California SB 53 Is in Force: Frontier AI Developers Owe Public Safety Frameworks and 15-Day Incident Reports

California now requires the largest AI developers to publish how they manage catastrophic risk and to report critical safety incidents to the state within fifteen days. Here is what is binding, who it reaches, and the board-level decision it forces.

The Leveraged Years AI Regulation Tracker

A safety practice you kept private is now a public filing

For most of the current AI era, how a frontier lab manages the risk of its most capable models was an internal matter. A safety team wrote a framework, leadership read it, and the public saw a blog post if anyone saw anything at all. California has now moved that document out of the building.

The Transparency in Frontier Artificial Intelligence Act, passed as SB 53 and signed by Governor Newsom on September 29, 2025, took effect on January 1, 2026. It does not try to license models or slow releases. It requires the largest developers to write down how they manage catastrophic risk, publish it, and stand behind it under penalty of state enforcement.

Who the law actually reaches

SB 53 is narrow by design. Its heaviest duties fall on a "large frontier developer," defined by two tests that must both be met: the company trains a model above a very high compute threshold, on the order of ten to the twenty-sixth floating-point operations, and it has more than 500 million dollars in annual revenue. That pairing is meant to capture the handful of companies building the most capable systems, not a startup fine-tuning an open model.

If you do not build at that scale, the direct obligations are lighter, and a deployer of someone else's model is not the primary target. The reason this still belongs on an executive's desk is the signal it sends. The published safety framework is becoming the document a regulator, a litigant, or an enterprise customer asks to see, and California has just made it mandatory for the companies at the top of the supply chain that everyone else relies on.

The four duties that bind

The statute creates four concrete obligations for a covered developer. First, publish a frontier AI safety framework that describes how the company assesses and mitigates catastrophic risk. Second, post a transparency report before deploying a covered model, so the public can see what was assessed before release rather than after. Third, report a critical safety incident to the California Office of Emergency Services within fifteen days, and within twenty-four hours where the incident carries an imminent risk of death or serious physical injury. Fourth, protect employees who disclose safety concerns from retaliation.

The California Attorney General enforces all of it, with civil penalties that can reach one million dollars per violation. (These figures sit in SB 53 as enacted: the fifteen-day and twenty-four-hour reporting windows to the California Office of Emergency Services, and the one-million-dollar per-violation civil penalty, are written into the statute itself, and are read the same way by White & Case, Morrison Foerster, and Goodwin in their post-enactment analyses.) None of those numbers will move a company of this size on their own. What moves a board is that the framework and the transparency report are now public, dated, and attributable, which means they can be read back against what the company actually did.

Why this is a board decision, not a compliance task

The quiet shift in SB 53 is accountability. A safety framework that lives on an internal wiki can be aspirational. A safety framework published under a California statute is a representation. If a critical incident later shows the company did not follow its own published process, the gap between the document and the conduct becomes the story, in the same way that a gap between a cybersecurity disclosure and an actual breach response has become the story in securities cases.

That is why the operative question for directors is not whether the safety team can produce the documents. It is whether the board is prepared to own them. Approving a model release now carries an implicit sign-off on a public commitment about how that model's risks were handled.

What to do before the next release

The practical work is ownership and traceability. Name the person accountable for the published framework and confirm it reflects the process the company truly runs, not a cleaner version of it. Confirm the pre-deployment transparency report is produced and posted as part of the release checklist, not bolted on afterward. Establish the fifteen-day and twenty-four-hour reporting lines to the state now, while there is no incident, so the clock is never a surprise. And make sure the whistleblower channel is real, because a retaliation claim under this statute is its own exposure.

Frequently Asked Questions

Is California SB 53 in effect now?

Yes. The Transparency in Frontier Artificial Intelligence Act (SB 53) was signed on September 29, 2025 and took effect January 1, 2026. It is in force and enforced by the California Attorney General.

Does SB 53 apply to my company if we only use AI tools, not build them?

The heavy duties apply to large frontier developers, defined as companies that train models above roughly ten to the twenty-sixth floating-point operations and have more than 500 million dollars in annual revenue. A company that only deploys someone else's model is not the primary target, though the published safety frameworks the law produces will increasingly shape what enterprise buyers expect to see.

What is the incident reporting deadline under SB 53?

A covered developer must report a critical safety incident to the California Office of Emergency Services within fifteen days, and within twenty-four hours when the incident involves an imminent risk of death or serious physical injury.

What are the penalties?

The California Attorney General can seek civil penalties up to one million dollars per violation.

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.