California just fired a shot across the bow. On March 30, Governor Gavin Newsom signed Executive Order N-5-26, requiring AI companies that want state contracts to prove they have safeguards against bias, civil rights violations, and the creation of illegal content. It’s the first order of its kind by any state governor, and the timing is no accident.
“While Trump pressures companies to deploy AI for autonomous weapons and domestic surveillance, California is using our power to raise the bar on privacy and security,” Newsom said upon signing.
The order lands three and a half months after President Trump signed his own executive order in December 2025, one that directs federal agencies to challenge state AI laws in court and threatens to condition broadband funding on states rolling back their AI regulations. This is now a full-blown standoff between Sacramento and Washington over who gets to write the rules for artificial intelligence.
What the Order Actually Requires
Within 120 days, California’s Department of General Services and Department of Technology must develop a new certification framework for AI vendors seeking state contracts. Companies will have to attest to and explain their policies across three areas:
Illegal content prevention. Vendors must show how their AI models prevent the creation or distribution of child sexual abuse material (CSAM) and non-consensual intimate imagery. This is one area where even the Trump administration’s preemption order carved out an exception—child safety remains explicitly off-limits from federal override.
Bias mitigation. Companies must demonstrate governance structures that reduce algorithmic bias. This is the provision most likely to generate industry pushback, since “bias” in AI systems is notoriously difficult to define, measure, and eliminate.
Civil liberties protection. Safeguards must cover free speech, voting rights, human autonomy, and protections against unlawful discrimination, detention, and surveillance. This is a broad mandate that could affect everything from facial recognition systems to predictive policing tools.
Beyond vendor certifications, the order includes two additional requirements:
The California Department of Technology must create watermarking guidance for AI-generated or manipulated images and video—a first-of-its-kind statewide mandate aimed at deepfakes and misinformation.
The state’s Chief Information Security Officer gains authority to review and override federal supply chain risk designations if they’re deemed improper. In practice, this means California can continue doing business with AI companies that the federal government has blacklisted, maintaining a state-level counterweight to federal restrictions.
Why California’s Leverage Matters
This order would be a political statement if it came from Montana. From California, it’s a market-shaping event.
California hosts 33 of the world’s 50 top privately held AI companies and generates 25% of all U.S. AI patents. It’s the world’s fourth-largest economy. When California sets procurement requirements, vendors comply because they can’t afford to walk away from the market.
Neil Shah from Counterpoint Research told Computerworld the order “essentially wants to set a benchmark for de facto AI standards when it comes to procurement, safety, and ethics.” He noted the certification requirements could increase compliance burdens for smaller vendors while establishing “strong precedent for these players to expand globally relatively smoothly.”
This is the Brussels Effect applied to American state politics. Just as the EU’s GDPR forced companies worldwide to adopt stricter data privacy practices because they couldn’t build separate products for the EU market, California’s procurement requirements could become de facto national standards. It’s cheaper for an AI company to build one product that meets California’s requirements than to maintain separate compliant and non-compliant versions.
The Federal Collision Course
The Trump administration’s December 2025 executive order set up several mechanisms to push back against exactly this kind of state action:
A DOJ litigation task force. Starting January 10, 2026, the AI Litigation Task Force within the Department of Justice has been authorized to challenge state AI laws that “unconstitutionally burden interstate commerce” or are “preempted by federal regulations.”
Financial pressure. The Commerce Department has been directed to condition $42 billion in broadband infrastructure funding on states rolling back AI regulations the administration deems “onerous.”
A review of state laws. The Secretary of Commerce was directed to publish, by March 11, 2026, an evaluation identifying state AI laws that conflict with federal policy and merit referral to the DOJ task force.
But the federal order has a fundamental weakness: it’s not a law. An executive order can’t actually preempt state legislation. As legal analysts at Ropes & Gray point out, “the Executive Order is neither a statute nor a regulation, and it does not itself have the force of law.” Only Congress can preempt state laws through actual legislation, and Congress hasn’t passed a comprehensive AI bill.
Newsom’s order is deliberately crafted to exploit this gap. It doesn’t regulate AI companies directly—it sets procurement conditions for doing business with the state. That’s squarely within a governor’s authority and much harder to challenge in court than a statute.
What This Means for AI Companies
If you’re an AI company selling to government clients, you now face a split market. The federal government under Trump wants fewer restrictions and faster deployment. California wants documented safeguards, bias certifications, and content safety attestations.
For large companies like OpenAI, Anthropic, Google, and Microsoft, this probably isn’t a crisis. They already have compliance teams and responsible AI frameworks. The certification process will be paperwork, not a fundamental change to their products.
For smaller AI startups, the picture is murkier. Building compliance infrastructure costs money. A certification framework that requires documenting bias mitigation strategies, content safety mechanisms, and civil liberties safeguards could be a real barrier for a five-person team shipping fast.
The question is whether other states follow California’s lead. Oregon, Washington, Illinois, and New York have all been advancing their own AI laws. If procurement safeguards become a multi-state requirement, the compliance burden multiplies—and the pressure to build AI responsibly from the start, rather than bolting on safeguards later, becomes significant.
The Bigger Picture
Zoom out and you see a pattern. In the absence of federal AI legislation, states are filling the vacuum. California now has the AI Transparency in Frontier AI Act, over 20 AI-related statutes effective since January 2026, and this new procurement order. Utah passed mental health chatbot regulations. Oregon passed youth safety chatbot requirements. Colorado has the nation’s most comprehensive state AI law.
The Trump administration’s response has been to threaten preemption without the legal tools to enforce it. The AI Litigation Task Force exists, but challenging state procurement requirements is fundamentally different from challenging state statutes. States have broad discretion over who they do business with.
The result is an AI governance system that looks a lot like the U.S. system for regulating everything from emissions to data privacy: a patchwork of state laws with no coherent federal framework, periodically disrupted by executive orders that face legal challenges.
For anyone building or using AI, the practical takeaway is straightforward: California’s requirements are coming, and they’ll likely set the floor. Build for the strictest requirements, and you’ll be compliant everywhere.
What You Can Do
- If you’re an AI vendor: Start preparing bias mitigation documentation and content safety attestations now. The 120-day clock is ticking for the certification framework, and being ready early gives you a competitive advantage for California contracts.
- If you’re a privacy-conscious user: California’s watermarking mandate for AI-generated content is worth watching. If implemented well, it could be the most practical deepfake defense yet deployed at scale.
- If you follow AI policy: Watch whether other states adopt similar procurement requirements. The real power of this order isn’t in California alone—it’s in whether it triggers a cascade.