Is this the Ceiling or the Beginning?: Disclosures in Californian AI Regulations

Written by Bhumika Nebhnani, MPP ’27, Fall 2025 MDI Communications & Events Assistant

In the absence of comprehensive federal-level artificial intelligence (AI) regulations, present-day AI regulation in the US rests primarily with individual states. California, in particular, has been playing the role of a national laboratory for AI Governance, in addition to its established innovation and funding leadership. In 2025, the state enacted eleven privacy and AI-focused laws, out of the thirty-three introduced. As many of these go into effect this year, Sacramento’s regulatory equilibrium seems to have settled on disclosure requirements rather than hard prohibitions or strict liability, a function of its innovation-regulation tussle. The success of disclosure-regulations, however, depends on whether disclosures act as a beginning or a ceiling.  Transparency risks becoming a ceiling if not paired with capacity-building of the disclosure-receivers to vet the information they receive. Efforts must aim to convert these first-steps into a concrete beginning, rather than a ceiling. 

From a regulatory standpoint, disclosures imply transparency mandates for specified stakeholders to share required information with the users, regulators, or both. Here are three key AI laws in California that are useful to corroborate the bent towards disclosures, two as explicit retreats from stricter regulation, and one as an original expression of the same governing instinct. The centerpiece of this agenda is SB 53, the Transparency in Frontier Artificial Intelligence Act, establishing the first statutory foothold in the United States focused explicitly on “catastrophic risk” from advanced models. It applies to the frontier models, defined as those trained above 10²⁶ floating-point operations compute threshold, thereby targeting the largest general-purpose systems developed by firms such as OpenAI, Google, Anthropic, and Meta. The key requirements under the law include, publishing AI safety frameworks, conducting catastrophic-risk assessments for  better capabilities-understanding, reporting critical safety incidents to California’s Office of Emergency Services, and providing whistleblower protections for employees who flag serious concerns. This law settled on a disclosure equilibrium, after its predecessor SB 1047’s stricter liability provisions, and “kill switch” mandates faced severe backlash. 

The trend is also visible in California’s SB 243 which governs companion chatbots, with a focus on use by minors. Passed in the backdrop of tragic cases in which teens formed intense relationships with chatbots and received harmful advice about self-harm, SB 243 is a revised version of the stricter AB 1064. AB 1064 enabled prohibition of  companion chatbots to minors unless proven safe. SB 243 however, requires disclosures by the operators, who are mandated to notify users that they are interacting with AI, and in cases of “known minors”, additional protocols like notifying every three hours and prohibition from engaging in sexually explicit content. Here too, the regulatory equilibrium settled in favour of disclosures paired with ex-post harm redressal, replacing the outright  prohibitions. 

Yet another significant pillar of California’s 2025 AI agenda is the AI Transparency Act (AB 853), mandating content provenance, by requiring large social media platforms, messaging apps and search engines to identify AI-generated content. This law reflects the same regulatory instinct visible in SB 53’s frontier-model reporting requirements and SB 243’s chatbot interaction disclosures, which is, governance through transparency rather than outright restrictions.

In the above-mentioned examples, disclosure is the pragmatic solution for the innovation-safety balance in California, hinted in what Professor Meg Leta Jones at Georgetown University calls a “tech-friendly approach to AI policy so far”, reflecting the reality that many of the companies developing these systems are headquartered in California. However, the pressing question is about the implication of these transparency mandates. Will they harden into a regulatory ceiling, designed to pacify critics while protecting the status quo, or mark the beginning of a more robust, informed oversight? Transparency becomes a ceiling when disclosures neither alter user behaviour nor translate into meaningful regulatory action. It becomes a beginning only when the signals generated by those disclosures are actively interpreted by institutions, influence how platforms and users behave, and form the basis for stronger governance mechanisms over time.

The risk of disclosure requirements hardening into a convenient ceiling due to insufficient oversight and enforcement, could result from several factors. Lack of a sufficient number of technical experts in state offices receiving disclosures is a concern with SB 53 enforcement. In conversations in San Francisco, David Evan Harris of the California Initiative for Technology and Democracy, shared his concerns:

While SB 53 establishes an important reporting framework, its effectiveness ultimately will depend on institutional capacity – particularly of the California Office of Emergency Services (OES), Department of Justice, and Department of Technology – to be sufficiently equipped for evaluation of the transparency and incident reports it receives from frontier model developers.

David Evan Harris

The ceiling risk is not only institutional but behavioral. As Professor Meg Leta Jones of Georgetown University observes, disclosure mechanisms assume that informing users will meaningfully change their behavior. Yet this assumption may not always hold. “If people know they are engaging with an AI bot and seek to do so,” she notes, “disclosures of that fact may have little impact on users.” In other words, transparency does not automatically translate into safer outcomes if users knowingly continue engaging with the systems they are warned about.

Even for provenance regulations, public institutions like the Attorney General’s office, must develop the technical capacity to verify proper compliance, audit provenance systems, investigate manipulated media, and verify whether platforms meaningfully implement detection tools. Professor Lisa Singh, shares her views on this approach:

For these laws to mark a beginning rather than a ceiling, disclosures should follow concrete regulatory responses. In the SB 53 context, that would mean California’s OES, the Department of Justice, and the Department of Technology reviewing the catastrophic‑risk assessments and incident reports against independent benchmarks, ordering additional testing or mitigations where needed, and escalating serious failures into enforcement actions or coordinated responses with federal agencies. For SB 243, using disclosures would involve the Attorney General or other enforcement bodies spot‑checking chatbot interactions, investigating complaints from minors and parents, and pursuing penalties or mandated design changes when platforms fail to label bots or continue harmful engagement. Under AB 853, provenance data and labeling systems would be actively audited, with election officials and regulators using those signals to flag, downrank, or rapidly warn the public about coordinated deepfake campaigns rather than treating labels as a one‑off compliance checkbox.

California is a case in point on how disclosures can be effective in generating signals about technological risks and behaviors. The key question for AI policy-makers in the US, going forward, is usability of the disclosures. Whether these disclosure‑based laws become a comfortable ceiling or a meaningful beginning now depends less on what companies reveal and more on what public institutions are able – and willing – to do with what they receive.