WHAT THIS BILL REGULATES · 3 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
This chapter shall be known and may be cited as "Automated Decision Tools".
Establishes the short title of the chapter as "Automated Decision Tools." No compliance obligations are imposed.
It is the purpose of this chapter to require companies that develop or deploy high-risk artificial intelligence (AI) systems to conduct impact assessments and adopt risk management programs.
States the legislative purpose: requiring companies that develop or deploy high-risk AI systems to conduct impact assessments and adopt risk management programs. This is a purpose statement that creates no independent obligation.
(1) "Consequential decisionConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1)" means a determination made by a deployer that has a legal or similarly significant effectLegal or similarly significant effect"Legal or similarly significant effect" means a decision that determines an individual's eligibility for and results in the provision or denial of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance.R.I. Gen. Laws § 6-60-3(2) on an individual.
(2) "Legal or similarly significant effectLegal or similarly significant effect"Legal or similarly significant effect" means a decision that determines an individual's eligibility for and results in the provision or denial of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance.R.I. Gen. Laws § 6-60-3(2)" means a decision that determines an individual's eligibility for and results in the provision or denial of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance.
(3) "Consequential artificial intelligence decision system (CAIDS)Consequential artificial intelligence decision system (CAIDS)"Consequential artificial intelligence decision system (CAIDS)" means machine-based systems or services that utilize machine learning, artificial intelligence, or similar techniques that provide outputs that are not predetermined, and have been specifically developed, or an AI system specifically modified, with the intended purpose of making or determining consequential decisions.R.I. Gen. Laws § 6-60-3(3)" means machine-based systems or services that utilize machine learning, artificial intelligence, or similar techniques that provide outputs that are not predetermined, and have been specifically developed, or an AI system specifically modified, with the intended purpose of making or determining consequential decisionsConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1).
(4) "DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4)" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decisionConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1), whether for internal use or for use by third parties.
(5) "DeployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5)" means any entity that uses a CAIDS to make consequential decisionsConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1).
Defines five key terms used throughout the chapter: consequential decision, legal or similarly significant effect, consequential artificial intelligence decision system (CAIDS), developers, and deployers. The CAIDS definition covers machine-based systems using ML or AI techniques that produce non-predetermined outputs and are specifically developed or modified to make consequential decisions. The scope of consequential decisions is limited to determinations affecting housing, employment, credit, education, public accommodation, healthcare, or insurance.
(a)(1)–(2) 1 A deployer shall: (1) Implement and maintain a risk management program that establishes the policies, processes, and personnel that will be used to identify, mitigate, and document risks arising from the deployment of a CAIDS; and (2) Take into consideration, in implementing the risk management program: (i) The deployer's size and complexity; (ii) The nature and scope of the CAIDS, including its intended use; (iii) The sensitivity and volume of data processed in connection with the CAIDS; and (iv) Cost of implementation and maintenance of the risk management system.
(b) 2 A deployer shall perform an impact assessment prior to deploying a CAIDS and annually thereafter. If the deployer makes material changes to the purpose for which a CAIDS is used or the type of data it receives, a new impact assessment shall be conducted.
(c)(1)–(8) 3 In performing an impact assessment, deployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5) shall maintain documentation for a reasonable time period in light of the intended use regarding: (1) The purpose of the CAIDS and its intended use cases, deployment context, and benefits; (2) The extent to which the use of the CAIDS once it is deployed is consistent with or varies from the developer's description of intended uses; (3) The potential for denials of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance resulting from use of the CAIDS to disproportionately impact people on the basis of protected characteristics, to the extent feasible, and the steps taken to mitigate the risk of such harm occurring; (4) A description of data that will be processed as inputs by the CAIDS once deployed and a description of the outputs produced by the CAIDS; (5) If applicable, an overview of the type of data the deployer used to retrain the CAIDS; (6) If applicable, metrics for evaluating the CAIDS's performance and known limitations; (7) If applicable, transparency measures, including information identifying to individuals when a CAIDS is in use; and (8) If applicable, post-deployment monitoring and user safeguards, including a description of the oversight process in place to address issues as they arise.
This section imposes three distinct compliance obligations on deployers of CAIDS. First, deployers must implement and maintain a risk management program covering policies, processes, and personnel for identifying, mitigating, and documenting deployment risks, calibrated to the deployer's size, system scope, data sensitivity, and implementation cost. Second, deployers must perform an impact assessment before deploying any CAIDS, repeat the assessment annually, and conduct a new assessment whenever material changes are made to the system's purpose or data inputs. Third, deployers must maintain documented records for a reasonable time period covering the system's purpose and intended uses, consistency with developer's intended uses, discriminatory impact potential across protected characteristics, data inputs and outputs, retraining data, performance metrics and limitations, transparency measures, and post-deployment monitoring and safeguards.
(a) 4 A developer shall provide the deployer with the technical capability to access or otherwise make available to a deployer the information reasonably necessary for the deployer to comply with its requirement to perform an impact assessment, including documentation regarding a CAIDS's capabilities, known limitations, and guidelines for intended use. Nothing in this chapter shall require the disclosure of trade secrets or other confidential information.
(b)(1)–(2) 5 A developer shall implement and maintain a risk management program that establishes the policies, processes, training procedures, and personnel that will be used to identify, mitigate, and document risks arising from the development of a CAIDS, including conducting a design evaluation pursuant to subsection (c) of this section. (2) In implementing the risk management program, a developer shall take the following into consideration: (i) Its size and complexity; (ii) The nature and scope of the CAIDS, including its intended end use; (iii) The sensitivity and volume of data used to train the CAIDS; and (iv) Cost of implementation and maintenance of the risk management system.
(c)(1) 6 A developer shall conduct a design evaluation for a CAIDS. The design evaluation shall consider information relevant to the potential for unlawful bias in connection with the intended end use of the CAIDS.
(c)(2)(i)–(v) 7 DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4) shall, as appropriate given their role in the development of the CAIDS, maintain documentation for a reasonable time period in light of the intended use regarding: (i) The purpose of the CAIDS and its intended end use cases, features, and benefits; (ii) The potential for denials of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance resulting from use of the CAIDS to disproportionately impact people on the basis of protected characteristics, to the extent feasible, and the steps taken to mitigate the risk of such harm occurring; (iii) Known limitations of the CAIDS, including factors affecting performance; (iv) An overview of the type of data used to train the CAIDS and how the data was collected and processed; and (v) Metrics for how the CAIDS's performance was evaluated prior to sale.
This section imposes three categories of obligations on developers. First, developers must provide deployers with the technical capability to access information reasonably necessary for the deployer to perform its impact assessment, including documentation on the CAIDS's capabilities, known limitations, and intended-use guidelines — subject to a trade-secret carve-out. Second, developers must implement and maintain their own risk management program covering policies, processes, training procedures, and personnel, calibrated to the same proportionality factors as the deployer program. Third, developers must conduct a design evaluation for each CAIDS that considers information relevant to potential unlawful bias in connection with the system's intended end use, and must maintain documentation covering the system's purpose and intended uses, discriminatory impact potential, known limitations, training data overview, and pre-sale performance metrics.
(a) 8 DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4) and deployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5) shall publicly self-certify that they are in compliance with their obligations under this chapter. DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4) and deployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5) may use an impact assessment or design evaluation conducted in accordance with other laws or regulations if such assessment or evaluation is reasonably similar in scope.
(b) 9 The attorney general may issue a subpoena in the course of an investigation that requires the deployer or developer to disclose to the attorney general the contents of a relevant impact assessment or design evaluation, subject to § 6-60-4(a).
(c) Impact assessments and design evaluations shall be confidential and exempt from public inspection and copying under chapter 2 of title 38 ("public records"). The disclosure of an impact assessment or design evaluation pursuant to a request from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment or evaluation and any information contained therein.
This section establishes the enforcement mechanism for the chapter. Developers and deployers must publicly self-certify compliance, and may rely on impact assessments or design evaluations conducted under other laws if reasonably similar in scope. The attorney general may subpoena impact assessments and design evaluations during an investigation. The section also provides that these documents are confidential, exempt from public records disclosure, and that their production to the attorney general does not waive attorney-client privilege or work product protection.