Laws & Statutes NY NY-A-06656
A-06656
NY · State · USA
NY
USA
● Pending
Proposed Effective Date
2025-06-04
New York Assembly Bill 6656 — An Act to amend the general business law, in relation to responsible capability scaling policies
Requires every person, firm, partnership, association, or corporation doing business or offering products to consumers in New York to develop a responsible capability scaling policy for its use and development of artificial intelligence. Each covered entity must file an annual certification of compliance with the Chief Information Officer. The Attorney General, in consultation with the CIO, may audit filed policies. The CIO may issue waivers or designate categories of entities that are covered or exempt. Entities that also file cybersecurity certifications with the Department of Financial Services must file jointly. The bill contains no express penalties, damages provisions, or private right of action.
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party Yes
Bipartisan No
Prior session None
Legislative History
2025-03-06 committee referral referred to consumer affairs and protection
2026-01-07 committee referral referred to consumer affairs and protection
Mapped Requirements
G-01 AI Governance Program & Documentation R-02 Regulatory Disclosure & Submissions
Official Sources
Full Text
Entry Last Reviewed
2026-03-28
AI generated
Summary

Requires every person, firm, partnership, association, or corporation doing business or offering products to consumers in New York to develop a responsible capability scaling policy for its use and development of artificial intelligence. Each covered entity must file an annual certification of compliance with the Chief Information Officer. The Attorney General, in consultation with the CIO, may audit filed policies. The CIO may issue waivers or designate categories of entities that are covered or exempt. Entities that also file cybersecurity certifications with the Department of Financial Services must file jointly. The bill contains no express penalties, damages provisions, or private right of action.

Enforcement & Penalties
Enforcement Authority
The Attorney General, in consultation with the Chief Information Officer, has the power to audit responsible capability scaling policies filed by covered entities. The Chief Information Officer may issue waivers or designate categories of entities that are covered or exempt. No private right of action is created. No specific penalty or enforcement mechanism beyond audit authority is enumerated in the bill.
Penalties
The bill does not specify any penalties, damages, fines, or monetary remedies for noncompliance.
Who Is Covered
Every person, firm, partnership, association or corporation doing business or offering products to consumers in New York state.
Compliance Obligations 4 obligations · click obligation ID to open requirement page
G-01 AI Governance Program & Documentation · G-01.1 · DeveloperDeployer · General Consumer App
Gen. Bus. Law § 390-f(2)(a)
Plain Language
Every entity doing business or offering products to New York consumers must develop a responsible capability scaling policy governing its use and development of AI. The policy must constitute a set of best practices that identify, monitor, and rectify or mitigate risk of harm. The bill does not prescribe specific content requirements beyond this general framework — the CIO is empowered to promulgate implementing regulations. The CIO may issue waivers or designate categories of entities that are covered or exempt from this requirement.
Statutory Text
Every person, firm, partnership, association or corporation doing business or offering products to consumers in New York state shall develop a responsible capability scaling policy for the use and development of artificial intelligence by such entity.
R-02 Regulatory Disclosure & Submissions · R-02.1 · DeveloperDeployer · General Consumer App
Gen. Bus. Law § 390-f(2)(b)
Plain Language
Each covered entity must file an annual certification of compliance with the responsible capability scaling policy requirement with the Chief Information Officer (or the Chief Cyber Officer or any successor office designated by the governor). The bill does not specify the form or content of the certification beyond affirming compliance — further detail is expected via CIO rulemaking. Entities that also file cybersecurity compliance certifications with the Department of Financial Services must file jointly (see § 390-f(3)).
Statutory Text
Each such entity shall file an annual certification of compliance with this section with the chief information officer.
R-02 Regulatory Disclosure & Submissions · R-02.2 · DeveloperDeployer · General Consumer App
Gen. Bus. Law § 390-f(2)(d)
Plain Language
The Attorney General, acting in consultation with the CIO, may audit the responsible capability scaling policies that entities have filed. This creates an obligation for covered entities to maintain policies in a form that can withstand regulatory audit — i.e., the policies must be substantive and documented, not merely nominal certifications. No specific audit timeline, notice requirements, or consequences for adverse audit findings are specified in the bill.
Statutory Text
The attorney general, in consultation with the chief information officer, shall have the power to audit the policies filed by entities under this section.
R-02 Regulatory Disclosure & Submissions · R-02.1 · DeveloperDeployer · General Consumer AppFinancial Services
Gen. Bus. Law § 390-f(3)
Plain Language
Entities that are already required to file cybersecurity compliance certifications with the New York Department of Financial Services (e.g., under 23 NYCRR 500) must file their AI responsible capability scaling policy certification jointly with that cybersecurity filing. This is a procedural coordination requirement — it does not create a new substantive obligation but does affect the timing and format of the annual certification for DFS-regulated entities.
Statutory Text
If an entity also has to file any certification of cybersecurity compliance with the department of financial services, such filings shall be done jointly.