California Publishes Executive Order on AI

On March 30, 2026, Governor Gavin Newsom signed Executive Order N-5-26, building on California's earlier AI framework established by Executive Order N-12-23 (September 2023). The new order directs multiple state agencies to develop and implement a series of measures aimed at ensuring that Generative Artificial Intelligence ("GenAI") is procured and deployed responsibly across state government operations. The order focuses on leveraging public procurement as a tool to shape market behavior and encourage responsible AI innovation, while safeguarding privacy, civil rights, and civil liberties. Though not enforceable in and of itself, the order does direct a number of subsidiary state agencies to take actions that will bind companies operating GenAI within the state, with most of these actions having an initial 120-day deadline (falling on July 28, 2026).

Below, we provide a brief summary of the order's specific provisions, as well as some of the key takeaways that companies operating in California should take note of before the various recommendations are due. 

Key Provisions

New Certification Requirements for State Contractors: The order directs the Department of General Services ("DGS") and the Department of Technology ("CDT") to submit recommendations within 120 days for new certifications that may be incorporated into state contracting processes. Companies seeking to do business with the state may be required to attest to and explain their policies and safeguards in several areas, including the prevention of exploitation or distribution of illegal content such as child sexual abuse material and non-consensual intimate imagery; the governance of models to reduce risks of harmful bias; and the protection of civil rights and civil liberties, including free speech, voting, human autonomy, and protections against unlawful discrimination, detention, and surveillance. 

Federal Supply Chain Risk Review: The CDT State Chief Information Security Officer ("CISO") is directed to review any new federal government designations of companies as supply chain risks. If the CISO concludes that a federal designation is improper, DGS and CDT will jointly issue guidance ensuring that state departments and agencies can continue to procure from that company. The CISO may also review other federal procurement changes to assess whether they improperly restrict procurement and recommend appropriate measures in response. 

Contractor Responsibility Reforms: Within 120 days, the Government Operations Agency ("GovOps"), in consultation with DGS and CDT, must submit recommendations on reforms to contractor responsibility provisions, including suspension and ineligibility authorities. These reforms are intended to ensure that state entities do not contract with entities that have been judicially determined to have unlawfully undermined privacy or civil liberties, such as freedom of speech, voting, and protections from unlawful discrimination and surveillance. 

Employee Access to GenAI Tools: The order directs GovOps, CDT, the Office of Data and Innovation ("ODI"), DGS, and the California Department of Human Resources ("CalHR") to facilitate employee access to vetted GenAI tools for general use cases, with appropriate privacy and cybersecurity safeguards and in accordance with procedures specified in the Budget Act of 2025. 

Best Practices, Training, and Community of Practice: State agencies are directed to leverage the State Technology Council and the AI Community of Practice to share best practices on responsible AI procurement and adoption while protecting public safety, civil liberties, and privacy. The order also calls for expanded trainings on emerging technology, including AI, leveraging partnerships with industry and nonprofit partners. 

Data Minimization Toolkit: The order also calls for the development of a minimization toolkit for departments and agencies with best practices, templates, special contract provisions, and program review checklists, and directs support for select departments with sensitive data collection to implement the toolkit. Beyond the practical value of these materials, these documents will also serve as signal indicators for future enforcement and regulatory actions; by setting the standards for data minimization, these agencies are also signaling exactly what they may look for in industry implementations. 

AI Watermarking Guidance: Within 120 days, CDT, in collaboration with GovOps, must issue best practice guidance for departments and agencies to appropriately watermark AI-generated or significantly manipulated images or video, in line with California Business & Professional Code §§ 22757.2 and 22757.3.

GenAI-Powered Government Services: The order calls for the development of a pilot application or website using GenAI to provide Californians with streamlined, user-friendly access to government services organized by life event, such as disaster relief, starting a business, and finding a job. Additionally, the State Digital Strategy is to be updated to identify opportunities for GenAI to strengthen government transparency, accountability, and performance.

Key Takeaways 

As an initial matter, companies that sell or license AI products or services to California state agencies should begin preparing for new certification requirements that may be incorporated into the state's procurement process. These may require vendors to affirmatively attest to and document their policies and safeguards around content moderation, bias governance, and civil liberties protections. To support this task, companies may look to revise or update their AI governance policies, both internally and with their external vendors, so that they can respond efficiently to any changing requirements and ensure these certification requirements are met.

The order also signals California's willingness to diverge from federal supply chain risk designations (among other AI-specific guidance from the federal government) that the state deems improper. Companies affected by federal procurement restrictions should monitor California's review process, as the state may offer an alternative pathway to maintain procurement eligibility within California.

The proposed contractor responsibility reforms underscore the importance of robust compliance programs around privacy and civil liberties. Companies that have been or could be judicially determined to have undermined these protections face potential suspension or ineligibility from state contracts. This provision should prompt AI vendors to conduct thorough internal audits of their products and practices, particularly with respect to surveillance, discrimination, and speech-related concerns. While similar federal guidance does acknowledge the need for protection of constitutional liberties, the California order's focus on these rights as paramount may come into conflict with current Executive Orders and guidance set forth by the President, especially recent guidance which asks Congress to preempt state AI regulation.

The forthcoming data minimization toolkit will likely influence the terms and conditions of future state contracts. Companies handling sensitive data on behalf of state agencies should anticipate stricter requirements around data collection, retention, and use, and should review their data practices accordingly.

Companies producing or deploying AI-generated visual content should familiarize themselves with California Business & Professional Code §§ 22757.2 and 22757.3 and prepare to comply with the state's forthcoming watermarking best practices. While the order's watermarking guidance applies directly to state agencies, it may signal broader expectations for the private sector as well.

The order's emphasis on industry partnerships, training, and pilot programs may create opportunities for AI companies to engage constructively with California state government. Companies should consider participating in the AI Community of Practice and related initiatives to help shape responsible AI procurement standards rather than being told, after the fact, of their obligations.

Conclusion

Executive Order N-5-26 signals a significant expansion of California's AI governance framework, with a particular emphasis on using the state's procurement power to promote responsible AI deployment. While the order does not itself impose binding legal obligations on private entities, it sets in motion a 120-day rulemaking and recommendation process that is likely to produce concrete new requirements for companies doing business with the state. It is also notable for its provisions allowing California to independently evaluate, and potentially override, federal supply chain risk designations that the state considers improper. Companies operating in the AI space in California should closely monitor the implementation of this order and begin assessing their readiness for the anticipated new standards.
