SALEM, Ore. — The Joint Committee on Information, Management, and Technology on May 9 adopted a Dash-1 amendment to House Bill 3936 that changes how the state would bar some artificial‑intelligence tools from use on state information technology assets.

The amendment, described to the committee by staffer Sean, removes language that would have prohibited software, hardware or services “developed or owned by a corporate entity that is incorporated or registered under the laws of a foreign country,” and instead ties exclusion to whether a covered vendor or product poses “a national security threat to the country, or a cyber security threat to the state of Oregon.” Sean told the committee the bill “prohibits any hardware, software, or service that uses artificial intelligence from being installed or downloaded onto or used or accessed by state information technology assets if the artificial intelligence is developed or owned by a corporate entity that is incorporated or registered under the laws of a foreign country.”

Why it matters: the change shifts the bill from a blunt country‑of‑origin test to a risk‑based process that relies on the existing statutory mechanism used in Oregon to identify vendors that are national security or cybersecurity threats. Committee members said that approach avoids barring multinational vendors solely because of corporate registration and focuses instead on operational risks to state systems.

Committee discussion and guidance came largely around definitions and the vendor‑listing process. Senator Solman, who said she had not attended the bill’s public hearing, asked whether the Dash‑1 definition would “establish overall the definition for AI for the state of Oregon moving forward.” Sean replied that the definition in the amendment was pulled from a task force established earlier in 2024 and is “grounded in the definitions that are used for the federal government, the National Institutes of Standards and Technology, and and other federal rules or standards,” but that including the definition in this bill would not automatically make it compulsory for all future legislation.

On how specific companies are added or removed from the state’s exclusion list, Sean told the committee that House Bill 3127 (2023) charged the State Chief Information Officer with adopting Oregon Administrative Rules and policies to identify additional vendors and products that may be national‑security risks and to add or remove vendors from the list. He cited a February administrative action that added DeepSeek AI under that existing procedure because some states found the product was sending data through foreign servers.

The committee adopted the Dash‑1 amendment on a roll‑call vote and then moved to report the bill to the floor. The committee recorded multiple “aye” votes during both roll calls; after the final motion to report the bill out “with a do pass as amended recommendation,” the motion passed and co‑carriers were identified to carry the bill to the full chambers. Committee staff told members the bill has no fiscal impact and does not require a subsequent referral to Ways and Means, so it will proceed straight to the floor.

Members emphasized a broader policy point raised in the discussion: several legislators urged continued attention to statewide cyber security coordination. Senator Solman and other members said that centralizing some IT functions could improve cybersecurity and save money compared with every agency maintaining its own separate experts.

The chair closed the work session and assigned co‑carriers to carry the bill to the floor. The committee also indicated it will provide materials from the earlier public hearing on the vendor list and the task force work to members who asked for more background.