View as PDF

Frontier AI developers such as OpenAI, Google, Anthropic, xAI, and others are governed by safety and security obligations under California’s SB 53, New York’s RAISE Act, and the frontier AI part of the EU’s AI Act. These laws establish incident reporting requirements, model evaluation standards, safety and security mitigations, internal governance practices, and whistleblower protections. This document summarizes key provisions from these laws, though it is not a substitute for the official legal text.

Law Target Risks Obligations Timeline
CA SB 53 Companies that train a model with >10^26 FLOPs and (for most obligations) >$500m annual revenue Death or injury of >50 people or >$1b damage via:
- CBRN weapons
- Autonomous cyberattacks, murder, assault, extortion or theft
- Loss of control		 Public framework, public report with model release, internal use reports every three months, incident reports, whistleblower protections 1 January 2026: entry into effect
EU AI Act, details in CoP Companies that train a model with >10^25 FLOPs (with exceptions above & below this threshold) "significant impact" via:
- CBRN weapons
- Loss of control
- Cyber offense
- Harmful manipulation		 Risk assessment and mitigation, including evals, security, and incident tracking and reporting (CoP: also frameworks and reports with model release, and internal governance) 2 August 2025: companies must comply
2 August 2026: EU AI Office can enforce
NY RAISE Act Same as CA SB 53 Same as CA SB 53 Same as CA SB 53, but more detailed framework and more rapid incident reporting 1 January 2027: entry into effect

Overview

California’s SB 53 applies to developers who have trained or begun training at least one model using ≥10^26 FLOPs, with a stricter tier of requirements applying to “large” developers who also had gross annual revenue greater than $500M in the previous calendar year.1 It establishes incident reporting requirements, transparency standards, and whistleblower protections. The full text of SB 53 can be found here.2

The EU’s Code of Practice for General-Purpose AI is an elaboration on the EU AI Act, explaining what steps a developer of a general-purpose AI model3 can take to comply with the Act. The Safety and Security chapter of the Code contains requirements for developers of frontier AI models, and its signatories include OpenAI, Anthropic, Google, and xAI. It covers model evaluation, safety and security mitigations, internal governance, and incident tracking and reporting. Signatories have been expected to comply with the Code since August 2025, and the European AI Office will begin enforcement in August 2026. The text of the EU AI Act can be found here and the Code of Practice is here.

Every frontier AI company that has used or expects to use >10^25 FLOPs of compute to train a model that is or will be deployed in the EU is bound by the EU AI Act’s safety and security requirements. However, the European AI Office has discretion to exempt a model above the compute threshold from the requirements, or to determine that a model is covered even though it is below the threshold. Frontier AI companies that decline to sign the Code (such as Meta) must demonstrate compliance through alternative adequate means.4

New York’s RAISE Act is another state-level safety regulation covering frontier AI developers. It will come into effect on the first day of 2027. RAISE requires more rapid incident reporting than SB 53—72 hours as opposed to 15 days—and it requires developers’ frontier AI frameworks to be more detailed than SB 53 requires. It is otherwise quite similar to the California law. Because of its similarity to SB 53, this document will not discuss RAISE separately. The full text of the RAISE Act can be found here.

Risks

SB 53 and the Code of Practice both cover catastrophic risks from AI, but the risks in scope are somewhat different. SB 53 requires large frontier AI developers to assess and mitigate risks related to:5

  • Chemical, biological, radiological, and nuclear (CBRN) weapons
  • AI systems autonomously conducting cyberattacks
  • AI systems autonomously committing murder, assault, extortion, or theft, and
  • AI systems evading the control of their developers or users.

The Code of Practice requires signatories to assess and mitigate risks related to:6

  • CBRN weapons
  • Loss of control
  • Cyber offense, and
  • Harmful manipulation.

Frameworks

SB 53 requires every large frontier AI developer to publish a “frontier AI framework” on its website. This document must describe the developer’s approach to catastrophic risk assessment, engagement with third parties, model weight security, and more.7 The commitments a developer makes in its frontier AI framework are legally binding. If a developer fails to comply with its own framework, it can be fined up to one million dollars per violation.8

The Code of Practice requires a signatory to write a “safety and security framework” and to share it with the European AI Office. The framework must describe how the signatory will assess and mitigate systemic risks, how they determine whether systemic risk is acceptable, how they allocate responsibility for risk assessment and mitigation internally, and more.9 The signatory must then implement their framework and update it as appropriate.10 A signatory is required to publish a summary of the framework if and insofar as necessary to assess or mitigate systemic risk and encouraged (but not required) to clearly communicate the framework to their own staff.11

Incident reporting

SB 53: Frontier developers must report critical safety incidents to the California Office of Emergency Services. Once they discover the incident, the developer has a limited time to make their report.12

Incident type Reporting window
Death/injury from loss of control, materialization of a catastrophic risk, unauthorized access to model weights leading to death/injury, or deceptive subversion by a model of its developer’s controls13 15 days
Incidents posing imminent risk of death or serious injury 24 hours

Additionally, large frontier developers are required to share their assessments of catastrophic risk from internal AI use with the Office of Emergency Services by submitting quarterly summaries.14

Code of Practice: Signatories must track, document, and report serious incidents to the European AI Office.15 Reporting timelines depend on the type of harm:

Incident type Reporting Window
Serious disruption to critical infrastructure 2 days
Serious cybersecurity breach, including model weight exfiltration 5 days
Death of a person 10 days
Serious harm to health, fundamental rights, property, or environment 15 days

For unresolved incidents, signatories must submit intermediate reports at least every four weeks and a final report within 60 days of resolution. Reports must include root cause analysis, a description of the chain of events, any patterns detected in post-market monitoring, and corrective measures taken or recommended. Signatories must also facilitate incident reporting by downstream deployers and users by informing them of available reporting channels. Documentation must be retained for at least five years.

Security

SB 53: Every large frontier developer must describe their cybersecurity practices in their published frontier AI framework, explaining how they prevent unauthorized modification or transfer of frontier model weights.16 A developer is legally bound to follow their announced security practices and can face fines if they don’t.

Code of Practice: Signatories commit to define a security goal saying what kinds of threat actors they will prevent from accessing or stealing their frontier models. At a minimum, the security goal must include defending against non-state external threats and insider threats (including model self-exfiltration).17

A signatory must then implement measures adequate to meet their security goal, possibly including stricter security measures for models further along in the development lifecycle.18

Model evaluation

The Code of Practice says a signatory’s evaluation team must have appropriate and adequate resources to assess the risks posed by the signatory’s models. As appropriate for systemic risk assessment, evaluators should have:19

  • Adequate model access, which may include activations, logits, CoTs, and minimally guardrailed (sometimes called “helpful only”) versions if they exist, insofar as such extensive access is compatible with model security,
  • Adequate information, which may include the model spec, system prompt, training data, and prior results,
  • Adequate access time before model release, with at least twenty business days of access recommended, and
  • Adequate compute, staff, and engineering resources.

A developer should engage independent external evaluators for each new frontier model, and at least every six months thereafter for their most capable models,20 and the external evaluators should be given adequate resources as in the list above.21

Model reports

SB 53: Before or concurrently with deploying a new frontier model or a substantially updated version of an existing model, a large frontier developer must publish a “transparency report” about that model. This report must summarize the catastrophic risk assessments the developer conducted to follow their frontier AI framework, the results of those assessments, the extent to which third party evaluators were involved in assessing the model, and any other steps the developer took to follow their framework.22

Code of Practice: Before placing a GPAI model with systemic risk on the EU market, a signatory must submit a “safety and security model report” to the AI Office.23 This report must describe the model’s architecture, capabilities, and intended operation; justify why the systemic risks stemming from the model are acceptable (including safety margins incorporated); document the signatory’s systemic risk identification, analysis, and mitigation processes; describe any involvement of independent external evaluators; and detail the safety and security mitigations implemented. If and insofar as it is necessary to assess or mitigate systemic risk, a signatory must also publish a summarized version of the report, with redactions permitted to protect the effectiveness of mitigations and sensitive commercial information.24

Internal governance

SB 53: A frontier developer must facilitate internal reporting of evidence that the developer’s activities pose a specific and substantial risk to public health or safety from a catastrophic risk, or that the developer has violated SB 53. There must be a reasonable process by which risk management staff can make such reports anonymously and have them brought to company leaders’ attention.25

Code of Practice: Signatories are required to provide appropriate human, financial, and computational resources as well as appropriate access to information to those who have responsibility for systemic risk oversight, ownership, support, monitoring, and assurance.26 Furthermore, signatories committed to promote a healthy internal risk culture, for example, by:27

  • Allowing open internal communication and challenge of risk decisions,
  • Maintaining channels for reporting concerns, and
  • Keeping risk management staff independent and incentivized to correctly estimate risk.

Whistleblower protections

SB 53: California-based employees with responsibility for risk assessment or management have special whistleblower protections. They are protected from retaliation if they report information that they have reasonable cause to believe shows their employer’s actions pose a specific and substantial danger to public health or safety via catastrophic risk. The employee may report this information to the California Attorney General, federal authorities, supervisors, or colleagues with risk management authority. Every frontier developer must give the relevant employees a clear notice of their whistleblower protections.28

Moreover, all California-based employees are protected from retaliation if they report information that they have reasonable cause to believe shows their employer has failed to comply with SB 53 (or any other federal or state statute).29 Examples of SB 53 noncompliance could include false or misleading statements about catastrophic risk made by a developer or violations of the developer’s published safety policy. Employees may report evidence of such noncompliance to a government or law enforcement agency, a supervisor, or a colleague with authority to investigate or correct the issue.

Code of Practice: Signatories committed to promote a healthy internal risk culture, for example, by not retaliating against employees who report systemic risk information to competent authorities.30 And employees whose contracts are governed by EU law will have enforceable protections against retaliation under the EU Whistleblowing Directive.31 Signatories commit to inform their workers annually of the signatory’s whistleblower protection policy.32

Whistleblowers seeking to contact the European AI Office can send reports through their online whistleblower tool.

Before making a disclosure

Consulting a lawyer before making a disclosure to external authorities or using internal reporting channels can help ensure the disclosure is legally protected. Many whistleblowing attorneys offer pro bono consultations. The House Whistleblower Support Organizations and the AIWI Contact Hub are two resources for finding counsel.

For full regulatory text: SB 53 · Code of Practice · RAISE Act

Post updated on February 6, 2026

  1. Cal. Bus. & Prof. Code §22757.11(h-j)

  2. Specifically, SB 53 added Sections 22757.10-16 to the California Business and Professions Code, Section 11546.8 to the Government Code, and Section 1107 to the Labor Code. 

  3. The EU AI Act (Article 3(63)) defines a general-purpose AI model as “an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market.” 

  4. See the EU AI Act, Article 55. “Providers of general-purpose AI models with systemic risks who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission.” See also Guidelines, paragraph 95. “Providers of general-purpose AI models that do not adhere to a code of practice that is assessed as adequate … are expected to explain how the measures they implement ensure compliance with their obligations under the AI Act, for instance by carrying out a gap analysis that compares the measures they have implemented with the measures set out by a code of practice that is assessed as adequate. They may also be subject to a larger number of requests for information and requests for access to conduct model evaluations throughout the entire model lifecycle because the AI Office will have less of an understanding of how they are ensuring compliance with their obligations under the AI Act and will typically need more detailed information, including about modifications made to general-purpose AI models throughout their entire lifecycle.” 

  5. Cal. Bus. & Prof. Code, §22757.11(c)

  6. EU CoP, Appendix 1.4

  7. See Cal. Bus. & Prof. Code, §22757.12(a) for a full list of topics that a frontier AI framework must cover. 

  8. Cal. Bus. & Prof. Code, §22757.15(a). “A large frontier developer that fails to publish or transmit a compliant document required to be published or transmitted under this chapter, makes a statement in violation of subdivision (e) of Section 22757.12, fails to report an incident as required by Section 22757.13, or fails to comply with its own frontier AI framework shall be subject to a civil penalty in an amount dependent upon the severity of the violation that does not exceed one million dollars ($1,000,000) per violation.” 

  9. See EU CoP Measure 1.1 for a full description of a safety and security framework’s required content. 

  10. Implementation is covered in EU CoP Measure 1.2, and framework updates are covered in Measure 1.3

  11. See EU CoP Measure 10.2: “If and insofar as necessary to assess and/or mitigate systemic risks, Signatories will publish (e.g. via their websites) a summarised version of their Framework.” See also EU CoP Measure 8.3(1): “Examples of indicators of a healthy risk culture for the purpose of this Measure are…setting the tone for a healthy systemic risk culture from the top, e.g. by the leadership clearly communicating the Signatory’s Framework to staff.” 

  12. Cal. Bus. & Prof. Code, §22757.13(c). “A frontier developer shall report any critical safety incident pertaining to one or more of its frontier models to the Office of Emergency Services within 15 days of discovering the critical safety incident. If a frontier developer discovers that a critical safety incident poses an imminent risk of death or serious physical injury, the frontier developer shall disclose that incident within 24 hours to an authority, including any law enforcement agency or public safety agency with jurisdiction, that is appropriate based on the nature of that incident and as required by law.” 

  13. Model behavior on evals designed to elicit deceptive behavior from models don’t count as incidents of the last type. 

  14. Or by submitting summaries on another reasonable schedule arranged with OES. See Cal Bus. and Prof. Code, §22757.12(d). “A large frontier developer shall transmit to the Office of Emergency Services a summary of any assessment of catastrophic risk resulting from internal use of its frontier models every three months or pursuant to another reasonable schedule specified by the large frontier developer and communicated in writing to the Office of Emergency Services with written updates, as appropriate.” 

  15. EU CoP, Commitment 9

  16. Cal. Bus. and Prof. Code, §22757.12(a). “A large frontier developer shall write, implement, comply with, and clearly and conspicuously publish on its internet website a frontier AI framework that applies to the large frontier developer’s frontier models and describes how the large frontier developer approaches…cybersecurity practices to secure unreleased model weights from unauthorized modification or transfer by internal or external parties.” 

  17. For the security goal and its implementation, see EU CoP, Measure 6.1: “Signatories will define a goal that specifies the threat actors that their security mitigations are intended to protect against (‘Security Goal’), including non-state external threats, insider threats, and other expected threat actors, taking into account at least the current and expected capabilities of their models.” For the definition of self-exfiltration as an insider threat, see Appendix 4.4

  18. “Signatories will implement appropriate security mitigations to meet the Security Goal.” EU CoP Measure 6.2

  19. EU CoP, Appendix 3.4

  20. “In addition to internal model evaluations, Signatories will ensure that adequately qualified independent external evaluators conduct model evaluations”. EU CoP, Appendix 3.5. Signatories are not obliged to engage an external evaluator when releasing a new model that is considered “similarly safe or safer”. For the definition of “similarly safe or safer”, see EU CoP, Appendix 2

  21. “Signatories will provide independent external evaluators with adequate access, information, time, and other resources (pursuant to Appendix 3.4)”. EU CoP, Appendix 3.5

  22. Cal. Bus. & Prof. Code §22757.12

  23. EU CoP, Commitment 7. “Signatories commit to reporting to the AI Office information about their model and their systemic risk assessment and mitigation processes and measures by creating a Safety and Security Model Report (“Model Report”) before placing a model on the market (as specified in Measures 7.1 to 7.5). Further, Signatories commit to keeping the Model Report up-to-date (as specified in Measure 7.6) and notifying the AI Office of their Model Report (as specified in Measure 7.7).” 

  24. EU CoP, Measure 10.2. “If and insofar as necessary to assess and/or mitigate systemic risks, Signatories will publish (e.g. via their websites) a summarised version of their Framework and Model Report(s), and updates thereof (pursuant to Commitments 1 and 7), with removals to not undermine the effectiveness of safety and/or security mitigations and to protect sensitive commercial information. For Model Reports, such publication will include high-level descriptions of the systemic risk assessment results and the safety and security mitigations implemented.” 

  25. Cal. Lab. Code, §1107.1(e). “A large frontier developer shall provide a reasonable internal process through which a covered employee may anonymously disclose information to the large frontier developer if the covered employee believes in good faith that the information indicates that the large frontier developer’s activities present a specific and substantial danger to the public health or safety resulting from a catastrophic risk or that the large frontier developer violated Chapter 25.1 (commencing with Section 22757.10) of Division 8 of the Business and Professions Code, including a monthly update to the person who made the disclosure regarding the status of the large frontier developer’s investigation of the disclosure and the actions taken by the large frontier developer in response to the disclosure.” 

  26. EU CoP, Measures 8.2. “Signatories will ensure that their management bodies oversee the allocation of resources to those who have been assigned responsibilities (pursuant to Measure 8.1) that are appropriate for the systemic risks stemming from their models.” 

  27. See EU CoP Measure 8.3 for all items on this list. 

  28. Cal. Lab. Code, §1107.1. “A frontier developer shall not make, adopt, enforce, or enter into a rule, regulation, policy, or contract that prevents a covered employee from disclosing, or retaliates against a covered employee for disclosing, information to the Attorney General, a federal authority, a person with authority over the covered employee, or another covered employee who has authority to investigate, discover, or correct the reported issue, if the covered employee has reasonable cause to believe that the information discloses either of the following: (1) The frontier developer’s activities pose a specific and substantial danger to the public health or safety resulting from a catastrophic risk. (2) The frontier developer has violated Chapter 25.1 (commencing with Section 22757.10) of Division 8 of the Business and Professions Code [also called the ‘Transparency in Frontier Artificial Intelligence Act’]…A frontier developer shall provide a clear notice to all covered employees of their rights and responsibilities under this section” 

  29. Cal. Lab. Code, §1102.5. “An employer, or any person acting on behalf of the employer, shall not retaliate against an employee for disclosing information, or because the employer believes that the employee disclosed or may disclose information, to a government or law enforcement agency, to a person with authority over the employee or another employee who has the authority to investigate, discover, or correct the violation or noncompliance, or for providing information to, or testifying before, any public body conducting an investigation, hearing, or inquiry, if the employee has reasonable cause to believe that the information discloses a violation of state or federal statute, or a violation of or noncompliance with a local, state, or federal rule or regulation, regardless of whether disclosing the information is part of the employee’s job duties.” 

  30. See EU CoP, Measure 8.3(7), where signatories commit to “not retaliating in any form, including any direct or indirect detrimental action such as termination, demotion, legal action, negative evaluations, or creation of hostile work environments, against any person publishing or providing information acquired in the context of work-related activities performed for the Signatory to competent authorities about systemic risks stemming from their models for which the person has reasonable grounds to believe its veracity.” 

  31. See Article 87 of the EU AI Act. For further analysis, see “Whistleblowing and the EU AI Act” by Koivula and Koch. 

  32. See EU CoP, Measure 8.3(6), where signatories commit to “annually informing workers of the Signatory’s whistleblower protection policy and making such policy readily available to workers such as by publishing it on their website.”