While the White House spent two weeks deciding by phone call which companies could use the most powerful AI models, Congress was busy with something less dramatic and possibly more durable: small bills it might actually pass. Representative Nathaniel Moran has introduced the AI Incident Reporting Act, which would require AI developers to tell the Commerce Department within seven days when something goes seriously wrong, whether a security breach, a loss of human oversight, or a threat to public safety. It is a narrow law by design, and that is the point.
The narrowness is a lesson learned. Sweeping attempts to govern AI, the kind that try to define artificial intelligence, rank its risks and regulate its uses in a single document, have mostly stalled, in Washington and beyond. Moran's bill sidesteps that fight. It does not say which models may exist or how they must be built; it asks only that developers report failures after the fact, the way airlines log incidents and hospitals report adverse events. That framing, transparency rather than prohibition, is far easier to move through a divided Congress, and it leaves the hardest questions for another day.
A second bill aims at the plumbing. Representatives Josh Gottheimer and John Moolenaar are introducing the bipartisan Cloud Security Act, meant to help US cloud providers report suspected foreign misuse of advanced AI compute to the Commerce Department. It targets a real hole in the export-control regime: even when the most advanced chips are banned from sale abroad, a foreign actor can often just rent equivalent power from a US cloud service. Chips are physical and stoppable at a border; compute is a login. The bill is an admission that controlling hardware means little if the same capability is available by the hour over the internet.
Europe, meanwhile, is moving the opposite way on timing. The European Parliament has approved amendments delaying some of the heaviest obligations in the EU AI Act and simplifying parts of the framework, giving companies more time to comply with the rules covering high-risk systems. The bloc that wrote the world's most ambitious AI law is now easing its own schedule under pressure from businesses worried they cannot meet it. Read alongside the American bills, it points to the same conclusion from the other side: the grand framework is hard, and the practical adjustments are what actually get made.
None of these measures touches the question that dominated the week, which is who decides when a frontier model is too dangerous to release. That is precisely why they may advance. Incident reports, cloud-misuse alerts and softened deadlines are the regulation of the achievable: narrow, enforceable, aimed at infrastructure and transparency rather than capability. The biggest AI fights are still about power, who holds it and who gets cut off. The laws most likely to pass this year are about paperwork. In a field moving this fast, paperwork that exists may matter more than a framework that does not.