The Battle for AI Governance: California, Federal Policy, and the Future of AI Regulation

Introduction

Although other states have expanded their presence in the artificial intelligence sector, California remains the primary centre of gravity for the US AI ecosystem. It is home to many of the industry’s most influential frontier labs, including Anthropic, Google DeepMind, Meta AI, OpenAI, and xAI, as well as critical platform companies such as Apple and NVIDIA and a deep bench of high-impact start-ups. As a result, California is not only a commercial hub for AI development, but also a leading arena for shaping the national conversation on AI regulation.

In recent years, the state has enacted a significant wave of AI-related legislation, with dozens of laws passed since 2024. At the same time, California’s large entertainment, healthcare, and technology sectors are being rapidly transformed by AI, giving rise to complex legal and policy questions. These include the ownership of AI-generated content, the use of digital replicas and other forms of synthetic media, the risk of algorithmic bias in high-stakes decision-making, the emergence of companion chatbots, the use of algorithmic pricing tools, and the challenges of deploying AI in clinical and healthcare settings.

This high-intensity environment has fostered one of the most sophisticated and closely watched technology regulatory regimes in the United States, along with an ongoing debate over whether that regime ultimately supports or constrains the continued growth of the American AI sector.

Underlying these developments is a growing tension between California’s increasingly assertive approach to AI regulation and the White House’s stated commitment to a unified minimally burdensome federal AI framework, along with scrutiny of state-level AI regulatory initiatives. However, Governor Newsom and other state officials have continued to defend the state’s role in setting AI guardrails, advancing new initiatives while openly pushing back against federal efforts to limit state authority in this area. How, and whether, this conflict is ultimately resolved will have significant implications for the shape and durability of California’s emerging AI regulatory framework.

Legal developments

California lawmakers have continued to build on the state’s recent wave of artificial intelligence legislation, with SB 53, or the Transparency in Frontier Artificial Intelligence Act (TFAIA), emerging as one of the most notable pieces of AI legislation in the past year. Signed into law by Governor Newsom on 29 September 2025, TFAIA was the first state-level attempt in the US to establish a governance framework specifically for frontier AI systems.

Beyond TFAIA, California lawmakers and regulators have continued to advance a wider array of AI-related measures across sectors, confronting the evolving policy questions raised by AI such as the use of companion chatbots by minors and the use of AI systems by healthcare providers.

Transparency in the Frontier Artificial Intelligence Act (SB 53)

The TFAIA establishes a complex governance framework with significant compliance documentation and risk management obligations applicable to a small but critical portion of the AI economy – large frontier AI systems. Effective as of 1 January 2026, the law adopts a disclosure-forward model of regulation aimed at enhancing transparency, accountability, and expanding the state’s oversight over the development of the most advanced AI models.

The statute requires covered developers, depending on revenue, to publish a “frontier AI framework,” provide a “transparency report” in advance of new model releases, submit “assessment[s] of catastrophic risk” to the California Office of Emergency Services, and promptly report “critical safety incident[s]” to the state. (Cal. Bus. & Prof. Code, Sections 22757.12–13.) It also creates substantial whistle-blower protections, barring “retaliat[ion] against a covered employee for disclosing” information, requiring companies to create “a reasonable internal process through which a covered employee may anonymously disclose information” to the company’s officers and directors, and permitting successful claimants to recover “reasonable attorney’s fees,” as well as further directing the Attorney General to publish annual reports with “anonymized and aggregated information” on whistle-blower activity beginning on 1 January 2027. (Cal. Lab. Code, Section 1107.1(a)–(f); and Cal. Bus. & Prof. Code, Section 22757.14(d)(1).)

Nevertheless, TFAIA is more restrained than earlier proposals to regulate frontier AI. Its predecessor, SB 1047, the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act, was vetoed by Governor Newsom in 2024. In contrast to that bill, TFAIA does not require third-party audits, pre-deployment testing and certification, or model shutdown mechanisms. The resulting framework reflects an effort to establish meaningful guardrails for frontier AI development without adopting the more rigid compliance structure envisioned in earlier proposals.

Still, the AI industry’s reaction underscored the extent to which even this narrower approach remained contested. Certain developers were prominent supporters of the law, describing it as a responsible approach to frontier AI governance through transparency obligations, incident reporting, and whistle-blower safeguards. Others continued to argue that the proliferation of state-level AI laws risked creating a fragmented regulatory environment that could complicate compliance and slow innovation contrary to the federal government’s mandate on AI and even national security interests. However, if New York’s Responsible AI Safety and Education Act, which was amended to align with TFAIA, offers any indication of future developments, California’s enactment of the TFAIA may ultimately do less to fragment the regulatory landscape than to help shape the architecture of future frontier AI laws in the US by offering a template which other states build upon.

CCPA Automated Decision-making Technology regulations

California’s Automated Decision-making Technology (ADMT) regulations, issued pursuant to the California Consumer Privacy Act (CCPA), represent the closest approximation California has come to date to a comprehensive AI regulatory framework akin to regimes adopted in Colorado and Texas. Unlike those broader statutes, however, California’s approach is anchored in privacy law and therefore applies primarily to contexts involving the processing of personal information. Within that domain, the ADMT regulations establish a governance structure that combines risk assessment, audit, and consumer rights obligations into a unified compliance regime.

At the core of the framework are detailed requirements for businesses to assess and manage the risks associated with AI systems used to make a “significant decision” that results in “the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services.” (Cal. Code Regs. tit. 11, Section 7001(ddd).) Covered businesses would be required to conduct a comprehensive “risk assessment” not only for the use of ADMT “for a significant decision concerning a consumer”, but also for the training of such systems on personal data. (Id. Sections 7150(b)(3), and (6).) The risk assessment must identify potential “negative impacts to consumers’ privacy” such as “discrimination,” “economic harms,” or “psychological harms”. (Id. Section 7152(a)(5).) These obligations are complemented by new governance requirements, including annual reporting to regulators and, for larger entities, independent cybersecurity audits with executive-level certification. (Id. Sections 7120–24.)

The regulations also introduce a new layer of consumer-facing rights beginning in 2027, including rights to “Pre-use Notice”, “Opt-Out”, and “Access” of the use of ADMT in significant decision-making in a manner that replaces, or substantially replaces, human decision-making. (Id. Sections 7220–22.) Businesses will need to provide detailed pre-use disclosures explaining “how the ADMT works to make a significant decision about consumers” and “how the ADMT processes personal information,” as well as meaningful explanations of the “type of output generated by the ADMT.” (Id. Section 7220(c)(5).) While narrower than earlier regulation proposals by the California Privacy Protection Agency, particularly in its definition of ADMT and its exclusion of outputs that are reviewed by humans, the framework nonetheless represents a substantial expansion of AI-related compliance obligations. In practice, it positions California at the forefront of efforts to integrate AI governance into existing privacy regimes, while signalling a broader shift toward more structured oversight of automated decision-making systems.

Beyond TFAIA and ADMT: sectoral AI legislation and related rulemaking

Beyond TFAIA and the CCPA ADMT regulations, California’s AI agenda over the past year has been defined by a steady expansion of targeted, sector-specific measures, continuing the state’s preference for narrower interventions rather than a single comprehensive AI statute like those adopted in other states.

Healthcare

There have been multiple laws passed and bills proposed to address AI risk in the healthcare sector. Complementing AB 3030, which was signed into law in 2024 and governs the use of generative AI by healthcare facilities and physicians to require enhanced transparency to patients with respect to AI use, AB 489 was signed into law in October 2025 to prohibit messaging that “indicates or implies that the care, advice, reports, or assessments being offered through AI or GenAI technology is being provided by a natural person in possession of the appropriate license or certificate to practice as a health care professional,” (Cal. Bus. & Prof. Code, Section 4999.9(c).) This additional healthcare AI disclosure obligation became effective from 1 January 2026. One of the AI healthcare bills gaining traction in the 2026 legislative session, SB 903, mirrors the Wellness and Oversight for Psychological Resources Act in Illinois, and would move beyond notice to require patient consent be obtained before AI tools are used to record or transcribe psychotherapy sessions and would prohibit, irrespective of notice or consent, the use of AI tools to make independent therapeutic decisions or to detect emotional states.

Alongside AI healthcare legislation, in January 2025, Attorney General Bonta issued a legal advisory specifically mentioning healthcare entities. The advisory emphasised that AI developers, vendors, insurers, and providers remain subject to existing California consumer protection, civil rights, competition, and privacy laws when deploying AI in diagnosis, utilisation review, coverage decisions, and other healthcare functions. In addition to the unsubtle enforcement warning, the advisory also described the specific harms that entities should be wary of when using AI in a healthcare setting, such as potentially increasing health inequity or denying patients necessary care.

Children’s privacy and safety

Recent AI measures involving children have focused on online safety, transparency, and the risks posed by companion chatbots. For example, following New York, California enacted SB 243, which regulates “companion chatbots,” defined as “artificial intelligence system[s] with a natural language interface that provides adaptive, human-like responses to user inputs and is capable of meeting a user’s social needs, including by exhibiting anthropomorphic features and being able to sustain a relationship across multiple interactions.” (Cal Bus. & Prof. Code, Section 22601(b)(1).) The law requires operators to “issue a clear and conspicuous notification indicating that the companion chatbot is artificially generated” when users might be “misled to believe that the person is interacting with a human,” (Id. Section 22602(a)), maintain “a protocol for preventing the production of suicidal ideation, suicide, or self-harm content to the user” (Id. Section 22602(b)(1)), and submit annual reports to the Office of Suicide Prevention (Id. Section 22603). SB 243 reflects the transparency-oriented approach seen in other California AI laws, including TFAIA. It also contrasts with AB 1064, a stricter chatbot bill that the Governor vetoed amid concerns that it could effectively prohibit such products. Nevertheless, legislators are seeking to fortify regulation of companion chatbots through identical bills being advanced in both chambers of the California legislature (SB 119 and AB 2023) which would impose risk assessment and independent audit requirements on companion chatbot operators.

Regulatory attention has extended beyond legislation. In August 2025, Attorney General Bonta, joined by 44 other state attorneys general, launched inquiries into the risks that AI chatbots pose to children.

Deepfakes and synthetic media

California’s deepfake law is now among the most developed in the United States, particularly in addressing sexual exploitation and harms involving minors. In 2025, the state enacted AB 621, effective as of 1 January 2026, which expands enforcement options against the creation of sexually explicit deepfakes when the creator “[knew], or reasonably should [have known], that the depicted individual in that material did not consent to its creation or disclosure or was a minor when the material was created.” (Cal. Civ. Code, Section 1708.86(b)(1).) This measure builds on California’s existing framework governing sexually explicit digital impersonation.

Related to this, AB 853 amends the AI Transparency Act to strengthen provenance requirements, requiring the disclosure of the availability of data “that reliably indicates that content was generated or substantially altered by a GenAI system or captured by a capture device.” (Cal. Bus. & Prof. Code, Section 22757.3.1(a)(2)(A).) Although not aimed specifically at sexually explicit deepfakes, these changes are designed to improve traceability and disclosure for synthetic content online, including sexually explicit material, election-related media, and digital replicas. Bills moving through the 2026 legislative process could potentially supercharge transparency obligations by requiring advertisers to label ads including AI-generated “synthetic performers” (SB 1050) and AI-generated images or audio depicting healthcare providers that are used to advertise health-related consumer products or services (SB 1146). On the enforcement side, in August 2025, Attorney General Bonta joined a multistate coalition of attorneys general in urging search and payment platforms to take stronger action against non-consensual deepfake pornography. Given this continued enforcement activity, synthetic media abuse is likely to remain a priority topic for both California legislators and regulators.

Employment

As noted above, the use of AI in connection with employment decision-making is already subject to ADMT regulations under the CCPA, which, among other things, requires businesses in scope to evaluate the potential discriminatory effects of systems used to make employment decisions, including the evaluation of job applicants. These regulations are complemented by the California Civil Rights Council’s Employment Regulations Regarding Automated-Decision Systems which took effect on 1 October 2025 and extend long-standing employment anti-discrimination law to decisions made with the use of automated-decision systems. The regulations prohibit the use of “an automated-decision system or selection criteria that discriminates against an applicant or employee or a class of applicants or employees on a basis protected by the [Fair Employment and Housing] Act.” (Cal. Code Regs. tit. 2, Section 11009(f).) The decisions in scope for these regulations are broader than those subject to CCPA ADMT regulations, including because they apply to decisions made by entities of all types and sizes, not only those that meet the CCPA’s narrow definition of a business (which has revenue thresholds and excludes non-profits) and because the regulations apply to automated-decision systems even if a human has reviewed the output of the system, in contrast to the narrower definition of ADMT under CCPA regulations. Consistent with the focus on biased outcomes, the Civil Rights Council regulations also provide that evidence of anti-bias testing of systems may be available as an affirmative defence to discrimination claims.

Antitrust and competition

California has also begun to address artificial intelligence through the lens of competition law, most notably by targeting the use of shared algorithmic pricing tools. For example, AB 325, signed in October 2025 and effective as of 1 January 2026, amends the Cartwright Act, the state’s primary antitrust law to make it unlawful, in specified circumstances, for a person to use or distribute a “common pricing algorithm if the person coerces another person to set or adopt a recommended price or commercial term recommended by the common pricing algorithm for the same or similar products or services in the jurisdiction of [California].” (Cal. Bus. & Prof. Code, Section 16729(b).) The law reflects a broader trend in the intersection between antitrust policy and technology that acknowledges how algorithmic tools can facilitate co-ordinated commercial conduct in ways that traditional antitrust doctrine did not originally envision.

Legal challenges to California’s emerging AI framework

California’s increasingly expansive AI regulatory framework has not proceeded without meaningful resistance. As the state has continued to pass laws governing the development and deployment of AI systems across different contexts, such as prohibitions on the altering of election-related communications or training-data transparency requirements, it has also been confronted with legal challenges to such laws, including on constitutional bases.

For example, in Kohls v Bonta, No. 2:24-cv-02527, ECF No. 1 (E.D. Cal. 17 September 2024), a YouTuber known as “Mr. Reagan” challenged, among other laws, AB 2839, an election-related deepfake law that prohibited digitally manipulating communications that are false or misleading, and target an election worker, elected official, voting equipment, or people running for office four months before an election. In August 2025, the US District Court for the Eastern District of California granted summary judgment to the plaintiffs and permanently enjoined enforcement of AB 2839 against the named plaintiffs, concluding that the statute “strikes at the heart of the First Amendment and does not overcome the constitutional safeguards erected to protect [the] Plaintiff’s right to speak.” (Kohls v Bonta, 797 F. Supp. 3d 1177, 1192 (E.D. Cal. 2025).) The state appealed the decision, which is now before the Ninth Circuit.

Another high-profile challenge to California’s AI laws was brought in December 2025 in xAI LLC v Bonta, No. 2:25-cv-12295, ECF No. 1 (C.D. Cal. 29 December 2025), in which xAI alleges that AB 2013, California’s AI training-data transparency law, effects an unconstitutional taking of trade secrets, in violation of the Fifth Amendment’s Takings Clause, compels speech in violation of the First Amendment, and violates the Due Process Clause of the Fourteenth Amendment. Specifically, xAI alleges that the compelled disclosure of information about training datasets, data sources, and related practices would force publication of commercially sensitive information that derives value from secrecy. In March 2026, the US District Court for the Central District of California denied xAI’s motion for a preliminary injunction and found that xAI had not, during the early stage of the litigation, “established a likelihood of success on the merits” of its takings, compelled-speech, or vagueness claims, a decision that was primarily premised on the court’s finding that the factual record to support such claims was not yet sufficiently developed. (See xAI LLC v Bonta, No. 25-cv-12295, 2026 WL 626926, *9 (C.D. Cal. 4 March 2026).) The court left open the possibility that later proceedings could yield a different result, particularly as the litigation proceeds and xAI provides more detailed evidence to support its claims. xAI has since filed an interlocutory appeal to the Ninth Circuit. The appeal is pending and being closely watched.

Looking ahead and possible pre-emption

In the background of California’s expanding AI framework is a continuing tension with the federal government’s preference for a more uniform, minimally burdensome approach to AI regulation. Since taking office, President Trump and his Administration have repeatedly emphasised that it is federal policy to minimise regulatory fragmentation and compliance burdens that stifle innovation. The White House has issued several policy statements and executive orders, including a December 2025 executive order, “Ensuring a National Policy Framework for Artificial Intelligence,” aimed at limiting an inconsistent patchwork of state regulation. More recently, it released a national legislative framework in March 2025 that repeated its call for unified federal legislation.

At the same time, Governor Newsom has continued to emphasise the state’s role in AI regulation. In March 2026, he issued Executive Order N-5-26, which uses state procurement authority to set responsible AI expectations for companies seeking state contracts, including standards related to safety, privacy, and misuse prevention.

Looking ahead in 2026, California is likely to continue advancing state-level regulation and enforcement as recently enacted California AI laws take effect, while the federal government continues to promote a more unified national framework. This interplay is likely to shape a regulatory landscape in which both state and federal frameworks continue to evolve, with California remaining in the spotlight in the interim.