The bill requires the Secretary of Homeland Security to assess threats that generative artificial intelligence poses when used for terrorism and report to Congress. The statute directs DHS to produce an initial assessment within one year and then annual reports for five years, intended to inform policymaking and operational priorities.
This statute matters because it pulls generative-AI risk analysis into a formal, recurring federal reporting process, creates an expectation of public unclassified reporting, and codifies a role for State and local fusion centers in surfacing relevant incidents and intelligence. For agencies, committees, and practitioners, the assessments will help prioritize resources and coordination across federal, State, and local partners.
At a Glance
What It Does
The bill directs DHS to produce an initial threat assessment within 12 months and then annually for five years analyzing how generative AI is used for terrorism, recommending countermeasures, coordinating with ODNI, and sharing information with fusion centers. DHS must provide the unclassified portion publicly and may include a classified annex.
Who It Affects
DHS and its analytic components, the Office of the Director of National Intelligence, the FBI and members of the intelligence community, State and major urban area fusion centers, and congressional homeland security, intelligence, and commerce committees.
Why It Matters
This statutory reporting requirement elevates generative-AI misuse by foreign terrorist organizations into a recurring oversight product that will shape budgets, interagency priorities, and public understanding of AI-related terrorism risks.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The core obligation the bill creates is a recurring, formal assessment process inside DHS. The Secretary must deliver the first assessment within a year and then again each year for five years; each assessment focuses on how generative-AI tools have been or might be used by terrorist actors and what the federal government should do in response.
The statute makes clear DHS should consult with the Director of National Intelligence while producing these reports, tying domestic homeland-security analysis to the broader intelligence community view.
On substance, the law lists two concrete analytic lines: incidents where foreign terrorist organizations or individuals used generative AI to (1) spread violent extremist messaging and recruit or radicalize, and (2) improve their capacity to develop or deploy chemical, biological, radiological, or nuclear (CBRN) weapons. Beyond cataloging incidents, DHS must include recommendations on measures to counter those threats — in other words, the statute asks for both diagnosis and proposed remedies, not merely a catalog of harms.The bill builds procedural guardrails into the reporting: each assessment must be submitted in unclassified form (with an optional classified annex) and the unclassified portion must be posted publicly on DHS’s website, subject to FOIA and other legal restrictions on sensitive materials.
DHS must coordinate to ensure assessments comply with privacy, civil rights, and civil liberties protections. The Secretary also must brief the appropriate congressional committees within 30 days of each submission, and other agency heads may join those briefings when committees request.Information flow is a second pillar.
DHS must review and, where appropriate, incorporate reporting gathered by State and major urban area fusion centers and the National Network of Fusion Centers, and it must share DHS-produced information back to those centers. The statute explicitly names the ODNI, the FBI, and intelligence-community members as entities that shall share relevant information with DHS, while allowing the Secretary to require additional federal partners as needed.Finally, the text sets out definitional anchors: it adopts the National AI Initiative Act definition of “artificial intelligence” and defines “generative artificial intelligence” as models that generate synthetic content (images, audio, text, video, etc.).
The scope is limited to threats tied to foreign terrorist organizations as those entities are defined under existing immigration law; the reporting requirement has a five-year statutory window rather than indefinite continuation.
The Five Things You Need to Know
Each assessment must analyze incidents in the immediately preceding calendar year where a foreign terrorist organization or individual used generative AI to (a) spread violent extremist messaging and recruit/radicalize, and (b) enhance development or deployment of chemical, biological, radiological, or nuclear weapons.
DHS must include actionable recommendations in every assessment — not just descriptions of incidents — identifying measures to counter the identified generative-AI terrorism threats.
The statute requires DHS to coordinate assessments to ensure compliance with privacy, civil rights, and civil liberties protections before publication or dissemination.
DHS must post the unclassified portion of each assessment on its public website; the unclassified version cannot include materials barred from public release under FOIA or designated For Official Use Only, and the report may contain a separate classified annex.
DHS must review and, as appropriate, incorporate information from State and major urban area fusion centers and ensure those centers receive DHS’s information; ODNI, FBI and intelligence-community members are explicitly directed to share relevant information with DHS.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Establishes the act’s name: the Generative AI Terrorism Risk Assessment Act. This is a formal label only; it sets no substantive obligation beyond identifying the statute for citation.
Sense of Congress on generative AI and terrorism
Frames Congress’s view that foreign terrorist use of generative AI elevates the national-security threat landscape and that DHS, with ODNI, should take steps to recognize and address those threats. A sense provision signals Congressional intent and priority but creates no enforceable new powers beyond what Section 3 mandates.
Assessment requirement and timeline
Requires the Secretary of Homeland Security, in consultation with the Director of National Intelligence, to submit an initial assessment not later than one year after enactment and then annually for five years to designated congressional committees. The statutory timeline compels DHS to prioritize resources to meet recurring deliverables and establishes a defined oversight cadence for Congress.
Required analytic content
Specifies two mandatory analytic categories—use of generative AI for violent-extremist messaging/recruitment and for enhancing CBRN capabilities—and requires recommendations to counter identified threats. The dual focus forces DHS to address both information operations and high-consequence technical threats in each assessment.
Coordination, form, and congressional briefings
Directs DHS to coordinate reports to ensure privacy and civil-rights protections, to submit the assessments in unclassified form with an optional classified annex, and to post the unclassified portion publicly subject to FOIA and other legal limitations. The Secretary must brief the appropriate congressional committees within 30 days of each submission, and other agency heads may join those briefings at committees’ request—creating both transparency and an avenue for cross-agency accountability.
Information sharing and definitions
Mandates that DHS review and incorporate information from State and major urban area fusion centers and the National Network of Fusion Centers and ensure DHS disseminates information back to those centers. It requires ODNI, FBI and intelligence-community members (and any other federal agencies the Secretary deems necessary) to share relevant information with DHS. The definitions subsection anchors key terms—adopting the National AI Initiative Act’s AI definition and defining generative AI and other statutory terms—closing potential scope ambiguities.
This bill is one of many.
Codify tracks hundreds of bills on Government across all five countries.
Explore Government in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- DHS analysts and leadership — receive a recurring, statutory product focused on generative-AI misuse that will help prioritize analytic effort and justify resourcing requests.
- Congressional homeland security, intelligence, and commerce committee staff — gain a structured, public basis for oversight, hearings, and legislative responses tied to documented trends and recommendations.
- State and local fusion centers and their analytic partners — gain access to DHS assessments and are required contributors, which can improve situational awareness and feed local reporting into national analysis.
- Public-facing security and risk teams (critical infrastructure operators, major platforms) — will get public unclassified analysis and recommendations that can inform defensive measures and industry planning.
- Researchers and policy analysts — public unclassified reports provide a recurring source of vetted, government-level analysis on generative-AI misuse for scholarly and policy work.
Who Bears the Cost
- Department of Homeland Security — must allocate analytic, legal, privacy, and web-posting resources to produce annual assessments and brief Congress within 30 days, with no appropriation in the text.
- State and major urban area fusion centers — face increased reporting and information-sharing demands and may need to standardize incident reporting to be useful to DHS analysis.
- Privacy and civil-rights oversight offices (inside DHS and elsewhere) — will need to review products and workflows to certify compliance with protections the statute references, adding review burden.
- Intelligence community and FBI — expected to share information to inform DHS assessments, which may marginally increase analytic and liaison workloads and require declassification or coordination steps for unclassified summaries.
- Private sector teams (platforms, AI providers) — while the bill imposes no direct compliance duties, expect increased government scrutiny and potential requests for information or cooperation following assessments, which can create downstream costs.
Key Issues
The Core Tension
The central dilemma is transparency and oversight versus secrecy and operational security: Congress wants visible, recurring assessments to drive policy and public understanding, but those same reports risk disclosing sensitive operational details or technical methods; striking an appropriate balance between informative public reporting and safeguarding intelligence and investigative tradecraft is the bill’s unresolved policy problem.
The bill threads an uneasy line between public transparency and operational security. Requiring public, unclassified summaries promotes oversight and public awareness, but the statute also permits classified annexes and restricts unclassified posting where FOIA or other law bars release.
That combination will force DHS to make frequent judgment calls about what to include in the public product: enough detail to be actionable for private-sector defenders and policymakers, but not so much that it reveals intelligence sources, analytic methods, or tactical options that adversaries could exploit.
Implementation relies heavily on information from State and local fusion centers and on cooperation from ODNI, FBI, and intelligence-community members. Fusion-center reporting quality and consistency vary by jurisdiction; DHS’s ability to produce reliable, comparative, national-level assessments depends on standardizing inputs and investing in collection and analysis.
The statute mandates coordination on privacy and civil-rights protections but does not create an independent review mechanism or fund the additional analytic workload, leaving open whether DHS will have the staffing and legal bandwidth to meet both transparency and rights-protection obligations without trade-offs.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.