ChatGPT Memory Just Got a Major Overhaul
Great American AI Act: What It Means for Tool Buyers
On June 4, 2026, Reps. Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a 269-page discussion draft of the Great American AI Act — the most substantive federal AI legislation Congress has ever put on paper. It’s bipartisan. It’s specific. And unlike the four-page sketches and amendment riders that came before it, this one reads like an actual bill someone intends to pass.
The headline grabs are easy to summarize. Frontier developers above $500 million in revenue get mandatory semi-annual third-party audits. States get blocked from passing new AI development laws for three years. Penalties for non-compliance run up to $1 million per violation per day. Anthropic, OpenAI, Google DeepMind, and xAI are the four companies most obviously in scope, but the regulatory model the bill establishes will cascade into every enterprise contract those vendors sign.
The question for an AI tool buyer isn’t whether the bill will pass exactly as drafted — it almost certainly won’t. The question is what shifts in your procurement, compliance, and vendor-risk posture if even half of this framework becomes law in the next twelve months.
Quick Summary: The Great American AI Act at a Glance
Detail Info Released June 4, 2026 (discussion draft, not yet introduced) Sponsors Rep. Jay Obernolte (R-CA) and Rep. Lori Trahan (D-MA) Length 269 pages Covered companies Frontier developers with >$500M annual revenue (Anthropic, OpenAI, Google DeepMind, xAI per Roll Call) Core mechanism Semi-annual third-party audits by CAISI-licensed Independent Verification Organizations Auditor access Full access to records, personnel, and systems Penalties Up to $1 million per violation per day State preemption 3 years — applies to AI development laws only, NOT deployment or use CAISI funding $100M/year authorized for FY 2027-2029 Bipartisan co-leads Reps. Franklin (R-FL), Subramanyam (D-VA), Houchin (R-IN), Peters (D-CA) Bottom line: Federal regulation lands on the model developers. State regulation keeps biting on the enterprise deployers. The compliance math for AI buyers gets harder, not easier.
What the Bill Actually Does
The draft creates a federal regulatory regime for large frontier model developers, codifies the Center for AI Standards and Innovation (CAISI) inside Commerce, and freezes states out of AI development law for a fixed window. Each of those moves has been proposed before in some form. None have been bundled into a single 269-page text with this much specificity.
The audit mechanism is the technically novel piece. Per FedScoop’s read of the draft, frontier developers above the $500 million revenue threshold would be required to retain an Independent Verification Organization — a private-sector auditor licensed by CAISI — and submit to semi-annual compliance verification. The auditor’s mandate is broad: full access to records, personnel, and systems. Not a paperwork review. A live look inside how the model was trained, what risk management framework was applied, and whether the developer’s published safety commitments match operational reality.
The state preemption piece is the part that’s generated most of the political heat. The draft preempts state laws “specifically regulating the development” of AI models for three years. As Roll Call confirmed, preemption does not extend to laws governing how AI systems are deployed or used. California’s AB 2013 training-data disclosure law gets preempted. California’s deployment-side rules around hiring, insurance, and consumer protection do not.
Penalties are the enforcement teeth. Civil penalties run up to $1 million per violation per day for non-compliance or material misrepresentations to auditors. The per-day structure is the unusual choice — it converts a single sustained violation into a multi-million-dollar monthly bill rather than a one-time fine that a frontier lab can absorb as cost of doing business.
The rest of the bill is policy plumbing: codifying CAISI with $100M/year in authorized funding through 2029, criminalizing AI impersonation of government officials, directing Census and BLS to add AI adoption questions to federal surveys, and a list of safety incident reporting requirements that match what most frontier labs already do voluntarily. None of those grabbed headlines. All of them shape how compliance work gets done.
Why This Draft Is Different From the Last Three Attempts
This is at least the third serious congressional attempt to establish federal primacy over state AI law since 2025. The Senate killed a ten-year state AI moratorium tucked into the One Big Beautiful Bill Act on a 99-1 vote in July 2025. A second preemption effort attached to the FY2026 National Defense Authorization Act also failed. The Trump administration’s March 2026 federal preemption framework was four pages of policy direction with no enforcement mechanism.
The Obernolte-Trahan draft is the first version that comes with both real federal substance — actual audits, actual penalties, actual safety framework requirements — and a narrower preemption scope that addresses the specific objection that killed the earlier attempts. The previous proposals tried to block state authority over both AI development and deployment. State attorneys general and consumer protection groups objected because deployment is where most real-world harm shows up. The new draft surrenders deployment authority and only takes development.
That trade-off makes the bill politically viable in a way its predecessors weren’t. Bipartisan co-sponsorship from Reps. Scott Franklin (R-FL), Suhas Subramanyam (D-VA), Erin Houchin (R-IN), and Scott Peters (D-CA) suggests the sponsors lined up a credible coalition before public release. Whether that coalition survives committee markup is a separate question. The discussion draft format explicitly invites public feedback before formal introduction, and groups like Public Citizen have already declared the preemption piece a dealbreaker.
The Audit Mechanism: What Buyers Should Actually Read
The Independent Verification Organization framework is the part of the bill that matters most for enterprise AI buyers, and it’s the part that’s getting the least attention in the news cycle. Here’s why.
When a frontier developer like Anthropic or OpenAI signs an enterprise contract today, the buyer’s compliance team does whatever vendor risk review they have stomach for — sometimes thorough, often a SOC 2 review and a check-the-box exercise. Under the proposed framework, the developer has already been audited by a CAISI-licensed third party every six months on a specific set of safety, risk management, and operational controls. Those audit reports become a procurement artifact.
For most enterprise buyers, that’s a net upgrade. The audit covers questions your vendor-risk team can’t easily probe on its own: how the model was trained, what the developer’s catastrophic risk framework actually is, whether published safety commitments are operationally implemented. Captain Compliance’s analysis read the draft as creating a “shared accountability layer” between federal regulators and enterprise procurement — your due diligence rides on top of the federal audit, rather than duplicating it.
The catch: the audit covers the developer, not your deployment. If you’re using an OpenAI model to make hiring decisions, the audit tells you the model was developed responsibly. It tells you nothing about whether your deployment complies with California’s hiring discrimination rules, Colorado’s algorithmic accountability law, or whatever your state’s AI-in-employment statute says. The federal layer doesn’t replace your state-level compliance burden on deployment. It just guarantees a baseline at the model level.
What Changes for Your Compliance Stack
Three concrete shifts for AI tool buyers if the bill — or anything materially close to it — passes.
Vendor risk reviews get a federal artifact
The CAISI-licensed audit report becomes the starting point for every enterprise AI procurement conversation. Vendors above the $500M threshold will publish redacted audit summaries the way SaaS companies publish SOC 2 reports today. Buyers below frontier scale will reference those reports in their own vendor risk packages.
The practical move now: ask any frontier vendor you’re contracting with what their plan is for the CAISI audit framework if the bill passes. Smart vendors will already have a documented response. Vendors that haven’t thought about it are telling you something useful about their compliance maturity. The same posture matters for enterprise AI deployment decisions where vendor stability and audit-readiness are increasingly load-bearing.
State deployment law stays in play — and gets messier
The preemption is narrow. States keep authority over how AI is used and deployed inside their borders. That means every state-level AI-in-hiring, AI-in-insurance, AI-in-healthcare, and AI-in-housing statute remains live. The 50-state patchwork that worried buyers in 2025 doesn’t disappear under this bill — it just doesn’t expand into model development.
For enterprise compliance teams, that’s a more subtle shift than the headlines suggest. The development-side burden moves to your vendor (audited federally). The deployment-side burden stays with you (regulated state-by-state). Your compliance program doesn’t shrink. It re-shapes around a clearer federal-vs-state line.
The $500M threshold creates a tiering problem
Models from sub-threshold vendors — open-source releases, smaller commercial labs, foreign developers — aren’t covered by the federal audit regime. If you’re running DeepSeek, Mistral, or any of the second-tier providers in production, none of them are subject to the IVO process. Your federal compliance artifact disappears at the vendor boundary.
Two reasonable responses. Either you stick to threshold-covered vendors and accept the price premium for the federal audit umbrella, or you architect your AI stack with multi-vendor routing and apply your own compliance overlay to the sub-threshold portion. The economics-vs-compliance trade-off here mirrors the vendor risk math around frontier lab IPOs — the structural choice is the same, the regulatory dimension is new.
What This Bill Doesn’t Do
The discussion draft has gaps that matter, and some of them are large enough to reshape the compliance picture.
It doesn’t regulate AI deployment. As Nextgov noted, deployment-side rules stay with states. Hiring discrimination, insurance pricing, healthcare diagnosis, housing decisions — every domain where AI actually touches consumer outcomes — remains in the state-law arena.
It doesn’t cover non-frontier models. Below $500M in vendor revenue, there’s no federal compliance regime. Open-source models, smaller commercial labs, and foreign developers operate outside the IVO framework entirely.
It doesn’t address algorithmic transparency for end users. The audit framework is regulator-facing and procurement-facing. Consumer rights around AI explainability, contestability, or disclosure aren’t part of this draft. Those questions stay with state law and existing federal statutes like the FCRA.
It doesn’t establish federal AI liability. If a covered model causes harm, the audit framework doesn’t create or modify the civil liability picture. State product liability, state consumer protection law, and federal sector-specific regulators all keep their pre-existing tools.
It doesn’t ship until Congress passes it. The discussion draft format is explicitly pre-legislative. Formal introduction, committee markup, floor votes, reconciliation with any Senate companion, presidential signature — none of those have happened. The bill could be law in twelve months. It could be a dead letter by August. Both outcomes are live.
What Could Kill the Bill
Three things could derail this between discussion draft and enactment.
State AG opposition. State attorneys general have consistently opposed federal preemption of AI law. The narrower preemption scope in this draft addresses some of the previous objections, but consumer protection officials in California, New York, Texas, and Colorado have built significant institutional investment in state-level AI authority. A coordinated AG letter against the bill is a near-certainty and a real political problem.
Civil society pushback. TechTimes reported that consumer protection groups have framed the three-year preemption as a “freeze on consumer protection.” Even though the preemption only applies to AI development law, the political framing in advocacy press will conflate development and deployment. That framing matters during committee markup.
Industry concerns about audit scope. Frontier labs publicly support federal regulation as a way to head off state-by-state compliance fragmentation. Privately, the IVO framework’s “full access to records, personnel, and systems” language is going to generate substantial lobbying about scope, confidentiality, and operational disruption. The audit-access language is probably the single most-negotiated section of the bill before formal introduction. The ITIF’s Center for Data Innovation analysis flagged exactly this tension.
Trump administration alignment. The June 2026 executive order on AI innovation signaled administration preference for the lightest-touch federal framework possible. The Obernolte-Trahan draft is meaningfully heavier than what the White House had been signaling. Whether the administration backs the bill, modifies it, or quietly opposes it shapes the political path. None of those positions have been publicly clarified.
How This Compares to the EU AI Act Approach
The contrast with the EU AI Act is instructive because the structural choices are nearly opposite.
The EU AI Act regulates deployment by risk category — high-risk uses face strict requirements regardless of which vendor’s model powers them. The Great American AI Act regulates development by vendor scale — the largest model developers face audits regardless of which use cases their models eventually serve.
For multinational enterprise buyers, the practical implication is that the two frameworks complement rather than conflict. Your EU deployment compliance covers your AI use cases. Your US vendor relationships will increasingly come with federal audit artifacts that satisfy parts of your US compliance posture. The overlap is messy at the edges. The structural fit is better than the worst-case “two incompatible regimes” outcome the industry was worried about a year ago.
For US-only buyers, the federal layer is the new addition. State law continues to govern deployment. Your federal-state compliance program looks more like the financial services model — federal regulation of the largest institutions, state regulation of how those institutions interact with state residents — than the chaotic patchwork model that was emerging in 2025.
What to Do This Week
For different reader segments, different concrete moves.
Enterprise procurement teams. Open a vendor conversation with every frontier-scale AI provider you contract with. Ask them three questions. What is their plan for the CAISI Independent Verification Organization framework? When will they publish summary versions of their internal safety and risk management frameworks? How will their audit artifacts be made available to customers under existing contracts? Vendors that answer these clearly are tracking the bill. Vendors that don’t are useful signal.
Compliance and legal teams. Map your current AI compliance program against the development-vs-deployment split. The federal layer is going to absorb the development-side questions for threshold-covered vendors. Your state-law compliance burden on the deployment side stays the same or expands. The reorganization is structural, not just procedural.
Buyers using sub-threshold or open-source models. Decide whether your stack stays on threshold-covered vendors for the federal audit umbrella or moves to a multi-vendor architecture with your own compliance overlay. Both are legitimate choices. The decision shouldn’t be reactive — it should be made deliberately against your specific use case and risk profile. The enterprise AI deployment patterns we’ve covered consistently show buyers who pre-decide this question outperform buyers who chase regulatory headlines.
Policy and government affairs teams. The discussion draft period is the meaningful window for substantive input. Once the bill is formally introduced, the political dynamics harden and the legislative text becomes much harder to move. If your organization has positions on audit scope, threshold definitions, or preemption boundaries, the next 60 days are when written feedback to the sponsors actually changes the text.
Frequently Asked Questions
Is the Great American AI Act law yet?
No. It’s a discussion draft released June 4, 2026, to solicit public feedback before formal introduction. The bill has not been introduced, marked up, voted on, or signed. Sponsors haven’t announced a floor vote timeline. The earliest realistic enactment is late 2026, and significant policy work remains before then.
Which companies are covered by the audit requirement?
Frontier developers with annual revenue above $500 million. Roll Call’s reporting identified Anthropic, OpenAI, Google DeepMind, and xAI as the four companies most clearly above the threshold. Meta’s Llama, Microsoft’s first-party models, and Amazon’s Nova would also likely qualify. The exact list depends on how “annual revenue” is defined in final text, which is still under discussion.
What does the audit actually involve?
Per the draft, a CAISI-licensed Independent Verification Organization conducts semi-annual reviews of compliance with safety framework requirements, with full access to records, personnel, and systems. The auditor verifies that the developer’s published safety and risk management framework matches operational reality. Reports go to CAISI; some version is expected to be available to enterprise customers, though specifics aren’t finalized.
Does the preemption cancel existing state AI laws?
Only state laws specifically regulating AI model development, and only for three years. State laws regulating AI deployment and use stay in effect. California’s AB 2013 (training data disclosure) gets preempted. California’s AI-in-hiring rules don’t. Colorado’s algorithmic accountability law stays. Specific application to existing state statutes will require case-by-case legal analysis. The previous federal preemption framework analysis covered the broader political context here.
What’s the $1 million penalty actually based on?
Civil penalties run up to $1 million per violation per day. The per-day structure means a sustained violation accrues penalties continuously, not as a one-time fine. A six-month period of non-compliance against a single requirement could theoretically generate up to $180 million in penalties. Real-world enforcement would likely settle materially lower, but the statutory ceiling creates meaningful negotiating leverage for regulators.
How does this affect smaller AI companies and startups?
Directly, it doesn’t. The audit and compliance requirements apply only to developers above $500M in revenue. Smaller AI companies operate outside the IVO framework. Indirectly, the federal regime sets compliance expectations that cascade through enterprise procurement — even sub-threshold vendors will be asked about their alignment with the federal safety framework requirements during enterprise sales conversations.
Does this replace state AI regulation entirely?
No. The preemption is narrow and time-limited. It applies only to AI development law, only for three years, and only to states. Existing federal AI requirements from sector-specific regulators (FDA on medical AI, FTC on consumer protection, EEOC on hiring, CFPB on credit) all stay in effect. The bill is additive to existing federal authority, not a replacement for it.
Should I delay AI procurement decisions until the bill passes?
No. The bill timeline is too uncertain and your business needs aren’t going to wait. The right posture is to make procurement decisions on current criteria, document the regulatory assumptions your contracts rely on, and build flexibility into your vendor relationships for the audit framework if it comes. Treating the regulatory uncertainty as a reason to defer is the wrong call. Building flexibility into the procurement is the right one. Same logic applies for vendor risk management around frontier labs broadly.
Our Take
The Great American AI Act is the first federal AI proposal that takes both the regulatory work and the political coalition work seriously. The previous attempts were either policy gestures with no enforcement teeth or preemption maximalism that couldn’t survive a floor vote. This one is calibrated to actually pass. That matters.
The audit mechanism is the part of the bill that most directly affects how enterprise AI buyers should think about vendor selection over the next two years. CAISI-licensed IVO reports become a procurement artifact. Frontier labs above the threshold will compete partly on the quality of their audit posture. Buyers below frontier scale get a federal compliance umbrella for the model-development side of their stack that didn’t exist before. The federal layer doesn’t shrink your state-law deployment burden. It does meaningfully change what “vendor risk review” means for the largest AI providers.
The preemption fight is where the bill survives or dies. Three-year preemption of development law is a real but narrow give. State AGs and consumer advocacy groups will push back hard, and parts of that push-back will be substantively serious — particularly around whether the development-vs-deployment line is as clean in practice as it reads on paper. The bill’s political fate depends more on how that line gets defended in committee than on whether the audit mechanism survives scrutiny.
For AI tool buyers specifically, the structural read is that the regulatory landscape is converging on a model where the federal government audits the biggest vendors and states regulate how everyone deploys the technology. That convergence is the right outcome for buyers. It separates the questions you can offload to your vendor’s federal compliance from the questions you still need to own at your deployment boundary. Whether this specific bill is the vehicle that gets there, or whether the next bill is, the direction of travel is now visible enough to plan around. Plan around it.
Last updated: June 7, 2026. Sources: Obernolte press release · Trahan press release · Roll Call on three-year preemption · FedScoop on the federal AI framework · Nextgov on preemption scope · BroadbandBreakfast on the preemption battle · TechTimes on consumer protection concerns · Public Citizen opposition statement · Captain Compliance enterprise analysis · ITIF Center for Data Innovation.
Related reading: Trump’s AI Policy: What Federal Preemption Means for You · AI Safety Business Guide 2026 · Enterprise AI Deployment 2026 · Anthropic’s $965B IPO and Claude Users · Anthropic vs OpenAI 2026
