- (a) The department by rule shall develop minimum risk management and governance standards for the development, procurement, deployment, and use of heightened scrutiny artificial intelligence systems by a state agency or local government.
(b) The minimum standards must be consistent with the Artificial Intelligence Risk Management Framework (AI RMF 1.0) published by the National Institute of Standards and Technology and must:
- (1) establish accountability measures, such as required reports describing the use of, limitations of, and safeguards for the heightened scrutiny artificial intelligence system;
(2) require the assessment and documentation of the heightened scrutiny artificial intelligence system's known security risks, performance metrics, and transparency measures:
- (A) before deploying the system; and
(B) at the time any material change is made to:
- (i) the system;
- (ii) the state or local data used by the system; or
- (iii) the intended use of the system;
- (3) provide to local governments resources that advise on managing, procuring, and deploying a heightened scrutiny artificial intelligence system, including data protection measures and employee training; and
(4) establish guidelines for:
- (A) risk management frameworks, acceptable use policies, and training employees; and
- (B) mitigating the risk of unlawful harm by contractually requiring vendors to implement risk management frameworks when deploying heightened scrutiny artificial intelligence systems on behalf of state agencies or local governments.
- (c) State agencies and local governments shall adopt the standards developed under Subsection (a).
Added by Acts 2025, 89th Leg., R.S., Ch. 1148 (S.B. 1964), Sec. 5, eff. September 1, 2025.