Newsom Signs Executive Order Establishing AI Vendor Certification and Procurement Framework

On March 30, 2026, Governor Gavin Newsom signed Executive Order N-5-26 (the “Order”), directing California state agencies to develop new certification requirements and procurement standards for companies seeking to provide AI-enabled products or services to the state.¹ The Order represents the latest move in an intensifying contest between California and the federal government over the future of AI regulation in the United States.

The Order is legally modest in its ambition: it directs the Department of General Services and the Department of Technology (collectively, the “Departments”) to submit recommendations within 120 days for new vendor certifications that may be incorporated into state contracting processes. These certifications would require vendors to attest to and explain their policies and safeguards concerning the exploitation or distribution of illegal content, harmful model bias, and violations of civil rights and civil liberties. The Order also requires the Department of Technology to issue best practice guidance on watermarking AI-generated or significantly manipulated images and video.

As a practical matter, the Order can be seen as a direct counterpoint to the Trump administration’s deregulatory posture on AI. The Order arrives at a critical inflection point in the federal-state contest over AI governance, and its practical significance extends well beyond Sacramento. The Golden State is home to 33 of the top 50 AI companies and commands the world’s fourth-largest economy. Not all of those businesses contract with California, but larger companies may adopt these requirements into their contracting, and smaller companies may adopt these standards to credential their products. Given the scale of the California AI economy, the Order may join the Colorado Artificial Intelligence Act as a lodestar for what are deemed “best practices” nationally.

Key Provisions of the Executive Order

The Order establishes several workstreams, each subject to a 120-day deadline from the date of issuance. At the conclusion of this period in late July, the Departments will submit their recommendations to Governor Newsom, who will determine whether and how to incorporate them into state contracting processes.

New Vendor Certifications. The Order directs the Departments to submit recommendations for new certifications that may be incorporated into state contracting processes.² Entities seeking to do business with California would be required to attest to and explain their policies and safeguards to protect public safety and prevent the misuse of their technologies in the following areas:

• Illegal Content: Exploitation or distribution of illegal content, including child sexual abuse material and nonconsensual intimate imagery.³
• Harmful Bias: Utilization of models that display harmful bias or that lack governance mechanisms to reduce the risk of such bias.⁴
• Civil Rights and Civil Liberties: Violation of civil rights and civil liberties, including free speech, voting, human autonomy, and protections against unlawful discrimination, detention, and surveillance.⁵

Contractor Responsibility Reforms. The Order directs the California Government Operations Agency (GovOps), in consultation with the Departments, to submit recommendations on reforms to contractor responsibility provisions, including suspension and ineligibility authorities, to ensure that state entities do not contract with entities that have been judicially determined to have unlawfully undermined privacy or civil liberties.⁶

Decoupling from Federal Procurement Decisions. In a provision widely interpreted as a response to the Pentagon-Anthropic procurement dispute, the Order directs the Department of Technology’s Chief Information Security Officer (CISO) to review federal designations of companies as supply chain risks.⁷ If the CISO concludes that a federal designation is improper, the Departments will jointly issue guidance enabling other state departments and agencies to continue procuring from that company, effectively enabling California to separate its procurement authorization process from that of the federal government.

AI Watermarking Guidance. The Department of Technology, in collaboration with GovOps, must issue best practice guidance for departments and agencies on watermarking AI-generated or significantly manipulated images or video, consistent with industry best practices and in line with the California AI Transparency Act (operative August 2, 2026).⁸

Expanded Government Use of AI. The Order also directs agencies to facilitate employee access to vetted generative AI tools with appropriate privacy and cybersecurity safeguards, update the State Digital Strategy, develop a pilot application providing Californians with AI-powered access to government services organized by life event, expand workforce trainings on emerging technology, and publish a data minimization toolkit for departments and agencies.⁹

The Broader AI Regulatory Landscape

In December 2025, President Trump signed an executive order entitled, “Ensuring a National Policy Framework for Artificial Intelligence,” which directed federal agencies to challenge state AI laws and sought to establish a “minimally burdensome national standard” for AI regulation.¹⁰ That order created an AI Litigation Task Force within the Department of Justice to challenge state laws on preemption and interstate commerce grounds and instructed the Secretary of Commerce to evaluate state AI laws for potential federal action. The federal order also signaled that states with onerous AI laws could face restrictions on federal funding, including Broadband Equity Access and Deployment Program funds.

Building on the December executive order, the White House released its “National Policy Framework for Artificial Intelligence” on March 20, 2026, outlining legislative recommendations for Congress to broadly preempt state AI laws deemed to impose undue burdens.¹¹ The Framework proposed preserving certain state authorities, including over child protection, consumer fraud, zoning, and notably, “state government procurement and use of AI.” Governor Newsom’s Order appears designed to operate squarely within this carve-out. By exercising California’s procurement power rather than enacting generally applicable regulatory mandates, the state may insulate its requirements from federal preemption challenges.

Meanwhile, Congress has repeatedly declined to enact comprehensive federal preemption of state AI laws. Preemption provisions were stripped from both the “One Big Beautiful Bill Act” and the National Defense Authorization Act after significant pushback from states and other stakeholders. This federal gridlock has created space for states to fill the regulatory void—a dynamic that the California Order exemplifies.

But California is not acting alone among the states. Colorado, Texas, and Utah have enacted or considered AI governance statutes addressing algorithmic accountability and transparency, though some have encountered headwinds from the White House. In California itself, the state legislature is advancing additional AI legislation, which would establish new guardrails for AI companion chatbots used by minors, building on existing chatbot legislation signed by Governor Newsom.

Practical Implications and Influence on Nationwide Practices

As we have seen with privacy legislation, as California goes, so goes the nation. The state’s massive market power gives its procurement decisions outsized influence over corporate behavior, and companies that develop compliance infrastructure to meet California requirements typically adopt those standards across all jurisdictions, establishing in this case a de facto baseline for responsible AI practices.

Attestation-Based Compliance. The Order’s certification model—requiring companies to attest to and explain their policies and safeguards—is notable for its reliance on self-certification rather than prescriptive regulation. This approach may prove more durable against federal preemption challenges because it operates within California’s traditional procurement authority rather than imposing generally applicable regulatory mandates. At the same time, the attestation framework creates meaningful accountability: companies that misrepresent their safeguards in procurement certifications face potential exposure under existing laws governing false claims and fraud in government contracting.

Structural Considerations and Limitations. The Order itself does not impose binding legal requirements on AI companies. It instead initiates a 120-day process to develop recommendations for certifications that may be incorporated into contracting processes and expressly disclaims the creation of any enforceable rights or benefits. Whether the resulting certifications are ultimately adopted will depend on the recommendations that emerge from the diligence process and subsequent gubernatorial action. Similarly, the Order’s provision authorizing California to override federal supply chain risk designations asserts a degree of state procurement sovereignty that could become a flashpoint in future disputes with the administration.

Takeaways for AI Companies and Government Contractors

The Order represents a strategic deployment of California’s procurement authority to shape responsible AI practices at a moment when federal regulatory efforts remain fragmented and contested. By leveraging its position as the nation’s largest state market for AI products and services, California is positioning its procurement standards to function as de facto national benchmarks—potentially filling the governance vacuum left by congressional inaction and the uncertain legal durability of federal executive orders.  The 120-day diligence period that began on March 30, 2026 will be a critical window for stakeholders to engage with and monitor the development of what may become the most consequential AI governance framework in the United States.

Companies developing or deploying AI systems—especially those that currently contract with or intend to contract with California state agencies—should prepare now for the certification and attestation requirements that are likely to follow, and consider taking several immediate steps in response to the Order:

• Evaluate existing AI policies and safeguards.Review current measures related to illegal content prevention, algorithmic bias mitigation, civil rights protections, and content provenance and watermarking, ensuring they align with the categories highlighted in the Order. Although the final certification requirements are still forthcoming, the Order makes clear which areas will be subject to heightened scrutiny.
• Closely monitor California’s 120-day recommendation process.The Departments’ forthcoming recommendations will clarify the scope and rigor of the new certifications, including whether requirements will apply beyond generative AI to other systems, and what level of documentation or third-party validation may be necessary.
• Assess the intersection with existing compliance obligations.Consider how the Order’s anticipated requirements interact with current obligations under California’s privacy, transparency, and algorithmic accountability laws, as well as emerging federal standards. Given California’s influence on national market expectations, companies that proactively align their governance frameworks with the Order’s categories may secure a competitive advantage in both government and commercial sectors.

Ropes & Gray is closely monitoring ongoing developments in state and federal AI regulations. For further information or guidance on navigating these evolving requirements, please reach out to your Ropes & Gray contacts or the authors of this alert.