AB 1405 directs the Government Operations Agency to run an online enrollment system for organizations that audit artificial intelligence systems used by California state agencies, and it requires auditors to sign up before performing any statutorily mandated third‑party “covered audit.” The bill sets baseline obligations for enrolled auditors — from following recognized industry standards to producing a specified audit report — and bars certain employment and financial relationships that would create conflicts of interest.
The law also creates an AI Auditors’ Enrollment Fund to receive fees and other moneys to support administration, and it gives the agency a public-facing reporting channel for misconduct that it must retain and share with other state enforcement bodies as needed. For compliance officers and procurement teams, the bill creates new vendor onboarding steps, documentation expectations, and confidentiality rules that will change how state agencies contract for and receive independent AI audits.
At a Glance
What It Does
The agency must provide an online enrollment portal and a public directory of enrolled AI auditors, set an enrollment fee capped at reasonable administrative costs, and publish information auditors submit. The agency must retain misconduct reports while an auditor is enrolled plus 10 years and may share those reports with other enforcement entities.
Who It Affects
Independent AI auditors that perform state‑required third‑party audits, state agencies that procure AI audits, vendors that develop or operate AI systems for state use, and employees of auditing firms who may report compliance problems. The rule set also influences certifiers and peer‑review organizations that appear on auditors’ enrollment records.
Why It Matters
This creates the first statewide registration and public transparency layer specifically for AI auditors in California, tying professional visibility to compliance. It also standardizes minimum documentation and conflict‑of‑interest controls that will matter in procurement, contract negotiations, and risk assessments for teams buying independent AI assurance.
What This Bill Actually Does
AB 1405 adds a discrete chapter to the Government Code that governs persons and entities that perform independent third‑party audits of AI systems when a state statute requires such an audit. The bill begins by defining key terms — including “AI,” “AI auditor,” and “covered audit” — and then mandates a public enrollment process for any auditor that intends to perform a covered audit for a California state entity.
Enrollment is a precondition to undertaking those audits.
To enroll, an auditor must provide core contact and business information, disclose the types of AI systems it will audit, list relevant certifications and their issuers, submit a short written description of services (capped at 200 words), and supply a standard operating procedure (SOP). The SOP must describe the auditor’s protocols with enough detail to allow a third party to evaluate whether the auditor follows widely recognized industry standards; the SOP must also include supporting documentation for any claims about its own methods’ accuracy or validity.
The statute requires enrolled auditors to adhere to generally accepted industry best practices or widely recognized standards appropriate to the model being audited. When an enrolled auditor completes a covered audit, it must deliver a written audit report to the auditee that lists scope and objectives, documents the audit results and the basis for those results, explains steps the auditee can take to meet recognized standards and comply with state law, and contains a dated signature statement from each auditor certifying completion. Auditors must keep records and any documentation supporting their findings for at least 10 years.
The law also bars audits where the auditor has a financial interest in the auditee, forbids auditors from accepting employment with an auditee within 12 months after completing an audit, and prohibits auditors from auditing an entity that employed them during the prior 12 months.
On the transparency and enforcement side, the agency must host a mechanism for natural persons to report auditor misconduct; it will retain those reports for as long as the auditor remains enrolled plus 10 additional years, and may share them with other state agencies for enforcement. The bill creates a dedicated state fund to receive enrollment fees and other moneys; the fund finances administration of the enrollment and oversight regime subject to legislative appropriation.
The agency must set enrollment fees by January 1, 2027, and publish enrolled auditors’ submitted information publicly beginning that date.
The Five Things You Need to Know
The bill fixes January 1, 2027 as the date by which the agency must have the enrollment portal, fee schedule, and public reporting mechanism in place.
An auditor’s enrollment package must include a standard operating procedure and supporting documentation that enable a third party to assess whether the auditor follows widely recognized industry standards.
An enrolled auditor must retain documentation underpinning a covered audit’s results for at least 10 years and the agency must retain misconduct reports for the auditor’s enrollment term plus 10 years.
The statute creates the AI Auditors’ Enrollment Fund in the State Treasury to receive enrollment fees and other moneys, with expenditures subject to appropriation by the Legislature.
The bill imposes a 12‑month cooling‑off rule: auditors cannot accept employment from an auditee within 12 months after completing a covered audit, and auditors cannot audit an auditee who employed them in the prior 12 months.
Section-by-Section Breakdown
Definitions and scope
This section defines the chapter’s operative terms: agency (the Government Operations Agency), artificial intelligence, AI auditor (person, partnership, or corporation auditing AI), and covered audit (an audit required by any state statute that mandates an independent third‑party auditor). Practically, the covered‑audit definition limits the chapter’s precondition to those audits that other statutes expressly require, not every voluntary or commercial AI assessment.
AI Auditors’ Enrollment Fund
The bill establishes a dedicated fund in the State Treasury to receive all moneys collected under the chapter. The agency administers the fund and may spend money only upon appropriation. That means the program’s staffing and operational capacity ultimately depend on legislative budgeting even though the agency may collect fees upfront.
Agency duties: portal, fees, publication, and retention
The agency must deliver an online enrollment mechanism and a separate mechanism for members of the public to report alleged auditor misconduct by January 1, 2027. The agency sets an enrollment fee not to exceed the reasonable costs of administering the chapter, must publish information submitted by enrolled auditors in a publicly accessible format, and must retain and—where necessary for enforcement—share misconduct reports with other state agencies. Operationally this creates a public registry and a centralized whistleblower intake point tied to enforcement referral.
Enrollment requirements and SOP
Before performing a covered audit, auditors must enroll and pay the fee. Enrollment requires identity and contact data, the types of AI systems to be audited, names of certifying entities for any listed accreditations, a 200‑word business description, and an SOP. The SOP must describe protocols with enough specificity for third‑party assessment and include documentation supporting claims about the auditor’s methods. This provision operationalizes how auditors demonstrate competence and transparency to both agencies and the public.
Audit conduct, reporting, record retention, and conflict rules
Enrolled auditors must follow widely recognized industry standards appropriate to the audited system. After a covered audit they must deliver a report that details scope, results with supporting documentation, remediation steps to meet standards and comply with law, and a signed certification by each auditor. Auditors must retain supporting records for at least 10 years. The section also bars audits where auditors hold financial interests in the auditee and establishes the 12‑month pre‑ and post‑employment cooling‑off constraints intended to prevent conflicts of interest.
Confidentiality, permitted disclosures, and whistleblower protections
Auditors may disclose auditee confidential information only with written consent or under enumerated exceptions (court subpoena, legal defense, official regulatory inquiry, peer consultation under NDA, professional review organizations, or where law permits). The statute protects employees who report violations to the Attorney General, Labor Commissioner, or via the agency’s misconduct mechanism and prohibits retaliation—creating a statutory whistleblower channel linked to the public registry.
Existing-scope savings and repeal of an earlier sunset clause
This section clarifies that the chapter does not impede audits required by statutes that become operative prior to this chapter’s effective date; the bill also repeals the existing Section 11549.86 (which contained a sunset to January 1, 2027). The practical effect is to eliminate the prior temporary status and fold the new enrollment regime into the statutory framework going forward.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- State agencies that procure AI audits — they gain a public registry to vet auditor credentials, a standardized report format, and a centralized complaints channel that can improve quality control and reduce procurement risk.
- Auditees and affected Californians — the audit-report requirements and retention rules increase transparency about how state‑used AI systems were evaluated and what remediation steps were recommended.
- Employees and whistleblowers within auditing firms — statutory protections against employer retaliation and a state reporting mechanism lower barriers to reporting noncompliance or unethical conduct.
- Auditors with formalized processes and certifications — reputable firms benefit from public visibility, clearer marketplace expectations, and a framework that can validate their methodologies.
Who Bears the Cost
- Independent and small auditing firms — they must develop SOPs with supporting documentation, pay enrollment fees, and maintain 10‑year records, increasing compliance costs and administrative burden.
- State Government Operations Agency — the agency must build and run the portal, maintain public records, and manage reports; while fees fund the program, implementation depends on legislative appropriation, potentially straining administrative capacity.
- Auditees (state contractors and vendors) — they may face stricter auditing processes, higher audit costs as auditors pass on compliance expenses, and tighter confidentiality constraints during procurement and due diligence.
- Peer review and certifying organizations — they may face increased demand to provide recognized accreditations and could see liability or reputational risk if listed certifications are later questioned.
Key Issues
The Core Tension
The central dilemma is between transparency/accountability and supply-side friction: the bill increases public visibility into who audits government AI and sets conduct rules to protect independence, but those same registration, documentation, confidentiality, and cooling‑off requirements raise costs and administrative burdens that could shrink the pool of available auditors or push smaller firms out of the market, potentially raising audit costs or delaying procurement.
AB 1405 pushes transparency and basic professional controls into a growing market for AI assurance, but it leaves several practical questions open. The statute requires SOPs and supporting documentation, yet it does not appoint a specific standard‑setting body or enumerate which industry standards qualify as “widely recognized,” leaving both auditors and procuring agencies to interpret adequacy.
That gap will matter in disputes over whether an auditor followed acceptable protocols and in bid evaluations where different auditors claim adherence to competing standards.
The law depends on fee revenue deposited into a new state fund and on legislative appropriation to pay for ongoing administration. That structure means operational capacity could lag demand if the Legislature does not appropriate funds, or if fee revenue is insufficient.
The confidentiality carveouts and permitted disclosures balance auditee privacy against enforcement needs, but they also create operational friction: auditors must make judgment calls on when disclosures are “reasonably necessary” for defense or fall under an official inquiry, which could trigger litigation or divergent disclosure practices. Finally, the 12‑month employment restriction reduces conflicts risk but may limit auditor hiring flexibility and raises questions about how the cooling‑off rule interacts with contract work and subcontracting arrangements.