Understanding California’s Frontier AI Act and Potential Impacts for Small Businesses

On September 29, 2025, Governor Gavin Newsom signed into law the Transparency in Frontier Artificial Intelligence Act (commonly referred to as “SB 53” or “TFAIA”). While TFAIA is a huge deal for a variety of reasons, truthfully, it doesn’t have an immediate impact on small- and medium-sized businesses (SMBs). That’s because its main goal is to mitigate against catastrophic risk by asking the biggest players in AI to assess and disclose aspects of their AI that could result in either (1) mass harm, or (2) $1 billion in damages. But that does not mean downstream impacts aren’t coming for SMBs.

Skip to the bottom to find out what TFAIA might mean for your business.

The Act

TFAIA calls on large AI developers with “frontier models” (think OpenAI, Anthropic, Google, Meta) to be transparent about safety protocols employed in AI systems.

Large frontier developers must provide information on their websites regarding data used “to train the generative artificial intelligence system or service,” including: (1) how a natural person may communicate to the developer; (2) release date of the frontier model; (3) the language supported by the model; (4) the modalities of output supported by the model; (5) the model’s intended use; (6) any generally applicable restrictions or conditions to using the model; (7) assessments of catastrophic risks from the frontier model (in conformance with the developer’s AI model framework); (8) results of the risk assessment; and (9) the extent to which third-party evaluators were utilized.

Rather than requiring developers to comply with certain technical specifications or benchmarks—which the California legislature acknowledge would likely stifle creativity and growth—California will trust the accuracy of the companies’ transparency reporting, and only verify when appropriate (therefore, the Act is said to operate under “trust but verify” principles).  

Large frontier developers must become compliant with TFAIA on or before January 1, 2026, and will have to meet ongoing reporting obligations after that any time they make a “substantial modification” to an AI intelligence system or service that existed as of January 1, 2022, OR any time they release a new AI system or service.

Aside from reporting obligations, here are the Act’s six major features:

• Transparency & Reporting: In addition to the information listed above, large frontier developers must publish a framework on their website, and describe how the framework incorporates national, international, and industry-best practices.

• CalCompute: The Act creates CalCompute, a consortium within the Government Operations Agency tasked with developing a framework for a public computing cluster. The framework aims to advance the development of AI in a safe, sustainable, equitable and ethical manner. The CalCompute framework will become state-wide best practices, and large frontier developers will need to monitor the framework as a guidepost when creating or significantly updating their AI systems.

• Incident Reporting & Safety: Private companies and citizens alike can now report potential critical AI safety incidents to California’s Office of Emergency Services.

• Whistleblower Protection: Though “trust” is a cornerstone of the Act, diligent and honest reporting is paramount. The Act contains whistleblower protections for employees who disclose significant health and safety risks posted by frontier models. One way or another, the State of California will find out about risky practices!

• Enforcement: The Attorney General’s office has been tasked with investigating and enforcing compliance with TFAIA, using civil penalties of up to $1MM as a deterrent. 

• Agile Legislation: The Act directs the California Department of Technology to recommend updates on an annual basis, based on multistakeholder input. This leaves room for the law to change as technology and national and international standards change.

Trend Signaling

California’s decision to enact AI legislation has been the subject of industry and investor criticism that TFAIA will create a “patchwork” regulatory landscape, in which states could create competing, diverging or contradictory frameworks. This could make AI development challenging, or stifle innovation. However, TFAIA was not created out of thin air. Its directives are based on recommendations from California’s first-in-the-nation report, published earlier this year, and compiled by a group of the world’s leading AI experts and academics. The report includes recommendations for policymaking that balance transparency and security risks, which recommendations are based on an empirical analysis of the capabilities and risks of frontier models. Given the extensive thought that went into the Act, TFAIA (or, at a minimum, the report on which it was based) are expected to have a significant impact on the development of other states’ rules.

TFAIA is a state law and, therefore, only applies to California companies. However, California currently houses 32 of the 50 leading AI companies, so the odds of SMBs using California AI vendors are high. As described below, SMBs utilizing California AI vendors should be on the lookout for downstream impacts.

Be on the Lookout!

It will remain critical for large and small AI companies alike to monitor the evolving status of state AI laws. Companies cannot expect that, because TFAIA does not apply to them today, another state’s AI legislation will not apply to them in the future. For instance, while TFAIA limits its reach to “large frontier developers “ with gross revenues over $500MM, and which produce “frontier” AI models, New York’s proposed AI legislation (the Raise Act) is much more broad. At the time of this article, the proposed RAISE Act applies to companies that spend at least $5MM total in compute to develop their models. This is a low hurdle for many AI-centric startups and, if the New York legislation is passed, it may stifle investments in NY-based AI companies, and serve as a reason not to start an AI company in New York State in the first place. Check back for updates on RAISE.

How Small- and Medium-Sized Businesses May be Impacted by TFAIA

Let’s be real: SMBs are not the target of TFAIA. However, because SMBs operate within the same ecosystem as the large model developers that are constrained, TFAIA may create downstream impact on SMBs. Moreover, even if your company is not based in California, in the very likely event that your AI vendor is, you may still see an impact on your contracts, and service.

Here are some practical considerations for SMBs: 

• More, Longer Contracts: This isn’t an action item as much as a heads up. As vendors move to comply with TFAIA, their form contracts will likely contain additional, or more lengthy, provisions relating to technical documentation, risk management practices, whistleblower policy documentation, reporting procedures and compliance practices. Though these “informational purposes only” transparency provisions are unlikely to impact how you do work with AI vendors, it is important to understand whether they carry any additional obligations for your organization, or liability shifting (particularly for indemnity provisions when AI has a limited scope of use). These should be reviewed by counsel. The good news is that transparency requirements will help SMBs understand when they may be exposed to unreliable or risky AI systems.

• Slow Rollouts & Use Case Limitations: In order to stay compliant with TFAIA, AI/LLM vendors will have to engage in more risk analysis, and reporting, likely resulting in slower model updates and iterations. Vendors may adopt stricter controls on how their models are used, implement use caps, and may be slower or more conservative with model rollouts, stifling SMB agility. SMBs should review vendor agreements to ensure that AI systems can still be used in the manner that SMBs need, and tamper expectations about the speed at which model updates may arrive. If use and timing are critical to how your AI is used, you may want to include representations and warranties in vendor contracts that allow for termination or liquidated damages in the event you can’t use AI when and how expected. These termination clauses will avoid lock-in with a vendor that is no longer suiting your needs.

  Realistically, AI vendors large enough to fall under TFAIA will have a form contract, with little negotiation room for SMBs. If your vendor does not seem like it can meet your agility or use needs, now in the future, shopping around for another vendor may be your best bet. 

• Voluntary Transparency & Public Perception: Though SMBs are not regulated by TFAIA in the same manner as giant companies, the public may begin to expect SMBs to disclose more about safety practices, such as when and how AI is used. Having a website page dedicated to the safety practices, risk assessments, and/or the model governance practices your company employs (depending on how tech heavy it is, or how AI is leveraged) will demonstrate transparency and may increase public perception and reduce friction with AI-fearing stakeholders. 

• Internal Gating & Employee Protection: TFAIA implements a whistleblower policy that really highlights the importance, in this day and age, for transparency. While not required, SMBs should consider expanding any existing internal whistleblower policies to clearly encompass issues raised with the utilization or implementation of AI. These policies will create internal accountability, and help management stay ahead of potential pain points in AI utilization, particularly as employees become more aware of AI risk and governance trends.

• Cost Monitoring and Mitigation: As large AI companies face costs associated with TFAIA compliance, those may be passed downstream, and could include higher licensing fees, more limited API access, or more strict contractual terms. Accordingly, SMBs should both prepare for greater costs in the near term, and consider structuring contracts to protect against large cost increases in the future. Some costs may be mitigated by using more narrow/non-full frontier models for noncore functions. SMBs should shop around for the model that best suits their needs, and may even find that switching to a local, RAG-based model is all that is required to perform daily functions. 

• Keep Vendor Operations Open: As the other tips suggest, we don’t know exactly the impact TFAIA will have on AI vendors yet. Accordingly, investigating the strengths and weaknesses of many AI vendors, and maintaining optionality among providers, will help SMBs build fallback or hybrid systems in the event that a vendor is slow to provide necessary tech. It may be the case that AI vendors outside of California will be more agile in providing AI services. However, SMBs should keep in mind that the AI landscape is rapidly changing, and other states are likely to create similar AI legislation.

Conclusion

TFAIA creates noise, but not necessarily action items, for SMBs. The field of AI is changing faster than an LLM can re-draft that sassy email to your best friend. If your SMB is in AI model development, it will be important to monitor new state laws to ensure you do not fit within the definition of business that must comply. If your business is AI-centric, monitor vendor contracts to ensure that, even after TFAIA becomes effective, they are still meeting your business needs.