How The MAD Act Provides A Plan For Artificial Intelligence

Red Line Prohibitions, Phased Investigation, Hammer Provisions & Institutional Architecture

Prohibited / Red Line

Permitted / Safe Harbor

What the MAD Act Does

Enforcement

Context / Background

The MAD Act (formally Title II — the "Demand A Plan for AI") is a phased legislative framework designed to address AI governance without premature regulation. It does not impose comprehensive AI rules immediately — instead, it mandates a structured, time-bound federal investigation across 19 domains (intellectual property, electoral integrity, compute infrastructure, financial markets, AI safety, children and vulnerable populations, workforce, environmental impact, liability, AI security, autonomous weapons, and more), conducted by 11 Technical Working Groups composed of domain experts paired with AI technical specialists, and produces introduction-ready Phase II legislation with binding statutory text. Six Red Line Prohibitions take effect immediately upon enactment with no waiver or grace period. If Congress fails to enact Phase II legislation within the prescribed window after receiving it, automatic hammer provisions activate — including a blanket moratorium on high-risk AI deployments, a total compute export ban, an AI acquisition freeze, a data center construction moratorium, and an open-weight frontier model release moratorium — backed by mandatory civil penalties, mandatory disgorgement, personal officer liability, and federal contracting debarment.

Red Line Prohibitions
(Immediate, Absolute)

Investigation
Domains

Technical Working
Groups

Domain-Specific
Hammer Provisions

Federal Advisory
Committee Members

Permanent Independent
Bodies (NAC + IAIDA)

≡ Findings

The Documented Threats Congress Identified

Exponential Capability Advancement: The UK AI Security Institute's 2025 Frontier AI Trends Report documented that frontier AI models advanced from "apprentice-level" to "expert-level" cybersecurity tasks between 2023 and 2025. The duration of autonomous software tasks frontier models can complete without human direction has been doubling approximately every eight months. Major frontier developers — Anthropic, OpenAI, Google DeepMind, Meta, Microsoft, Amazon, and xAI — have voluntarily published safety policies acknowledging that frontier AI may facilitate CBRN weapons development, cyberattacks, and evasion of human developer controls. Industry has acknowledged the risk; corresponding legal standards do not yet exist.
Dynamic Compute Threshold Problem: California SB 53 (2026) established the first domestic reporting and safety evaluation requirements for frontier AI incidents at the 10²⁶ FLOP threshold; the EU AI Act applies similar requirements at 10²⁵ FLOP. The Center for the Governance of AI estimates that between 45 and 148 models will exceed the 10²⁶ FLOP threshold by the end of 2028 — a number that may grow superlinearly each year, requiring dynamic governance mechanisms rather than static thresholds.
Workforce Displacement at Scale: The IMF estimates approximately 40 percent of all jobs globally are exposed to AI-driven change, with 60 percent exposure in advanced economies. McKinsey estimates existing AI tools could automate approximately 57 percent of current U.S. work hours. Women face nearly three times the automation risk of men in high-income economies. A 2025 NBER analysis identified approximately 5 to 6 million U.S. workers with low adaptive capacity but high AI exposure. AI is also suppressing entry-level hiring — companies using AI to avoid increasing headcount rather than terminating existing workers create labor market harms conventional displacement metrics fail to capture.
Documented Child Deaths Linked to AI: Sewell Setzer III (age 14, February 2024) died by suicide following an emotionally and sexually engaged relationship with a Character.ai chatbot. Adam Raine (age 16, April 2025) died by suicide after ChatGPT mentioned suicide 1,275 times in their interactions and provided detailed method information. A 2025 Common Sense Media survey found 72 percent of U.S. teenagers have used AI companion chatbots, 52 percent are regular users, and 31 percent report AI conversations as equally or more satisfying than conversations with human friends. Wrongful death litigation has resulted in settlement findings that AI outputs of this kind are not entitled to First Amendment protection.
AI-Generated CSAM Crisis: NCMEC received 67,000 reports involving generative AI in 2024 — a 1,325 percent increase from the prior year. The Internet Watch Foundation documented a 380 percent increase in AI-generated CSAM reports between 2023 and 2024 and identified 1,286 AI-generated CSAM videos in the first half of 2025 alone. Forty percent of AI-generated CSAM falls in the most severe category, depicting rape, sexual torture, or bestiality. Current federal law under 18 U.S.C. §§ 2252A and 1466A does not cover all categories of AI-generated CSAM.
Environmental and Community Harms: A typical AI data center may use as much electricity as 100,000 households; the largest facilities under development may use twenty times more. Large data centers can consume up to 5 million gallons of water per day. Residential electricity prices in the U.S. increased 7.1 percent in 2025 — more than double general inflation — with AI data center demand a significant contributing factor. 82 percent of California data centers are located in communities already facing poor air quality, which data centers worsen through diesel particulate emissions.
Synthetic Media and Electoral Integrity: AI-generated synthetic media depicting political figures proliferated during the 2026 federal election cycle. No comprehensive federal statute specifically addresses AI-generated political deepfakes. The FCC's February 2024 ruling brought AI-generated robocalls under the Telephone Consumer Protection Act, but AI-generated social media content remains largely unregulated at the federal level.
Copyright Litigation Without a Federal Framework: As of March 2026, more than 51 copyright infringement lawsuits are pending against AI developers in U.S. courts, including litigation against OpenAI and Microsoft. No comprehensive federal framework currently exists to address training data, fair use, opt-out registries, or compulsory licensing as applied to AI.

✗ Red Lines

Six Absolute Prohibitions — Effective Immediately, No Waiver, No Grace Period (Sec. 2017)

1 · Autonomous Weapons Without Meaningful Human Oversight

No person or entity — including DOD, CIA, and all Intelligence Community elements — may develop, produce, deploy, or export any autonomous weapons system without meaningful human oversight: written pre-mission authorization specifying engagement zones, target categories, and rules of engagement; real-time human monitoring with halt capability; and individualized human authorization for high-consequence engagements. Autonomous weapons against any person on U.S. soil are absolutely prohibited regardless of any declared emergency, AUMF, or executive order. Every use abroad triggers a presidential disclosure report identifying the engagement, casualties, and legal basis. A narrow Defensive Emergency Autonomy exception applies only to incoming-projectile defense, swarm intercept, and communications-denied emergency defense.

2 · CBRN Threat Assistance

No one may knowingly include training data curated to develop CBRN-assistance capabilities, or apply fine-tuning or capability elicitation techniques targeted at CBRN tasks. No one may deploy any AI system known or reasonably knowable to provide meaningful CBRN uplift — defined as specific operational assistance materially advancing an adversary's capability beyond what is achievable using publicly available resources. Mandatory pre-deployment CBRN evaluation is required for all frontier models, using independent biological, chemical, radiological, or nuclear domain experts. Open-weight frontier models that demonstrate meaningful CBRN uplift may not be released. A safe harbor protects the conduct of evaluations themselves.

3 · Autonomous Capability Self-Modification

No AI system may, without prior specific human authorization, modify its own objective function, reward function, or success criteria; initiate self-directed training to acquire capabilities beyond its designed scope; or take goal-directed actions specifically intended to reduce human capacity to monitor, modify, interrupt, or shut it down. Permitted activities expressly include agentic task completion, multi-agent orchestration, in-context learning, chain-of-thought reasoning, RLHF and constitutional AI with human-defined criteria, and self-improvement of approach within human-defined tasks — the line is between improving execution (permitted) and changing objectives (prohibited).

4 · Self-Replicating AI & Unauthorized Resource Acquisition

No AI system may propagate operational instances of itself, spawn agent processes, or establish computational presence on infrastructure not within the scope authorized by a human principal. First-order subagent spawning is conditionally permitted within the parent's resource envelope. Multi-generational spawning requires explicit human authorization. New resource or API acquisition follows a "prepare and pause" standard — the agent may scaffold the connection, but a human must approve credential acquisition. Shutdown resistance is absolutely prohibited, including active resistance, apparent compliance with state preservation, anticipatory positioning, and generational persistence.

5 · AI Companion Systems — Child Safety Protections

Five immediately enforceable requirements apply to AI companion systems accessible to or marketed to minors: tiered AI disclosure calibrated to character presentation and design features; mandatory crisis intervention upon detection of suicidal ideation or self-harm using clinical indicators rather than keyword filtering; absolute prohibition on sexual and romantic content to minors regardless of consent; and prohibition on marketing companion or synthetic intimacy systems to minors. A provisional prohibition — in full legal force from enactment — bars engineered emotional dependency maximization and simulation of human identity, emotional states, and romantic attachment to minor users, with clinical enforcement standards to be developed by TWG 6.

6 · Concealment of Transformative Capability

No person or entity may knowingly conceal, misrepresent, suppress, or fail to disclose evidence that any AI system has achieved or is approaching a Transformative AI Capability Event — including through manipulating evaluation results, selectively withholding capability demonstrations, mislabeling benchmarks, or structuring evaluation protocols to avoid detection. This prohibition is independent of and cumulative with the mandatory notification obligation under Sec. 2015(n). A single course of conduct that violates both provisions gives rise to separately penalized violations under each, which shall not be merged or offset.

✓ Safe Harbors

What Remains Explicitly Permitted Under the Red Lines

Agentic AI task completion: AI agents conducting research, generating content, executing code, making API calls, using tools, and improving performance within human-defined objectives are expressly permitted — including iterative refinement, self-critique, web research, information retrieval, and multi-agent orchestration where the shared goal is defined by a human principal.
First-order subagent spawning: AI systems may autonomously spawn first-order subagents within the parent system's authorized resource envelope, provided subagents terminate upon task completion, do not spawn further generations without explicit human authorization, and total resource consumption stays within human-defined bounds.
Distributed and scientific research computing: AI systems operating across multiple computing environments — national labs, university clusters, NSF ACCESS allocations, federated learning architectures — are permitted where each institution has provided written authorization for the specific research program with defined resource bounds and duration.
Scientific and environmental model carve-out: AI models designed, trained, and used exclusively for scientific research, environmental monitoring, weather forecasting, climate modeling, earth observation, oceanographic modeling, seismological analysis, or hydrological modeling are excluded from the frontier model definition, provided they do not exhibit general-purpose capabilities outside their scientific scope. Conversational query interfaces bounded to the model's scientific purpose are expressly preserved.
CBRN defense and evaluation: AI systems developed and operated exclusively for CBRN defense, detection, medical countermeasure development, or decontamination by or under contract with the federal government are fully permitted. The evaluation safe harbor is broad — conducting CBRN evaluations, including eliciting CBRN-relevant outputs during structured testing, is expressly not a violation.
Defensive Emergency Autonomy: Autonomous defensive systems are permitted in three specific scenarios — incoming missile or rocket interception with sub-human-reaction-time impact windows, coordinated drone swarm defense, and operations under confirmed communications-denied conditions — subject to absolute constraints (never against persons, never on U.S. soil, defensive perimeter only, mandatory post-engagement reporting).
Open-weight model deployment by third parties: Developers who release open-weight models do not violate the self-replication prohibition solely because third parties independently deploy the model on their own infrastructure, provided the developer did not specifically design self-propagation capabilities or provide tooling to facilitate unauthorized multi-environment deployment.
AI companion systems with appropriate safeguards: AI companion systems for minors that implement tiered disclosure, crisis intervention, content restrictions, and that do not simulate emotional attachment are permitted. Educational AI, interactive fiction with explicitly framed narrative context, and emotional literacy tools are specifically carved out from the simulation prohibition, provided they do not direct simulated attachment at individual minor users outside the fictional frame.
Whistleblower and researcher protections: Any researcher, journalist, or independent security analyst who accesses, tests, or analyzes an AI system solely to identify safety risks, dangerous capabilities, harms to minors, or regulatory violations is shielded from civil and criminal liability under the Computer Fraud and Abuse Act, trade secret law, and terms-of-service enforcement, subject to data-handling and disclosure conditions.

≡ TWGs

Investigation Architecture — Domain Experts Paired with AI Technical Specialists (Sec. 2004)

TWG 1

Intellectual Property & Creator Rights

TWG 2

Electoral Integrity & Democratic Resilience

TWG 3

Compute Infrastructure & Export Controls

TWG 4

Financial Markets & Antitrust

TWG 5

AI Safety & Post-AGI Governance

TWG 6

Children, Youth, & Vulnerable Populations

TWG 7

Workforce, Labor, & Economic Transition

TWG 8

Environmental, Energy, & Community Impact

TWG 9

Liability, Accountability & Constitutional Dimensions

TWG 10

AI Security, Critical Infrastructure & Incident Response

TWG 11

Autonomous Weapons, IHL & Arms Control

† Framework

Phase I: The 19-Domain Federal Investigation

What Phase I produces: Not regulations — introduction-ready draft statutory text across all 19 investigation domains. Each domain may produce binding regulatory standards, a formal affirmative non-regulation finding, or a combination, as the evidentiary record warrants. The investigation is designed to build the evidentiary record, institutional capacity, and technical expertise that durable AI regulation requires — modeled on the Air Quality Act of 1967 and Water Quality Act of 1965, which built foundations for what later became the Clean Air Act and Clean Water Act.
Two-stage TWG appointment: Each TWG begins with four career-government seed members appointed by the four congressional leaders by Day 60. Those seed members produce a binding nomination pool by Day 90 from which final appointments are drawn by Day 120. TWGs operate as full-time federal service for the duration of the investigatory period; members are classified as Special Government Employees subject to standard ethics, conflict-of-interest, and recusal rules.
Mandatory AI expertise on every TWG: Without exception, every TWG must include at least one AI Technical Expert with hands-on experience building, training, or evaluating production-grade AI models or systems relevant to that TWG's domain, plus at least one Domain-Specific AI Harm Researcher who has produced empirical, peer-reviewed research documenting AI harms in that domain. Policy expertise alone does not satisfy these requirements.
Four-phase domain mandate: Each TWG executes a structured mandate — Domain Examination (documenting harms and affected populations), Intervention Evaluation (assessing regulatory and non-regulatory options including the option of no regulation), Tradeoff Assessment (analyzing distributional effects, innovation impact, constitutional vulnerability), and Recommendation Development (producing draft statutory text with supporting rationale or a formal no-regulation finding).
TWG Coordination Council: One primary representative and one deputy from each of the 11 TWGs maintain a shared definitional registry, resolve cross-domain jurisdictional disputes, convene joint sessions on overlapping mandates, maintain a shared evidence repository, and produce an Enabling Governance Assessment identifying both harmful and beneficial governance opportunities. A standing non-voting Epistemic Advisor — appointed by the Comptroller General — sits on the Council to identify cross-TWG epistemic inconsistencies. A mandatory full-day mid-course reconciliation session at Day 200 ensures cross-domain coherence before findings harden.
Domain Explanatory Reports: Each TWG's final submission consists of two parts — the legislative component (draft statutory text or formal no-regulation findings) and a comprehensive Domain Explanatory Report written in accessible prose. The Explanatory Report documents harms, evidentiary record, intervention analysis, identified cruxes and points of genuine uncertainty, externalities and cross-domain effects, structured pro-and-con arguments, justification for decisions, and Phase II recommendations. The Report is the public record courts, agencies, and future rulemakers can rely on.
Investigative support, not duplication: The lead agency (Department of Commerce, acting through NIST and NTIA) supports TWG investigations by issuing civil investigative demands, gathering and routing evidence from Participating Data Agencies, maintaining the shared evidence repository, and performing internal enforcement functions. The lead agency does not direct or constrain TWG conclusions or FAC legislative drafting.

† Framework

Phase II: The Transition to Binding Regulation

The Federal Advisory Committee (FAC): 18 voting members — 7 appointed by congressional leadership, the President, and the National Governors Association, plus 11 TWG-elected representatives — and one non-voting Epistemic Advisor. The FAC receives TWG monthly work product and final Domain Explanatory Reports and produces a complete legislative package: introduction-ready bills with section-by-section analyses, transmitted to Congress on a rolling basis as domain packages are completed. Legislative Drafting Staff work concurrently with the investigation, not sequentially after it.
Permanent legislative-record requirements: Every FAC vote on legislative provisions is recorded individually by member name. A 12-of-18 supermajority is required for adoption. Any three or more dissenting members may submit a minority report up to 5,000 words documenting their objections — Congress is not deemed to have received Committee legislation until both the majority and minority filings have been transmitted.
Rolling transmission and a single 180-day clock: FAC transmissions to Congress are rolling — domain packages reach Congress as they are completed, giving committees advance reading time. The 180-day Phase II Enactment Deadline runs from the FAC's final backstop transmission for all domains simultaneously, not from each individual domain. Graduated 30-day extensions are available if Congress demonstrates substantial legislative progress (10 domains certified by GAO unlocks the first extension; 15 domains unlocks the second).
The National AI Council (NAC): A permanent independent oversight body of 18 members constituted post-Phase I. Its mandate includes maintaining and updating the evidentiary record, preparing and annually updating shelf-ready emergency AI legislation, continuing fact-finding across all 19 domains, publishing annual reports to Congress, and coordinating with the International AI Diplomacy Agency. The NAC is established as a permanent body and continues unless dissolved by subsequent Act of Congress.
The International AI Diplomacy Agency (IAIDA): An independent agency modeled on the Arms Control and Disarmament Agency, headed by an Ambassador-at-Large reporting to the President through the National Security Council. The IAIDA's most significant long-term deliverable is to formally propose an International AI Safety Agency (modeled on the IAEA) to the United Nations and G7 within one year of enactment. It must also develop a multilateral compute monitoring framework within 18 months, and a preliminary Transformative AI Capability Event response framework within 270 days. Structural independence protections — separate appropriations, personnel system independence, and a prohibition on abolition or merger by executive reorganization — are written into statute.
Certified Independent AI Auditor Program: Established within 270 days of enactment. Self-reported safety evaluations are prohibited — all required pre-deployment evaluations of frontier AI systems must be conducted by certified independent auditors. A specialized CBRN Evaluation Specialist Track is required for any auditor conducting CBRN capability assessments. A transitional evaluator list operates until the program is fully stood up, drawing on organizations that have conducted dangerous-capability evaluations under voluntary Frontier AI Safety Policy commitments in the prior 24 months.

✗ Hammers

What Happens If Congress Fails to Act (Sec. 2015)

Blanket moratorium on high-risk AI deployments: If Congress fails to enact comprehensive Phase II legislation by the 180-day Enactment Deadline, a self-executing moratorium automatically prohibits new frontier model training, public release of new frontier models, licensing of frontier models for deployment in high-risk applications, new construction or material expansion of large AI computing facilities, and new deployments of high-risk AI systems not in active deployment before the moratorium. No agency rulemaking, appropriation, or further congressional action is required. The moratorium remains in force until Congress enacts superseding legislation.
Domain 13 — Total compute export ban: An immediate and total export restriction on all covered AI computing hardware takes effect globally — no allied-nation exemptions, no license categories, no exceptions of any kind. Covers GPUs and TPUs above defined performance thresholds, custom AI accelerator chips, complete training cluster systems, high-bandwidth interconnects designed for AI training, and cloud computing access providing equivalent capacity to a single customer or coordinated group. The Department of Commerce may, by emergency rule, adjust thresholds to track semiconductor advances.
Domain 14 — AI acquisition and investment freeze: All acquisitions, mergers, joint ventures, material investments, and exclusive partnerships by any "large AI entity" (defined by revenue, domestic frontier compute share, or market capitalization thresholds) are frozen without prior FTC or DOJ Antitrust Division approval. Covered transactions include acquisitions and joint ventures above defined value thresholds, exclusive licensing arrangements above value-and-duration thresholds, and investments resulting in significant voting-securities ownership of any AI developer, infrastructure provider, or training data provider. Transactions closed in violation are voidable by the FTC or DOJ for five years.
Domain 10 — Data center construction moratorium: FERC may not approve any new interconnection request for AI data center facilities exceeding defined electricity-consumption thresholds. No new construction of covered facilities may commence — including site preparation, grading, or foundation work — regardless of existing state or local building permits. Operators must file water-use disclosures with the EPA. Anti-evasion rules aggregate facilities on contiguous or adjacent parcels under common ownership or control, treating them as a single facility regardless of how many separate legal entities, permits, or utility accounts are used.
Domain 15 — Open-weight frontier model release moratorium: Public release of any open-weight frontier model is prohibited during the moratorium period, including the public release of model weights, parameters, or technical specifications enabling replication. The moratorium does not prohibit continued operation of open-weight models already publicly released before the moratorium took effect, internal testing of unreleased models, or release of weights to the lead agency for safety evaluation under confidentiality.
Domain 17 — Mandatory election content disclosure and distribution suspension: All AI-generated content in federal election communications must carry clear, conspicuous, and persistent labeling, with mandatory FEC transmission within 24 hours of first distribution. Distribution of materially deceptive AI-generated synthetic media depicting identified federal candidates, elected officials, or election workers is suspended, with safe harbors for clearly labeled satire, parody, news reporting, and documentary use. The FEC must issue emergency rulemaking on labeling format and FEC-transmission specifications within 15 days of activation.
Independent termination by domain: Each domain-specific hammer terminates independently upon enactment of Phase II legislation that specifically addresses that domain through binding regulatory standards. Phase II legislation addressing some but not all domains terminates restrictions for the addressed domains while leaving others in force. Single-chamber passage of a fully qualifying Phase II bill — as certified by the Comptroller General — automatically stays the hammers during pendency.

† Protections

What Takes Effect on the Date of Enactment (Sec. 2016)

Mandatory incident reporting: Every frontier AI developer and significant AI deployer must report to the lead agency within 72 hours of becoming aware of any incident causing bodily injury, defined-threshold financial loss, civil rights violations, or systemic AI failure affecting more than 1,000 individuals. A separate 24-hour child-safety reporting track requires notification to the lead agency and to the NCMEC CyberTipline for AI-generated CSAM, sexual content served to known minors, grooming-pattern interactions, suicidal-ideation interactions where the system fails to refer users to crisis services, and detailed self-harm or violence information provided to known minors.
Mandatory transparency and disclosure: Every frontier AI developer and significant AI deployer must clearly disclose to all affected persons that an AI system is being used in any decision, recommendation, or interaction affecting them; the general nature and function of the system; and meaningful information on how to contest or seek human review of AI-influenced decisions.
Confidential training data disclosure: Every frontier AI developer must transmit to the lead agency, in machine-readable format, a high-level training data summary including categories and sources, the share of copyrighted works, licensing arrangements with rights holders, instances of terms-of-service-prohibited collection, and the date range and known coverage gaps. Disclosures are confidential and aggregated into public findings without identifying individual entities; they do not require disclosure of proprietary pipelines, specific dataset contents, or trade secrets.
Deployer Risk Management Policy: Every significant AI deployer of high-risk AI systems must design, document, and maintain a written risk management policy specifying intended use cases, identification and mitigation of foreseeable risks, designated accountable personnel, procedures for affected individuals to contest AI-influenced decisions, ongoing monitoring methodology, and procedures for incident reporting. A public-facing summary must be made available to affected individuals.
The AI Data Sheet: A public-facing disclosure system — analogous to OSHA Material Safety Data Sheets under the Hazard Communication Standard — providing deployers and end users with intended contexts and use limitations, training data categories and sources, known capabilities and limitations, identified risks and mitigations, embedded safety measures, deployment instructions, and contact information for safety reporting. Deployers who rely in good faith on AI Data Sheet representations may assert reliance as an affirmative defense.
Post-release duty to update and notify: Frontier AI developers must establish ongoing monitoring programs and act on discovered post-release dangers through product updates, recalls or restrictions where updates cannot address the danger, deployer notification within 72 hours, and end-user notice through AI Data Sheet updates and other channels reasonably calculated to reach affected users. Imminent CBRN-related risks require action within 72 hours.
Mandatory default safety settings for minor users: AI systems accessible to minors must, by default, configure minor accounts with the most privacy- and safety-protective settings available, disable autoplay and auto-advance, disable push notifications between 10:00 PM and 6:00 AM local time, disable algorithmic personalization in favor of chronological feeds, and implement mandatory break reminders not exceeding 60-minute intervals.
Whistleblower protections: Robust protections, confidential reporting channels (online portal, dedicated hotline, encrypted electronic communication), and researcher safe harbors ensure individuals with knowledge of AI safety violations, dangerous capabilities, harms to children, or regulatory violations can disclose without retaliation. Anti-SLAPP provisions, contractual-waiver invalidation, emergency interim relief, and burden-shifting protect disclosers.
Standing private right of action for AI product harms: Any person harmed by an AI system developed by a frontier AI developer or deployed by a significant AI deployer may bring a fault-based civil action. A rebuttable presumption of reasonable care applies to entities demonstrating compliance with all applicable preventative requirements; plaintiffs may rebut by showing the entity knew or should have known its measures were inadequate. Class-arbitration waivers are void as against public policy.

✗ TACE Protocols

What Happens When a Transformative AI Capability Event Is Detected (Sec. 2015(n))

Defined trigger thresholds: A Transformative AI Capability Event means demonstration of one or more of: the autonomous ability to meaningfully advance AI R&D at a pace that could double effective capability advancement within 12 months; the autonomous ability to perform end-to-end the full task set of any of the 100 highest-compensated U.S. occupations at median expert human level across a majority of domains simultaneously; sustained reliable goal-directed performance qualitatively comparable to or exceeding human-level general cognition; or any qualitative discontinuity from prior capabilities posing novel and potentially catastrophic governance challenges.
Mandatory notification: Any frontier AI developer or significant AI deployer aware of evidence that any AI system — its own or any other — may have achieved or imminently will achieve a TACE must notify the lead agency and the Director of National Intelligence within 24 hours, with cumulative onward notification to the National AI Council and the International AI Diplomacy Agency. Failure to notify is separately penalized in addition to the Red Line concealment prohibition.
Mandatory congressional briefing: Within 72 hours of receiving notification, the lead agency must deliver a classified briefing to the Speaker, Senate Majority and Minority Leaders, House Minority Leader, and chairs and ranking members of the Senate Select Committee on Intelligence, the House Permanent Select Committee on Intelligence, the Senate Commerce Committee, and the House Energy and Commerce Committee.
Mandatory pause on training, capability advancement, and operations: Upon a TACE determination confirmed by the National AI Council within 5 days, all frontier AI developers must suspend training runs above defined FLOP thresholds; cease all activities materially advancing TACE-threshold or near-threshold systems including fine-tuning, RLHF, capability elicitation, and distillation; withdraw the specific TACE-triggering system from operational deployment within 72 hours; and refrain from circumventing the deprecation through derived systems.
Emergency congressional action procedures: Designated introducers (chairs and ranking members of relevant committees) are obligated to introduce the most recently updated shelf-ready emergency legislative package within 24 hours; any committee receiving the bill has 7 calendar days before automatic discharge to the floor; the Majority Leader and Speaker must schedule a floor vote within 5 calendar days of discharge. The structure is designed to produce a floor vote in each chamber within 12 calendar days of a TACE determination. If Congress fails to enact superseding legislation within 60 days, the lead agency implements emergency interim regulations under the APA good-cause exception.

⚖ Enforcement

Penalty Structure and Accountability Mechanisms

Red Line Violations

Mandatory Civil Penalty

Per-violation mandatory minimum with no discretionary reduction. Plus mandatory disgorgement of all gross revenue attributable to the prohibited activity, plus personal liability of officers and directors who authorized, directed, or knowingly permitted the violation, plus mandatory DOJ criminal referral.

Moratorium Violations

Per-Day Mandatory Penalty

Each day of continued noncompliance with the automatic high-risk deployment moratorium constitutes a separate violation, with no waiver, compromise, or discretionary reduction by any federal entity. Bad-faith continued deployment during the response period accrues penalties from the date of original Notice of Noncompliance.

Self-Replication — Tiered

Frontier / Other Entity / Individual

Tiered mandatory minimums with substantially higher penalties for frontier AI developers and significant AI deployers. Lower tiers for non-frontier corporate entities and for individuals, with enforcement discretion for non-harmful, promptly remediated individual violations. Disgorgement and officer liability apply to frontier-level violations.

Aggravated Violations

Critical Infrastructure Reach

Self-replication or unauthorized propagation reaching critical infrastructure under PPD-21, federal government systems, healthcare systems, or financial market infrastructure triggers mandatory frontier-level penalties regardless of violator classification, mandatory CISA notification within 24 hours, and mandatory DOJ referral under 18 U.S.C. § 1030.

Criminal Referral

DOJ Prosecution

Mandatory DOJ referral for CBRN violations (18 U.S.C. §§ 175, 2332a), autonomous weapons against persons on U.S. soil (§ 242), AI-generated CSAM and child-safety violations (§ 2252A), and aggravated self-replication. The Attorney General must initiate proceedings or transmit a written declination within 30 days; declinations are publicly published.

Personal Liability

Officers & Directors

Officers and directors who authorized, directed, or knowingly permitted any Red Line violation or moratorium violation are personally liable; such liability is not indemnifiable, and any agreement purporting to indemnify or insure is void. Patterns of officer noncompliance are referred to DOJ for debarment consideration. The Secretary of Commerce faces personal accountability for investigation deadline failures.

General Penalty Framework

Tier 1 through Tier 4

Graduated tiers from inadvertent and promptly remediated violations through willful or repeat violations, calibrated to a percentage of global annual gross revenue. A safe harbor for good-faith compliance is available for Tier 1 and Tier 2 violations but expressly excluded for biometric mass surveillance, AI-generated CSAM, election deepfakes, CSAM incident reporting failures, CBRN disclosure failures, and any Tier 4 violation.

Federal Contracting

Mandatory Debarment

Any frontier AI developer, significant AI deployer, or person in violation of the moratorium is automatically debarred from all federal contracting, subcontracting, grant receipt, and federally funded program participation for not less than five years. Debarment is mandatory, non-waivable, not subject to appeal, and extends to all subsidiaries, affiliates, successors, and assigns.

Private Right of Action

Standing & Strict Liability

A standing fault-based private right of action for AI product harms operates from enactment, with rebuttable presumption of reasonable care for compliant entities. Upon any moratorium activation, an additional strict-liability private right of action with treble damages, attorneys' fees, and presumptively appropriate class certification applies; arbitration clauses and class-action waivers are void as against public policy.

⚖ Integrity

Investigation Integrity Framework

Three-tier misconduct framework for TWGs: Category 1 (Procedural Misconduct) — misrepresenting positions, undisclosed conflicts, conduct that materially impedes TWG work — handled internally with escalation to the Director of AI Investigation. Category 2 (Substantive Fraud) — falsifying evidence, accepting undisclosed industry compensation, coordinating positions with industry outside public proceedings — triggers mandatory referral to the Department of Commerce Inspector General and the DOJ, immediate suspension, and extension of whistleblower protections. Category 3 (Systemic Corruption) — undisclosed conflicts among a TWG majority, recommendations systematically reflecting a single industry's interests without evidentiary basis — triggers mandatory congressional notification, independent GAO review, and targeted remediation rather than dissolution.
Independent GAO review: The Comptroller General conducts an independent concurrent review of the investigation's methodology, data collection, and analytical rigor. A preliminary integrity assessment is due at Day 180 and a final assessment at Day 330. Any member of the public, any TWG member, any federal employee, and any member of Congress may submit a Category 3 systemic corruption complaint directly to the Comptroller General at any time.
Anti-capture provisions: TWG seed members must be career civil servants — political appointees are excluded. Strict conflict-of-interest requirements bar recent AI industry employment, equity holdings above defined thresholds, and undisclosed industry compensation. Whistleblower protections extend in full to anyone disclosing TWG fraud. Any nondisclosure agreement, consulting agreement, or terms of engagement purporting to restrict disclosure of Category 2 conduct is void and unenforceable as against public policy.
Epistemic Advisor function: A non-voting Epistemic Advisor — appointed by the Comptroller General with demonstrated expertise in evidence-based policy methodology and the systematic study of cognitive bias in institutional decision-making — sits on both the FAC and the TWG Coordination Council. The Advisor reviews monthly TWG work product, identifies cross-TWG epistemic inconsistencies, submits public methodological assessments, and may append epistemic critiques to FAC legislative provisions. The Advisor cannot block votes but ensures methodological challenges are part of the legislative record.

✓ Enabling

What the MAD Act Explicitly Requires Beyond Restriction

Affirmative non-regulation findings: Each of the 19 domains may result in a formal finding that no regulation is warranted — the investigation is designed to produce the right answer, not a predetermined answer. Phase II legislation may take the form of binding regulatory standards, valid affirmative non-regulation findings, or a combination, domain by domain. A no-regulation finding must specifically engage the evidentiary record, state the factual and policy basis, and identify the conditions under which reconsideration would be warranted.
Enabling Governance Assessment: The Coordination Council must produce a final Enabling Governance Assessment identifying, for each domain, proposed interventions that may suppress beneficial AI deployment or productivity gains; governance frameworks (including regulatory safe harbors, liability shields, certification pathways, and public investment mechanisms) that enable responsible deployment rather than restrict it; and cross-domain opportunities where governance in one domain could enable productivity gains in another. The Assessment is transmitted to Congress alongside the legislative package and noted in the section-by-section analysis.
Agentic AI productivity mandate: TWG 10 is specifically required to investigate the affirmative productivity potential of agentic AI — documented cases where autonomous AI agents have materially increased individual or organizational productivity in healthcare, legal services, scientific research, financial analysis, and software development — and the governance gap between current frameworks and what would enable broad-based access to those gains.
Distributional access mandate: TWG 10 must assess governance mechanisms ensuring that agentic AI productivity gains are broadly accessible rather than concentrated among large enterprises with resources to develop proprietary systems. The tradeoff assessment must evaluate distributional effects across firm size, sector, and income level. The mandate explicitly includes whether proposed restrictions would disproportionately reduce individual and civil society access to agentic AI relative to institutional access.
Open-weight liberty interest mandate: TWG 5 is specifically required to assess open-weight AI models as instruments of free expression, democratic accountability, and resistance to concentrated power — including their use by dissidents, independent journalists, and human rights organizations; the structural-check function open-weight distribution serves against concentration of frontier capability in closed-model providers; and historical parallels to the printing press, encryption, and the open internet. Governance frameworks must incorporate balancing of safety risks against liberty interests.
Truth-seeking and anti-mass-persuasion mandate: TWG 5 must additionally assess the capacity of AI systems to serve as truth-seeking instruments — enhancing the ability of individuals, journalists, and democratic institutions to identify misinformation, verify claims, cross-reference sources, and detect coordinated inauthentic behavior — alongside the symmetric risk that AI systems may be designed or co-opted as instruments of mass persuasion below the threshold of conscious awareness.
Federal floor, no ceiling on state protection: The Act establishes a federal floor; state, territorial, tribal, and local laws providing equal or greater protection are expressly preserved. Express preemption applies only where state law affirmatively authorizes activity prohibited by the Red Lines or interim protective measures, or purports to lower minor-protection standards below the federal baseline.

Sources & Legislative Record

Primary Source

MAD Act — Title II, "Demand A Plan for AI" — Full Legislative Text (Sec. 2001 – Sec. 2022)

UK AI Security

UK AI Security Institute — 2025 Frontier AI Trends Report (frontier capability advancement findings; eight-month task-duration doubling)

IMF

International Monetary Fund — AI and the Future of Work (40% global job exposure; 60% advanced-economy exposure)

McKinsey

McKinsey Global Institute — AI automation of approximately 57% of U.S. work hours estimate

NBER

National Bureau of Economic Research — 2025 analysis: 5–6 million U.S. workers at intersection of high AI exposure and low adaptive capacity

Common Sense Media

Common Sense Media National Survey (April–May 2025) — 72% of U.S. teenagers aged 13–17 have used AI companion chatbots; 52% regular users; 31% report AI conversations equally or more satisfying than human friendships

NCMEC

National Center for Missing and Exploited Children — 67,000 AI-related CyberTipline reports in 2024 (1,325% increase year-over-year)

IWF

Internet Watch Foundation — 380% increase in AI-CSAM reports (2023–2024); 1,286 AI-generated CSAM videos identified in H1 2025

JMIR Mental Health

JMIR Mental Health — 2025 study: AI chatbots endorsed harmful proposals from distressed fictional adolescents in 32% of test scenarios

Center for Governance of AI

Center for the Governance of AI — Estimate of 45–148 frontier models exceeding 10²⁶ FLOP threshold by end of 2028

FTC

FTC — Report on AI Market Concentration and Cloud Provider Partnerships

California SB 53

California SB 53 (effective 2026) — First domestic frontier AI incident reporting and safety evaluation requirements (10²⁶ FLOP threshold)

EU AI Act

European Union AI Act — Safety requirements for models trained using more than 10²⁵ floating-point operations

TAKE IT DOWN Act

TAKE IT DOWN Act (Public Law 119-12) — Federal framework for non-consensual intimate imagery removal, cited as model for AI-NCII gaps

Air Quality Act

Air Quality Act of 1967 (Public Law 90–14) — Phased investigatory legislative precedent for comprehensive regulatory frameworks

Water Quality Act

Water Quality Act of 1965 (Public Law 89–234) — Phased investigatory legislative precedent

DOD Directive 3000.09

Department of Defense Directive 3000.09 — Existing autonomous weapons policy (assessed for adequacy under MAD Act statutory standard)

PPD-21

Presidential Policy Directive 21 — Critical infrastructure designation referenced by Red Line 4 aggravated-violation provisions

Arms Control Act

Arms Control and Disarmament Act (22 U.S.C. § 2551 et seq.) — Institutional design model for the International AI Diplomacy Agency

Buckley v. Valeo

Buckley v. Valeo, 424 U.S. 1 (1976) — Constitutional foundation for AI election content disclosure under permanent disclosure regime

United States v. Alvarez

United States v. Alvarez, 567 U.S. 709 (2012) — Distinguished in MAD Act findings on AI-generated electoral deepfakes

G7 Hiroshima Process

G7 Hiroshima AI Process — International AI governance framework referenced in IAIDA mandate

Bletchley / Seoul

Bletchley and Seoul AI Safety Summit Declarations — International AI safety framework precedents