The Great American AI Act, a 269-page bipartisan discussion draft circulated by Reps. Obernolte and Trahan, draws a structural line between federal jurisdiction over AI model development and state authority over AI deployment. That division — not the preemption itself — is the governance signal compliance officers should read carefully.
This is a discussion draft, not enacted law. The bill has not been introduced for a formal vote. The analysis below reflects the draft's stated provisions as of June 4, 2026.
On June 4, 2026, Reps. Jay Obernolte (R-CA) and Lori Trahan (D-MA), along with co-sponsors Scott Franklin, Suhas Subramanyam, Erin Houchin, and Scott Peters, circulated a 269-page bipartisan discussion draft titled the Great American AI Act. The draft establishes a federal framework for frontier AI governance and, for a three-year period, preempts state AI development regulation while explicitly preserving state authority to regulate AI use and deployment. The preemption scope is the most consequential design choice in the draft, and it is the one most likely to be misread.
The draft does not propose to eliminate state AI regulation. It proposes to divide the regulatory field between federal and state jurisdiction along a development/deployment axis. That division has direct consequences for the current state AI law landscape: laws like Colorado's original SB 24-205 — which imposed governance mandates on AI model development and deployment pipelines — would be preempted under this draft. Laws like Colorado's replacement SB 26-189 — which impose notice and transparency requirements on the use of AI in consequential decisions — would not. For compliance officers navigating both federal developments and state law obligations, the boundary between development and deployment is the interpretive work this bill requires.
The draft's preemption applies to state regulation of AI model development — the training, architecture, fine-tuning, and release processes that produce frontier AI systems. For a three-year period, states may not impose development-layer governance requirements on frontier AI developers operating above the bill's coverage threshold. The draft explicitly carves out state authority over AI use and deployment: how AI systems are applied in products and services, what disclosures consumers receive, what recourse mechanisms exist, and what operational constraints govern AI-assisted decisions. That is the layer where most consumer protection, employment, housing, and financial services AI regulation operates.
The practical implication is that the patchwork problem does not resolve under this bill. It narrows. The federal government would occupy the development-layer field; the states would continue to occupy the deployment-layer field. An enterprise deploying AI in a regulated sector — credit underwriting, employment screening, insurance pricing — would still need to track state-level deployment requirements, which vary and continue to evolve. What the bill would remove is the obligation to navigate divergent state requirements for the underlying model development and release process.
The draft codifies and funds the Consortium for Artificial Intelligence Safety and Innovation, or CAISI, at $100 million per year for FY2027 through FY2029, with the consortium itself set to sunset after three years. CAISI is the technical body through which the bill's safety evaluation framework operates. Frontier developers above the revenue threshold — set at $500 million in annual revenue — would be subject to semi-annual independent verification and oversight audits conducted through CAISI's framework in collaboration with NIST.
The penalty structure is significant: $1 million per day for large frontier developers found in violation. The draft also includes a 15-day reporting obligation for safety incidents and a 24-hour reporting obligation for imminent-risk events, along with whistleblower protections for individuals who report safety concerns. The combination of rapid incident reporting, independent audits, and material penalties is designed to create enforcement gravity that voluntary frameworks have lacked.
The preemption is framed as a relief mechanism — removing the burden of divergent state development requirements from frontier AI companies. But the three-year sunset on CAISI and the discussion-draft status of the bill both introduce uncertainty that may be less useful to compliance planning than it appears. A company that relies on federal preemption to reduce its state compliance obligations and then finds the bill's preemption provisions amended, narrowed, or simply not enacted faces a compliance gap. The development/deployment boundary will also be litigated: the line between training a model and deploying it in a product is not always clean, and how regulators and courts draw it will matter as much as where Congress draws it.
For financial institutions and the vendors serving them, the operational question is which layer their AI governance obligations sit on. Model risk management under SR 11-7, model documentation requirements, and validation frameworks all operate primarily at the development and pre-deployment layer — the layer the bill would federalize. Consumer-facing AI obligations in credit, payments, and insurance operate primarily at the deployment layer — the layer states would retain. The practical effect for a bank deploying a vendor's AI model is that the vendor's development-layer obligations would be subject to the federal framework, while the bank's own deployment-layer obligations would remain subject to both federal financial services regulators and applicable state law.
This is a structural shift worth tracking, but its practical contours depend heavily on whether the bill advances, what amendments it absorbs, and how CAISI's audit and verification standards interact with existing model risk management frameworks in regulated industries.
The discussion draft stage invites formal comment and revision before introduction. Key questions the draft leaves open: how exactly is the development/deployment boundary defined for AI systems that are continuously updated post-deployment; whether the CAISI audit framework will be harmonized with existing sector-specific model risk guidance; and whether the $500 million revenue threshold is calibrated to catch the right population of developers. A long-form analysis examining the regulatory architecture in detail will follow separately. For the state law implications, see the Colorado AI Act article on SB 24-205 and its replacement.
Regulatory signals and analysis, when there is something worth saying. No fixed cadence.
Subscribe →