California AI Transparency Act: Enterprise Compliance Guide

California's SB 942, the California AI Transparency Act, was approved and filed on September 19, 2024 and became operative on January 1, 2026. The law is narrower than many AI-governance summaries imply. It applies to a "covered provider": a person or entity that creates, codes, or otherwise produces a generative AI system with more than 1,000,000 monthly visitors or users and that is publicly accessible in California. The official bill text is available from California Legislative Information.

That means most enterprises are not directly covered merely because employees use AI at work. The practical enterprise issue is procurement and workflow control: if a team relies on covered public GenAI tools to create customer-facing media, the company should know whether the tool supports the required disclosure mechanisms, whether exported files preserve provenance data, and whether downstream editing strips those signals. Treat the Act as a media-provenance and vendor-governance trigger, not as a blanket rule for every AI-written email, report, or support draft.

SB 942 focuses its detection-tool, manifest-disclosure, and latent-disclosure requirements on image, video, and audio content, including combinations of those media. Covered providers must make a no-cost AI detection tool available, offer users the option to include a clear manifest disclosure in generated or altered image, video, or audio content, and include latent provenance data in AI-generated image, video, or audio content when technically feasible and reasonable.

The Act does not impose the same watermarking requirement on blocks of generated text. It also does not name C2PA as the required standard; it requires latent disclosures to be consistent with widely accepted industry standards. Enterprise teams should still prefer tools and workflows that preserve content provenance, because media files often move through editing, DAM, CMS, and social-publishing systems that can strip metadata. A governed workflow can help preserve provider disclosures, document when provenance is lost, and route external media through review before publication.

SB 942 does not create a general enterprise audit-trail mandate for every generative AI deployment. Section 22757.4 sets the civil penalty structure: covered providers that violate the chapter can face $5,000 per violation, enforced by the Attorney General, a city attorney, or county counsel. The Act also includes privacy limits for detection tools, including restrictions on retaining personal information, submitted content, and personal provenance data.

Audit trails remain important, but the reason should be stated accurately. For enterprise buyers and deployers, logs help answer practical governance questions: which tool produced the media, which workflow exported it, whether a manifest disclosure was requested, whether latent provenance survived editing, and who approved external use. Those logs support vendor management, incident response, and consumer-protection reviews, even when SB 942 itself places the core statutory duties on covered providers.

SB 942 does not distinguish low-impact and high-impact enterprise AI usage, and it does not use the phrase "meaningful human review." Those concepts appear in other AI governance discussions and in some automated-decision frameworks, but they should not be attributed to this Act.

That does not make review gates unnecessary. If AI-generated media, chatbot scripts, financial explanations, legal-adjacent drafts, hiring content, healthcare content, or safety-related communications will reach consumers, a human review workflow is still good governance. Using role-based access control and routing logic, a company can require approval before external publication, record who approved the content, and document whether the relevant provider disclosure was preserved. The review gate is a risk-control best practice here, not a specific SB 942 command.

The Act does not directly regulate enterprise Retrieval-Augmented Generation (RAG) inputs or require companies to disclose every document source behind a customer-facing AI bot. RAG quality, source freshness, permission boundaries, and customer-data isolation are still critical, but they are governed by broader privacy, security, consumer-protection, contractual, and sector-specific obligations rather than SB 942's media-provenance rules.

A practical control program should still connect these concerns. Keep an inventory of external-facing AI systems, identify which ones generate or alter image, video, or audio content, track the providers and model routes involved, and separate that media-provenance evidence from RAG source-management evidence. This avoids overstating one statute while still giving security, legal, and product teams the facts they need.

The California AI Transparency Act became operative on January 1, 2026. Covered providers should already have detection-tool and disclosure programs mapped to the statute. Enterprise buyers should focus on a narrower readiness plan: identify covered GenAI providers in the stack, ask vendors how their manifest and latent disclosures work, test whether editing and publishing workflows preserve provenance, and define review rules for external image, video, and audio content.

A centralized AI governance layer can help, but the goal should be precise: preserve provenance where it exists, prevent employees from bypassing approved media workflows, keep evidence of publication decisions, and avoid conflating SB 942 with unrelated high-risk decision or RAG-source obligations. Accurate scoping makes the compliance program stronger and easier to defend.