| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
| |
|
|
relating to the regulation and use of artificial intelligence |
|
|
systems and the management of data by governmental entities. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 2054.003, Government Code, is amended by |
|
|
adding Subdivisions (1-a), (2-b), (2-c), (6-a), and (11) to read as |
|
|
follows: |
|
|
(1-a) "Artificial intelligence system" means a |
|
|
machine-based system that for explicit or implicit objectives |
|
|
infers from provided information how to generate outputs, such as |
|
|
predictions, content, recommendations, or decisions, to influence |
|
|
a physical or virtual environment with varying levels of autonomy |
|
|
and adaptiveness after deployment. |
|
|
(2-b) "Consequential decision" means a decision that |
|
|
has a material, legal, or similarly significant effect on the |
|
|
provision, denial, or conditions of a person's access to a |
|
|
government service. |
|
|
(2-c) "Controlling factor" means a factor generated by |
|
|
an artificial intelligence system that is: |
|
|
(A) the principal basis for making a |
|
|
consequential decision; or |
|
|
(B) capable of altering the outcome of a |
|
|
consequential decision. |
|
|
(6-a) "Heightened scrutiny artificial intelligence |
|
|
system" means an artificial intelligence system specifically |
|
|
intended to autonomously make, or be a controlling factor in |
|
|
making, a consequential decision. The term does not include an |
|
|
artificial intelligence system intended to: |
|
|
(A) perform a narrow procedural task; |
|
|
(B) improve the result of a previously completed |
|
|
human activity; |
|
|
(C) perform a preparatory task to an assessment |
|
|
relevant to a consequential decision; or |
|
|
(D) detect decision-making patterns or |
|
|
deviations from previous decision-making patterns. |
|
|
(11) "Principal basis" means the use of an output |
|
|
produced by a heightened scrutiny artificial intelligence system to |
|
|
make a decision without: |
|
|
(A) human review, oversight, involvement, or |
|
|
intervention; or |
|
|
(B) meaningful consideration by a human. |
|
|
SECTION 2. Section 2054.068(b), Government Code, is amended |
|
|
to read as follows: |
|
|
(b) The department shall collect from each state agency |
|
|
information on the status and condition of the agency's information |
|
|
technology infrastructure, including information regarding: |
|
|
(1) the agency's information security program; |
|
|
(2) an inventory of the agency's servers, mainframes, |
|
|
cloud services, artificial intelligence systems, including |
|
|
heightened scrutiny artificial intelligence systems, and other |
|
|
information technology equipment; |
|
|
(3) identification of vendors that operate and manage |
|
|
the agency's information technology infrastructure; and |
|
|
(4) any additional related information requested by |
|
|
the department. |
|
|
SECTION 3. Section 2054.0965, Government Code, is amended |
|
|
by amending Subsection (b) and adding Subsection (c) to read as |
|
|
follows: |
|
|
(b) Except as otherwise modified by rules adopted by the |
|
|
department, the review must include: |
|
|
(1) an inventory of the agency's major information |
|
|
systems, as defined by Section 2054.008, and other operational or |
|
|
logistical components related to deployment of information |
|
|
resources as prescribed by the department; |
|
|
(2) an inventory of the agency's major databases and |
|
|
applications; |
|
|
(3) a description of the agency's existing and planned |
|
|
telecommunications network configuration; |
|
|
(4) an analysis of how information systems, |
|
|
components, databases, applications, and other information |
|
|
resources have been deployed by the agency in support of: |
|
|
(A) applicable achievement goals established |
|
|
under Section 2056.006 and the state strategic plan adopted under |
|
|
Section 2056.009; |
|
|
(B) the state strategic plan for information |
|
|
resources; and |
|
|
(C) the agency's business objectives, mission, |
|
|
and goals; |
|
|
(5) agency information necessary to support the state |
|
|
goals for interoperability and reuse; [and] |
|
|
(6) an inventory and identification of the artificial |
|
|
intelligence systems and heightened scrutiny artificial |
|
|
intelligence systems deployed by the agency, including an |
|
|
evaluation of the purpose of and risk mitigation measures for each |
|
|
system and an analysis of how each system supports the agency's |
|
|
strategic plan under this subchapter; and |
|
|
(7) confirmation by the agency of compliance with |
|
|
state statutes, rules, and standards relating to information |
|
|
resources and artificial intelligence systems, including the |
|
|
artificial intelligence system code of ethics developed under |
|
|
Section 2054.702, and minimum standards developed under Section |
|
|
2054.703. |
|
|
(c) Local governments shall complete a review of the |
|
|
deployment and use of heightened scrutiny artificial intelligence |
|
|
systems and provide the review to the department in the manner the |
|
|
department prescribes. |
|
|
SECTION 4. Section 2054.137, Government Code, is amended by |
|
|
adding Subsection (a-1) and amending Subsection (c) to read as |
|
|
follows: |
|
|
(a-1) A state agency with 150 or fewer full-time employees |
|
|
may: |
|
|
(1) designate a full-time employee of the agency to |
|
|
serve as a data management officer; or |
|
|
(2) enter into an agreement with one or more state |
|
|
agencies to jointly employ a data management officer if approved by |
|
|
the department. |
|
|
(c) In accordance with department guidelines, the data |
|
|
management officer for a state agency shall annually post on the |
|
|
Texas Open Data Portal established by the department under Section |
|
|
2054.070 at least three high-value data sets as defined by Section |
|
|
2054.1265. The high-value data sets may not include information |
|
|
that is confidential or protected from disclosure under state or |
|
|
federal law. |
|
|
SECTION 5. Chapter 2054, Government Code, is amended by |
|
|
adding Subchapter S to read as follows: |
|
|
SUBCHAPTER S. ARTIFICIAL INTELLIGENCE |
|
|
Sec. 2054.701. DEFINITION. In this subchapter, "unlawful |
|
|
harm" means any condition in which the use of an artificial |
|
|
intelligence system results in a consequential decision that causes |
|
|
harm to an individual who is a member of a state or federally |
|
|
protected class in violation of law. The term does not include a |
|
|
developer's or deployer's offer, license, or use of a heightened |
|
|
scrutiny artificial intelligence system for the sole purpose of |
|
|
testing the system before deployment to identify, mitigate, or |
|
|
otherwise ensure compliance with state and federal law. |
|
|
Sec. 2054.702. ARTIFICIAL INTELLIGENCE SYSTEM CODE OF |
|
|
ETHICS. (a) The department by rule shall establish an artificial |
|
|
intelligence system code of ethics for use by state agencies and |
|
|
local governments that procure, develop, deploy, or use artificial |
|
|
intelligence systems. |
|
|
(b) At a minimum, the artificial intelligence system code of |
|
|
ethics must include guidance for the deployment and use of |
|
|
artificial intelligence systems and heightened scrutiny artificial |
|
|
intelligence systems that aligns with the Artificial Intelligence |
|
|
Risk Management Framework (AI RMF 1.0) published by the National |
|
|
Institute of Standards and Technology. The guidance must address: |
|
|
(1) human oversight and control; |
|
|
(2) fairness and accuracy; |
|
|
(3) transparency, including consumer disclosures; |
|
|
(4) data privacy and security; |
|
|
(5) public and internal redress, including |
|
|
accountability and liability; and |
|
|
(6) the frequency of evaluations and documentation of |
|
|
improvements. |
|
|
(c) State agencies and local governments shall adopt the |
|
|
code of ethics developed under this section. |
|
|
Sec. 2054.703. MINIMUM STANDARDS FOR HEIGHTENED SCRUTINY |
|
|
ARTIFICIAL INTELLIGENCE SYSTEMS. (a) The department by rule shall |
|
|
develop minimum risk management and governance standards for the |
|
|
development, procurement, deployment, and use of heightened |
|
|
scrutiny artificial intelligence systems by a state agency or local |
|
|
government. |
|
|
(b) The minimum standards must be consistent with the |
|
|
Artificial Intelligence Risk Management Framework (AI RMF 1.0) |
|
|
published by the National Institute of Standards and Technology and |
|
|
must: |
|
|
(1) establish accountability measures, such as |
|
|
required reports describing the use of, limitations of, and |
|
|
safeguards for the heightened scrutiny artificial intelligence |
|
|
system; |
|
|
(2) require the assessment and documentation of the |
|
|
heightened scrutiny artificial intelligence system's known |
|
|
security risks, performance metrics, and transparency measures: |
|
|
(A) before deploying the system; and |
|
|
(B) at the time any material change is made to: |
|
|
(i) the system; |
|
|
(ii) the state or local data used by the |
|
|
system; or |
|
|
(iii) the intended use of the system; |
|
|
(3) provide to local governments resources that advise |
|
|
on managing, procuring, and deploying a heightened scrutiny |
|
|
artificial intelligence system, including data protection measures |
|
|
and employee training; and |
|
|
(4) establish guidelines for: |
|
|
(A) risk management frameworks, acceptable use |
|
|
policies, and training employees; and |
|
|
(B) mitigating the risk of unlawful harm by |
|
|
contractually requiring vendors to implement risk management |
|
|
frameworks when deploying heightened scrutiny artificial |
|
|
intelligence systems on behalf of state agencies or local |
|
|
governments. |
|
|
(c) State agencies and local governments shall adopt the |
|
|
standards developed under Subsection (a). |
|
|
Sec. 2054.704. EDUCATIONAL OUTREACH PROGRAM. (a) The |
|
|
department shall develop educational materials on artificial |
|
|
intelligence systems to promote the responsible use of the systems |
|
|
and awareness of the risks and benefits of system use, explain |
|
|
consumer rights in relation to the systems, and describe risk |
|
|
mitigation techniques. |
|
|
(b) The department shall develop training materials for |
|
|
state and local government employees and the general public. The |
|
|
training materials must be made available on the department's |
|
|
public Internet website. |
|
|
(c) The department shall host statewide forums and training |
|
|
sessions on artificial intelligence systems best practices for |
|
|
state and local government employees. |
|
|
(d) The department may: |
|
|
(1) use money appropriated to the department to |
|
|
produce materials required by this section; and |
|
|
(2) contract with a vendor to produce those materials. |
|
|
Sec. 2054.705. PUBLIC SECTOR ARTIFICIAL INTELLIGENCE |
|
|
SYSTEMS ADVISORY BOARD. (a) A public sector artificial |
|
|
intelligence systems advisory board is established to assist state |
|
|
agencies in the development, deployment, and use of artificial |
|
|
intelligence systems. |
|
|
(b) The advisory board shall: |
|
|
(1) obtain and disseminate information on artificial |
|
|
intelligence systems, including use cases, policies, and |
|
|
guidelines; |
|
|
(2) facilitate shared resources between state |
|
|
agencies; |
|
|
(3) consult with the department on artificial |
|
|
intelligence systems issues; |
|
|
(4) identify opportunities: |
|
|
(A) for state agencies to implement artificial |
|
|
intelligence systems to reduce administrative burdens; and |
|
|
(B) to streamline the state procurement process |
|
|
for artificial intelligence systems; and |
|
|
(5) recommend elimination of rules that restrict the |
|
|
innovation of artificial intelligence systems. |
|
|
(c) The department shall provide administrative support for |
|
|
the advisory board. |
|
|
(d) The advisory board is composed of eight members as |
|
|
follows: |
|
|
(1) six members representing state agencies, |
|
|
including one member representing an agency with fewer than 150 |
|
|
employees, appointed by the governor or the governor's designee; |
|
|
and |
|
|
(2) two public members with expertise in technology, |
|
|
appointed by the governor or the governor's designee. |
|
|
(e) Advisory board members serve two-year terms. Advisory |
|
|
board members may be reappointed. |
|
|
(f) Advisory board members are not entitled to compensation |
|
|
or reimbursement of expenses for service on the advisory board. |
|
|
Sec. 2054.706. ARTIFICIAL INTELLIGENCE SYSTEM SANDBOX |
|
|
PROGRAM. (a) In this section: |
|
|
(1) "Eligible entity" means an eligible customer under |
|
|
Section 2054.0525. |
|
|
(2) "Program" means the program established by this |
|
|
section that is designed to allow temporary testing of an |
|
|
artificial intelligence system in a controlled, limited manner |
|
|
without requiring full compliance with otherwise applicable |
|
|
regulations. |
|
|
(3) "Vendor" means a person registered with the |
|
|
department as a contractor to provide commodity items under Section |
|
|
2157.068. |
|
|
(b) The department shall establish and administer a program |
|
|
to support eligible entities in contracting with vendors to engage |
|
|
in research, development, training, testing, and other |
|
|
pre-deployment activities related to artificial intelligence |
|
|
systems to effectively, efficiently, and securely assist the entity |
|
|
in accomplishing its public purposes. |
|
|
(c) The department shall create an application process for |
|
|
vendors to apply to participate in the program. The application |
|
|
process must include: |
|
|
(1) a detailed description of the artificial |
|
|
intelligence system proposed for participation in the program and |
|
|
the system's intended use; |
|
|
(2) a risk assessment of the system that addresses |
|
|
potential impacts on the public; and |
|
|
(3) a plan for mitigating any adverse consequences |
|
|
discovered during the system's testing phase. |
|
|
(d) A vendor participating in the program shall, with |
|
|
oversight by the department, provide eligible entities with secure |
|
|
access to an artificial intelligence system used in the program. |
|
|
(e) The department shall provide to vendors and eligible |
|
|
entities participating in the program detailed guidelines |
|
|
regarding the exemption from compliance with otherwise applicable |
|
|
regulations provided by the program. |
|
|
(f) The eligible entities and vendors shall submit |
|
|
quarterly reports to the department that include: |
|
|
(1) performance measures for the artificial |
|
|
intelligence system; |
|
|
(2) risk mitigation strategies implemented during |
|
|
system testing; |
|
|
(3) feedback on program effectiveness and efficiency; |
|
|
and |
|
|
(4) any additional information the department |
|
|
requests. |
|
|
(g) Not later than November 30 of each even-numbered year, |
|
|
the department shall produce an annual report and submit the report |
|
|
to the legislature summarizing: |
|
|
(1) the number of eligible entities and vendors |
|
|
participating in the program and the program outcomes; and |
|
|
(2) recommendations for legislative or other action. |
|
|
(h) Notwithstanding Section 2054.383, the department may |
|
|
operate the program as a statewide technology center under |
|
|
Subchapter L. |
|
|
Sec. 2054.707. DISCLOSURE REQUIREMENTS. (a) A state |
|
|
agency that procures, develops, deploys, or uses a public-facing |
|
|
artificial intelligence system shall provide clear disclosure of |
|
|
interaction with the system to the public as provided by the |
|
|
artificial intelligence system code of ethics established under |
|
|
Section 2054.702. The disclosure is not required if a reasonable |
|
|
person would know the person is interacting with an artificial |
|
|
intelligence system. |
|
|
(b) A vendor contracting with a state agency to deploy or |
|
|
operate an artificial intelligence system must also provide the |
|
|
disclosure required under Subsection (a). |
|
|
Sec. 2054.708. IMPACT ASSESSMENTS. (a) A state agency that |
|
|
deploys or uses an artificial intelligence system or a vendor that |
|
|
contracts with a state agency for the deployment or use of a system |
|
|
shall conduct a system assessment that outlines: |
|
|
(1) risks of unlawful harm; |
|
|
(2) system limitations; and |
|
|
(3) information governance practices. |
|
|
(b) The state agency or vendor shall make a copy of the |
|
|
assessment available to the department on request. |
|
|
(c) An impact assessment conducted under this section is |
|
|
confidential and not subject to disclosure under Chapter 552. The |
|
|
state agency or department may redact or withhold information as |
|
|
confidential under Chapter 552 without requesting a decision from |
|
|
the attorney general under Subchapter G, Chapter 552. |
|
|
(d) The department shall take actions necessary to ensure |
|
|
the confidentiality of information submitted under this section, |
|
|
including restricting access to submitted information to only |
|
|
authorized personnel and implementing physical, electronic, and |
|
|
procedural protections. |
|
|
Sec. 2054.709. ENFORCEMENT. (a) If a state agency or |
|
|
vendor becomes aware of a violation of this subchapter, the agency |
|
|
or vendor shall report the violation to the department, if |
|
|
applicable, and the attorney general. |
|
|
(b) The attorney general shall: |
|
|
(1) review a report submitted under this section or a |
|
|
complaint reported through the web page established under Section |
|
|
2054.710; and |
|
|
(2) determine whether to bring an action to enjoin a |
|
|
violation of this subchapter. |
|
|
(c) If the attorney general, in consultation with the |
|
|
department, determines that a vendor violated this subchapter, the |
|
|
attorney general shall provide the vendor with a written notice of |
|
|
the violation. |
|
|
(d) If a vendor fails to respond or cure the violation |
|
|
before the 31st day after the date the vendor receives the written |
|
|
notice under Subsection (c), the state agency shall provide the |
|
|
vendor with a notice of intent to void the contract. The vendor may |
|
|
respond and seek to cure the violation before the 31st day after the |
|
|
date the vendor receives the notice of intent. |
|
|
(e) If the vendor fails to cure the violation before the |
|
|
31st day after the date the vendor receives the notice of intent to |
|
|
void the contract under Subsection (d), the state agency may void |
|
|
the contract without further obligation to the vendor. |
|
|
(f) If the department determines that a vendor has had more |
|
|
than one contract voided under Subsection (e), the department shall |
|
|
refer the matter to the comptroller. Using procedures prescribed |
|
|
by Section 2155.077, the comptroller may bar the vendor from |
|
|
participating in a state agency contract. |
|
|
Sec. 2054.710. ARTIFICIAL INTELLIGENCE SYSTEM COMPLAINT |
|
|
WEB PAGE. (a) The attorney general shall, in collaboration with |
|
|
the department, establish a web page on the attorney general's |
|
|
Internet website that allows a person to report a complaint |
|
|
relating to artificial intelligence systems, including: |
|
|
(1) instances of an artificial intelligence system |
|
|
allegedly unlawfully infringing on the person's constitutional |
|
|
rights or financial livelihood; or |
|
|
(2) the use of an artificial intelligence system that |
|
|
allegedly results in unlawful harm. |
|
|
(b) A complaint submitted on the web page created under |
|
|
Subsection (a) must be distributed to the department. |
|
|
(c) A person who submits a complaint on the web page created |
|
|
under Subsection (a) may request an explanation from the |
|
|
department. |
|
|
(d) The attorney general shall post on the attorney |
|
|
general's Internet website information that: |
|
|
(1) educates persons regarding the risks and benefits |
|
|
of artificial intelligence systems; and |
|
|
(2) explains a person's rights in relation to |
|
|
artificial intelligence systems. |
|
|
(e) If the attorney general, in consultation with the |
|
|
department, determines that the complaint is substantiated and a |
|
|
violation of this chapter occurred, the attorney general may seek |
|
|
enforcement under Section 2054.709. |
|
|
(f) Not later than November 30 of each even-numbered year, |
|
|
the attorney general shall submit to the legislature a report |
|
|
summarizing the complaints received under this section, the |
|
|
resolutions of the complaints, and any enforcement actions taken. |
|
|
Sec. 2054.711. STANDARDIZED NOTICE. (a) Each state agency |
|
|
and local government deploying or using an artificial intelligence |
|
|
system that is public-facing or that is a controlling factor in a |
|
|
consequential decision shall include a standardized notice on all |
|
|
related applications, Internet websites, and public computer |
|
|
systems. |
|
|
(b) The department shall develop a form that agencies must |
|
|
use for the notice required under Subsection (a). The form must |
|
|
include: |
|
|
(1) general information about the system; |
|
|
(2) information about the data sources the system |
|
|
uses; and |
|
|
(3) measures taken to maintain compliance with |
|
|
information privacy laws and ethics standards. |
|
|
Sec. 2054.712. RULES. The department shall adopt rules to |
|
|
implement this subchapter. |
|
|
SECTION 6. (a) As soon as practicable after the effective |
|
|
date of this Act, the Department of Information Resources shall: |
|
|
(1) adopt rules necessary to implement Subchapter S, |
|
|
Chapter 2054, Government Code, as added by this Act; and |
|
|
(2) develop the outreach program and form required by |
|
|
Sections 2054.704 and 2054.711, Government Code, as added by this |
|
|
Act. |
|
|
(b) As soon as practicable after the effective date of this |
|
|
Act, the office of the attorney general shall establish the web page |
|
|
as required by Section 2054.710, Government Code, as added by this |
|
|
Act. |
|
|
SECTION 7. This Act takes effect September 1, 2025. |
|
|
|
|
|
* * * * * |