California has spent the past 18 months building the country's most ambitious state AI regulatory regime. The federal government has spent the past six months trying to dismantle it. Federal courts have already issued their first rulings. The European Union is rewriting its own deadlines mid-implementation. And somewhere in the middle, California law firms are advising clients on compliance regimes whose legal status will be argued in federal court before the year is out.
The collision is no longer hypothetical. It is happening now, on a timeline measured in months, and the practice areas it touches read like a directory of what California's top firms do: frontier AI development, health care, consumer protection, advertising and content moderation, antitrust. Each one sits downstream of the same question: whose AI law applies?
- California’s AI rules are already active and enforced, with penalties reaching $1 million per violation.
- Washington is pushing back with litigation, agency action and $21 billion in broadband funds tied to state AI laws.
- Courts are split so far, striking a deepfake law while allowing training data transparency requirements to stand.
- For companies using AI in California, the near term priority is documenting governance, training data sources and compliance.
A State That Did Not Blink
The story begins, as much California regulation does, with a veto. When Gov. Gavin Newsom rejected California's most ambitious AI safety bill in September 2024, the industry assumed the state had blinked. It had not.
Newsom blocked one bill and signed roughly 18 others, and his next legislative session delivered the centerpiece: the Transparency in Frontier Artificial Intelligence Act, signed in September 2025 and effective Jan. 1, 2026. It made California the first state to directly regulate frontier model developers, with civil penalties of up to $1 million per violation enforced by the attorney general.
Across two legislative sessions, California layered new requirements onto nearly every part of the AI stack a top firm is likely to advise on. Generative AI developers must now publish summaries of the datasets used to train their models. Large content platforms face watermarking and AI-detection rules pushed to August 2026 to give them time to build the required tools.
Health care has its own subregime: disclaimers on AI-generated patient communications, a prohibition on insurers denying care based on AI alone, and a ban on AI products holding themselves out as licensed health professionals. In a novel treatment of algorithmic pricing, the state is targeting shared pricing tools used by competitors.
Attorney General Rob Bonta has not stayed quiet about any of it. In legal advisories issued in early 2025, he reminded businesses that "the fifth largest economy in the world is not the wild west." His office has since announced a dedicated AI oversight and enforcement program.
A Federal Counterweight, Without the Mechanism to Match It
On Dec. 11, 2025, President Trump signed an executive order designed to be the administration's answer to what it called the patchwork of state AI regulation. The order does not preempt any state law on its own. What it does is build infrastructure for preemption.
The infrastructure has three legs. The first is litigation: an AI Litigation Task Force charged with challenging state AI laws on Dormant Commerce Clause and federal preemption theories.
The second is money: $21 billion in undisbursed broadband funds, conditioned on whether states maintain AI laws the administration considers onerous.
The third leg is agency action, which involves two major efforts. The FTC is drafting a policy statement on whether state laws altering AI outputs are preempted by the FTC Act, and the FCC is commencing a proceeding on a federal AI reporting standard.
The Courts Are Already Moving
Federal courts are not waiting for the task force. They have been reviewing California's AI statutes for almost a year, and the early results are telling, both for what California can enforce and for what the administration will eventually try.
The most consequential ruling so far came in Kohls v. Bonta, where the judge struck down California's Defending Democracy from Deepfake Deception Act. The opinion partly rested on Section 230 of the Communications Decency Act — federal law already on the books — preempting California's effort to require platforms to remove or label election-related deepfakes, making clear that California's AI laws can lose on federal preemption grounds without the executive order ever entering the picture.
A different result emerged in xAI v. Bonta. xAI argued that the training data transparency law violated the First Amendment and the Fifth Amendment's Takings Clause, was unconstitutionally vague, and would compel disclosure of trade secrets.
The court denied xAI's motion for a preliminary injunction because xAI relied on generalizations and hypotheticals rather than specifically demonstrating how its datasets qualified for trade secret protection, and determined the law likely regulates commercial speech subject to intermediate scrutiny. The law remained in force.
California's attorney general has not been passive. In a December 2025 comment letter joined by 23 other state attorneys general, he called the FCC's preemption inquiry "a dangerous overreach." The pattern is clear. The state is defending its laws on every front available, and so far, it is winning more than it is losing.
What This Means for Clients
For a senior partner advising a generative AI developer, a health system, a retail platform or a regional bank, the practical question is not whether federal preemption will eventually arrive. The practical question is what to do this quarter. The answer outside counsel across the industry has given since the order dropped is the same: comply with the state laws that are in force.
A frontier developer cannot afford to wait. The first compliance deadlines are behind us, and the attorney general has both the authority and the appetite to enforce.
A generative AI company that sells into California cannot quietly skip the training data summary. The early ruling in xAI's challenge tells you what to expect if you try.
A health system using ambient documentation or utilization-review tools has been operating under California's disclosure and human-oversight rules for more than a year, and the executive order's child safety and consumer protection carve-outs read like an exemption written for health care.
A retailer using a third-party pricing engine has new antitrust exposure regardless of where the AI vendor sits.
A content platform that thought it had cover under Section 230 is rethinking that position, which cuts both ways and changes what a defensive posture actually looks like.
What threads through all of it is documentation. Bias testing. Training data provenance. Vendor compliance attestations. Records of human review where the law requires it. Governance committee minutes that show the decisions were made, when and on what record.
The volume of work is unfamiliar to many clients. The legal exposure for skipping it is not.
Building for Every Outcome
There are three plausible scenarios for the next 18 months. Federal preemption could arrive in some form, narrowing what California can enforce. Preemption could fail in court, leaving the existing state architecture intact. Or, most likely, the question could remain unresolved while Congress debates, the FTC drafts and the task force selects its test cases.
All three scenarios point to the same near-term work. California's laws require documented governance, transparency disclosures and risk assessments. The White House's own framework endorses similar concepts under a federal banner. The NIST AI Risk Management Framework, which the frontier law cross-references, sits underneath both. A compliance program built to satisfy California will, with marginal additional work, satisfy the federal floor any preemption regime is likely to set.
What firms should not do is treat the executive order as a safe harbor. It does not preempt anything by itself. Industry guidance on that point is unanimous, and the courts have not yet endorsed any of the administration's preemption theories. Clients who paused compliance work in December are exposed today.
The harder advisory question is contract architecture. Who bears the risk if a vendor's AI system fails to meet California's training data disclosure requirements? What does indemnification look like when a model produces a biased output in a state with discrimination liability and a federal policy statement calling bias mitigation deceptive? Those are the conversations that should be happening now, before the litigation arrives.
The Layer Beyond California
Pull the lens back. A California client with global operations does not face a federalism question. It faces a three-layer regulatory question, and the third layer is moving as fast as the first two.
The European Union's AI Act was supposed to bring its high-risk system obligations and AI-generated content transparency rules into force on Aug. 2, 2026. EU lawmakers adopted their position on the European Commission's Digital Omnibus proposal to delay high-risk obligations and push the compliance deadline for watermarking AI-generated content to late 2026, which simply sets the stage for negotiations with the European Council on the final text. General-purpose AI obligations have been in force since August 2025 and are already being enforced.
For a California firm, this means three compliance clocks — California, federal and EU — running on different timelines toward overlapping but distinct definitions of the same regulated activity. Federal preemption, if it arrives, does not touch the third clock.
California firms are not waiting for federal clarity because they cannot. The state's AI laws are live, enforced and litigated in real time.
The administration's pressure campaign is real but indirect, and the courts have not ratified any of its preemption theories. The EU is restructuring around its own implementation problems. The California attorney general is building enforcement capacity at the same time. The work for the next six to 12 months is the same regardless of how the federal question is eventually resolved.
Document. Govern. Comply. Build for every outcome. The firms that treat this moment as a wait-and-see problem will be advising their clients into avoidable exposure, and a frontier law that allows for $1 million per violation does not leave much margin for advisory error.
