A-09219
NY · State · USA
● Pending
New York Assembly Bill 9219 — An Act to amend the general business law, in relation to requiring artificial intelligence technology used in professional fields to be developed and maintained in consultation with experts in such fields
Summary

Requires developers of AI technology intended for use in professional domains regulated under Title Eight of the Education Law (medicine, law, engineering, education, finance, etc.) to involve at least one credentialed professional domain expert in design, data selection/training, validation/testing, and ongoing risk assessment. Developers must submit documentation to the Attorney General identifying the experts involved, their contributions, and known risks. The Attorney General has exclusive enforcement authority with civil penalties up to $50,000 per violation, injunctive relief, and public disclosure of non-compliance. An affirmative defense is available for developers who discover violations through red-teaming, cure within 60 days, and comply with NIST AI RMF or equivalent frameworks. No private right of action is created.

Enforcement & Penalties
Enforcement Authority
The Attorney General has exclusive enforcement authority. Violations constitute unfair trade practices under GBL § 349 but are enforced solely by the Attorney General; the private right of action under § 349(h) is expressly excluded. An affirmative defense is available if the developer discovers a violation through red-teaming, cures it within 60 days, notifies the Attorney General with evidence of mitigation, and is otherwise in compliance with the NIST AI RMF, ISO/IEC 42001, or a substantially equivalent risk management framework.
Penalties
Civil penalties not to exceed $50,000 per violation. Injunctive relief to halt deployment of non-compliant AI technology. Public disclosure of non-compliant practices. No private damages remedy.
Who Is Covered
"Developer" shall mean any entity or individual that designs, builds, trains, or deploys an AI technology for public use or for sale in the state.
Compliance Obligations
S-01 AI System Safety Program · S-01.1, S-01.4 · Developer · Healthcare, Financial Services, Education, Automated Decisionmaking
GBL § 1711(1)-(2)
Plain Language
Any developer of AI technology intended for use in a professional domain regulated under Title Eight of the New York Education Law must ensure that at least one professional domain expert — a credentialed individual with at least three years of experience in the relevant field — is directly and substantially involved in: (a) technology design, (b) data selection and training, (c) validation and testing of outputs, and (d) ongoing risk assessment and post-deployment evaluation. This covers healthcare diagnostics, legal decision-making, financial advising, educational tools, construction/architecture safety, and public safety technologies, among others. The requirement is not limited to the enumerated areas or the four listed phases — both lists are non-exhaustive. This is both a pre-deployment and ongoing obligation given the post-deployment evaluation requirement.
Statutory Text
§ 1711. Professional oversight requirement. 1. Any developer of an artificial intelligence technology intended for use in a professional domain regulated under title eight of the education law shall demonstrate that at least one professional domain expert has been directly and substantially involved in at least, but not limited to: (a) the technology design phase; (b) the data selection and training process; (c) validation and testing of system outputs; and (d) ongoing risk assessment and post-deployment evaluation. 2. The provisions of subdivision one of this section shall apply to artificial intelligence technology used in areas such as, but not limited to: (a) health care diagnostics, treatment recommendations, or patient monitoring; (b) legal decision-making or document generation; (c) financial advising or lending tools; (d) educational curriculum or assessment tools; (e) construction, architecture, or structural safety systems; and (f) public safety, law enforcement, or surveillance technologies.
R-02 Regulatory Disclosure & Submissions · R-02.1 · Developer · Healthcare, Financial Services, Education, Automated Decisionmaking
GBL § 1712(1)-(2)
Plain Language
Developers must proactively submit documentation to the Attorney General affirming: (1) the identities and qualifications of the professional domain experts who participated, (2) which development phases each expert contributed to, and (3) any known risks, limitations, or ethical concerns identified during development. This is a proactive submission — developers cannot wait to be asked. Upon review, the Attorney General issues a certificate of compliance; developers found non-compliant are subject to investigation and penalties. The statute does not specify a submission schedule or deadline, which will likely be addressed through AG rulemaking under § 1714.
Statutory Text
§ 1712. Documentation and compliance. 1. Developers of artificial intelligence technologies shall submit documentation to the attorney general affirming: (a) The identities and qualifications of professional domain experts involved in the AI technology, pursuant to section seventeen hundred eleven of this article; (b) The specific phases of development in which such professional domain experts contributed; and (c) Any known risks, limitations, or ethical concerns disclosed during development. 2. The attorney general or a duly authorized representative of the attorney general shall issue certificates of compliance to developers who have submitted documentation pursuant to subdivision one of this section and are found to be in compliance. Any technology and developers found to be not in compliance may be subject to investigation and penalties pursuant to section seventeen hundred thirteen of this article.
Other · Healthcare, Financial Services, Education, Automated Decisionmaking
GBL § 1713(1)-(4)
Plain Language
The Attorney General has exclusive enforcement authority; violations are treated as unfair trade practices under GBL § 349 but the private right of action under § 349(h) is expressly excluded. An affirmative defense is available if a developer discovers a violation through red-teaming, cures it within 60 days with AG notification and harm mitigation evidence, and maintains compliance with the NIST AI RMF, ISO/IEC 42001, or a substantially equivalent framework. The developer bears the burden of proving the defense. Penalties include up to $50,000 per violation, injunctive relief, and public disclosure of non-compliance. The statute expressly preserves all other rights, claims, and remedies available at law or equity — the affirmative defense applies only to AG enforcement actions under this article.
Statutory Text
§ 1713. Enforcement. 1. The attorney general shall have exclusive authority to enforce the provisions of this article. 2. Nothing in this article shall be construed as providing the basis for a private right of action for violations of the provisions of this article. 3. A violation of the requirements established in this article shall constitute an unfair trade practice for purposes of section three hundred forty-nine of this chapter and shall be enforced solely by the attorney general; provided, however, that subdivision (h) of section three hundred forty-nine of this chapter shall not apply to any such violation. 4. (a) In any action commenced by the attorney general for any violation of this article, it shall be an affirmative defense that the developer, deployer, or other person: (i) discovers a violation of any provision of this article through red-teaming; (ii) no later than sixty days after discovering such violation through red-teaming: (A) cures such violation; and (B) provides to the attorney general, in a form and manner prescribed by the attorney general, notice that such violation has been cured and evidence that any harm caused by such violation has been mitigated; and (iii) is otherwise in compliance with the latest version of: (A) the Artificial Intelligence Risk Management Framework published by the national institute of standards and technology; (B) ISO/IEC 42001 of the international organization for standardization and the international electrotechnical commission; (C) a nationally or internationally recognized risk management framework for artificial intelligence decision technology, other than the risk management frameworks described in clauses (A) and (B) of this subparagraph, that imposes requirements that are substantially equivalent to, and at least as stringent as, the requirements established pursuant to this article; or (D) any risk management framework for artificial intelligence decision technology that is substantially equivalent to, and at least as stringent as, the risk management frameworks described in clauses (A), (B), and (C) of this subparagraph. (b) The developer, deployer, or other person bears the burden of demonstrating to the attorney general that the requirements established pursuant to paragraph (a) of this subdivision have been satisfied. (c) Nothing in this article, including, but not limited to, the enforcement authority granted to the attorney general pursuant to this section, shall be construed to preempt or otherwise affect any right, claim, remedy, presumption, or defense available at law or in equity. Any rebuttable presumption or affirmative defense established pursuant to this article shall apply only to an enforcement action brought by the attorney general pursuant to this section and shall not apply to any right, claim, remedy, presumption, or defense available at law or in equity. 3. Any developer found to be in violation of this article may be subject to: (a) Civil penalties not to exceed fifty thousand dollars per violation; (b) Injunctive relief to halt deployment of an AI technology; or (c) Public disclosure of non-compliant practices.