WHAT THIS BILL REGULATES · 4 REQUIREMENT TYPES
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
(a)–(d) For purposes of this chapter, the following definitions apply: (a) "AgencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a)" means the Government Operations AgencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a). (b) "Artificial intelligenceArtificial intelligence"Artificial intelligence" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.Gov. Code § 11549.80(b)" or "AI" means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments. (c) "Artificial intelligence auditorArtificial intelligence auditor"Artificial intelligence auditor" or "AI auditor" means a person, partnership, or corporation that assesses an AI system or model on behalf of a third party.Gov. Code § 11549.80(c)" or "AI auditor" means a person, partnership, or corporation that assesses an AI system or model on behalf of a third party. (d) "Covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d)" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.
This section establishes the four defined terms used throughout the chapter: Agency (the Government Operations Agency), Artificial intelligence (using the same definition already in California law), Artificial intelligence auditor (a person, partnership, or corporation that assesses AI systems on behalf of third parties), and Covered audit (any audit required by state statute to be performed by an independent third-party auditor). The covered audit definition is notable for its breadth — it captures any future California law that mandates independent AI auditing, not just current statutes.
The AI Auditors' Enrollment Fund is hereby created within the State Treasury. The fund shall be administered by the Government Operations AgencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a). All moneys collected or received by the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) under this chapter shall be deposited into the AI Auditors' Enrollment Fund to be available for expenditure by the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a), upon appropriation by the Legislature, to administer this chapter.
This section creates the AI Auditors' Enrollment Fund within the State Treasury, administered by the Government Operations Agency. All fees and moneys collected under the chapter are deposited into this fund and are available for expenditure only upon appropriation by the Legislature. This is a fiscal-administrative provision that does not impose compliance obligations on AI auditors.
(a)(1)–(3) 1 By January 1, 2027, the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) shall do all of the following: (1) Establish a mechanism on the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a)'s internet website allowing AI auditors to enroll with the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) pursuant to paragraph (1) of subdivision (a) of Section 11549.83. (2) Fix enrollment fees at an amount not exceeding the reasonable costs of administering this chapter. (3) Establish a mechanism on the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a)'s internet website allowing natural persons to report misconduct by an enrolled AI auditor.
(b)(1)–(3) 2 Beginning January 1, 2027, the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) shall do all of the following: (1) Publish any information provided by an enrolled AI auditor pursuant to subdivision (a) of Section 11549.83 in a publicly accessible format on the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a)'s internet website. (2) Retain any report submitted using the mechanism established pursuant to paragraph (3) of subdivision (a) for as long as the enrolled AI auditor remains enrolled, plus 10 years. (3) Share reports submitted using the mechanism established pursuant to paragraph (3) of subdivision (a) with other state agencies as necessary for enforcement purposes.
This section imposes obligations on the Government Operations Agency — not on AI auditors — to build the administrative infrastructure for the enrollment program by January 1, 2027. The agency must establish a web-based enrollment mechanism, fix enrollment fees at a level not exceeding reasonable administrative costs, and create a public misconduct-reporting mechanism for natural persons. On an ongoing basis beginning January 1, 2027, the agency must publish enrolled auditor information in a publicly accessible format, retain misconduct reports for as long as the auditor remains enrolled plus ten years, and share misconduct reports with other state agencies as necessary for enforcement.
(a)(1)–(3)(A)–(F) 3 Beginning January 1, 2027, prior to initially conducting a covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d), an AI auditor shall do all of the following: (1) Enroll with the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) using the mechanism established pursuant to paragraph (1) of subdivision (a) of Section 11549.82. (2) Pay to the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) the enrollment fee set forth in paragraph (2) of subdivision (a) of Section 11549.82. (3) Provide to the agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a) all of the following information: (A) The name of the auditor. (B) All of the following contact information: (i) The primary physical address of the auditor, if the auditor has a physical address. (ii) The primary internet website of the auditor, if the auditor has an internet website. (iii) A telephone number enabling a natural person to communicate with the auditor. (iv) An email address enabling a natural person to communicate with the auditor. (C) The types of AI systems or models that the auditor is enrolling to audit. (D) Any relevant certifications or accreditations and the identities of the certifying or accrediting entities. (E) A written description of the auditor and the services they provide, not to exceed 200 words in length. (F) A standard operating procedure (SOP) that describes the auditor's procedures in sufficient detail to enable a third party to assess whether audits are conducted according to generally accepted industry best practices.
(b) 4 In conducting a covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d), an enrolled AI auditor shall abide by generally accepted industry best practices appropriate to the system or model being audited.
This section imposes the core pre-audit obligations on AI auditors. Before conducting any covered audit, an auditor must enroll with the agency, pay the enrollment fee, and submit detailed information: name, contact details, types of AI systems the auditor is enrolling to audit, certifications and accreditations with certifying-entity identities, a written description of the auditor and services (capped at 200 words), and a standard operating procedure describing audit processes in sufficient detail for third-party assessment against generally accepted industry best practices. The section also requires enrolled auditors to abide by generally accepted industry best practices appropriate to the system or model being audited when conducting a covered audit.
(a)(1)–(5) 5 After conducting a covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d), an enrolled AI auditor shall provide the auditee with an audit report that contains, but is not limited to, all of the following: (1) The scope and objectives of the audit. (2) The results of the audit and any documentation necessary to demonstrate the basis of those results. (3) An explanation of any steps the auditee can take to meet generally accepted industry standards appropriate to the system or model being audited. (4) An explanation of any steps the auditee can take to become compliant with state law. (5) A statement that is signed and dated by each auditor that certifies that the covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d) was completed.
(b) 6 An AI auditor shall not knowingly make a material misrepresentation in an audit report prepared pursuant to this subdivision.
(c) 7 An enrolled AI auditor shall retain any documentation that is provided to an auditee pursuant to this chapter, or that is necessary to demonstrate the basis of the result of a covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d), for at least 10 years.
(d) 8 An enrolled AI auditor shall not conduct a covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d) if it has a financial interest in the auditee other than financial compensation for performing an audit.
(e)(1)–(2) 9 Notwithstanding Chapter 1 (commencing with Section 16600) of Part 2 of Division 7 of the Business and Professions Code, an enrolled AI auditor shall not accept employment with an auditee within 12 months of completing a covered audit of the auditee. (2) An enrolled AI auditor shall not conduct a covered auditCovered audit"Covered audit" means an audit conducted pursuant to any state statute that requires an audit of an AI system or model by an independent third party auditor.Gov. Code § 11549.80(d) if the auditee had employed the auditor during the 12-month period preceding the audit.
This section establishes five distinct obligation clusters for enrolled AI auditors. First, after completing a covered audit, the auditor must provide the auditee with a structured audit report containing the scope and objectives, results with supporting documentation, steps to meet industry standards, steps for state-law compliance, and a signed and dated certification. Second, auditors are prohibited from knowingly making material misrepresentations in audit reports. Third, auditors must retain all documentation provided to auditees and materials necessary to demonstrate the basis of audit results for at least 10 years. Fourth, auditors must not conduct covered audits where they hold a financial interest in the auditee beyond compensation for performing the audit. Fifth, the section imposes a bilateral revolving-door restriction: auditors may not accept employment with an auditee within 12 months of completing a covered audit, and may not conduct a covered audit if the auditee had employed the auditor during the preceding 12 months.
(a)(1)–(6) 10 An enrolled AI auditor may disclose confidential information concerning an auditee only if the auditee provides written authorization or if the disclosure is any of the following: (1) Made in compliance with a subpoena or a summons enforceable by order of a court. (2) Reasonably necessary to maintain or defend the auditor in a legal proceeding initiated by the auditee. (3) Made in response to an official inquiry from a federal or state government regulatory agencyAgency"Agency" means the Government Operations Agency.Gov. Code § 11549.80(a). (4) Made to another enrolled AI auditor or person in connection with a proposed sale or merger of the auditor's professional practice, provided the parties enter into a written nondisclosure agreement with regard to all auditee information shared between the parties. (5) Made to either of the following: (A) Another enrolled AI auditor to the extent necessary for purposes of professional consultation. (B) Organizations that provide professional standards review and ethics or quality control peer review. (6) Specifically permitted by state or federal law.
(b)(1)–(2) 11 An enrolled AI auditor shall not do either of the following: (1) Prevent an employee from disclosing information to the Attorney General or the Labor Commissioner, or using the mechanism established pursuant to paragraph (3) of subdivision (a) of Section 11549.82, including through terms and conditions of employment or seeking to enforce terms and conditions of employment, if the employee has reasonable cause to believe the information indicates that the auditor is out of compliance with the requirements of this chapter. (2) Retaliate against an employee for disclosing information pursuant to paragraph (1).
This section establishes two distinct obligation clusters. First, enrolled AI auditors are subject to a default confidentiality obligation: they may not disclose confidential auditee information except in six enumerated circumstances — written auditee authorization, court-enforceable subpoena or summons, defense in auditor-initiated litigation by the auditee, official government regulatory inquiry, proposed sale or merger of the auditor's practice (with NDA), professional consultation with other enrolled auditors or standards-review organizations, and where otherwise permitted by law. Second, the section creates whistleblower protections: enrolled auditors may not prevent employees from disclosing noncompliance information to the Attorney General, the Labor Commissioner, or via the agency's misconduct-reporting mechanism, and may not retaliate against employees who make such disclosures.