California AB 2013 Is Now in Effect. Most AI Developers Are Not Ready.
Jan 1, 2026 | AI Policy
California’s Generative AI Training Data Transparency Act, known as AB 2013, took effect January 1, 2026. It requires developers of generative AI systems made available to Californians to publicly document the data used to train those systems. The deadline has passed. Compliance is uneven. Legal challenges are already in court.
Organizations that develop, deploy, or procure generative AI need to understand what the law demands, where enforcement stands, and what the gaps mean for their governance posture.
What the Law Requires
AB 2013 applies to any generative AI system or service released on or after January 1, 2022 and made publicly available to Californians, whether or not compensation is involved. Before each public release or substantial modification, developers must post documentation on their website covering twelve categories of training data information, including dataset sources and descriptions, the number of data points, data types, whether copyrighted or personal information is included, whether data was purchased or licensed, whether synthetic data was used, and the time period during which data was collected.
The law does not define “high-level summary,” which is the standard it applies to dataset disclosure. It provides no enforcement mechanism. It establishes no civil penalties. It contains no trade secret protection provisions.
Those omissions are not minor. They are the fault lines where compliance disputes will be resolved.
Where Major Developers Stand
OpenAI, Anthropic, and Google each posted training data disclosures by the January 1 deadline. Neither OpenAI nor Anthropic identified specific datasets used to train their models; both provided high-level summaries that satisfy the letter of the statute without revealing dataset composition or sourcing methodology. Anthropic’s disclosure adopts a more structured format than OpenAI’s; both stop well short of the detailed provenance documentation the law’s text implies.
xAI filed a lawsuit against the California Attorney General shortly before the deadline, challenging AB 2013 as unconstitutional. The lawsuit alleges the law compels disclosure of trade secrets in violation of the Fifth Amendment’s Takings Clause. That litigation is pending.
Many smaller AI developers have taken a wait-and-see posture, watching how the major foundation model developers structured their disclosures and how California intends to enforce the statute before committing to a compliance approach.
The Compliance Gaps Organizations Must Address
Three structural problems in the law create concrete risk for organizations building on or procuring generative AI.
Retroactive documentation scope is ambiguous. The law applies to systems released on or after January 1, 2022. For models trained iteratively or built on third-party or open-source datasets, assembling documentation covering that period requires data lineage records that many organizations did not build in real time. The law’s reference to datasets “first used during development” suggests the disclosure scope may extend beyond final training datasets to all datasets evaluated during development.
Intellectual property exposure is unresolved. The law requires disclosure of whether training data includes content protected by copyright, trademark, or patent. Disclosing that information publicly, before the pending IP litigation over AI training data is resolved, exposes developers to claims from rights holders. Organizations that comply with AB 2013 may simultaneously increase their litigation surface area under copyright law.
“Substantial modification” has no statutory definition. The disclosure obligation triggers not just at initial release but at each substantial modification. The statute does not define what constitutes a substantial modification. Organizations operating continuous learning systems or deploying frequent model updates face genuine uncertainty about how frequently disclosure obligations refresh.
What This Means for AI Governance Programs
AB 2013 is the first U.S. law to mandate public documentation of training data for commercial AI systems at this level of specificity. It arrived alongside California’s SB 942, which governs AI-generated content disclosure. Together, the two laws establish California as the de facto national standard for AI transparency obligations, in the absence of a federal mandate.
The White House AI Policy Framework released this month explicitly directs Congress to preempt state AI laws that impose undue burdens. AB 2013 is precisely the type of law that directive targets. Until preemption legislation advances, the law remains in effect and organizations operating in California must treat it as enforceable.
Three actions follow directly from the law’s current status.
Organizations that develop generative AI must establish dataset registries that document sources, licensing terms, collection timeframes, and intellectual property status for every dataset used in training, starting from January 1, 2022. Without that foundation, compliant disclosure is not possible.
Organizations that procure generative AI from third-party developers must require disclosure-ready documentation as a contract term. Deploying a non-compliant system that is accessible to Californians creates derivative exposure, even where the organization is not the original developer.
Organizations that have not yet aligned their AI governance programs to a structured framework must treat data lineage and provenance tracking as a core governance function, not a compliance checkbox. The ARISE Framework™ GOVERN and MANAGE domains address precisely this class of obligation: establishing the policies, documentation practices, and audit trails that enable organizations to respond to disclosure requirements as they emerge across jurisdictions, not after the deadline has passed.
Bottom Line
AB 2013 is in effect. Enforcement mechanisms are undefined, legal challenges are active, and the federal preemption debate has not been resolved. That combination does not reduce risk; it distributes uncertainty across timelines that organizations cannot predict. The organizations positioned to absorb what follows are the ones that built the documentation infrastructure before the requirement arrived.
Secure & Responsible Technology does not treat regulatory uncertainty as permission to wait.
Assessed Intelligence provides embedded leadership and continuous assurance through the ARISE Framework™, and regulatory readiness engineering for organizations deploying AI in complex operating environments. Learn more at assessedintelligence.com.
