What happens in Sacramento does not stay in Sacramento
In September 2025, Governor Gavin Newsom signed SB 53, officially known as the Transparency in Frontier Artificial Intelligence Act (TFAIA). Just another piece of California legislation, one might think. That would be a mistake.
California accounts for 15.7% of all AI job postings in the United States. Three of the four companies to surpass $3 trillion in market capitalization are headquartered there. Regulating AI from Sacramento means regulating it from the heart of the industry itself, and in doing so, setting standards that multinationals worldwide will have no choice but to follow.
This is not a new dynamic. California has already used this mechanism in data protection and environmental standards. SB 53 applies the same lever to AI governance. For IT and sustainability leaders in large organizations, including European ones, the question is therefore not “does this law apply to us?” but “how long before we need to align with it?”
Three concrete shifts, one common thread
SB 53 targets developers of so-called frontier models: systems trained using more than 10²⁶ floating point operations (FLOPs). In practice, it is aimed at the OpenAIs, Anthropics, and Googles of the industry. But its structural effects extend far beyond that perimeter.
The law introduces three major shifts, all sharing a common thread: AI governance is no longer solely in the hands of developers.
Transparency becomes public, not merely regulatory. Frontier developers must publish, prior to any deployment, a report describing the model’s capabilities, intended uses, known limitations, and risk assessment outcomes. Larger companies (those with annual revenues exceeding $500 million) face additional obligations: they must publish a comprehensive AI governance framework each year, aligned with recognized standards such as the NIST AI Risk Management Framework or ISO/IEC 42001. This public disclosure requirement goes further than what the EU AI Act demands: in Europe, information is transmitted to regulators; in California, it is accessible to everyone.
Employees become active participants in compliance. SB 53 introduces an unprecedented mechanism: covered large companies must establish anonymous internal reporting channels, with monthly disclosure updates. If retaliation against a whistleblower is proven, the burden of proof is reversed: it falls on the employer to demonstrate that its actions were not in response to the report. From 2027 onwards, the Attorney General will publish annual anonymized reports on whistleblower activity. Those closest to AI development effectively become the first line of defense for public safety.
Compute infrastructure moves beyond private monopoly. SB 53 establishes CalCompute, a public consortium housed within the Government Operations Agency, tasked with developing a compute cluster dedicated to safe, ethical, and equitable AI. The goal is straightforward: give startups, universities, and public research laboratories access to advanced computing resources without depending exclusively on hyperscalers. A report detailing the consortium’s governance structure and funding framework must be submitted to the California Legislature by January 1, 2027.
Less restrictive than It appears, and that is precisely what makes It strategic
To understand SB 53, one must know its predecessor: SB 1047, passed by the California Legislature in 2024 and subsequently vetoed by Governor Newsom following intense debate within the industry. SB 1047 was far more prescriptive: it required mandatory third-party audits before any model launch, emergency shutdown capabilities (kill switches), 72-hour incident reporting deadlines, and penalties of up to 30% of compute costs.
SB 53 is the result of a deliberate compromise. It removes the most prescriptive provisions, extends reporting deadlines to 15 days (or 24 hours in cases of imminent danger), caps penalties at $1 million per violation, and prioritizes public transparency over direct operational control.
This is not a step back. It is a bet on accountability through disclosure: a preventive approach based on the conviction that for potentially systemic risks (assistance in creating weapons, autonomous cyberattacks, loss of model control), forcing transparency before an incident occurs is more effective than sanctioning after the fact. The law sends a clear signal: safety and innovation are not in opposition. They are complementary, provided they are managed together.
Why IT and sustainability leaders cannot afford to wait
SB 53 takes effect in January 2026. For organizations that do not develop frontier models themselves, the timeline may seem distant. It is not.
Three dynamics are accelerating the law’s ripple effect. First, cascading compliance: large tech companies subject to SB 53 will pass their transparency requirements down to partners, suppliers, and clients, including European ones. Second, global regulatory convergence: SB 53 explicitly provides that if a company meets federal standards comparable to those of the EU AI Act, California will accept that compliance in place of its own requirements. This is an invitation to harmonization, not fragmentation. Third, legislative precedent: Colorado adopted broad AI legislation as early as 2024, and Texas followed in June 2025 with the Texas Responsible AI Governance Act. California is not an isolated case; it is the leading edge of a broader movement.
For IT and sustainability leaders, three workstreams are now essential, in a logical sequence.
Map first. Identify high-impact AI use cases within the organization, document associated risk assessments, and align this work with recognized frameworks: the NIST AI Risk Management Framework, ISO/IEC 42001. This mapping exercise is the foundation of any credible AI governance approach, whether driven by regulatory obligation or voluntary commitment.
Structure next. Establish clear monitoring and escalation channels: who detects incidents? Who decides? Through what process? The internal reporting mechanisms that SB 53 imposes on large tech companies are, in reality, a best practice that any organization managing significant AI use cases should adopt, regardless of legal obligation.
Communicate last. Structure AI reporting: model capabilities in use, actual applications, identified limitations, compliance trajectory. This reporting is not merely a compliance exercise; it is a strategic management tool and a foundation for dialogue with internal and external stakeholders.
A standard, not a constraint
SB 53 does not revolutionize AI regulation overnight. It does something more durable: it lays the groundwork for a governance standard that will progressively establish itself as a global reference, much as the GDPR did for personal data protection.
For organizations that act now, this is an opportunity to build their AI strategy on solid foundations: technical, legal, and reputational. For those that wait, it is a risk of finding themselves in catch-up mode, facing partners, regulators, and clients whose expectations will already have moved on.
AI governance is no longer a tomorrow problem. SB 53 just made that official.