Laws & Statutes WA WA-SB-6120
SB-6120
WA · State · USA
WA
USA
● Pending
Proposed Effective Date
2027-01-01
Washington Senate Bill 6120 — An Act Relating to regulating high-risk artificial intelligence system development, deployment, and use; adding a new chapter to Title 19 RCW
Washington SB 6120 regulates developers and deployers of high-risk AI systems — AI systems intended to autonomously make or be a substantial factor in making consequential decisions affecting consumers in areas such as employment, housing, credit, healthcare, education, insurance, and legal services. Developers must provide deployers with documentation on intended uses, known limitations, bias risks, evaluation methods, and mitigation measures before making a system available. Deployers must implement a risk management program, complete impact assessments before deployment and after significant updates, disclose AI use to affected consumers before interaction, and provide explanations for adverse decisions. The bill creates a private right of action for any person, with injunctive relief and attorneys' fees available, subject to a 45-day cure affirmative defense. It provides safe harbors for conformity with NIST AI RMF, ISO/IEC 42001, or equivalent frameworks, and exempts insurers, financial institutions subject to existing AI guidance, HIPAA-covered telemedicine providers, and federal government acquisitions (except for employment and housing decisions).
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party Yes
Bipartisan No
Prior session None
Legislative History
2026-01-14 introduced First reading, referred to Environment, Energy & Technology.
Mapped Requirements
H-02 Non-Discrimination & Bias Assessment G-02 Public Transparency & Documentation T-02 AI Content Labeling & Provenance G-01 AI Governance Program & Documentation T-01 AI Identity Disclosure H-01 Human Oversight of Automated Decisions
Official Sources
Full Text
Entry Last Reviewed
2026-04-02
AI generated
Summary

Washington SB 6120 regulates developers and deployers of high-risk AI systems — AI systems intended to autonomously make or be a substantial factor in making consequential decisions affecting consumers in areas such as employment, housing, credit, healthcare, education, insurance, and legal services. Developers must provide deployers with documentation on intended uses, known limitations, bias risks, evaluation methods, and mitigation measures before making a system available. Deployers must implement a risk management program, complete impact assessments before deployment and after significant updates, disclose AI use to affected consumers before interaction, and provide explanations for adverse decisions. The bill creates a private right of action for any person, with injunctive relief and attorneys' fees available, subject to a 45-day cure affirmative defense. It provides safe harbors for conformity with NIST AI RMF, ISO/IEC 42001, or equivalent frameworks, and exempts insurers, financial institutions subject to existing AI guidance, HIPAA-covered telemedicine providers, and federal government acquisitions (except for employment and housing decisions).

Enforcement & Penalties
Enforcement Authority
Private right of action. Any person may file a civil action against a developer or deployer for a violation of the chapter. No designated agency enforcer. Affirmative defense available if the developer or deployer discovered the violation, cured it within 45 days, provided notice and evidence of cure to the person bringing the action, and is otherwise in compliance with the chapter.
Penalties
Injunctive relief and reasonable attorneys' fees and costs. No statutory minimum damages or per-violation penalty amounts are specified. The statute provides that a court 'may enjoin the violation and award reasonable attorneys' fees and costs.' No actual harm is required to obtain injunctive relief.
Who Is Covered
"Deployer" means any person doing business in Washington that deploys or uses a high-risk artificial intelligence system to make a consequential decision in Washington.
"Developer" means any person doing business in Washington that develops or intentionally and substantially modifies a high-risk artificial intelligence system that is offered, sold, leased, given, or otherwise made available to deployers or consumers in Washington and who earns more than $100,000 in gross annual revenue.
What Is Covered
"High-risk artificial intelligence system" means any artificial intelligence system that is specifically intended to autonomously make, or be a substantial factor in making, a consequential decision. A system or service is not a "high-risk artificial intelligence system" if it is intended to: (i) Perform a narrow procedural task; (ii) improve the result of a previously completed human activity; (iii) detect any decision-making patterns or any deviations from preexisting decision-making patterns; or (iv) perform a preparatory task to an assessment relevant to a consequential decision. (b) "High-risk artificial intelligence system" does not include any of the following technologies: (i) Antifraud technology that does not use facial recognition technology; (ii) Antimalware technology; (iii) Antivirus technology; (iv) Artificial intelligence-enabled video games; (v) Autonomous vehicle technology; (vi) Calculators; (vii) Cybersecurity technology; (viii) Databases; (ix) Data storage; (x) Firewall technology; (xi) Internet domain registration; (xii) Internet website loading; (xiii) Networking; (xiv) Spam and robocall filtering; (xv) Spell-checking technology; (xvi) Spreadsheets; (xvii) Web caching; (xviii) Web hosting or any similar technology; or (xix) Technology that communicates with consumers in natural language for the purpose of providing users with information, making referrals or recommendations, and answering questions and is subject to an acceptable use policy that prohibits generating content that is discriminatory or unlawful.
Compliance Obligations 17 obligations · click obligation ID to open requirement page
H-02 Non-Discrimination & Bias Assessment · H-02.1H-02.2 · Developer · Automated Decisionmaking
Sec. 2(1)
Plain Language
Developers of high-risk AI systems must exercise reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination arising from intended and contracted uses. Compliance with the full set of developer obligations in Section 2 creates a rebuttable presumption of reasonable care. The self-testing and diversity-expansion carve-outs in the definition of algorithmic discrimination mean that using the system solely to test for or mitigate bias does not itself constitute prohibited discrimination.
Statutory Text
(1) A developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system. In a civil action brought against a developer pursuant to this chapter, there is a rebuttable presumption that a developer of a high-risk artificial intelligence system used reasonable care as required by this subsection (1) if the developer complied with the requirements of this section.
G-02 Public Transparency & Documentation · G-02.1 · Developer · Automated Decisionmaking
Sec. 2(2)(a)-(c)
Plain Language
Developers may not provide a high-risk AI system to any deployer or other developer without delivering comprehensive documentation covering: intended uses, known limitations and discrimination risks, purpose and intended outputs, a summary of pre-deployment performance and bias evaluations, discrimination mitigation measures taken, guidance on proper use, misuse, and human monitoring, plus any additional documentation reasonably necessary for the deployer to understand outputs and monitor for discrimination. This is a pre-distribution prerequisite — the system cannot be made available until the documentation is delivered.
Statutory Text
(2) A developer of a high-risk artificial intelligence system may not offer, sell, lease, give, or otherwise provide to a deployer or other developer a high-risk artificial intelligence system unless the developer makes available to the deployer or other developer: (a) A statement disclosing the intended uses of such high-risk artificial intelligence system; (b) Documentation disclosing the following: (i) The known or reasonably known limitations of such high-risk artificial intelligence system, including any and all known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of such high-risk artificial intelligence system; (ii) The purpose of such high-risk artificial intelligence system and its intended outputs, benefits, and uses; (iii) A summary describing how such high-risk artificial intelligence system was evaluated for performance and for mitigation of algorithmic discrimination before it was licensed, sold, leased, given, or otherwise made available to a deployer or other developer; (iv) A description of the measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment or use of such high-risk artificial intelligence system; and (v) A description of how the high-risk artificial intelligence system should be used, not be used, and be monitored by an individual when such system is used to make, or is a substantial factor in making, a consequential decision; and (c) Any additional documentation that is reasonably necessary to assist the deployer or other developer in understanding the outputs and monitoring performance of the high-risk artificial intelligence system for risks of algorithmic discrimination.
G-02 Public Transparency & Documentation · G-02.1 · Developer · Automated Decisionmaking
Sec. 2(3)
Plain Language
Developers must provide deployers with the information and artifacts — including system cards, pre-deployment impact assessments, and risk management policies — necessary for the deployer or its contracted third party to complete the impact assessment required under Section 3(3). This obligation is limited to what is feasible and necessary but ensures deployers have adequate upstream documentation to conduct their own compliance assessments.
Statutory Text
(3) A developer that offers, sells, leases, gives, or otherwise makes available to a deployer or other developer a high-risk artificial intelligence system shall make available to the deployer or other developer to the extent feasible and necessary, information and documentation to enable the deployer, other developer, or a third party contracted by the deployer to complete an impact assessment required by section 3(3) of this act. Such information and documentation must include artifacts, such as system cards or predeployment impact assessments, including relevant risk management policies and impact assessments.
G-02 Public Transparency & Documentation · G-02.1 · Developer · Automated Decisionmaking
Sec. 2(6)
Plain Language
Developers must update all deployer-facing disclosures within 90 days of performing an intentional and substantial modification to a high-risk AI system. This is a continuing accuracy obligation — documentation delivered under Section 2(2) must remain current. Notably, routine deployer customizations and changes arising from predetermined continuous learning that were included in the initial impact assessment do not trigger this update obligation.
Statutory Text
(6) For a disclosure required pursuant to this section, a developer shall, no later than 90 days after the developer performs an intentional and substantial modification to a high-risk artificial intelligence system, update such disclosure as necessary to ensure that such disclosure remains accurate.
T-02 AI Content Labeling & Provenance · T-02.1T-02.2 · Developer · Automated DecisionmakingContent Generation
Sec. 2(7)(a)-(c)
Plain Language
Developers of high-risk generative AI systems that produce or substantially modify synthetic content must ensure outputs are identifiable and detectable using industry-standard or developer-provided tools, with identification embedded at the time of generation. For audio, image, or video in artistic, creative, satirical, or fictional works, identification must not hinder display or enjoyment. Text-only content, content published on matters of public interest, content unlikely to mislead a reasonable person, assistive editing outputs, and law enforcement tools are exempt. This obligation applies only to high-risk generative systems — non-high-risk generative tools are not covered.
Statutory Text
(7)(a) A developer of a high-risk generative artificial intelligence system that generates or substantially modifies synthetic content shall ensure that the outputs of such high-risk artificial intelligence system: (i) Are identifiable and detectable in a manner that is accessible by consumers using industry-standard tools or tools provided by the developer; (ii) comply with any applicable accessibility requirements, as synthetic content, to the extent reasonably feasible; and (iii) apply such identification at the time the output is generated. (b) If such synthetic content is an audio, image, or video format that forms part of an evidently artistic, creative, satirical, fictional, or analogous work or program, the requirement for identifying outputs of high-risk artificial intelligence systems pursuant to (a) of this subsection (7) is limited to a manner that does not hinder the display or enjoyment of such work or program. (c) The identification of outputs required by (a) of this subsection (7) do not apply to: (i) Synthetic content that consists exclusively of text, is published to inform the public on any matter of public interest, or is unlikely to mislead a reasonable person consuming such synthetic content; or (ii) the outputs of a high-risk artificial intelligence system that performs an assistive function for standard editing, does not substantially alter the input data provided by the developer, or is used to detect, prevent, investigate, or prosecute any crime as authorized by law.
G-01 AI Governance Program & Documentation · G-01.1 · Developer · Automated Decisionmaking
Sec. 2(5)
Plain Language
This provision establishes a safe harbor for developers: high-risk AI systems conforming to the NIST AI RMF, ISO/IEC 42001, or an equivalent nationally or internationally recognized risk management framework are presumed to comply with the developer obligations in Section 2. This is a rebuttable presumption — conformity with a recognized framework does not guarantee compliance but shifts the burden of proof. The safe harbor applies to the full scope of Section 2 developer obligations, including documentation, disclosure, and anti-discrimination duties.
Statutory Text
(5) High-risk artificial intelligence systems that are in conformity with the latest version of the artificial intelligence risk management framework published by the national institute of standards and technology, standard ISO/IEC 42001 of the international organization for standardization, or another nationally or internationally recognized risk management framework for artificial intelligence systems, or parts thereof, are presumed to be in conformity with related requirements set out in this section.
H-02 Non-Discrimination & Bias Assessment · H-02.1H-02.2 · Deployer · Automated Decisionmaking
Sec. 3(1)
Plain Language
Deployers of high-risk AI systems have a general duty to exercise reasonable care to protect consumers from known or reasonably foreseeable algorithmic discrimination risks. Full compliance with all deployer obligations in Section 3 creates a rebuttable presumption of reasonable care. This parallels the developer duty in Section 2(1) but applies to the deployment and operational context rather than the development phase.
Statutory Text
(1) A deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination. In a civil action brought against a deployer pursuant to this chapter, there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required by this subsection (1) if the deployer complied with the provisions of this section.
G-01 AI Governance Program & Documentation · G-01.1 · Deployer · Automated Decisionmaking
Sec. 3(2)(a)-(c)
Plain Language
Deployers may not use a high-risk AI system to make consequential decisions without first designing and implementing a risk management policy and program. The policy must specify the principles, processes, and personnel for identifying, mitigating, and documenting algorithmic discrimination risks. Alignment with the NIST AI RMF, ISO/IEC 42001, or a substantially equivalent framework creates a rebuttable presumption of compliance for both the risk management program and the high-risk system itself. This is a deployment prerequisite — the system cannot be used for consequential decisions until the program is in place.
Statutory Text
(2)(a) A deployer may not deploy or use a high-risk artificial intelligence system to make a consequential decision unless the deployer has designed and implemented a risk management policy and program for such high-risk artificial intelligence system. The risk management policy must specify the principles, processes, and personnel that the deployer must use in maintaining the risk management program to identify, mitigate, and document any risk of algorithmic discrimination that is a reasonably foreseeable consequence of deploying or using such high-risk artificial intelligence system to make a consequential decision. (b) A risk management policy and program designed, implemented, and maintained pursuant to this section is presumed to be in conformity with related requirements set out in this section if the policy and program align with the guidance and standards set forth in the latest version of: (i) The artificial intelligence risk management framework published by the national institute of standards and technology; (ii) Standard ISO/IEC 42001 of the international organization for standardization; or (iii) A nationally or internationally recognized risk management framework for artificial intelligence systems with requirements that are substantially equivalent to, and at least as stringent as, the guidance and standards described in (b)(i) and (ii) of this subsection (2). (c) High-risk artificial intelligence systems that are in conformity with the latest version of the artificial intelligence risk management framework published by the national institute of standards and technology, standard ISO/IEC 42001 of the international organization for standardization, or another nationally or internationally recognized risk management framework for artificial intelligence systems, or parts thereof, are presumed to be in conformity with related requirements set out in this section.
H-02 Non-Discrimination & Bias Assessment · H-02.3H-02.10 · Deployer · Automated Decisionmaking
Sec. 3(3)(a)-(c)
Plain Language
Deployers must complete a comprehensive impact assessment before initially deploying a high-risk AI system and before using any significant update for consequential decisions. The assessment must cover at minimum: purpose and intended uses, discrimination risks and mitigation steps, data categories processed, customization data, performance metrics, transparency measures, post-deployment monitoring, oversight processes, and a validity and reliability analysis. A single assessment may cover comparable systems. Cross-compliance is available — an impact assessment completed for another law satisfies this requirement if reasonably similar in scope. All impact assessments and records, including raw performance evaluation data, must be retained for at least three years following final deployment.
Statutory Text
(3)(a) Except as provided in (c) of this subsection (3), a deployer may not deploy or use a high-risk artificial intelligence system to make a consequential decision unless the deployer has completed an impact assessment for such high-risk artificial intelligence system. The deployer shall complete an impact assessment for a high-risk artificial intelligence system before the deployer initially deploys such high-risk artificial intelligence system and before a significant update to such high-risk artificial intelligence system is used to make a consequential decision. (b) An impact assessment completed pursuant to (a) of this subsection (3) must include, at a minimum: (i) A statement by the deployer disclosing the purpose, intended use cases, and deployment context of, and benefits afforded by, the high-risk artificial intelligence system; (ii) A statement by the deployer disclosing whether the deployment or use of the high-risk artificial intelligence system poses any known or reasonably foreseeable risk of algorithmic discrimination and, if so, the nature of such algorithmic discrimination and the steps that have been taken, to the extent feasible, to mitigate such risk; (iii) For each postdeployment impact assessment completed pursuant to this section, whether the intended use cases of the high-risk artificial intelligence system as updated were consistent with, or varied from, the developer's intended uses of such high-risk artificial intelligence system; (iv) A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs such high-risk artificial intelligence system produces; (v) If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize such high-risk artificial intelligence system; (vi) A list of any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system; (vii) A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that such high-risk artificial intelligence system is in use when such high-risk artificial intelligence system is in use; (viii) A description of any postdeployment monitoring performed and user safeguards provided concerning such high-risk artificial intelligence system, including any oversight process established by the deployer to address issues arising from deployment or use of such high-risk artificial intelligence system as such issues arise; and (ix) An analysis of such high-risk artificial intelligence system's validity and reliability in accordance with standard industry practices. (c)(i) A single impact assessment may address a comparable set of high-risk artificial intelligence systems deployed or used by a deployer. (ii) If a deployer completes an impact assessment for the purpose of complying with another applicable law or regulation, such impact assessment satisfies the relevant requirements established in this section if such impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be completed pursuant to this section. (iii) A deployer that completes an impact assessment pursuant to this section shall maintain such impact assessment and all records concerning the impact assessment for three years. Throughout the period of time that a high-risk artificial intelligence system is deployed and for a period of at least three years following the final deployment of the high-risk artificial intelligence system, the deployer shall retain all records concerning each impact assessment conducted on the high-risk artificial intelligence system, including all raw data used to evaluate the performance and known limitations of such system.
T-01 AI Identity Disclosure · T-01.1 · Deployer · Automated Decisionmaking
Sec. 3(4)(a)-(e)
Plain Language
Before or at the time a high-risk AI system interacts with a consumer, the deployer must disclose that the consumer is interacting with AI and provide a comprehensive set of additional disclosures: the system's purpose, nature, the type of consequential decision at stake, deployer contact information, and a plain-language description covering what personal attributes the system measures, how it measures them, their relevance to the decision, human components, and how automated components inform decisions. This is an unconditional disclosure — it applies regardless of whether a reasonable person would be misled.
Statutory Text
(4) Not later than the time that a deployer uses a high-risk artificial intelligence system to interact with a consumer, the deployer shall disclose to the consumer that the consumer is interacting with an artificial intelligence system. At such time, the deployer shall also disclose to the consumer: (a) The purpose of such high-risk artificial intelligence system; (b) The nature of such system; (c) The nature of the consequential decision; (d) The contact information for the deployer; and (e) A description of the artificial intelligence system in plain language, which must include: (i) A description of the personal characteristics or attributes that such system will measure or assess; (ii) The method by which the system measures or assesses such attributes or characteristics; (iii) How such attributes or characteristics are relevant to the consequential decisions for which the system should be used; (iv) Any human components of such system; and (v) How any automated components of such system are used to inform such consequential decisions.
H-01 Human Oversight of Automated Decisions · H-01.1 · Deployer · Automated Decisionmaking
Sec. 3(5)(a)-(c)
Plain Language
Deployers must transmit consequential decisions to consumers without undue delay. If the decision is adverse and relied on personal data beyond what the consumer directly provided, the deployer must additionally explain: the principal reasons for the decision, the degree and manner of the AI system's contribution, the types of data used, and the data sources. This explanation right is triggered only when (1) the decision is adverse and (2) personal data beyond the consumer's direct submissions was used — favorable decisions and decisions based solely on consumer-provided data do not require the detailed explanation.
Statutory Text
(5) A deployer that has deployed a high-risk artificial intelligence system to make a consequential decision concerning a consumer shall transmit to the consumer the consequential decision without undue delay. If such consequential decision is adverse to the consumer and based on personal data beyond information that the consumer provided directly to the deployer, the deployer shall provide to the consumer a statement disclosing the principal reason or reasons for the consequential decision, including: (a) The degree to which and manner in which the high-risk artificial intelligence system contributed to the consequential decision; (b) The type of data that was processed by such system in making the consequential decision; and (c) The sources of such data.
G-02 Public Transparency & Documentation · G-02.4 · Deployer · Automated Decisionmaking
Sec. 3(6)
Plain Language
Deployers must publish a clear, readily available summary of how they manage algorithmic discrimination risks arising from their high-risk AI systems. 'Readily available' implies public accessibility — not buried in terms of service or available only upon request. This is a standalone public transparency obligation distinct from the impact assessment requirement and consumer-facing disclosures.
Statutory Text
(6) A deployer shall make readily available a clear statement summarizing how the deployer manages any reasonably foreseeable risk of algorithmic discrimination that may arise from the use or deployment of the high-risk artificial intelligence system.
G-02 Public Transparency & Documentation · G-02.1 · Deployer · Automated Decisionmaking
Sec. 3(7)
Plain Language
Deployers must update all required disclosures within 30 days of being notified by the developer of an intentional and substantial modification to the high-risk AI system. This is a continuing accuracy obligation — deployer disclosures to consumers and the public must remain current as the system evolves. Note the 30-day deployer window is shorter than the developer's 90-day update window under Section 2(6).
Statutory Text
(7) For a disclosure required pursuant to this section, each deployer shall, no later than 30 days after the deployer is notified by the developer that the developer has performed an intentional and substantial modification to a high-risk artificial intelligence system, update such disclosure as necessary to ensure that such disclosure remains accurate.
G-02 Public Transparency & Documentation · G-02.1 · Deployer · Automated Decisionmaking
Sec. 3(8)
Plain Language
When a deployer performs an intentional and substantial modification to a high-risk AI system, the deployer steps into the developer's shoes and must comply with all developer documentation and disclosure obligations under Section 2. This effectively means the deployer must produce and deliver the same comprehensive documentation package (intended uses, limitations, bias evaluations, mitigation measures, monitoring guidance) that a developer would produce. This triggers only for modifications that create new material discrimination risks or materially change the system's purpose.
Statutory Text
(8) A deployer who performs an intentional and substantial modification to a high-risk artificial intelligence system shall comply with the documentation and disclosure requirements for developers pursuant to section 2 of this act.
Other · DeveloperDeployer · Automated Decisionmaking
Sec. 4(13)
Plain Language
When a developer or deployer withholds or redacts information under any exemption in the chapter (including trade secret protections), they must notify the person who would otherwise receive the disclosure and explain the basis for withholding or redacting. This ensures that deployers receiving documentation from developers, and consumers receiving decision explanations from deployers, are informed when information has been omitted and why — preventing silent gaps in disclosure.
Statutory Text
(13) If a developer or deployer withholds information pursuant to an exemption set forth in this chapter for which disclosure would otherwise be required by this chapter, including the exemption from disclosure of trade secrets, the developer or deployer shall notify the subject of disclosure and provide a basis for withholding the information. If a developer or deployer redacts any information pursuant to an exemption from disclosure, the developer or deployer shall notify the subject of disclosure that the developer or deployer is redacting such information and provide the basis for such decision to redact.
Other · Automated Decisionmaking
Sec. 5(1)-(2)
Plain Language
Any person may sue a developer or deployer for violations of the chapter. Available remedies are injunctive relief and reasonable attorneys' fees and costs — there are no statutory damages or per-violation penalties. An affirmative defense is available if the defendant discovered the violation, cured it within 45 days, notified the plaintiff with evidence of cure, and is otherwise in compliance with the chapter. This provision creates no independent compliance obligation — it is the enforcement mechanism for all other obligations in the chapter.
Statutory Text
(1) In addition to any other remedy provided by law, a person may file a civil action against a developer or deployer for a violation of this chapter. If a court finds that the developer or deployer violated this chapter, the court may enjoin the violation and award reasonable attorneys' fees and costs. (2) In an action brought pursuant to this section, it is an affirmative defense that the developer or deployer: (a) Discovered a violation of any provision of this chapter; (b) Cured such violation no later than 45 days after discovering the violation; (c) Provided notice to the person bringing the civil action pursuant to this section that such violation has been cured and provides accompanying evidence that the violation has been cured; and (d) Is otherwise in compliance with the requirements of this chapter.
Other · Automated Decisionmaking
Sec. 2(4)
Plain Language
When a developer also serves as the deployer of its own high-risk AI system (a vertically integrated entity), it is not required to generate the deployer-facing documentation under Section 2 unless the system is also provided to an unaffiliated third-party deployer. This prevents requiring an entity to generate documentation for itself. The exemption is lost if the system is shared with any unaffiliated deployer. This provision creates no new obligation — it narrows the scope of an existing one.
Statutory Text
(4) A developer that also serves as a deployer for a high-risk artificial intelligence system may not be required to generate the documentation required by this section unless such high-risk artificial intelligence system is provided to an unaffiliated entity acting as a deployer or as otherwise required by law.