substantially modified, into a covered chatbot operated by the large chatbot provider, a large chatbot provider shall conspicuously publish on its website summaries of all of the following: (i) Assessments of child safety risks conducted pursuant to the large chatbot provider's public safety and child protection plan; (ii) The results of such assessments; (iii) The extent to which third-party evaluators were involved in such assessments; and (iv) Other steps taken to fulfill the requirements of the public safety and child protection plan with respect to child safety risks.

(4)(a) Before, or concurrently with, deploying a new frontier model or a version of an existing frontier model that the large frontier developer has substantially modified, a large frontier developer shall conspicuously publish on its website summaries of all of the following: (i) Assessments of catastrophic risks from the frontier model conducted pursuant to the large frontier developer's public safety and child protection plan; (ii) The results of such assessments; (iii) The extent to which third-party evaluators were involved in such assessments; and (iv) Other steps taken to fulfill the requirements of the public safety and child protection plan with respect to catastrophic risks from the frontier model. (b) A large frontier developer that publishes the information described in subdivision (5)(a) of this section as part of a larger document, including a system card or model card, shall be deemed in compliance with this subsection.

(5)(a)(i) A large frontier developer or large chatbot provider shall not make a materially false or misleading statement or omission about covered risks from its activities or its management of covered risks. (ii) A large frontier developer or large chatbot provider shall not make a materially false or misleading statement or omission about its implementation of, or compliance with, its public safety and child protection plan. (b) Subdivision (5)(a) of this section does not apply to a statement that was made in good faith and was reasonable under the circumstances.

(6)(a) When a large frontier developer or large chatbot provider publishes documents to comply with this section, the large frontier developer or large chatbot provider may make redactions to those documents that are necessary to protect the large frontier developer's trade secrets, the large frontier developer's or large chatbot provider's cybersecurity, public safety, or the national security of the United States or to comply with any federal or state law. (b) If a large frontier developer or large chatbot provider redacts information in a document pursuant to subdivision (6)(a) of this section, the large frontier developer or large chatbot provider shall describe the character and justification of the redaction in any published version of the document to the extent permitted by the concerns that justify redaction and shall retain the unredacted information for five years.

(2) A frontier developer shall report any critical safety incident pertaining to one of its frontier models to the Attorney General within fifteen days after discovering the critical safety incident. (3) If a frontier developer discovers that a critical safety incident poses an imminent risk of death or serious physical injury, the frontier developer shall disclose that incident within twenty-four hours to an authority, including any law enforcement agency or public safety agency with jurisdiction, that is appropriate based on the nature of that incident and as required by law.

(4) A large chatbot provider shall report any child safety incident pertaining to one of its covered chatbots to the Attorney General within fifteen days after discovering the child safety incident.

(5) The Attorney General shall establish a mechanism to be used by a large frontier developer to confidentially submit summaries of any assessments of the potential for catastrophic risk resulting from internal use of its frontier models. (6) A large frontier developer shall transmit to the Attorney General a summary of any assessment of catastrophic risk resulting from internal use of its frontier models no less frequently than every three months.

(2) A frontier developer or large chatbot provider shall not take adverse action against or otherwise penalize an employee for disclosing information to the Attorney General, a federal authority, a person with authority over the employee, or another employee who has authority to investigate, discover, or correct the reported issue, if the employee has reasonable cause to believe that the information discloses either of the following: (a) The frontier developer's or large chatbot provider's activities pose a specific and substantial danger to the public health or safety or to the health or safety of a minor; or (b) The frontier developer or large chatbot provider has violated the Transparency in Artificial Intelligence Risk Management Act. (3) A frontier developer or large chatbot provider shall not require an employee or applicant to waive or limit any protection granted under this section as a condition of continued employment or of applying for or receiving an offer of employment. Any agreement to waive any right or protection under the act is against the public policy of this state and is void and unenforceable. (4) A frontier developer or large chatbot provider shall not retaliate, discriminate or take adverse action against an employee or applicant because the employee or applicant testifies, assists, or participates in an investigation, proceeding, or action concerning a violation of the Transparency in Artificial Intelligence Risk Management Act.

(5)(a) A large frontier developer shall provide a reasonable internal process through which an employee may anonymously disclose information to the large frontier developer if the employee believes in good faith that the information indicates that the large frontier developer's activities (i) pose a specific and substantial threat to the public health or safety or to the health or safety of a minor or (b) that the large frontier developer or large chatbot provider has violated the Transparency in Artificial Intelligence Risk Management Act. Such internal process shall include providing a monthly update to the person who made the disclosure regarding the status of the large frontier developer's investigation of the disclosure and the actions taken by the large frontier developer in response to the disclosure. Except as provided in subdivision (ii) of this subsection, the disclosures and responses of the process required by this subdivision shall be shared with officers and directors of the large frontier developer at least once each quarter. (b) If an employee has alleged wrongdoing by an officer or director of the large frontier developer in a disclosure or response, subdivision (a) of this subsection shall not apply with respect to that officer or director.

(1) The Attorney General shall establish a mechanism to be used by a frontier developer, a large chatbot provider, or a member of the public to report a safety incident that includes all of the following: (a) The date of the safety incident; (b) The reasons the incident qualifies as a safety incident; and (c) A short and plain statement describing the safety incident.

(1) On or before January 1, 2027, and annually thereafter, the Attorney General shall assess recent evidence and developments relevant to the purposes of the Transparency in Artificial Intelligence Risk Management Act and may adopt and promulgate rules and regulations to update definitions for any of the following terms for the purposes of the act to ensure that such definitions accurately reflect technological developments, scientific literature, and widely accepted national and international standards: (a) Frontier model, so that such definition applies to foundation models at the frontier of artificial intelligence development; (b) Frontier developer, so that such definition applies to developers of frontier models who are themselves at the frontier of artificial intelligence development; (c) Large frontier developer so that such definition applies to well-resourced frontier developers; and (d) Large chatbot provider so that such definition applies to well-resourced companies developing covered chatbots that may pose child safety risks. (2) In adopting and promulgating rules and regulations pursuant to this section, the Attorney General shall take into account all of the following: (a) Similar thresholds used in international standards or federal law, guidance, or regulations for the management of catastrophic risks or child safety risks. The Attorney General shall align any updated definition with a definition adopted in a federal law or regulation to the extent that it is consistent with the purposes of the Transparency in Artificial Intelligence Risk Management Act; (b) Input from stakeholders, such as academic and technology industry professionals, the open-source community, and governmental entities; (c) The extent to which a person will be able to determine, before beginning to train or deploy a foundation model, whether that person will be subject to the definition as a frontier developer or as a large frontier developer with an aim toward allowing earlier determinations if possible; (d) The complexity of determining whether a person or foundation model is covered, with an aim toward allowing simpler determinations if possible; (e) The external verifiability of determining whether a person or foundation model is covered, with an aim toward definitions that are verifiable by parties other than the frontier developer; and (f) Thresholds used by other states in similar laws.

(8) The Attorney General may adopt and promulgate rules and regulations designating one or more federal laws, regulations, or guidance documents that meet all of the following conditions for the purposes of subsection (9) of this section: (a) The law, regulation, or guidance document imposes or states standards or requirements for safety incident reporting that are substantially equivalent to, or stricter than, those required by this section for critical safety incidents, child safety incidents, or both. A law, regulation, or guidance document may satisfy this subdivision even if it does not require safety incident reporting to the State of Nebraska; and (b) The law, regulation, or guidance document is intended to assess, detect, or mitigate catastrophic risk, child safety risk, or both. (9)(a) A frontier developer or large chatbot provider that intends to comply with all or part of this section by complying with the requirements of, or meeting the standards stated by, a federal law, regulation, or guidance document designated pursuant to subsection (8) of this section by the Attorney General shall declare its intent to do so to the Attorney General. (b) After a frontier developer or large chatbot provider has declared its intent pursuant to subdivision (9)(a) of this section, the following shall apply: (i) To the extent that such developer or provider meets the standards of, or complies with the requirements imposed or stated by, the designated federal law, regulation, or guidance document, such developer or provider shall be deemed in compliance with the obligations under this section pertaining to: (A) Critical safety incidents, if such designated law, regulation, or document is intended to assess, detect, or mitigate catastrophic risk; and (B) Child safety incidents, if such designated law, regulation, or document is intended to assess, detect, or mitigate child safety risk; and (ii) The failure by such developer or provider to meet the standards of, or comply with the requirements stated by, such designated law, regulation, or document, shall be considered a violation of the Transparency in Artificial Intelligence Risk Management Act. (c) Subdivision (9)(b) of this section shall not apply to a frontier developer or large chatbot provider to the extent that: (i) Such developer or provider makes a declaration of intent to the Attorney General to modify or revoke a declaration of intent under subdivision (9)(a) of this section; or (ii) The Attorney General revokes a rule or regulation pursuant to subsection (10) of this section. (10) The Attorney General shall revoke a rule or regulation adopted under or promulgated under subsection (8) of this section if the requirements of subsection (8) are no longer met.