New California Law Requires AI Risk Assessments by End of 2027
As companies rapidly adopted artificial intelligence (AI) throughout 2025, they may have neglected a critical issue: the emergence of new risks and the exposure of longstanding infrastructure weaknesses. According to legal experts, this oversight could have significant implications for organizations.
The Urgency for AI Risk Assessments
Law firm Lowenstein Sandler is urging companies to take immediate action regarding AI risk assessments. The firm emphasizes that boards and regulators are expecting visible progress on AI governance. Companies face mounting pressures, including:
- Engineers deploying models faster than legal teams can review them.
- Vendor contracts that fail to clarify ownership of training data.
- Increased scrutiny from regulators.
Mandatory Risk Framework
Under California’s new mandatory risk framework, organizations must incorporate AI risk assessments into their enterprise risk evaluations by December 31, 2027. This regulation aligns with a recent executive order establishing a national AI policy framework, which indicates that federal regulatory enforcement may intensify amidst jurisdictional conflicts between state and federal governments.
Adopting the NIST AI Risk Management Framework
Lowenstein Sandler recommends organizations adopt the National Institute of Standards and Technology (NIST) AI Risk Management Framework as a foundational strategy. This sector-neutral framework is becoming an industry standard and offers practical tools for legal, risk, and engineering teams to collaborate effectively.
Avoiding Potential Pitfalls
The firm cautions against scenarios where miscommunication leads to unauthorized decision-making by AI systems. For instance, customer service AI might make eligibility decisions without proper authorization, causing legal and operational complications. It is crucial for companies to establish clear ownership of AI outputs and understand who has the authority to pause or override AI systems when necessary.
A Three-Phase Approach to Compliance
Lowenstein Sandler outlines a comprehensive three-phase approach for organizations:
Phase 1: Initial Mapping and Ownership
In the first three months, companies should:
- Map AI usage.
- Assign ownership for AI risk and compliance.
- Create a system of record for all AI systems in use.
Phase 2: Broadening Testing Protocols
From months three to nine, organizations should:
- Expand testing protocols.
- Revise contracts to include AI-specific obligations.
- Implement technical controls.
Phase 3: Continuous Monitoring
From nine months onward, ongoing monitoring through alerts, dashboards, and drift detection is essential. Regulators recognize that perfection is not immediately achievable but expect visible progress and a credible narrative of improvement.
Key Deliverables for the First Year
Within the first year, organizations should prepare:
- An AI system inventory with risk tiers and ownership.
- Updated incident response plans for AI-specific risks.
- A charter for an AI governance committee.
For systems affecting employment or housing, it is critical to implement testing protocols sooner rather than later. Establishing clear AI policies, standards, and vendor diligence questionnaires will be paramount.
The Importance of Operational Documentation
Operational documentation is vital for ensuring that companies possess the necessary knowledge to act decisively when risks arise. Organizations should prioritize infrastructure mapping and governance chartering to stay ahead of evolving requirements and maintain the reliability and compliance of their AI tools.
Conclusion
As AI technology continues to evolve rapidly, the message from legal experts is clear: the time to build robust governance frameworks is now, rather than waiting for regulatory scrutiny.
