How Is This Bill Enforced
(1)(a)–(c) "Artificial intelligence" shall mean any set of computer programming instructions for the purpose of creating technology that performs its own decision making. (b) "Chief information officer" shall mean the individual or office established pursuant to executive order no. 117 issued on January twenty-eighth, two thousand two by Governor Pataki, or any successor individual or office designated by the governor or provided for in statute, or an individual or office designated by the governor or provided for in statute to regulate artificial intelligence. Such term may also be used to refer to the office of the "chief cyber officer" appointed by the governor. (c) "Responsible capability scaling policy" shall mean a set of best practices that identify, monitor, and rectify or mitigate risk of harm.
Subdivision 1 establishes the three defined terms that frame the bill's obligations: artificial intelligence, chief information officer, and responsible capability scaling policy. The AI definition is notably broad, encompassing any computer programming instructions that create technology performing its own decision making, which could extend well beyond machine learning systems to traditional rule-based automation.
(2)(a) Every person, firm, partnership, association or corporation doing business or offering products to consumers in New York state shall develop a responsible capability scaling policy for the use and development of artificial intelligence by such entity.
(2)(b) Each such entity shall file an annual certification of compliance with this section with the chief information officer.
(2)(c) The chief information officer may issue waivers or designate categories of entities that are covered or exempt from the requirements of this section. Such information shall be available on the secretary of state's website.
(2)(d) The attorney general, in consultation with the chief information officer, shall have the power to audit the policies filed by entities under this section.
Subdivision 2 imposes the bill's core obligations. Paragraph (a) requires every entity doing business or offering products to consumers in New York to develop a responsible capability scaling policy for its use and development of AI. Paragraph (b) requires annual certification of compliance filed with the CIO. Paragraph (c) grants the CIO waiver and categorical exemption authority. Paragraph (d) grants the Attorney General, in consultation with the CIO, audit power over filed policies.
The covered-entity scope is extraordinarily broad — any person, firm, partnership, association, or corporation doing business or offering products to consumers in the state — with no size, revenue, or AI-activity threshold. Practical scope will depend heavily on the CIO's rulemaking and waiver authority under subdivision 4.
(3) If an entity also has to file any certification of cybersecurity compliance with the department of financial services, such filings shall be done jointly.
Subdivision 3 addresses entities that are also subject to cybersecurity compliance certification requirements administered by the Department of Financial Services (such as those under 23 NYCRR Part 500). Such entities must file their AI scaling policy certification jointly with their cybersecurity filings. This is a procedural coordination requirement rather than a substantive new obligation.
(4) The chief information officer shall promulgate rules and regulations for the implementation of the provisions of this section.
Subdivision 4 delegates rulemaking authority to the Chief Information Officer to promulgate rules and regulations implementing the bill's provisions. This is a standard delegation clause that creates no direct compliance obligation on regulated entities, though the resulting rules will define the practical scope and specifics of the policy development and certification requirements.
This act shall take effect on the ninetieth day after it shall have become a law. Effective immediately, the addition, amendment and/or repeal of any rule or regulation necessary for the implementation of this act on its effective date are authorized to be made and completed on or before such effective date.
Section 2 provides that the act takes effect on the ninetieth day after becoming law, with immediate authority to begin rulemaking necessary for timely implementation.