Business and Professions Code section 22757.12
(a)
A large frontier developer shall write, implement, comply with, and clearly and conspicuously publish on its internet website a frontier AI framework that applies to the large frontier developer’s frontier models and describes how the large frontier developer approaches all of the following:(1)
Incorporating national standards, international standards, and industry-consensus best practices into its frontier AI framework.(2)
Defining and assessing thresholds used by the large frontier developer to identify and assess whether a frontier model has capabilities that could pose a catastrophic risk, which may include multiple-tiered thresholds.(3)
Applying mitigations to address the potential for catastrophic risks based on the results of assessments undertaken pursuant to paragraph (2).(4)
Reviewing assessments and adequacy of mitigations as part of the decision to deploy a frontier model or use it extensively internally.(5)
Using third parties to assess the potential for catastrophic risks and the effectiveness of mitigations of catastrophic risks.(6)
Revisiting and updating the frontier AI framework, including any criteria that trigger updates and how the large frontier developer determines when its frontier models are substantially modified enough to require disclosures pursuant to subdivision (c).(7)
Cybersecurity practices to secure unreleased model weights from unauthorized modification or transfer by internal or external parties.(8)
Identifying and responding to critical safety incidents.(9)
Instituting internal governance practices to ensure implementation of these processes.(10)
Assessing and managing catastrophic risk resulting from the internal use of its frontier models, including risks resulting from a frontier model circumventing oversight mechanisms.(b)
(1)A large frontier developer shall review and, as appropriate, update its frontier AI framework at least once per year.(2)
If a large frontier developer makes a material modification to its frontier AI framework, the large frontier developer shall clearly and conspicuously publish the modified frontier AI framework and a justification for that modification within 30 days.(c)
(1)Before, or concurrently with, deploying a new frontier model or a substantially modified version of an existing frontier model, a frontier developer shall clearly and conspicuously publish on its internet website a transparency report containing all of the following:(A)
The internet website of the frontier developer.(B)
A mechanism that enables a natural person to communicate with the frontier developer.(C)
The release date of the frontier model.(D)
The languages supported by the frontier model.(E)
The modalities of output supported by the frontier model.(F)
The intended uses of the frontier model.(G)
Any generally applicable restrictions or conditions on uses of the frontier model.(2)
Before, or concurrently with, deploying a new frontier model or a substantially modified version of an existing frontier model, a large frontier developer shall include in the transparency report required by paragraph (1) summaries of all of the following:(A)
Assessments of catastrophic risks from the frontier model conducted pursuant to the large frontier developer’s frontier AI framework.(B)
The results of those assessments.(C)
The extent to which third-party evaluators were involved.(D)
Other steps taken to fulfill the requirements of the frontier AI framework with respect to the frontier model.(3)
A frontier developer that publishes the information described in paragraph (1) or (2) as part of a larger document, including a system card or model card, shall be deemed in compliance with the applicable paragraph.(4)
A frontier developer is encouraged, but not required, to make disclosures described in this subdivision that are consistent with, or superior to, industry best practices.(d)
A large frontier developer shall transmit to the Office of Emergency Services a summary of any assessment of catastrophic risk resulting from internal use of its frontier models every three months or pursuant to another reasonable schedule specified by the large frontier developer and communicated in writing to the Office of Emergency Services with written updates, as appropriate.(e)
(1)(A)A frontier developer shall not make a materially false or misleading statement about catastrophic risk from its frontier models or its management of catastrophic risk.(B)
A large frontier developer shall not make a materially false or misleading statement about its implementation of, or compliance with, its frontier AI framework.(2)
This subdivision does not apply to a statement that was made in good faith and was reasonable under the circumstances.(f)
(1)When a frontier developer publishes documents to comply with this section, the frontier developer may make redactions to those documents that are necessary to protect the frontier developer’s trade secrets, the frontier developer’s cybersecurity, public safety, or the national security of the United States or to comply with any federal or state law.(2)
If a frontier developer redacts information in a document pursuant to this subdivision, the frontier developer shall describe the character and justification of the redaction in any published version of the document to the extent permitted by the concerns that justify redaction and shall retain the unredacted information for five years.
Source:
Section 22757.12, https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC§ionNum=22757.12. (updated Jan. 1, 2026; accessed Dec. 22, 2025).
