California signed two AI executive orders in sixty days. Both have compliance implications, but what are they?
Governor Newsom signed two AI executive orders in the last 60 days. Together they reflect a consistent pattern: when California can't move AI legislation through the legislature, it uses executive authority and procurement power to build the governance framework anyway. Both orders carry real compliance implications and generate real compliance work, but have different timelines, different audiences.
EO N-5-26, signed March 30, creates a procurement certification framework for AI vendors seeking California state contracts. The second order, signed May 21, addresses AI workforce disruption and is still taking shape.
Most practitioner coverage has focused on the March order. The May order has gotten far less attention since it was signed less than a week ago.
Here's what each order actually does.
N-5-26: the procurement certification clock
The core mechanism: the Department of General Services (DGS) and the Department of Technology (CDT) have a 120-day window from March 30 to submit recommended certification standards for AI vendors seeking state contracts. That deadline falls around late July 2026.
Under the framework those certifications will create, vendors will need to attest to compliance across five categories.
Illegal content prevention. Policies governing prevention of CSAM, non-consensual intimate images (NCII), and similar harmful content.
Harmful bias governance. Documentation of bias testing and mitigation practices, broader in scope than what most vendor AI governance frameworks currently cover.
Civil rights protections. Free speech, voting rights, and anti-surveillance safeguards. This goes beyond the non-discrimination focus of most private-sector AI programs and into territory most vendors haven't mapped.
Federal supply chain override. The State CISO is directed to independently review any federal supply chain risk designation. If California concludes a federal designation is improper, DGS and CDT can issue guidance allowing state agencies to continue contracting with the designated company. For vendors selling to both the federal government and California state agencies, that creates a genuine compliance conflict. A company accepted under California's independent review may simultaneously be restricted under federal procurement rules. Companies operating in both markets need to map which agencies they serve and model both scenarios now, before certification standards are finalized.
Contractor responsibility reform. GovOps must recommend changes ensuring California doesn't contract with companies judicially found to have unlawfully undermined privacy or civil liberties.
The broad scope of these categories matters. Most AI vendor governance programs are built around data accuracy, model fairness in outputs, and incident response. The N-5-26 framework adds civil rights protections and federal supply chain analysis, two areas many vendors haven't built internal attestation capacity for. The 120-day window is when DGS and CDT deliver their recommendations, not when vendors are required to comply. Once those recommendations get incorporated into contract templates, the compliance clock runs from the contract date.
What the "not enforceable" language actually means in practice
The order contains standard boilerplate: it doesn't create enforceable rights or obligations against the state, and some vendor legal teams may be reading that as clearance to wait.
The compliance obligations come through the contracts, not the order itself. That is how this mechanism works. When DGS and CDT certifications get embedded in standard state contract templates, which is the stated purpose of the 120-day recommendation process, non-compliance is a bid disqualification problem. A vendor that can't meet certification requirements won't be sued under the executive order. It won't win the contract. The enforcement arrives through procurement paperwork, before any dispute reaches a court.
California has used this path before. Environmental procurement standards, living wage requirements, and supplier diversity obligations all entered state contracting terms through executive guidance and agency rulemaking before they had legislative footing. AI governance certifications are on the same track. The boilerplate language is accurate: the order creates no legal rights. What it creates is a contract compliance framework. Those are different things, and conflating them is a planning error.
The 120-day deadline is the relevant date. Litigation timelines don't enter this picture until after a contract dispute has already started.
The May 21 workforce order
The second order is exploratory by design. It mobilizes state agencies, labor economists, universities, and industry representatives to study AI-driven workforce displacement and develop policy recommendations across several areas.
The specific mechanisms under study include: severance standards for AI-displaced workers, expanded employment insurance for displaced workers, worker ownership models, universal basic capital concepts, enhanced hiring and payroll trend tracking, and expanded workforce training programs.
No compliance obligations attach today. The policy framework this order is building is 12 to 24 months from regulatory maturity at the earliest.
California is actively building policy infrastructure around how employers deploy AI internally: what obligations may attach when AI displaces workers, how workforce disruption trends get tracked at the state level, and who bears the transition cost. For employers using AI in ways that touch hiring decisions, performance management, workforce planning, or job function automation, the compliance exposure from this order will likely arrive through labor and employment frameworks, not technology regulation.
The employers best positioned when that framework matures are the ones documenting AI deployment decisions and workforce impacts now. Documenting this information voluntarily is easier and more accurate than reconstructing it after regulators ask.
Why practitioners need to track both
SB 1047, California's proposed comprehensive AI liability bill, was vetoed by Newsom in September 2024. The pattern since then is consistent. When the legislature moves slowly or not at all, Newsom uses available executive authority to build the governance framework anyway. N-5-26 deploys the state's $14B+ annual procurement budget as the regulatory instrument. The May 21 order deploys executive rulemaking and research authority to set the policy direction on workforce issues.
The obligations that come out of this approach don't look like statutes. They appear in contract templates, certification requirements, and agency guidance documents. None of them are tracked on the legislative calendar.
For AI vendors with California state contracts in their portfolio, the N-5-26 certification framework is the near-term action item, specifically the DGS and CDT recommendations due in late July and what contract templates look like after they're incorporated.
For employers deploying AI in workforce-relevant ways, the May 21 order is the longer-range item to monitor. The policy direction is set even if the specific obligations aren't.
For AI governance counsel, whether in-house or external, California now requires tracking three channels simultaneously: legislation, executive orders, and contracting standard updates. Missing any one of them creates gaps that appear only after a contract is already on the table.
How JHarris Advisory can help
If your organization sells AI products or services to California state agencies, operates at the intersection of federal and state procurement, or is working through what AI governance certifications your vendor contracts will require, this is the work JHarris Advisory handles.
I map incoming state procurement requirements against existing AI governance frameworks, identify attestation gaps, and build the documentation to close them. That work is grounded in 12 years running these programs inside a large regulated health system.