California’s Transparency in Frontier Artificial Intelligence Act (the “Act”) went into effect on January 1, 2026. The Act is the state’s latest attempt to manage “catastrophic risks” associated with advanced AI models. The Act imposes six main obligations:
- Large Frontier Developers must develop and publish on their website a Frontier AI Framework.
- Large Frontier Developers must report to the California Office of Emergency Services (“OES”) a risk assessment from using AI models, every three months or pursuant to a reasonable schedule specified by the Larger Frontier Developer in writing to the OES.
- All Frontier Developers must publish a Transparency Report on their website.
- All Frontier Developers must report any safety incidents to the OES within 15 days, or within 24 hours if it involves death or serious bodily injury.
- All Frontier Developers must develop internal reporting mechanisms for whistleblowers to report safety or risk concerns.
- All Frontier Developers must provide notice to Covered Employees of their rights and responsibilities.
The Act applies to “Frontier Developers” and “Large Frontier Developers.”
Under the Act, a “Frontier Model” is a foundation model trained using a quantity of computing power greater than 10^26 integer or floating-point operations (“FLOPs”). A “Frontier Developer” is a person who has trained or initiated the training of such a model. “Large Frontier Developers” means a Frontier Developer that, together with its affiliates, had annual gross revenues exceeding $500,000,000 in the preceding calendar year.
Large Frontier Developers must publish a “Frontier AI Framework.”
Large Frontier Developers are required to write, implement, and clearly and conspicuously publish a framework detailing their protocols for managing catastrophic risks. This framework must describe how the Large Frontier Developer incorporates national and international standards, assesses risk thresholds, and applies mitigations. Large Frontier Developers must review and update this framework at least annually. Furthermore, before deploying a new or substantially modified Frontier Model, a Large Frontier Developer must publish a transparency report summarizing the model’s capabilities, limitations, and the results of safety assessments.
The Act requires reporting of “Critical Safety Incidents.”
This is defined as a high-consequence event, such as the unauthorized access to a model’s core programming (i.e., model weights) or a loss of developer control resulting in death or bodily injury. It also includes any harm resulting from the materialization of a catastrophic risk, or an incident where the Frontier Model uses deceptive techniques against its Frontier Developer to subvert safety controls.
All Frontier Developers must report “Critical Safety Incidents” to the OES within 15 days of discovery. If the incident poses an imminent risk of death or serious physical injury, the Frontier Developer must disclose the incident within 24 hours. Additionally, Large Frontier Developers must transmit summaries of catastrophic risk assessments resulting from internal use of their models to the OES every three months.
Civil penalties for noncompliance.
A Large Frontier Developer that fails to publish required documents, makes materially false statements regarding compliance, or fails to report incidents is subject to a civil penalty up to $1,000,000 per violation. These civil penalties may result in a civil action brought by the Attorney General. The Act does not permit a private right of action for noncompliance.
Specific whistleblower protections with a private right of action.
The Act prohibits Frontier Developers from retaliating against Covered Employees who disclose information regarding catastrophic risks or statutory violations. A “Covered Employee” is an employee responsible for assessing, managing, or addressing risk of critical safety incidents. Unlike the Act’s provisions enforced by the Attorney General, these whistleblower protections authorize a private right of action to be brought by Covered Employees who may, among other relief, seek temporary or preliminary injunctive relief.
Frontier Developers must notify Covered Employees of their whistleblower protections.
This can be satisfied either by continuously posting a notice in the workplace and periodically distributing it to remote Covered Employees, or by providing written notice to each Covered Employee annually and obtaining their acknowledgment of receipt.
Key take aways.
The AI legal landscape continues to evolve and developers of AI systems should expect new requirements, obligations, and constraints to be imposed on their operations as new laws are enacted in various states across the country. California’s regulatory approach may be a prototype for actions other states may take. The Act imposes upon Frontier Developers important new reporting and notice obligations, and their failure to comply with these obligations could lead to significant liability.
* * *
Members of our AI Practice can determine whether the Act or other AI legal developments apply to you and can provide assistance in complying with applicable legal requirements and obligations. Please reach out to Jose Meneses at or Evan Littman at .
**This Client Alert does not create an attorney-client relationship with any person. The information contained in this Client Alert is provided for general informational purposes only and should not be construed as legal advice. The content is not intended to be a substitute for professional legal counsel or services.
