Executive Summary
Congress released a landmark AI governance bill on June 4, 2026, that proposes three years of federal preemption over state AI laws: development is covered, deployment is not. Every public company board overseeing AI tools deployed across operations remains exposed to the patchwork of state liability that the Great American AI Act explicitly excludes from its reach. The responsible posture is not to wait for the bill to pass; passage will not change the board’s exposure at the deployment layer.
PRIORITY 9 | SILO: Legislative
The Great American AI Act (Obernolte-Trahan, June 4, 2026) proposes three years of federal preemption over AI development laws, but explicitly excludes state laws governing AI use and deployment: the territory where every board’s oversight obligation lives.
The Deep Dive
The Signal
On June 4, 2026, Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released the discussion draft of the Great American AI Act, a 269-page bipartisan framework that would impose transparency requirements, third-party audits through Independent Verification Organizations (IVOs), whistleblower protections, and critical safety incident reporting on large frontier AI developers with more than $500 million in annual revenue. The draft spans four titles: Frontier AI Governance, Workforce, Cybersecurity, and Research and International Cooperation.
The bill has not been formally introduced. It is a discussion draft, circulated to invite stakeholder comment before introduction. The transparency and audit provisions in Sections 111 and 112 sunset after three years unless reauthorized.
The Evidence
The preemption language in Title I is precise. The bill would preempt state laws “specifically regulating the development of any AI model,” with development defined as “acts performed or directed by a developer prior to its deployment.” (DLA Piper analysis, June 5, 2026.) The bill is equally direct about what it does not cover: state laws of general applicability, common law remedies, and state laws regulating AI use or deployment.
State frontier developer laws in California, New York, and Illinois would likely be preempted. State laws governing AI use in employment decisions, credit, healthcare, and consumer transactions are not preempted. The board at a Fortune 500 company using AI tools in hiring, lending, or patient-facing operations faces the same state law exposure after the bill passes as before it.
The third-party audit requirement (Section 112) applies to frontier developers meeting the $500 million revenue threshold. For companies deploying AI (not building it), the bill creates no direct compliance obligation and provides no safe harbor from state deployment liability.
The Strategic Implication
Defensive Risk. The audit committee chair and lead independent directors at every public company deploying AI across operations face a board-level oversight obligation the Great American AI Act does not resolve. The patchwork of state deployment laws, governing AI use in employment, lending, healthcare, and public safety, remains in force throughout and after the bill’s three-year preemption window, which covers only the developer layer. Delaware’s Caremark doctrine, extended by the Court of Chancery to officers as well as directors, treats mission-critical risks as requiring a functioning oversight system: not a policy document. AI deployment at scale qualifies. A board that reads “federal preemption” as clearing its own oversight responsibility has misread the statute, and the misreading will not hold in a Caremark proceeding. The exposure window is not tied to a federal clock; it runs against each state’s individual enforcement cycle. The correct action before the next audit committee charter review: commission a documented inventory of AI systems deployed across the business, map each to applicable state deployment laws, and establish a board-level oversight mechanism with named ownership and an escalation path to the full board.
Offensive Advantage. Boards that build documented AI deployment governance now occupy a position competitors who wait will not hold. Section 113 of the Great American AI Act provides whistleblower protections for employees who report violations “related to the development, deployment, or operation of artificial intelligence.” Those protections are designed to surface failures. The companies with a functioning oversight architecture (not an AI policy written in 2023) will be positioned to demonstrate Caremark compliance when enforcement actions begin. Documented deployment governance is also a due diligence asset; institutional investors and proxy advisors are moving toward scoring AI oversight quality as a governance metric. A board that can show it owns the deployment oversight standard and that management executes against it with board-level visibility will clear that test. The Governance Boundary Principle applies directly: the board sets the oversight standard; management executes. Boards that hand this to the general counsel and call it governance have confused the roles. That is the Declarative Board Failure Pattern: a governance obligation declared downward rather than owned above. The next wave of state enforcement will make the distinction legible.
Legacy Close
The Great American AI Act will not be the last federal AI governance bill. The boards that endure future legislative cycles are the ones whose directors understood what AI deployment oversight means at the fiduciary level before any statute required them to. What successors inherit is a standard the board owned: not a compliance program assembled when enforcement came close, but a documented oversight discipline built when the obligation was still a judgment call. That is what carries forward when the architects of this generation of governance are gone.
This analysis was developed in the AI Agent Orchestration Governance Playbook.
Touch Stone Publishers | Board-Level Intelligence | June 25, 2026