California isn’t one AI law — it’s a stack. Which layer reaches you?

There is no single “California AI Act” to comply with. California is the de facto lead AI regulator in the United States, and it runs several overlapping laws at once — each aimed at a different actor, each landing on its own timeline. The useful question for an executive is not “are we California-compliant?” It is narrower and more honest: which layer reaches us?

Below are the four layers that matter right now, in order of how likely they are to touch an ordinary business. The first one is already in force and lands squarely on employers. The others reach the companies that build or serve generative AI to Californians.

Reading the stack this way is the point. A company that treats “California” as one monolithic law tends to do one of two unhelpful things: panic at headlines about frontier-model rules that will never reach it, or assume that because the splashiest law has a future date, nothing applies yet. Both miss the same target. The layer that is live today — and that reaches the most ordinary businesses — is the quietest one: the employment rules. Work outward from there.

Layer 1: The employment ADS regulations — the live one

If you are an employer using software anywhere in your hiring, promotion, or HR decisions, this is the layer that almost certainly reaches you — and it is already in force. Effective October 1, 2025, the California Civil Rights Council issued regulations under the Fair Employment and Housing Act (FEHA) governing automated-decision systems (ADS).

An ADS is defined broadly: a computational process that makes, or facilitates human decision-making about, an employment benefit — and it may rely on AI, machine learning, algorithms, statistics, or other forms of data processing. Resume screeners, scoring tools, and ranking software all fall inside the definition. The rules prohibit using an ADS, or any selection criteria, that causes discrimination against a FEHA-protected category — including unintentional, disparate-impact outcomes — and they preserve the duty to accommodate religion and disability.

Three features make this layer demanding in practice:

• Four-year recordkeeping. Employers must retain ADS-related data created or received that bears on employment practices and benefits. Four years of records is impossible to produce for a system you have never inventoried.
• Vendor liability is yours. If you deploy a third party’s ADS and it produces a discriminatory outcome, you retain full FEHA liability. “We bought it from a vendor” is not a defense.
• Bias testing is rewarded. Proactive anti-bias testing is treated as relevant evidence in discrimination cases. Regulators and courts weigh how recent the testing was, how thorough, what it found, and whether you corrected the problems — a strong incentive to test, document, and fix.

The vendor point deserves emphasis because it inverts how most companies think about risk. When you license a screening or scoring tool, the natural assumption is that the vendor — who built the model and made the claims — carries the discrimination exposure. Under these rules you do. The tool is yours the moment you deploy it against California applicants or employees, and so is any disparate-impact outcome it produces. That is precisely why documented bias testing matters: it is the difference between an employer who can show it checked, found, and fixed a problem, and one who simply trusted a procurement deck.

This is the layer most California employers must act on today. It does not wait for a future effective date, and it does not let you outsource the risk to a software company.

Layer 2: AB 2013 — training-data transparency (in force)

Effective January 1, 2026, AB 2013 requires developers of generative-AI systems made available to Californians to publicly post a high-level summary of the datasets used to train the system, covering systems released since January 2022. This is a builder’s duty, not a deployer’s: if you use a third-party model rather than train your own, the obligation sits with the developer.

The law is under legal challenge — xAI has sued the Attorney General, arguing it compels disclosure of trade secrets — so its final contours may shift. If you build and distribute generative models, treat it as live and watch the litigation. If you merely use models someone else trained, this layer likely does not reach you.

Layer 3: The AI Transparency Act (SB 942, amended by AB 853) — landing in 2026

The California AI Transparency Act (“CAITA”) began as SB 942, signed September 19, 2024. AB 853, signed October 13, 2025, amended it and delayed the operative date to August 2, 2026 — deliberately aligned to the EU AI Act’s date. It applies to “covered providers” of generative AI, defined as large systems with more than 1,000,000 monthly users.

Covered providers must offer a free AI-detection tool and embed provenance and disclosure into AI-generated content — both a visible manifest disclosure and a latent one. AB 853 also adds obligations for “large online platforms” and “GenAI hosting platforms,” operative January 1, 2027. For most businesses this layer is out of reach today; for large GenAI providers serving Californians, August 2, 2026 is the date to plan against now.

The choice to align CAITA’s operative date with the EU AI Act is worth reading as a signal, not just a scheduling convenience. California is increasingly building its transparency and provenance rules to sit alongside the emerging global baseline rather than against it. For a provider already preparing for EU obligations, much of the same provenance and disclosure plumbing carries over — another argument for building to a framework once rather than chasing each jurisdiction’s statute separately.

Layer 4: SB 53 — the Frontier AI Act (context)

Signed September 29, 2025 and effective January 1, 2026, SB 53 reaches frontier-model developers. They must publish a safety and security framework plus a plain-language summary, report safety incidents, and extend whistleblower protections. Civil penalties run up to $1M per violation for developers with more than $500M in revenue. For all but a handful of the largest AI labs, this is context, not a duty — useful to understand the direction of travel, not a compliance task for a typical company.

An honest limitation

This briefing maps four layers, but California will keep adding to the stack — new bills, amendments, and effective-date shifts are routine here, and at least one of these laws is in active litigation. Dates and details move. We do not read this as a reason to wait. Every version of every layer rests on the same foundation: you can only disclose, record, or defend an AI system you have actually inventoried. That work pays off no matter which way the statutes break.

California is not a single compliance checkbox; it is a stack of laws aimed at different actors. For employers, the ADS regulations are live today, they carry vendor liability and four-year recordkeeping, and they reward documented bias testing. For anyone building or serving generative AI to Californians, AB 2013 is here now and CAITA arrives August 2, 2026. Stop asking whether you are “California-compliant.” Ask which layer reaches you — then make sure you can describe and keep records on the AI behind it.

This briefing is general information from Sentinel Assurance Group, not legal advice. Regulatory dates and requirements change — we maintain these briefings, but verify against primary sources and counsel before acting. Last reviewed June 11, 2026.

See how a Gap Assessment maps your exposure →