California's frontier AI law and what it actually requires
SB 53 made California the first state with a binding transparency regime for frontier AI developers. The practical scope is narrower than the headlines, and the real exposure for most businesses is downstream.
California’s Transparency in Frontier Artificial Intelligence Act (SB 53) was passed by the legislature in September 2025 and signed by Governor Newsom shortly after. It is a narrower statute than the bill the governor vetoed the year before, and it survived industry opposition that had killed the prior version, with Anthropic publicly endorsing it and OpenAI declining to oppose it. The pitch from the bill’s sponsor was that California had to act because Washington would not, and the political reality is that the act has now set the template that other states are already drafting against.
The substantive obligations apply, in their fullest form, to a narrow set of frontier developers, defined by training-compute thresholds and revenue thresholds that catch the largest model labs and almost no one else. Those developers have to publish a frontier AI safety framework, report critical safety incidents to the state’s Office of Emergency Services within a set window, and certify their adherence to the framework. The act also creates whistleblower protections for employees at frontier developers who report safety issues and stands up a state-supported public compute project that is mostly outside the regulatory portion of the statute.
The reason most businesses should still read the law carefully is that the act has two layers, like Florida’s privacy statute. The headline frontier-developer obligations are narrow, but the act and the broader California regulatory environment around it are setting expectations that flow downstream. A SaaS company that integrates a frontier model into its product is not a frontier developer under SB 53, but its enterprise customers are increasingly asking for the same kinds of representations the act requires of upstream developers: a safety framework, an incident-response posture, a transparency artifact that explains what the model does and how its behavior is monitored. That cascade is the part of SB 53 that affects more businesses than the statute’s direct scope suggests.
The other piece worth tracking is what the act does to the multistate landscape. Colorado, New York, Connecticut, and a handful of other states have AI-specific statutes in various stages of effect or development, and they do not align. Colorado’s AI Act, passed in 2024 with an effective date later pushed to 2026, regulates “high-risk” AI systems used in consequential decisions like hiring, lending, and insurance, with developer and deployer obligations that look nothing like SB 53. New York City’s bias-audit rule for automated employment decision tools is still in effect. Illinois BIPA continues to generate large biometric class actions. A business operating across these states is now navigating four or five materially different frameworks at once.
The federal preemption layer added in December 2025 by executive order is supposed to clear some of this away, but as a practical matter, the order does not change the operative scope of any of these state statutes today. The DOJ task force created by the order may eventually challenge state AI laws under preemption theories, the FCC may propose a federal reporting standard, and Congress may pass a federal AI bill, but none of those have happened yet. The state laws are in force. The state AGs are enforcing them. The right operating posture for a multistate business is to comply with the existing state requirements while watching the federal layer take shape, not to plan around preemption that has not yet arrived.
The practical advice for a business that is not a frontier developer is to do three things this quarter. First, build a single internal AI governance document that satisfies the strictest state in your footprint and treat it as your baseline. That document is the artifact you will hand to enterprise customers, regulators, and your own board. Second, inventory which AI systems in use across the company are likely to be classified as high-risk under Colorado’s framework (employment, credit, insurance, housing, essential services), because those systems carry the most distinct multistate exposure. Third, get your incident-response playbook updated to include AI-specific scenarios, because the reporting obligations that exist today and the ones coming next year all assume you can identify, scope, and report an AI safety incident within hours, not weeks.
SB 53 is not the regulatory crisis its more dramatic critics predicted. It is also not the model law that ends the state-by-state churn. It is the first binding state-level transparency regime aimed at frontier AI, and its main effect on most businesses is to accelerate the contract-level and customer-driven obligations that were already moving in the same direction. The companies that get caught flat-footed will be the ones that read the headlines, concluded the law did not apply to them, and missed the downstream pressure that does.