On March 30, 2026, California Governor Gavin Newsom signed Executive Order N-5-26 (the “Order”), aimed at governing the responsible procurement and deployment of Generative Artificial Intelligence (“GenAI”) across California’s state government. The Order builds on the foundation laid by Executive Order N-12-23, issued in September 2023, by directing a series of actions across multiple state agencies, with most deliverables due within 120 days. The key directives are as follows:
New Vendor Certification Requirements for State Contracts
The Order directs the Department of General Services (“DGS”) and the Department of Technology (“CDT”) to submit recommendations for new certifications that may be incorporated into state contracting processes. These certifications would require companies that contract with California state agencies to attest to and explain their AI policies and safeguards in several critical areas, including:
- exploitation or distribution of child sexual abuse material and other illegal content;
- governance measures to reduce harmful bias in AI models; and
- violations of civil rights and liberties such as free speech, voting, human autonomy, and protections from unlawful discrimination, detention, and surveillance.
Review of Federal Supply Chain Risk Designations
The Order tasks CDT’s CISO with reviewing any new federal government designations of companies as supply chain risks. If the CISO concludes that a federal designation is improper, DGS and CDT will jointly issue guidance ensuring that state agencies continue to procure from the designated company. The CISO may also review other federal procurement changes to assess whether they improperly restrict procurement and to recommend appropriate measures in response.
This follows the Pentagon’s recent designation of Anthropic as a “supply chain risk” in response to Anthropic’s reported refusal to agree to modified AI safety configurations for models provided under its contract with the Pentagon. The Department of War’s designation of Anthropic was recently enjoined by a federal district court. The Order appears intended to insulate the procurement decisions of California’s own state agencies from federal actions the state may view as politically motivated.
Contractor Responsibility Reforms
The Order directs the Government Operations Agency (“GovOps”) to submit recommendations on reforms to ensure that state agencies do not contract with entities that have unlawfully undermined privacy or civil liberties, as determined by a court. It remains to be seen what specific reforms may result from these recommendations. The intent appears to be to give California agencies a mechanism to decline to license AI from companies whose safety or privacy practices have been subject to successful lawsuits or enforcement actions. However, California has a multitude of statutes and regulations that arguably fall under the rubrics of “privacy” or “civil liberties,” as well as an active plaintiffs’ bar and enforcement landscape; a certain baseline level of litigation is normal in California. It remains to be seen how GovOps will balance this with the Order’s request to restrict government contracting with entities judicially determined to have unlawfully undermined privacy or civil liberties.
Additional Provisions
In addition, the Order directs a variety of agencies to:
- Facilitate state employee access to GenAI tools vetted for appropriate privacy and cybersecurity safeguards.
- Update the State Digital Strategy to identify opportunities for GenAI to improve government service, including transparency and accessibility.
- Leverage existing resources to share best practices on responsible AI procurement and adoption that protects public safety, civil liberties, and privacy.
- Develop a pilot application or website using GenAI to facilitate access to government services organized by life event (e.g., disaster relief, seeking employment).
- Expand training on emerging technologies such as AI.
- Publish a data minimization toolkit with best practices, templates, contract provisions, and checklists for agencies to implement.
- Issue best practice guidance for agencies to appropriately watermark AI-generated or significantly manipulated images or video in accordance with state law.
Implications for Businesses and Key Takeaways
The Order carries significant implications for companies that contract with, or seek to contract with, the State of California, and possibly beyond. The Order expressly recognizes that public procurement is a powerful tool for shaping market behavior.
The new vendor certification requirements could impose meaningful compliance obligations on AI companies and technology vendors, requiring them to demonstrate and document safeguards around bias, civil liberties, and illegal content. Potentially affected companies should begin evaluating their internal AI governance policies that address these areas in preparation. The certification standards adopted pursuant to the Order could also prove influential in the development of generally accepted contractual assurances in commercial agreements involving the purchase, sale, and/or license of GenAI solutions or services powered by GenAI tools.
It is important to note that the Order is not self-executing. Most directives require agencies to submit recommendations within 120 days, meaning the specific contours of these requirements will take shape over the coming months. Companies doing business with California should continue to monitor developments as state agencies implement these directives into concrete procurement rules and guidance. If you have questions about how the Order may impact your business, please reach out to our Privacy, Cyber, and Data Strategy Team.
