Laws & Statutes NY NY-A-06656
A-06656
NY · State · USA
NY
USA
● Pending
Proposed Effective Date
2025-06-04
New York Assembly Bill 6656 — An Act to amend the general business law, in relation to responsible capability scaling policies
Requires every person, firm, partnership, association, or corporation doing business or offering products to consumers in New York to develop a responsible capability scaling policy for the use and development of artificial intelligence. Covered entities must file an annual certification of compliance with the Chief Information Officer. The Attorney General, in consultation with the Chief Information Officer, may audit filed policies. The Chief Information Officer may issue waivers or designate categories of entities that are covered or exempt. Notably, the bill does not specify any penalties for noncompliance and delegates substantial implementation authority to the Chief Information Officer through rulemaking.
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party Yes
Bipartisan No
Prior session None
Legislative History
2025-03-06 committee referral referred to consumer affairs and protection
2026-01-07 committee referral referred to consumer affairs and protection
Mapped Requirements
G-01 AI Governance Program & Documentation R-02 Regulatory Disclosure & Submissions
Official Sources
Full Text
Entry Last Reviewed
2026-04-01
AI generated
Summary

Requires every person, firm, partnership, association, or corporation doing business or offering products to consumers in New York to develop a responsible capability scaling policy for the use and development of artificial intelligence. Covered entities must file an annual certification of compliance with the Chief Information Officer. The Attorney General, in consultation with the Chief Information Officer, may audit filed policies. The Chief Information Officer may issue waivers or designate categories of entities that are covered or exempt. Notably, the bill does not specify any penalties for noncompliance and delegates substantial implementation authority to the Chief Information Officer through rulemaking.

Enforcement & Penalties
Enforcement Authority
The Attorney General, in consultation with the Chief Information Officer, has the power to audit responsible capability scaling policies filed by entities. The Chief Information Officer may issue waivers and designate categories of covered or exempt entities. No private right of action is created. Enforcement appears to be agency-initiated through audit authority.
Penalties
The bill does not specify any penalties, damages, fines, or remedies for noncompliance. Enforcement consequences, if any, would depend on rules promulgated by the Chief Information Officer or on the Attorney General's general enforcement powers.
Who Is Covered
Every person, firm, partnership, association or corporation doing business or offering products to consumers in New York state.
Compliance Obligations 5 obligations · click obligation ID to open requirement page
G-01 AI Governance Program & Documentation · G-01.1 · DeveloperDeployer · General Consumer App
Gen. Bus. Law § 390-f(2)(a)
Plain Language
Every entity doing business or offering products to consumers in New York must develop a responsible capability scaling policy governing its use and development of AI. The policy must constitute a set of best practices that identify, monitor, and rectify or mitigate risk of harm. This is an extremely broad mandate — it applies to any entity that uses or develops AI, with no size threshold, compute threshold, or risk-level trigger. The Chief Information Officer may issue waivers or designate exempt categories, which may narrow the practical scope considerably once rules are promulgated.
Statutory Text
Every person, firm, partnership, association or corporation doing business or offering products to consumers in New York state shall develop a responsible capability scaling policy for the use and development of artificial intelligence by such entity.
R-02 Regulatory Disclosure & Submissions · R-02.4 · DeveloperDeployer · General Consumer App
Gen. Bus. Law § 390-f(2)(b)
Plain Language
Every covered entity must file an annual certification of compliance with the responsible capability scaling policy requirement with the Chief Information Officer. This is a proactive filing obligation on a defined annual schedule — entities cannot wait to be asked. The certification attests to compliance with the section as a whole, meaning the entity has developed and presumably maintains its responsible capability scaling policy. The bill does not specify the form or content of the certification, leaving that to the CIO's rulemaking authority.
Statutory Text
Each such entity shall file an annual certification of compliance with this section with the chief information officer.
R-02 Regulatory Disclosure & Submissions · R-02.2 · DeveloperDeployer · General Consumer App
Gen. Bus. Law § 390-f(2)(d)
Plain Language
The Attorney General, acting in consultation with the Chief Information Officer, has authority to audit the responsible capability scaling policies that entities file. This implies that filed policies must be substantive enough to withstand audit scrutiny and that entities must maintain documentation supporting their policies. While this provision directly obligates the AG rather than covered entities, it creates an implicit obligation on entities to maintain audit-ready policy documentation. Entities should treat their filed policies and supporting records as subject to regulatory review at any time.
Statutory Text
The attorney general, in consultation with the chief information officer, shall have the power to audit the policies filed by entities under this section.
Other · General Consumer App
Gen. Bus. Law § 390-f(3)
Plain Language
Entities that are also required to file cybersecurity compliance certifications with the Department of Financial Services must coordinate those filings jointly with the responsible capability scaling policy certification filed with the Chief Information Officer. This is a procedural streamlining provision — it creates no new substantive obligation beyond coordinating the timing or format of two existing filing requirements. It primarily affects financial services entities subject to DFS cybersecurity regulations (e.g., 23 NYCRR 500).
Statutory Text
If an entity also has to file any certification of cybersecurity compliance with the department of financial services, such filings shall be done jointly.
Other · General Consumer App
Gen. Bus. Law § 390-f(2)(c)
Plain Language
The Chief Information Officer has discretion to issue waivers to individual entities or designate entire categories of entities as covered or exempt from the responsible capability scaling policy requirements. Waiver and exemption information must be published on the Secretary of State's website. This provision creates no new compliance obligation for entities — it grants administrative flexibility to the CIO and may narrow or expand the practical scope of the law once exercised.
Statutory Text
The chief information officer may issue waivers or designate categories of entities that are covered or exempt from the requirements of this section. Such information shall be available on the secretary of state's website.