House NDAA would set up protected disclosure program for AI incidents – Federal News Network
The goal of the proposed Pentagon program would be to identify “recurring risks, failure modes, vulnerabilities, and systemic weaknesses” in AI systems.
House lawmakers want to establish a protected disclosure program for employees and contractors to ensure artificial intelligence doesn’t go off the rails at the Defense Department.
The House Armed Services Committee is considering legislation that would require the Defense Department to establish an incident and vulnerability reporting program for AI systems. The provision potentially sets up a landmark reporting mechanism at a time when DoD is rapidly expanding its use of AI to nearly every facet of its operations.
The requirement for the AI reporting program is included in the House Armed Services Committee’s cyber, information technology and innovation subcommittee’s mark-up of the fiscal 2027 defense authorization bill.
It would establish a central, department-wide program for “reporting, tracking, analysis, and remediation of covered AI incidents and covered AI vulnerabilities arising from the development, testing, procurement, fielding, or operation of artificial intelligence systems” within DoD.
The goal of the program would be to identify “recurring risks, failure modes, vulnerabilities, and systemic weaknesses” in AI systems so they can be addressed.
Under the provision, the secretary of defense would designate an official to oversee the AI incident and vulnerability reporting program.
Colin Shea-Blymyer, a research fellow at Georgetown University’s Center for Security and Emerging Technology, said instituting the proposed reporting program at a massive organization like DoD would be a “landmark experiment” as AI adoption ramps up.
He said the official chosen to oversee the AI reporting program, should it become law, could have a major effect on adoption of the technology.
“This position might seem kind of pedestrian, but could potentially play a really big role in the future of AI adoption, not just in the Department of Defense, but across the government, and potentially, if some of these reports become public, I think they could be really great lessons for the adoption of AI in industry and could really drive growth in AI beyond DoD,” Shea-Blymyer told Federal News Network.
Various research institutes and nonprofits have proposed establishing broader AI incident reporting systems and frameworks. States such as California have also passed AI safety laws that include protections for whistleblowers.
But no federal program yet exists for managing AI incident and vulnerability reports.
Under the Trump administration, DoD officials have moved to accelerate the military’s adoption of AI and autonomous systems.
Amid an ongoing legal battle with leading AI firm Anthropic, the Pentagon recently struck a deal with other big tech companies to deploy their advanced AI capabilities on DoD’s classified networks.
The NDAA provision would require DoD’s AI reporting program to “emphasize non-punitive reporting, protection of sensitive and proprietary information, and dissemination of lessons learned.”
The Pentagon would be required to ensure that anyone making a report “in good faith” under the program “is not, on the basis of that report alone, subject to adverse contract action, subject to adverse personnel action, or otherwise retaliated against by the department.”
The NDAA provision appears partially inspired by established cybersecurity efforts, such as vulnerability disclosure policies. VDPs encourage security researchers to report software vulnerabilities through established channels, including by protecting them from legal liability.
But reporting on potential AI incidents and vulnerabilities will be possible for a much broader set of users compared to finding bugs in software code.
“It doesn’t necessarily take a deep level of expertise in the system to find patterns of misbehavior,” Shea-Blymyer said.
However, since frontier AI models are owned by just a few private technology companies, even DoD may be limited in how it can directly address an AI system incident or vulnerability.
“Even if it’s a project that is being managed by Lockheed Martin or one of the primes, they don’t have access to the model weights of a ChatGPT or Claude,” Shea-Blymyer said. “But they might be able to throw some guard rails around the outside to fix the problem to their level of satisfaction.”
Still, gaining more visibility into how AI systems are working is “extremely important,” he added.
While DoD’s AI reporting would not be publicly accessible under the House provision, the provision would require the Pentagon to submit annual, unclassified reports to Congress on the program. The reports would include the number of incidents, a summary of significant trends, and recommendations to address any issues with AI systems.
“Being able to share the lessons learned, as they put it, to a broader audience will make a huge difference in the responsible adoption and deployment of AI, not just in the government, but across all sectors,” Shea-Blymyer said.
Copyright © 2026 Federal News Network. All rights reserved.
Follow @jdoubledayWFED


