WHAT THIS BILL REGULATES · 3 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
This chapter shall be known and may be cited as "Automated Decision Tools".
Establishes the short title of the chapter as "Automated Decision Tools." No compliance obligations are created.
It is the purpose of this chapter to require companies that develop or deploy high-risk artificial intelligence (AI) systems to conduct impact assessments and adopt risk management programs.
States the legislative purpose: to require companies that develop or deploy high-risk AI systems to conduct impact assessments and adopt risk management programs. This is a purpose clause and creates no independent compliance obligations.
(1) "Consequential decisionConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1)" means a determination made by a deployer that has a legal or similarly significant effectLegal or similarly significant effect"Legal or similarly significant effect" means a decision that determines an individual's eligibility for and results in the provision or denial of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance.R.I. Gen. Laws § 6-60-3(2) on an individual.
(2) "Legal or similarly significant effectLegal or similarly significant effect"Legal or similarly significant effect" means a decision that determines an individual's eligibility for and results in the provision or denial of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance.R.I. Gen. Laws § 6-60-3(2)" means a decision that determines an individual's eligibility for and results in the provision or denial of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance.
(3) "Consequential artificial intelligence decision system (CAIDS)Consequential artificial intelligence decision system (CAIDS)"Consequential artificial intelligence decision system (CAIDS)" means machine-based systems or services that utilize machine learning, artificial intelligence, or similar techniques that provide outputs that are not predetermined, and have been specifically developed, or an AI system specifically modified, with the intended purpose of making or determining consequential decisions.R.I. Gen. Laws § 6-60-3(3)" means machine-based systems or services that utilize machine learning, artificial intelligence, or similar techniques that provide outputs that are not predetermined, and have been specifically developed, or an AI system specifically modified, with the intended purpose of making or determining consequential decisionsConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1).
(4) "DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4)" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decisionConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1), whether for internal use or for use by third parties.
(5) "DeployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5)" means any entity that uses a CAIDS to make consequential decisionsConsequential decision"Consequential decision" means a determination made by a deployer that has a legal or similarly significant effect on an individual.R.I. Gen. Laws § 6-60-3(1).
Defines the key terms governing the chapter's scope. The bill regulates Consequential artificial intelligence decision systems (CAIDS) — machine-based systems using ML or AI techniques that produce non-predetermined outputs and are specifically developed or modified to make or determine consequential decisions. Consequential decisions are those with a legal or similarly significant effect on individuals, covering housing, employment, credit, education, public accommodation, healthcare, and insurance. Developers and Deployers are defined by their respective roles in designing/producing versus using a CAIDS.
(a)(1)–(2) 1 Implement and maintain a risk management program that establishes the policies, processes, and personnel that will be used to identify, mitigate, and document risks arising from the deployment of a CAIDS; and (2) Take into consideration, in implementing the risk management program: (i) The deployer's size and complexity; (ii) The nature and scope of the CAIDS, including its intended use; (iii) The sensitivity and volume of data processed in connection with the CAIDS; and (iv) Cost of implementation and maintenance of the risk management system.
(b) 2 A deployer shall perform an impact assessment prior to deploying a CAIDS and annually thereafter. If the deployer makes material changes to the purpose for which a CAIDS is used or the type of data it receives, a new impact assessment shall be conducted.
(c)(1)–(8) 3 In performing an impact assessment, deployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5) shall maintain documentation for a reasonable time period in light of the intended use regarding: (1) The purpose of the CAIDS and its intended use cases, deployment context, and benefits; (2) The extent to which the use of the CAIDS once it is deployed is consistent with or varies from the developer's description of intended uses; (3) The potential for denials of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance resulting from use of the CAIDS to disproportionately impact people on the basis of protected characteristics, to the extent feasible, and the steps taken to mitigate the risk of such harm occurring; (4) A description of data that will be processed as inputs by the CAIDS once deployed and a description of the outputs produced by the CAIDS; (5) If applicable, an overview of the type of data the deployer used to retrain the CAIDS; (6) If applicable, metrics for evaluating the CAIDS's performance and known limitations; (7) If applicable, transparency measures, including information identifying to individuals when a CAIDS is in use; and (8) If applicable, post-deployment monitoring and user safeguards, including a description of the oversight process in place to address issues as they arise.
This section imposes the bill's core deployer-side obligations. Deployers of CAIDS must implement and maintain a risk management program covering policies, processes, and personnel for identifying, mitigating, and documenting deployment risks, scaled to the deployer's size, the system's nature and data sensitivity, and implementation cost. Deployers must also perform a documented impact assessment before deploying any CAIDS and annually thereafter — with a new assessment required upon material changes to the system's purpose or data inputs. The impact assessment documentation must cover the system's purpose and intended use, consistency with the developer's intended uses, potential for discriminatory impact across protected characteristics in the covered decision domains, data inputs and outputs, retraining data, performance metrics, transparency measures including notice to individuals, and post-deployment monitoring and user safeguards.
(a) 4 A developer shall provide the deployer with the technical capability to access or otherwise make available to a deployer the information reasonably necessary for the deployer to comply with its requirement to perform an impact assessment, including documentation regarding a CAIDS's capabilities, known limitations, and guidelines for intended use. Nothing in this chapter shall require the disclosure of trade secrets or other confidential information.
(b)(1)–(2) 5 A developer shall implement and maintain a risk management program that establishes the policies, processes, training procedures, and personnel that will be used to identify, mitigate, and document risks arising from the development of a CAIDS, including conducting a design evaluation pursuant to subsection (c) of this section. (2) In implementing the risk management program, a developer shall take the following into consideration: (i) Its size and complexity; (ii) The nature and scope of the CAIDS, including its intended end use; (iii) The sensitivity and volume of data used to train the CAIDS; and (iv) Cost of implementation and maintenance of the risk management system.
(c)(1) 6 A developer shall conduct a design evaluation for a CAIDS. The design evaluation shall consider information relevant to the potential for unlawful bias in connection with the intended end use of the CAIDS.
(c)(2)(i)–(v) 7 DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4) shall, as appropriate given their role in the development of the CAIDS, maintain documentation for a reasonable time period in light of the intended use regarding: (i) The purpose of the CAIDS and its intended end use cases, features, and benefits; (ii) The potential for denials of housing, employment, credit, education, access to physical places of public accommodation, healthcare, or insurance resulting from use of the CAIDS to disproportionately impact people on the basis of protected characteristics, to the extent feasible, and the steps taken to mitigate the risk of such harm occurring; (iii) Known limitations of the CAIDS, including factors affecting performance; (iv) An overview of the type of data used to train the CAIDS and how the data was collected and processed; and (v) Metrics for how the CAIDS's performance was evaluated prior to sale.
This section imposes three categories of developer-side obligations. First, developers must provide deployers with the technical capability to access the information reasonably necessary to perform impact assessments — including documentation of the CAIDS's capabilities, known limitations, and guidelines for intended use — subject to trade-secret protections. Second, developers must implement and maintain their own risk management program covering policies, processes, training procedures, and personnel for identifying, mitigating, and documenting development-phase risks, with the same proportionality factors as the deployer program. Third, developers must conduct a design evaluation considering information relevant to potential unlawful bias in connection with the CAIDS's intended end use, and maintain documentation covering the system's purpose, discriminatory impact potential, known limitations, training data characteristics, and pre-sale performance metrics.
(a) 8 DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4) and deployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5) shall publicly self-certify that they are in compliance with their obligations under this chapter. DevelopersDevelopers"Developers" means any entity that designs, codes, or produces a CAIDS, or modifies an AI system with the intended purpose of making a consequential decision, whether for internal use or for use by third parties.R.I. Gen. Laws § 6-60-3(4) and deployersDeployers"Deployers" means any entity that uses a CAIDS to make consequential decisions.R.I. Gen. Laws § 6-60-3(5) may use an impact assessment or design evaluation conducted in accordance with other laws or regulations if such assessment or evaluation is reasonably similar in scope.
(b) 9 The attorney general may issue a subpoena in the course of an investigation that requires the deployer or developer to disclose to the attorney general the contents of a relevant impact assessment or design evaluation, subject to § 6-60-4(a).
(c) Impact assessments and design evaluations shall be confidential and exempt from public inspection and copying under chapter 2 of title 38 ("public records"). The disclosure of an impact assessment or design evaluation pursuant to a request from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment or evaluation and any information contained therein.
This section establishes the bill's enforcement framework and confidentiality protections. Developers and deployers must publicly self-certify compliance with all chapter obligations — a notable mechanism that places the affirmative burden of public attestation on the regulated entity rather than relying solely on government inspection. Assessments conducted under other laws may be used if reasonably similar in scope. The attorney general may issue investigative subpoenas compelling disclosure of impact assessments or design evaluations, but these documents are exempt from public records disclosure and production to the AG does not waive attorney-client privilege or work product protection.