QA Financial Forum New York | 14 May 2025 | BOOK TICKETS
Become a sponsor
Linkedin-in Twitter
Register

California’s AI law focuses on risk assessment but stops short of true QA standards

Governor Gavin Newsom signed the law late last month (Source: California Gov)

California has taken the lead in regulating artificial intelligence with the passage of the Transparency in Frontier Artificial Intelligence Act, known as Senate Bill 53.

Signed by Governor Gavin Newsom at the end of last month, the new law is being described as the first state-level AI safety regime in the United States.

It requires the largest AI developers to publish risk-assessment frameworks, transparency reports and incident-reporting mechanisms for their so-called ‘frontier models’, the most powerful, general-purpose AI systems trained on massive data sets.

The statute establishes obligations for companies such as OpenAI, Anthropic, Google and Meta to evaluate and disclose catastrophic risks associated with their models and to demonstrate how they align with recognised national and international safety standards.

For California’s technology ecosystem, it represents a shift from voluntary best practice to enforceable accountability. But for quality assurance and software testing teams, particularly those in tightly regulated industries like banking and insurance, the measure stops short of the structured QA frameworks that underpin software reliability and resilience.

Under Section 22757.10, the bill requires “a large frontier developer to write, implement, and clearly and conspicuously publish on its internet website a frontier AI framework … describ[ing] how the developer approaches incorporating national standards, international standards, and industry-consensus best practices.”

In QA terms, that clause nods toward the need for auditable quality processes, but it leaves the content of those frameworks largely up to the developers themselves. No fixed benchmarks, methodologies or testing thresholds are specified.

The most QA-adjacent provisions are those covering catastrophic-risk evaluation and incident disclosure. Section 22757.12 requires each large frontier developer to “transmit to the Office of Emergency Services a summary of any assessment of catastrophic risk resulting from internal use of its frontier models.”

Meanwhile, the Office of Emergency Services must “establish a mechanism to be used by a frontier developer or a member of the public to report … a critical safety incident.”

For testing teams in finance, these clauses resemble post-deployment defect and incident-management obligations, though the bill focuses on existential risks rather than reliability metrics, data drift or validation coverage.

No QA standards

Despite these governance advances, Senate Bill 53 avoids mandating concrete software-testing procedures. Nowhere in the 45-page statute are there requirements for unit or integration testing of AI components, pre-release validation or stress testing, third-party audit of model outputs, or defect-tracking, reproducibility or regression controls.

Instead, the legislation asks only for transparency reports summarising “the risk assessment results [and] mitigation measures”, not proof of successful verification.

In practice, that means banks and insurers deploying AI models in California will need to map these disclosure and assessment duties onto their own QA frameworks, most likely under existing regimes such as model-risk management, DORA or SR 11-7, rather than relying on the state law for procedural guidance.

Section 22757.15 obliges developers to “review and update their frontier AI framework at least annually,” mirroring continuous-improvement cycles familiar to QA managers.

Yet without explicit metrics or certification requirements, the update can remain a paper exercise. As one Silicon Valley engineer noted after the bill’s signing, “California has told us how to be safe and transparent, it hasn’t told us how to test.”

Implications for financial QA teams

For risk and QA leaders in banking, Senate Bill 53 signals an important policy direction: testing will soon be viewed not only as a technical safeguard but as part of AI-safety governance.

However, compliance teams should not mistake the law for a ready-made QA standard. Its focus is disclosure, not verification; governance, not reproducibility.

The burden remains on regulated firms to define measurable assurance controls, scenario testing, model validation, adversarial evaluation, that demonstrate both transparency and resilience.

California’s SB 53 institutionalises AI risk assessment and incident reporting but leaves the core mechanics of testing and assurance undefined.

For QA and testing teams in finance, it is a signal to prepare for transparency-driven oversight while continuing to build the rigorous, testable foundations that the law itself stops short of prescribing.

IN TWO WEEKS

Why not become a QA Financial subscriber?

It’s entirely FREE

* Receive our weekly newsletter every Wednesday * Get priority invitations to our Forum events *

REGISTER HERE TODAY

REGULATION & COMPLIANCE

Looking for more news on regulations and compliance requirements driving developments in software quality engineering at financial firms? Visit our dedicated Regulation & Compliance page here.

READ MORE

WATCH NOW

NEXT MONTH

Why not become a QA Financial subscriber?

It’s entirely FREE

* Receive our weekly newsletter every Wednesday * Get priority invitations to our Forum events *

REGISTER HERE TODAY

REGULATION & COMPLIANCE

Looking for more news on regulations and compliance requirements driving developments in software quality engineering at financial firms? Visit our dedicated Regulation & Compliance page here.

READ MORE

WATCH NOW

Related News