SB1011 carves out a new chapter requiring utilities that use automated decision systems (ADS) in the design, operation, maintenance, or mapping of electric and gas infrastructure to adopt safety, governance, and workforce protections. The bill distinguishes “high‑risk” ADS — those that change system records, recommend operational actions, or affect safety-critical decisions — and bars those systems from acting in live operations without affirmative human review, logging, and staged testing.
The law assigns oversight to the California Public Utilities Commission for privately owned utilities and the Energy Commission for publicly owned utilities, requires safety-plan filings and extended staging, mandates provenance logs and incident-reporting deadlines, and creates notice and retraining obligations for affected employees and labor organizations. For regulators, vendors, and utilities this shifts the compliance burden onto operational policies, vendor disclosure, and workforce planning; for frontline workers it builds statutory protections against job loss from ADS deployments.
At a Glance
What It Does
SB1011 requires covered utilities to treat certain ADS as "high‑risk," prohibit their autonomous operation in live systems, and implement human‑override, provenance logging, and staged testing. It also compels utilities to file safety plans with the CPUC or Energy Commission, report ADS‑related incidents quickly, and negotiate retraining and notice with labor representatives.
Who It Affects
The law applies to private electrical and gas corporations as well as publicly owned electric and gas utilities, their ADS vendors, licensed California professional engineers, and represented utility workers whose roles intersect with engineering, mapping, or operations. Regulators receive new disclosure and audit authority.
Why It Matters
This is one of the first state statutes to place granular operational controls on AI embedded in utility infrastructure, changing procurement, vendor relationships, and operational change‑management. Utilities will face new safety and documentation obligations while labor groups gain formal notice and retraining leverage when automation reshapes jobs.
What This Bill Actually Does
SB1011 begins by defining the tools it covers (automated decision systems) and then draws a bright line around those systems that can materially affect physical utility infrastructure: anything that edits GIS layers, recommends field actions, or alters control room behavior is treated as high‑risk and subject to strict controls. The law does not ban AI in utilities; it requires that AI be a support tool, not an autonomous actor when safety or system records are involved.
Operationally, the bill creates a workflow: before a high‑risk ADS goes live a utility must file a safety plan with the appropriate regulator describing the model, training data, update cadence, known limits, bias testing, cybersecurity controls, human‑override and rollback features, and scenario test results. The system must run in a nonoperational staging environment (the bill sets a statutory minimum staging period and allows the regulator to set an alternative) with all proposed changes held pending human review and approval.
A provenance log must record model identity and version, training data sources, timestamps, human approvers, and the specific modifications or overrides they made.
When an ADS contributes to a serious outage, equipment damage, or a safety hazard, the utility must alert the regulator within 24 hours and submit a root‑cause report within 30 days that identifies the vendor model and version, training data source, provenance log entries, and corrective actions. The bill also forces utilities to provide affected labor organizations with safety plans and to give at least 180 days’ notice before introducing technological changes that materially change duties; it requires utilities to pursue retraining, redeployment, or reclassification before laying off staff in certain technical roles.
Finally, SB1011 creates parallel compliance tracks: the CPUC enforces the rules for privately owned utilities (including penalties under existing statutory provisions) while the Energy Commission and public utility governing boards handle publicly owned utilities through certification and reporting.
The statute contemplates regulatory rulemaking to fill in operational details and leaves intact existing labor‑law rights and collective bargaining protections.
The Five Things You Need to Know
A licensed California professional engineer must perform the required human review and approval whenever an ADS output qualifies as an "engineering decision."
A high‑risk ADS must operate in staging mode for a minimum of 18 months (unless the CPUC or Energy Commission sets a different period) before full deployment.
Utilities must report to the regulator within 24 hours any event where a high‑risk ADS contributed to outages affecting more than 500 customers, equipment damage, or safety hazards, and submit a 30‑day root‑cause report.
Utilities must provide affected labor organizations at least 180 days’ advance notice before deploying ADS that materially change job duties and must exhaust feasible retraining, redeployment, or reclassification options before laying off engineering or technical staff.
Vendors must supply a vendor ADS supply‑chain disclosure and utilities must maintain provenance logs that record model family and version, training data sources, update cadence, human reviewer identity, timestamps, and the actions approved, modified, or rejected by reviewers.
Section-by-Section Breakdown
Definitions and scope
This section establishes the technical vocabulary that drives the rest of the chapter: what counts as an automated decision system, what utilities are covered, what constitutes an engineering decision, and what features make an ADS "high‑risk." The practical effect is to narrow heavy requirements to ADS that touch system records, operational commands, or safety decisions while excluding benign tools (spam filters, firewalls, calculators, raw datasets). That gating matters because obligations like human‑in‑the‑loop review, staging, and provenance logging attach only when the statutory criteria are met.
Division of regulatory oversight
The bill assigns oversight of privately owned utilities to the California Public Utilities Commission and oversight of publicly owned utilities to the Energy Commission, and requires the two agencies to coordinate. That split preserves existing regulatory relationships but creates a need for alignment: utilities will face uniform expectations in practice only if the two agencies adopt consistent rules and review standards.
Human review, overrides, and provenance logging
This provision mandates that utilities keep a formal process enabling qualified staff to modify or override ADS outputs and prohibits implementation of high‑risk ADS outputs without affirmative human approval. If the output is an engineering decision, a state‑licensed professional engineer must do the approval. The section also requires provenance logs that track model identifiers, versions, training sources, timestamps, and reviewer actions—establishing an auditable chain of custody for ADS decisions.
Safety plans and staged testing
Before deploying a high‑risk ADS live, a utility must file a safety plan including model metadata, bias and cybersecurity testing, scenario test results (at least one wildfire/hazard and one DER or equipment‑failure scenario), monitoring and retraining plans, and human‑override and roll‑back mechanisms. The bill requires an initial staging period—statutorily set at a minimum of 18 months unless the regulator decides otherwise—during which any ADS‑proposed changes remain nonoperational and are audited and human approved before going live.
System records controls and audit retention
This section dictates that any ADS that proposes changes to system records must hold those changes in a clearly labeled proposed environment until human review, provide a rollback mechanism to restore prior record versions, and keep provenance and audit trails. The text leaves a blank for the required audit‑trail retention period, signaling an unresolved parameter that regulators will need to fill in.
Incident reporting and annual monitoring
Utilities must notify the relevant commission within 24 hours when a high‑risk ADS contributes to a service interruption affecting more than 500 customers, equipment damage, or safety‑relevant data errors. A root‑cause analysis is due within 30 days identifying model version, training data sources, provenance log entries, and corrective actions. Privately and publicly owned utilities also must conduct continuous monitoring and file annual reports, with the CPUC or Energy Commission and, for public utilities, the governing board receiving performance and near‑miss summaries.
Labor notice, retraining, and layoff protections
Covered utilities must give affected labor organizations at least 180 days' notice before technological changes involving ADS that materially affect duties, classifications, staffing, or training. The notice must describe impacts and a retraining/redeployment plan; utilities must consult with employee reps to develop joint retraining programs and cannot implement ADS‑driven layoffs of engineering or technical staff until feasible retraining or redeployment has been exhausted.
Rulemaking, enforcement, and legal relationships
The commissions may adopt implementing regulations. The CPUC can enforce the chapter against privately owned utilities under its existing safe‑operations authority and penalty provisions, while publicly owned utilities must annually certify compliance to their governing boards and the Energy Commission. The chapter explicitly preserves rights under federal and state labor laws and collective bargaining agreements and declares the provisions severable.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Frontline engineering and technical employees — gain statutory notice, joint retraining obligations, and a prohibition on ADS‑driven layoffs until retraining and redeployment options are exhausted, giving workers time and bargaining leverage during technological transitions.
- Consumers and public safety — receive stronger procedural safeguards (human oversight, provenance logs, incident reporting) intended to reduce the risk that opaque algorithms cause outages, mis‑dispatches, or hazardous field actions.
- Regulators and auditors — gain structured disclosures (safety plans, provenance logs, incident root causes) that improve visibility into vendor models, operational testing, and post‑incident analysis, enabling targeted oversight and remediation.
- Labor organizations and unions — secure formal access to safety plans and early notice (180 days) before deployments, strengthening their role in retraining and workforce planning.
- Vendors offering transparent, well‑documented models — those who can supply model metadata, bias testing, and secure update processes may win preference and faster regulatory acceptance.
Who Bears the Cost
- Covered utilities (private and public) — must build staging environments, expand testing and monitoring, maintain longer audit trails, prepare safety plans, and implement provenance logging, increasing operational and procurement costs.
- ADS vendors and system integrators — face new disclosure obligations around model family, versions, training data, update cadence, limitations, and bias testing that can bump up engineering and legal costs and raise IP concerns.
- Regulatory agencies (CPUC and Energy Commission) — may need more staff, technical expertise, and review processes to evaluate safety filings, scenario tests, and root‑cause analyses at scale.
- Ratepayers and customers — could face indirect costs if utilities pass through the expense of compliance, longer piloting timelines, or additional redundancy required by safety controls.
- Publicly owned smaller utilities — may struggle with the administrative burden of compliance and certification absent dedicated resources or funding support.
Key Issues
The Core Tension
SB1011 pits two legitimate priorities against each other: the need to prevent opaque, automated decisions from harming infrastructure or people by imposing long staged testing, human‑in‑the‑loop approvals, and disclosure requirements, versus the imperative to modernize grid operations quickly with AI tools that can improve reliability and efficiency; resolving that tension requires balancing safety and auditability against speed, cost, and vendor confidentiality.
The bill crystallizes sensible guardrails but leaves several implementation levers open and creates real operational trade‑offs. The statutory minimum 18‑month staging period and the requirement that high‑risk ADS never autonomously change live system records prioritize safety, but they can slow deployments of potentially reliability‑enhancing automation, increase integration costs, and prolong vendor‑utility pilots.
Regulators will have to calibrate acceptable staging alternatives and performance thresholds to avoid turning testing into indefinite delay.
Vendor disclosure and provenance requirements improve auditability but cut against vendors’ IP and data‑governance practices. The statute requires model and training‑data metadata disclosure and bias testing without specifying confidentiality protections or acceptable redaction, creating a likely negotiation point and potential litigation risk.
The blanked audit‑retention period in the text is a procedural gap that could produce inconsistency across utilities unless regulators set a uniform standard. Finally, the interplay between the bill’s workforce protections and federal labor law creates predictable bargaining disputes over what counts as "exhausting feasible retraining" and who bears retraining costs.
Liability and post‑incident attribution are also uncertain. The bill forces provenance logging and root‑cause reporting but does not rewrite tort or liability rules; utilities, vendors, and insurers will have to sort out allocation of responsibility when an ADS recommendation, a human reviewer’s override, or a software bug contributes to harm.
Regulators should plan for resource needs, confidentiality frameworks, and clear compliance metrics to avoid uneven application and to keep safety rules from ossifying into barriers to necessary operational innovation.