On September 29th, California Governor Gavin Newsom (d) signed the transparency of Law SB 53, Frontier Artificial Intelligence Act (“TFAIA”) to establish a large-scale basic AI model trained using public safety regulations or large amounts of computing power for developers of the “frontier model.” TFAIA is the country’s first frontier model safety law to become law. Governor Newsom said in his signature statement that TFAIA “provides a blueprint for a balanced AI policy across California’s borders, especially in the absence of a comprehensive federal AI policy framework and national AI safety standards.” TFAIA mainly employs recommendations from the Joint California Policy Working Group on the AI Frontier Model, which released its final report on Frontier AI Policy in June.
Frontier developer. On January 1, 2026, TFAIA will be applied to “Frontier Developers” who have trained or started training with an amount of computing power over 1026 flops (the “Frontier Model”). In particular, starting January 1, 2027, TFAIA will require that California Institute of Technology provide recommendations to Congress on whether or not to update TFAIA definitions for “frontier models,” “frontier developers,” and “large frontier developers.” Below we discuss the key obligations and restrictions that TFAIA has placed on such developers.
Frontier AI framework. To create, implement and publish “Frontier AI Frameworks,” TFAIA must create and publish “Frontier AI Frameworks,” which are defined to large frontier developers as “a documented technical and organizational protocols for managing, assessing and mitigating catastrophic risks.” Such a framework should explain the developer’s approach.
Standard Integration: Incorporates “national standards, international standards, and industry and consent best practices.”
Risk Thresholds and Mitigation: “Thresholds used… Identify and evaluate the capabilities that frontier models may pose catastrophic risks, and define and evaluate the thresholds used to apply “mitigation to address the potential catastrophic risks” based on those assessments.
Pre-development evaluation: Verify the validity of the evaluation and mitigation before deploying the frontier model for external or “widely ()” use a third party to assess catastrophic risk and mitigation.
Framework Maintenance: Defines revisiting and updating developer frontier AI frameworks, including criteria for triggering such updates, and when the model is “fixed sufficiently enough to require” the publication of transparency reports that TFAIA requires.
Security and incident response: Implement the “cybersecurity practices to ensure weights in unpublished models” and the “identify and respond to critical safety incidents.”
Internal use risk management: Assessment and management of “catastrophic risks caused by internal use” of the developer’s frontier model, including risks caused by the model “avoiding the monitoring mechanism.”
Large frontier developers should review and update the Frontier AI framework at least annually, and publish justified “material changes” within 30 days if such changes are made.
Transparency report. Before or during deployment of new or significantly modified frontier models, frontier developers and large frontier developers must publish “transparency reports” as part of websites or large documents such as “system cards” or “model cards.” Frontier Developer Transparency Reports should include the developer’s website, “mechanisms that natural people can communicate,” the release date of the frontier model, supported languages, output modalities, and intended use, and “general applicable restrictions or conditions” for the frontier model.
In addition to these requirements, the Large Frontier Developer Transparency Report should also summarize the Catastrophic risk assessments made based on the large Frontier Developer Frontier AI Framework, the results of their assessments, the involvement of “third-party evaluators” assessing catastrophic risks, and other steps taken to respect the respect of frontier developers who respect the frontier frontier Madele.
Frontier developers can edit transparency reports to protect “in order to comply with trade secrets, frontier developer cybersecurity, public safety, or US national security, or federal or state law.”
Report a serious safety incident. TFAIA must report “critical safety” to frontier developers. This is defined as “loss of control” in order to “caused damage from materializing catastrophic risks” that causes death or injury, “caused from loss of control”, “caused from loss of control”, or to relieve control (control). The catastrophic risk has increased significantly. ”
Frontier developers must report such incidents to the California Emergency Services Office (“OES”) within 15 days. Alternatively, if a serious safety incident “poses an imminent risk of death or serious physical injury,” it will be filed within 24 hours with the appropriate authorities, such as “law enforcement or public safety agencies include jurisdiction.” A critical safety incident report is provided through mechanisms established by the OES and should include the date of the incident, why the incident qualifies as a serious safety incident, a short, explicit statement describing the incident, and whether the incident is “in relation to internal use of the frontier model.”
Catastrophic risk assessment report. TFAIA also requires large frontier developers to report to the OES a “summary of catastrophic risk assessment” resulting from the “internal use” of large developers of the frontier model (“internal use” is not defined, but TFAIA may refer to updates or modifications of the frontier model). Large frontier developers must provide an overview of such assessments to the OES every three months, or “according to another reasonable schedule” that the developer designates and shares with the OES. However, TFAIA does not expressly require large frontier developers to conduct catastrophic risk assessments or to prohibit deployment of frontier models that can pose catastrophic risks.
TFAIA defines “catastrophic risk” as the development, storage, use, or deployment of frontier models of frontier developers contributes substantially to the deaths or serious injuries of more than 50 people and the deaths of more than $1 billion in property damage. It constitutes murder, assault, fear, or theft if a human is committed, without human supervision, or (3) circumvents control of the developer or user.
Protection of whistleblowers. TFAIA prohibits Frontier developers from creating or enforcing “rules, regulations, policies, or agreements” that hinder employees who are responsible for managing important safety risks (the “covered employee”). or (2) safety caused by a frontier developer violates TFAIA or (2) catastrophic risks.” Frontier developers must also provide clear notice to employees about their rights and liability under TFAIA. Additionally, large frontier developers must provide a “rational internal process” for the targeted employee to anonymously disclose the above types of information.
Execution. Large frontier developers who violate TFAIA disclosure and reporting requirements or “do not comply with their own frontier AI framework” will be subject to civil penalties of up to $1 million for each violation enforced by the California Attorney General. TFAIA has not explicitly established penalties for violations of disclosure and reporting requirements by frontier developers who are not large frontier developers. The covered employee may file a civil lawsuit for a violation of TFAIA’s whistleblower protections listed above and may seek injunctive relief and attorney’s fees.
TFAIA provides a safe port from disclosure and reporting requirements to frontier developers who comply with specific federal requirements aimed at assessing, detecting, or mitigating catastrophic risks associated with frontier models. Specifically, Frontier developers will be “considered” to TFAIA disclosure and reporting requirements to the extent that developers comply with federal requirements or standards that designate the developer as “substantially equivalent or stricter” to TFAIA requirements. However, if the Frontier developer declares its intent to comply with designated federal requirements, and fails to comply with these requirements, it shall “constituate a violation” of TFAIA. A potential nod to recent legislative efforts to ban state AI law enforcement and demand that it reflect the framework of national AI regulation from lawmakers in other states, Governor Newsom’s signature statement highlighted the “compliance pathway” as a “compliance pathway” to “maintain or maintain future AI.”
Frontier AI Model Safety Law: TFAIA vs. Salary Risk Law. The TFAIA signature imposes broader developer requirements, including third-party safety audits and “full shutdown” protection, a year after Governor Newsom refused to secure and secure innovation in the Frontier AI Model Act (SB 1047).
The TFAIA signature continues in the passage of the June Frontier Model Public Safety Bill, Responsible AI Safety & Education Pass (“Salary Risk”) Act. Unlike TFAIA, the Raise Act (passed by Congress but not yet signed by New York Governor Kathy Hochul (D)) — defines the “frontier model” as an AI model that costs more than $100 million to train for training. Furthermore, the Raise Act lacks whistleblower protection, and in contrast to TFAIA’s focus on reporting and disclosure requirements, frontier model developers must implement “appropriate safeguards” before deploying the frontier model, and prohibit the deployment of frontier models that pose an irrational risk of “significant harm.”
