new text begin Subdivision 1. new text end

new text begin Scope. new text end

new text begin For purposes of sections 325M.51 to 325M.54, the following
terms have the meanings given.
new text end

new text begin Subd. 2. new text end

new text begin Artificial intelligence application. new text end

new text begin "Artificial intelligence application" means
a software program or system that uses artificial intelligence to perform tasks that typically
require human intelligence.
new text end

new text begin Subd. 3. new text end

new text begin Artificial intelligence model. new text end

new text begin "Artificial intelligence model" means an
engineered or machine-based system that can, for explicit or implicit objectives, infer from
an input received how to generate output that can influence physical or virtual environments.
new text end

new text begin Subd. 4. new text end

new text begin Commissioner. new text end

new text begin "Commissioner" means the commissioner of commerce.
new text end

new text begin Subd. 5. new text end

new text begin Deployer. new text end

new text begin "Deployer" means a person that implements, integrates, or makes
operational an artificial intelligence model or artificial intelligence application in this state.
Deployer includes a person that makes an artificial intelligence model or artificial intelligence
application available for use by others in this state, whether directly or as part of a product
or service.
new text end

new text begin Subd. 6. new text end

new text begin Developer. new text end

new text begin "Developer" means a person that develops an artificial intelligence
model or artificial intelligence application that is deployed in this state.
new text end

new text begin Subd. 7. new text end

new text begin Independent verification organization or IVO. new text end

new text begin "Independent verification
organization" or "IVO" means an entity licensed by the commissioner pursuant to section
325M.51 to assess an artificial intelligence model's or artificial intelligence application's
adherence to standards reflecting best practices for the prevention of personal injury and
property damage.
new text end

new text begin Subd. 8. new text end

new text begin Security vendor. new text end

new text begin "Security vendor" means a third-party entity engaged by an
IVO or developer to evaluate the safety or security of an artificial intelligence model or
artificial intelligence application, including by using processes such as risk detection and
risk mitigation.
new text end

new text begin Subdivision 1. new text end

new text begin License required. new text end

new text begin An application for an independent verification
organization license must be made by filing with the commissioner the information, materials,
and forms specified in rules adopted by the commissioner.
new text end

new text begin Subd. 2. new text end

new text begin IVO proposed plan. new text end

new text begin An IVO must file a proposed plan with the IVO's
application. The proposed plan must include:
new text end

new text begin (1) the risk or risks that artificial intelligence models or artificial intelligence applications
must mitigate. For each risk identified, the plan must include:
new text end

new text begin (i) a proposed definition of acceptable levels of risk;
new text end

new text begin (ii) metrics that are measurable and can be used to determine whether the acceptable
level of risk defined by the IVO produces beneficial outcomes;
new text end

new text begin (iii) target levels for the metrics, including data sources the target levels are based on
and methods for measurement; and
new text end

new text begin (iv) a description of the evaluation and reporting protocol to determine whether verified
artificial intelligence models or artificial intelligence applications meet the outcome metrics
on an ongoing basis;
new text end

new text begin (2) proposed technical, operational, governance, and other mitigation requirements for
developers or deployers, including procedures for predevelopment and postdevelopment,
to ensure acceptable levels of risk, including:
new text end

new text begin (i) ongoing monitoring risks; and
new text end

new text begin (ii) ongoing assessment of mitigation efficacy;
new text end

new text begin (3) methodologies and sources used to evaluate the efficacy of mitigation requirements;
new text end

new text begin (4) benchmarks, technologies, and audit methodologies proposed to assess developer
and deployer adherence to mitigation requirements;
new text end

new text begin (5) an approach to assessing continued good standing of a verified artificial intelligence
model or artificial intelligence application, including reviewing and evaluating the developer's
or deployer's maintenance of artificial intelligence governance plans and policies, processes
for risk monitoring and mitigation, whistleblower protections, and training for employees
and third parties;
new text end

new text begin (6) disclosure requirements for developers or deployers related to detected risks, incident
reports, or material changes to risk profiles, including both risks detected before verification
and risks resulting from fine-tuning or modifying an artificial intelligence model or artificial
intelligence application after verification;
new text end

new text begin (7) procedures for prescribing and verifying implementation of corrective actions to
remedy a developer's or deployer's identified failure to:
new text end

new text begin (i) achieve an acceptable level of risk with respect to an artificial intelligence application
or artificial intelligence model;
new text end

new text begin (ii) comply with any other mitigation requirements promulgated by the applicant; and
new text end

new text begin (iii) comply with the developer's or deployer's artificial intelligence governance plan
and policy;
new text end

new text begin (8) standards and procedures for revoking verification for noncompliance with the
applicant's mitigation requirements, failure to achieve acceptable levels of risk, or
noncompliance with the developer's or deployer's artificial intelligence governance plans
and policies;
new text end

new text begin (9) whether the applicant proposes risk-specific verification and how plans are tailored
to the specific risk;
new text end

new text begin (10) coordination with federal and state authorities;
new text end

new text begin (11) personnel qualifications;
new text end

new text begin (12) governance policies, sources of funding, and policies ensuring independence; and
new text end

new text begin (13) any other information required by the commissioner.
new text end

new text begin Subd. 3. new text end

new text begin License determination. new text end

new text begin (a) The commissioner may license an applicant if the
commissioner finds:
new text end

new text begin (1) the applicant demonstrated independence from the artificial intelligence community;
and
new text end

new text begin (2) every element of the applicant's proposed plan is adequate to ensure that artificial
intelligence models or artificial intelligence applications verified pursuant to the plan mitigate
one or more risks to an acceptable level.
new text end

new text begin (b) If verification is proposed to a specific risk, the commissioner must evaluate the
plan's adequacy accordingly.
new text end

new text begin (c) If the commissioner finds that an applicant's plan does not adequately mitigate all of
the proposed risks, the applicant must be licensed to verify only those risks for which the
plan is deemed adequate.
new text end

new text begin (d) The license must specify:
new text end

new text begin (1) the risks the IVO is authorized to verify; and
new text end

new text begin (2) any markets the license applies to.
new text end

new text begin Subd. 4. new text end

new text begin License revocation. new text end

new text begin The commissioner must revoke an IVO license if the
commissioner determines:
new text end

new text begin (1) the IVO's plan is materially misleading or inaccurate;
new text end

new text begin (2) the IVO fails to adhere to the IVO's plan in a way that materially impairs the IVO's
responsibilities, including failure to adhere to the plan's procedures for ongoing monitoring
of verified artificial intelligence models or artificial intelligence applications and
implementation of corrective action;
new text end

new text begin (3) a material change compromises independence from the artificial intelligence industry;
new text end

new text begin (4) technological evolution renders methods obsolete for ensuring acceptable levels of
the risk the commissioner has designated the IVO to verify; or
new text end

new text begin (5) a verified artificial intelligence model or artificial intelligence application causes
material harm of the type the IVO defines an acceptable level of risk in order to prevent.
new text end

new text begin Subd. 5. new text end

new text begin Cure opportunity. new text end

new text begin The commissioner may allow an IVO to cure the basis for
revocation before terminating the license.
new text end

new text begin Subd. 6. new text end

new text begin Fees. new text end

new text begin The commissioner must establish reasonable application and renewal
fees sufficient to offset administrative costs.
new text end

new text begin Subd. 7. new text end

new text begin Verification not required. new text end

new text begin Nothing in this section requires an artificial
intelligence model or artificial intelligence application to seek IVO verification.
new text end

new text begin Subd. 8. new text end

new text begin Rulemaking. new text end

new text begin The commissioner may adopt rules necessary to implement
sections 325M.51 to 325M.54.
new text end

new text begin Subdivision 1. new text end

new text begin Implementation. new text end

new text begin A licensed IVO must implement the IVO's approved
plan.
new text end

new text begin Subd. 2. new text end

new text begin Revocation of verification. new text end

new text begin An IVO must revoke verification if a developer
or deployer:
new text end

new text begin (1) fails to meet mitigation requirements;
new text end

new text begin (2) fails to cooperate with monitoring;
new text end

new text begin (3) violates governance policies; or
new text end

new text begin (4) fails to implement corrective actions.
new text end

new text begin Subd. 3. new text end

new text begin Plan modification. new text end

new text begin (a) An IVO may update or modify:
new text end

new text begin (1) technical and operational requirements;
new text end

new text begin (2) evaluation benchmarks;
new text end

new text begin (3) audit methodologies;
new text end

new text begin (4) governance plans;
new text end

new text begin (5) verification activities to enhance efficacy; and
new text end

new text begin (6) any other element of the IVO's plan in order to take advantage of improved
technology.
new text end

new text begin (b) An IVO may address previously discovered issues with the IVO's plan.
new text end

new text begin (c) A notice of material changes must be reported in writing to the commissioner. The
notice shall describe the changes, the rationale for the changes, and an explanation of how
the changes better enable the IVO to ensure the requisite level of mitigation of relevant
risks.
new text end

new text begin (d) Changes must take effect upon notification.
new text end

new text begin (e) The commissioner may, within six months after receiving notice of changes, request
additional information from the IVO regarding the changes or may issue a written notice
rejecting the changes in whole or in part. If the commissioner rejects the changes, the IVO
has 30 days to modify the IVO's plan to comply with the commissioner's determination and
to assess whether artificial intelligence models or applications assessed under the previous
plan must be reassessed.
new text end

new text begin Subd. 4. new text end

new text begin Annual reporting. new text end

new text begin (a) An IVO must submit an annual report to the
commissioner and chairs and ranking minority members of the legislative committees with
jurisdiction over artificial intelligence. The report must include:
new text end

new text begin (1) aggregated information on the capabilities of the artificial intelligence models and
artificial intelligence applications evaluated by the IVO, the observed societal risks and
benefits associated with those capabilities, and the potential societal risks and benefits
associated with those capabilities;
new text end

new text begin (2) the adequacy of evaluation resources, technical capabilities, and mitigation measures
to address observed and potential risks;
new text end

new text begin (3) aggregated results of verification assessments;
new text end

new text begin (4) aggregated and anonymized compliance with prescribed remediation;
new text end

new text begin (5) anonymized descriptions of any additional significant risk the IVO observed while
conducting assessments, even if the risk is not one the IVO is licensed to verify;
new text end

new text begin (6) a list of verified artificial intelligence models and artificial intelligence applications;
new text end

new text begin (7) a description of evaluation methods; and
new text end

new text begin (8) governance or funding changes that affect independence.
new text end

new text begin (b) IVOs may redact trade secrets, sensitive business information, personally identifiable
information, and other security-sensitive content.
new text end

new text begin (c) Documentation used in reports must be retained for ten years. An IVO must also
retain all documentation relating to the IVO's assessment and verification of artificial
intelligence models or artificial intelligence applications, including ongoing monitoring and
any subsequent corrective action, for ten years after the relevant activity.
new text end

new text begin (d) The commissioner must publish on the Department of Commerce website redacted
versions of reports issued by IVOs.
new text end

new text begin Subdivision 1. new text end

new text begin Establishment. new text end

new text begin (a) The council is established within the Department of
Commerce. The commissioner must determine the appropriate size of the council and appoint
all members.
new text end

new text begin (b) Membership must include at least one civil society representative, including but not
limited to nongovernmental organizations, educational and research institutions, public
policy institutes, or consumer and business advocacy organizations.
new text end

new text begin Subd. 2. new text end

new text begin Duties. new text end

new text begin (a) The commissioner must delegate powers, including licensing and
auditing, to the council.
new text end

new text begin (b) A member must:
new text end

new text begin (1) remain free of undue influence and refrain from any action that could compromise
the member's ability to carry out the member's responsibilities or otherwise cast doubt on
the member's ability to independently assess artificial intelligence models or artificial
intelligence applications;
new text end

new text begin (2) refrain from any action or occupation, gainful or not, that is incompatible with the
member's duties, including but not limited to employment by a developer or deployer of
artificial intelligence;
new text end

new text begin (3) refrain from owning or acquiring any equity or other interest, directly or indirectly,
in a company whose business consists in significant part of developing or deploying artificial
intelligence;
new text end

new text begin (4) observe a one-year postemployment restriction from artificial intelligence firms or
IVOs; and
new text end

new text begin (5) be qualified to assess IVO plans.
new text end

new text begin Subd. 3. new text end

new text begin Administration. new text end

new text begin (a) A member must not serve more than two consecutive
terms.
new text end

new text begin (b) A member must receive reimbursement for actual and necessary expenses incurred
in the discharge of duties. A member may also receive a salary for carrying out the member's
duties under this section.
new text end

new text begin (c) A member may be removed for inefficiency, neglect, or malfeasance.
new text end

new text begin (d) A majority of members constitutes a quorum and concurrence of a majority of a
quorum is sufficient for the council's determination.
new text end

new text begin (e) The council must keep a record of the council's proceedings, including all
considerations relating to the issuance, refusal, renewal, and revocation of an IVO license.
new text end