Back to Blogs

California Frontier AI Act: Key Takeaways for Legal Teams 

By Onit

|
October 16, 2025

4 min read

California Frontier AI Act requires disclosures and transparency to regulate frontier AI.

Artificial Intelligence

Summary of SB 53 

California recently enacted Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA). It targets large “frontier” AI developers and requires: 

  • Public safety disclosures: Big AI developers must publish a frontier AI framework that explains how they assess catastrophic risks, apply standards, test mitigations, secure model weights, and govern internal processes. Redactions are allowed to protect trade secrets and security. 
  • Transparency reports before deployment: When releasing a new or substantially modified frontier model, developers must publish a report that includes intended use, restrictions, and summaries of catastrophic risk assessments and third-party evaluations. 
  • Incident reporting to the state: Developers must report critical safety incidents to California’s Office of Emergency Services within 15 days of discovery, or within 24 hours if there is an imminent risk of death or serious injury. 
  • Whistleblower protections: Covered employees who raise concerns about catastrophic risks or violations receive legal protections. Large developers must also provide an internal anonymous reporting channel. 
  • Possible civil penalties: Up to $1 million per violation, enforced by the Attorney General. 
  • “Frontier” scope: The law applies to large developers training models above a high compute threshold and with revenue above a specified level. Smaller developers are not the primary target. 
  • CalCompute concept: A state-led framework for a public cloud cluster to support safe, equitable AI research, subject to future appropriation. 

This approach differs from the EU AI Act, which generally emphasizes private disclosures to regulators. California’s law requires public safety frameworks and transparency reports, with sensitive content redacted where necessary. 

What this means for companies using AI 

Even if a company does not build frontier models, this law affects how AI is procured, integrated, and governed. 

  1. Vendors will be more transparent. Expect system cards, safety frameworks, and incident reporting practices to become standard. Procurement teams should request and evaluate these artifacts. 
  1. Incident handling will mature. Vendors will need defined incident taxonomies, timelines, and contacts. Downstream users should align internal playbooks to vendor timelines to manage operational risk. 
  1. Security and access controls matter. The focus on protecting model weights signals higher expectations for cybersecurity. Companies that host or fine-tune models should review controls, access logging, and key management. 
  1. Public disclosures have ripple effects. Public transparency reports may reveal capabilities, limits, and risk mitigations. Risk management, communications, and compliance should be ready to interpret and operationalize these disclosures. 
  1. Whistleblower readiness is now part of AI governance. Even non-developers benefit from clear, trusted channels to report AI risks within the enterprise and with vendors. 
  1. Multi-jurisdiction complexity increases. Companies operating in California, the EU, and other regions will need a harmonized compliance posture that can satisfy different transparency and reporting obligations. 

What legal teams need to know  

1) Map exposure 

  • Inventory AI use across the organization. Note systems that rely on third-party models, fine-tuning, or internal tools. 
  • Classify vendors by risk and determine which suppliers may fall under “frontier developer” definitions. 

2) Update contracts and procurement 

  • Require transparency artifacts: frontier AI framework, system/model cards, safety testing summaries, and redaction policies. 
  • Add incident clauses: notification within set timelines, incident definitions aligned to SB 53, cooperation and evidence preservation, and remediation plans. 
  • Strengthen security terms: controls for model weights and parameters, credential management, third-party testing, and audit rights where appropriate. 
  • Whistleblower and non-retaliation provisions: reflect legal protections and specify internal channels for concerns. 

3) Build an internal AI safety and disclosure framework 

  • Adopt clear policies for AI selection, testing, deployment, and monitoring. Tie policies to recognized standards and internal risk tiers. 
  • Define an incident taxonomy that maps to vendor and regulatory categories. Include triggers, severity levels, and escalation paths. 
  • Document the verification process for safety claims and use limits, including how business units validate vendor statements. 

4) Coordinate with security, risk, and comms 

  • Create a unified playbook that covers legal, security, privacy, and communications actions for AI incidents. 
  • Run tabletop exercises that include AI-specific scenarios such as deceptive model behavior, loss of control, or significant misuse. 

5) Train the organization 

  • Educate stakeholders on safe AI use, data handling, and limitations. 
  • Explain disclosure expectations so teams understand what may be shared publicly, what must be redacted, and how to route questions. 

6) Monitor the landscape 

  • Track California guidance from the Office of Emergency Services and the Attorney General. 
  • Align with other regulations such as the EU AI Act and sector-specific rules that may interact with AI obligations. 

The Gist of It 

California’s SB 53 sets a new baseline for public safety transparency, incident reporting, and whistleblower protections in frontier AI. Even companies that only use AI will feel the effects through vendor terms, security expectations, and incident coordination. Legal teams should move now to update procurement language, tighten governance and playbooks, and train stakeholders so the organization can adopt AI confidently and stay ahead of evolving rules.