Laws & Statutes NY NY-A-09219
A-09219
NY · State · USA
NY
USA
● Pending
New York Assembly Bill 9219 — An Act to amend the general business law, in relation to requiring artificial intelligence technology used in professional fields to be developed and maintained in consultation with experts in such fields
Requires developers of AI technologies intended for use in professional domains regulated under Title 8 of New York Education Law (including medicine, law, engineering, architecture, education, and finance) to involve at least one credentialed professional domain expert in the design, data selection, validation, and ongoing risk assessment phases. Developers must submit documentation to the Attorney General identifying the experts involved, the phases of their contribution, and any known risks or limitations. The Attorney General has exclusive enforcement authority with civil penalties up to $50,000 per violation. An affirmative defense is available for developers who discover violations through red-teaming, cure within 60 days, and comply with the NIST AI RMF or equivalent framework. No private right of action is created.
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party Yes
Bipartisan No
Prior session None
Legislative History
2025-11-03 committee referral referred to science and technology
2026-01-07 committee referral referred to science and technology
Mapped Requirements
R-02 Regulatory Disclosure & Submissions
Official Sources
Full Text
Entry Last Reviewed
2026-04-01
AI generated
Summary

Requires developers of AI technologies intended for use in professional domains regulated under Title 8 of New York Education Law (including medicine, law, engineering, architecture, education, and finance) to involve at least one credentialed professional domain expert in the design, data selection, validation, and ongoing risk assessment phases. Developers must submit documentation to the Attorney General identifying the experts involved, the phases of their contribution, and any known risks or limitations. The Attorney General has exclusive enforcement authority with civil penalties up to $50,000 per violation. An affirmative defense is available for developers who discover violations through red-teaming, cure within 60 days, and comply with the NIST AI RMF or equivalent framework. No private right of action is created.

Enforcement & Penalties
Enforcement Authority
The Attorney General has exclusive authority to enforce the provisions of this article. Enforcement is agency-initiated. Violations constitute unfair trade practices under General Business Law § 349, enforced solely by the Attorney General; the private right of action under § 349(h) is expressly excluded. An affirmative defense is available if the developer discovers the violation through red-teaming, cures it within 60 days, provides notice and evidence of mitigation to the Attorney General, and is in compliance with the NIST AI RMF, ISO/IEC 42001, or a substantially equivalent risk management framework. The burden of demonstrating the affirmative defense rests on the developer.
Penalties
Civil penalties not to exceed $50,000 per violation. Injunctive relief to halt deployment of an AI technology. Public disclosure of non-compliant practices. No private damages are available; the statute expressly excludes the private right of action under GBL § 349(h).
Who Is Covered
"Developer" shall mean any entity or individual that designs, builds, trains, or deploys an AI technology for public use or for sale in the state.
Compliance Obligations 4 obligations · click obligation ID to open requirement page
Other · Developer · Automated DecisionmakingHealthcareFinancial ServicesEducation
GBL § 1711(1)-(2)
Plain Language
Any developer of AI technology intended for use in a professional domain regulated under Title 8 of New York's Education Law must demonstrate that at least one professional domain expert was directly and substantially involved in four phases: technology design, data selection and training, validation and testing of outputs, and ongoing risk assessment and post-deployment evaluation. The expert must hold a valid license or credential in the relevant regulated field with at least three years of experience. The obligation covers AI used in healthcare, law, finance, education, construction/architecture, and public safety, among other regulated professional fields. This is a continuing obligation — post-deployment evaluation means expert involvement does not end at launch.
Statutory Text
§ 1711. Professional oversight requirement. 1. Any developer of an artificial intelligence technology intended for use in a professional domain regulated under title eight of the education law shall demonstrate that at least one professional domain expert has been directly and substantially involved in at least, but not limited to: (a) the technology design phase; (b) the data selection and training process; (c) validation and testing of system outputs; and (d) ongoing risk assessment and post-deployment evaluation. 2. The provisions of subdivision one of this section shall apply to artificial intelligence technology used in areas such as, but not limited to: (a) health care diagnostics, treatment recommendations, or patient monitoring; (b) legal decision-making or document generation; (c) financial advising or lending tools; (d) educational curriculum or assessment tools; (e) construction, architecture, or structural safety systems; and (f) public safety, law enforcement, or surveillance technologies.
R-02 Regulatory Disclosure & Submissions · R-02.1 · Developer · Automated DecisionmakingHealthcareFinancial ServicesEducation
GBL § 1712(1)-(2)
Plain Language
Developers must submit documentation to the Attorney General affirming: (1) the identities and qualifications of the professional domain experts involved; (2) the specific development phases in which each expert contributed; and (3) any known risks, limitations, or ethical concerns identified during development. The Attorney General reviews submissions and issues certificates of compliance to compliant developers. Non-compliant developers may face investigation and penalties. The statute does not specify a submission schedule, so developers should submit prior to or contemporaneous with deployment to obtain their compliance certificate.
Statutory Text
§ 1712. Documentation and compliance. 1. Developers of artificial intelligence technologies shall submit documentation to the attorney general affirming: (a) The identities and qualifications of professional domain experts involved in the AI technology, pursuant to section seventeen hundred eleven of this article; (b) The specific phases of development in which such professional domain experts contributed; and (c) Any known risks, limitations, or ethical concerns disclosed during development. 2. The attorney general or a duly authorized representative of the attorney general shall issue certificates of compliance to developers who have submitted documentation pursuant to subdivision one of this section and are found to be in compliance. Any technology and developers found to be not in compliance may be subject to investigation and penalties pursuant to section seventeen hundred thirteen of this article.
Other · Automated DecisionmakingHealthcareFinancial ServicesEducation
GBL § 1713(1)-(4)
Plain Language
This section establishes the Attorney General's exclusive enforcement authority, expressly bars any private right of action (including by excluding GBL § 349(h)), and sets penalties up to $50,000 per violation plus injunctive relief and public disclosure of non-compliance. It also creates an affirmative defense for developers who discover violations through red-teaming, cure them within 60 days, notify the AG with mitigation evidence, and comply with the NIST AI RMF, ISO/IEC 42001, or a substantially equivalent framework. The affirmative defense applies only to AG enforcement actions and does not affect other legal rights or remedies. This provision creates no independent compliance obligation — it defines enforcement consequences and safe harbors for the obligations imposed by §§ 1711 and 1712.
Statutory Text
§ 1713. Enforcement. 1. The attorney general shall have exclusive authority to enforce the provisions of this article. 2. Nothing in this article shall be construed as providing the basis for a private right of action for violations of the provisions of this article. 3. A violation of the requirements established in this article shall constitute an unfair trade practice for purposes of section three hundred forty-nine of this chapter and shall be enforced solely by the attorney general; provided, however, that subdivision (h) of section three hundred forty-nine of this chapter shall not apply to any such violation. 4. (a) In any action commenced by the attorney general for any violation of this article, it shall be an affirmative defense that the developer, deployer, or other person: (i) discovers a violation of any provision of this article through red-teaming; (ii) no later than sixty days after discovering such violation through red-teaming: (A) cures such violation; and (B) provides to the attorney general, in a form and manner prescribed by the attorney general, notice that such violation has been cured and evidence that any harm caused by such violation has been mitigated; and (iii) is otherwise in compliance with the latest version of: (A) the Artificial Intelligence Risk Management Framework published by the national institute of standards and technology; (B) ISO/IEC 42001 of the international organization for standardization and the international electrotechnical commission; (C) a nationally or internationally recognized risk management framework for artificial intelligence decision technology, other than the risk management frameworks described in clauses (A) and (B) of this subparagraph, that imposes requirements that are substantially equivalent to, and at least as stringent as, the requirements established pursuant to this article; or (D) any risk management framework for artificial intelligence decision technology that is substantially equivalent to, and at least as stringent as, the risk management frameworks described in clauses (A), (B), and (C) of this subparagraph. (b) The developer, deployer, or other person bears the burden of demonstrating to the attorney general that the requirements established pursuant to paragraph (a) of this subdivision have been satisfied. (c) Nothing in this article, including, but not limited to, the enforcement authority granted to the attorney general pursuant to this section, shall be construed to preempt or otherwise affect any right, claim, remedy, presumption, or defense available at law or in equity. Any rebuttable presumption or affirmative defense established pursuant to this article shall apply only to an enforcement action brought by the attorney general pursuant to this section and shall not apply to any right, claim, remedy, presumption, or defense available at law or in equity. 3. Any developer found to be in violation of this article may be subject to: (a) Civil penalties not to exceed fifty thousand dollars per violation; (b) Injunctive relief to halt deployment of an AI technology; or (c) Public disclosure of non-compliant practices.
Other · Automated DecisionmakingHealthcareFinancial ServicesEducation
GBL § 1714
Plain Language
The Attorney General is authorized to promulgate rules and regulations necessary to implement and enforce the article. This delegation may result in future compliance obligations once rules are promulgated, but the provision itself imposes no affirmative obligation on developers.
Statutory Text
§ 1714. Rulemaking authority. The attorney general shall promulgate such rules and regulations as are necessary to effectuate and enforce the provisions of this article.