The following are the questions of the Center for Technological Responsibility’s AI Legislation Evaluation Framework V1 (CNTR AISLE Framework).
This is part of the AI Legislative Mapping project at the CNTR at Brown University.
Please contact us or raise an issue at https://github.com/brown-cntr/cntr-aisle/ if you have questions or suggestions.
Version: CNTR-AISLE-V1
Updated: March 12, 2025
[G1] Does the bill have a definition for “artificial intelligence” or “automated decision making / systems”?
[G1a] If “Yes” to G1, please select at least one of the following categories of AI definitions that is closest to the definition of AI in the bill.
Select “N/A” if there is no AI definition or the AI definition does not fit the following categories.
Feel free to use “Notes” to elaborate on your selection(s)
If “Yes” to G1, please select at least one of the following categories of ADS definitions that is closest to the definition of ADS in the bill.
[G1bi] If the bill has ADS definition, does the bill provide exclusions for ADS?
Select “N/A” if the bill does not define ADS.
For example, from NY S-7543 (2023-2024)
“Automated decision-making system” shall not include any software used primarily for basic computerized processes, such as calculators, spell check tools, autocorrect functions, spreadsheets, electronic communications, or any tool that relates only to internal management affairs such as ordering office supplies or processing payments, and that do not materially affect the rights, liberties, safety or welfare of any human
[G2] Does the bill include enforcement mechanisms to ensure compliance with any rules for AI governance?
[G2a] If “Yes” to G2, does the bill specify the party responsible for enforcement?
[G3] Does the bill apply to public-sector use of AI / ADS?
[G4] Does the bill apply to private-sector use of AI / ADS?
[G5] Does the bill provide an explicit list of domains where AI / ADS is used?
[G6] Does the bill define concepts related to generative AI, e.g “large language model”, “frontier model”, “foundational model”, etc?
[G6a] If “Yes” to G6, does the bill specify scope (e.g. model size, compute power) specifically related to generative AI or foundational model?
Note: In this category of Accountability & Transparency, “IA” will refer to Impact Assessment and “RA” to Risk Assessment throughout this scorecard. Both terms will be treated synonymously within this category.
[A1] Does the bill provide definitions for “Impact Assessment” (IA), “Risk Assessment” (RA), or similar forms of evaluation? If other forms of evaluation are used, please indicate in the Notes.
[A2] Does the bill require covered entities (as defined in the bill) to conduct Impact/Risk Assessment (IA/RA) or similar evaluations?
[A3] Does the bill specify the requirements or methodologies for conducting an IA/RA?
[A4] Does the bill refer to established standards, such as frameworks from NIST, or published industry standards, specific to accountability?
[A5] Does the bill mandate involving stakeholders, including potentially affected communities, in the IA/RA process?
[A6] Does the bill provide compensation and civil recourse for those affected by harms?
[A7] Does the bill specify enforcement mechanisms or penalties for failing to conduct IA/RA as required?
[A8] Are third-party vendors or partners required to comply with the IA/RA provisions in the bill?
[A9] Does the bill specify or otherwise acknowledge risks caused by poor data quality or algorithmic inaccuracy?
[A10] Does the bill specify or otherwise acknowledgeprivacy harms?
[A11] Does the bill specify or otherwise acknowledge risks to individual rights and freedoms, such as harms to dignity, autonomy, or exposure to unauthorized disclosure and identity theft?
[A11a] If “Yes” to any of A9 - A11, does the bill require the covered companies to identify the origin, nature, and severity of those risks?
[A12] Does the IA/RA establish procedures to assess, benchmark, and monitor identified AI risks and related impacts?
[A13] Does the IA/RA propose measures to address the risks?
[A14] Does the IA/RA include the option of deploying the system in its current state with increased testing and controls, or if necessary, decommissioning the system?
[A15] Is risk management an ongoing procedure, with testing and evaluation occurring over the entire lifecycle of an AI system, including the post-deployment period?
[A16] Does the bill specify the frequency of IA/RA?
[A16a] If “Yes” to A16, are IA/RAs required at regular intervals (e.g., annually, biannually)?
[A17] Does the bill require a pre-deployment IA/RA before the system is implemented?
[A18] Does the bill require a post-deployment IA/RA after the system has been implemented?
[A19] Does the bill require IA/RAs for all stages of the model’s life cycle (e.g., development, deployment, monitoring)?
[A20] Does the bill require IA/RAs for all stages of the data life cycle?
[A21] Does the bill mandate ongoing monitoring and updating of the IA/RA as the system evolves?
[A22] Does the bill require maintenance of IA/RA documentation?
[A23] Does the bill require documentation detailing how a model functions and its intended use cases?
[A24] Does the bill require a transparency report?
[A25] Does the bill identify the party responsible for completing the transparency requirement?
[A26] Does the bill require regular reporting to government agencies?
[A27] Does the bill require public reporting/publication?
[A28] Does the bill aim to address these risks by requiring auditing from expert third parties?
[A28a] If the bill includes auditing requirements or you select “Yes” for A28, does the bill define how frequently auditing should occur (i.e., single point or regular intervals)?
[A29] Does the bill deploy precautionary measures (e.g., licensing)?
[A30] Does the bill include bans on AI systems (for e.g that are viewed as creating a catastropic risk)?
[A31] Does the bill propose a licensing regime for any AI systems?
[A32] Does the bill consider conditional licensing?
[A32a] If “Yes” to A32a, is the conditional licensing imposed by a regulator rather than self-imposed by companies?
[A33] Does the bill deploy post-market measures, such as post-market monitoring and recalls?
[A34] Does the bill give regulators extensive inspection and information-forcing capabilities?
[A35] Does the bill require tools of resilience, e.g., kill switches, emergency training and protocols, and establishing thresholds at which a deployed system should be shut down?
[B1] Does the bill define “algorithmic discrimination” (or a similar term) to characterize unfair treatment toward specific groups? Refer to the Glossary / Definitions for possible list of synonyms
[B2] Does the bill explicitly include legally protected characteristics (e.g., race, gender, age, religion, disability) in its definition of discrimination or bias?
[B3] Does the bill identify specific sectors or domains where the bias provisions are applied?
[B4] Does the bill require or suggest examination of data sources that would implicate biased outcomes?
[B5] Does the bill restrict the use of AI systems that exhibit potentially discriminatory outcomes?
[B6] Does the bill propose or endorse specific methods to reduce algorithmic discrimination?
[B7] Does the bill mandate ongoing monitoring and evaluation of AI systems for bias?
[D1] Rights & Standards related to Privacy [[D1] Does the bill mention or imply a right to privacy concerning personal data or individual information?]
[D2] Rights & Standards related to Privacy [[D2] Does the bill refer to established standards such as ISO standards or NIST guidelines specific to data protection?]
[D3] Rights & Standards related to Privacy [[D3] Does the bill include provisions for the enforcement of these data protection standards?]
[D4] Rights & Standards related to Privacy [[D4] Does the bill establish a private right of action?]
[D5] Does the bill provide a definition of sensitive data?
[D6] Does the bill have specific requirements for handling sensitive data?
[D7] Does the bill require limits on access/use of sensitive data?
[D8] Does the bill require disclosure of the specific categories of sensitive data collected?
[D9] Does the bill specify guidelines or limitations regarding data collection practices?
[D10] Does the bill specify the allowable time frame or conditions under which data can be collected during the pre-deployment stage?
[D11] Does the bill reference data minimization?
[D12] Does the bill require explicit, informed consent from individuals before collecting their personal data?
[D13] Does the bill establish oversight mechanisms to ensure compliance with consent requirements for data collection?
[D14] Does the bill require organizations to document the specific purposes for which personal data is collected?
[D15] Does the bill require documentation of used datasets, including data sources, consent records, and data preprocessing activities?
[D16] Does the bill specify how personal data can be used after deployment of the AI system?
[D17] Does the bill define the duration or conditions under which personal data can be used post-deployment?
[D18] Does the bill reference data retention practices?
[D19] Does the bill identify a data retention period?
[D20] Does the bill specify the conditions under which personal data can be transferred or shared between parties domestically?
[D21] Does the bill specify the conditions for cross-border transfer or sharing of personal data?
[D22] Does the bill reference data deletion?
[D23] Does the bill address how individuals can request deletion of their data?
[D24] Does the bill address how individuals can verify the removal of their data?
[D25] Does the bill reference data security?
[D26] Does the bill specify requirements for informing individuals of data breaches?
[D27] Does the bill require mechanisms for individuals to ascertain if their personal data has been used in AI training datasets?
[D28] Does the bill provide remedies for individuals if their personal data is disclosed in AI outputs without consent?
[I1] Does the bill mandate the establishment of a new entity?
[I2] Does the bill outline clear, measurable objectives for the new entity that must be achieved within defined timelines?
[I3] Does the bill identify how the new entity will work with existing agencies?
[I4] Does the bill mandate periodic reporting and specify subsequent regulatory actions contigent upon report findings or identified compliance issues?
[L1] Does the bill contain provisions aimed at expanding the workforce in the AI Economy? Examples of provisions may include grants, access initiatives, etc.
[L2] Does the bill specify resources to train the labor force for AI-related skills?
[L3] Does the bill specify partners to collaborate with to research the impact of AI on the labor force?
[L4] Does the bill call for the analysis of challenges faced by workers affected by automation or AI implementation?
[L5] Does the bill call for the analysis of demographics that may be most vulnerable to AI displacement?
[L6] Does the bill propose recommendations to alleviate work displacement as a result of AI?
[L7] Does the bill propose compensation for workers who are being displaced, replaced or unemployed due to AI or automation?