On March 30, 2026, California Governor Gavin Newsom signed Executive Order N-5-26, which introduces new trust and safety obligations for companies seeking contracts with state agencies. The order focuses on preventing the exploitation or distribution of illegal content, reducing harmful bias, and protecting civil liberties.
Around the same time, Poland formally adopted its draft AI law, which adds national cybersecurity and compliance measures on top of the EU AI Act framework. These two developments show governments moving from general principles toward concrete, enforceable rules for AI systems, especially in public procurement and high-risk use cases.
What Actually Changed
California Executive Order N-5-26
The order directs the Department of Technology and Department of General Services to create new procurement certifications within 120 days. Vendors must now “attest to and explain their policies and safeguards to protect public safety, including those that address: exploitation or distribution of illegal content (e.g., non-consensual sexual imagery); harmful bias in AI models; and violation of civil rights and liberties (e.g., surveillance, free speech).”
It also requires the state Chief Information Security Officer to review federal supply chain risk designations and issue guidance for California agencies. Additional reforms strengthen contractor responsibility rules so the state avoids contracting with entities “judicially determined to have unlawfully undermined privacy or civil liberties.”
Why this matters and what the quote means
The explicit mention of “non-consensual sexual imagery” is significant. It directly connects to the recent EU AI Act amendments that banned “nudifier” systems and other tools designed to create deepfake pornography or non-consensual intimate images. Both California and the EU are responding to the same real-world harm: generative AI being misused to produce exploitative content. By tying this requirement to procurement, California is using its substantial buying power to push vendors toward stronger safeguards and transparency. The order also calls for best practices on watermarking AI-generated or significantly manipulated images and video, giving the state a practical tool to verify content authenticity and reduce the spread of harmful manipulated media.
Poland’s newly adopted draft law introduces national provisions that supplement the EU AI Act. It strengthens cybersecurity requirements for AI systems, enhances risk assessments and transparency obligations for high-risk AI, and creates clearer local enforcement mechanisms for providers and deployers operating in Poland. The law establishes a new supervisory body, the Commission for the Development and Safety of Artificial Intelligence (KRiBSI), which will oversee compliance, conduct administrative proceedings, issue decisions, impose penalties, and coordinate national oversight of AI systems.
Beyond enforcement, KRiBSI will support research and innovation, promote economic competitiveness, manage regulatory sandboxes for testing AI solutions, and engage in educational initiatives while cooperating with EU institutions.
Why Poland adopted this law now
Poland is adding a national layer to make the EU AI Act more practical and enforceable within its borders. Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski emphasized that the regulations will “ensure public safety, particularly in scenarios where AI technologies may become difficult to control,” while also providing “stable and favorable conditions for businesses to develop AI solutions” and giving citizens “greater influence over how these systems operate.” The focus on cybersecurity and a dedicated commission reflects concerns about protecting critical infrastructure and public services. By acting early, Poland aims to strengthen national security, improve accountability, and prepare local organizations for full EU compliance while fostering domestic AI development in line with ethical standards.
Our Take
AI Compliance Take
California’s Executive Order and Poland’s draft AI law show governments rapidly translating high-level AI principles into concrete, operational requirements. The explicit language in California’s order — requiring vendors to address “exploitation or distribution of illegal content (e.g., non-consensual sexual imagery)” — mirrors the EU AI Act’s recent ban on nudifier systems and deepfake pornography tools. Both moves respond to growing public concern about generative AI being used to create harmful, non-consensual content.
For compliance teams, this means vendor evaluation processes must now include clear evidence of policies addressing illegal content, bias mitigation, civil liberties protections, and watermarking practices. The 120-day timeline in California gives some preparation room, but the direction is clear: governments expect AI systems to demonstrate real accountability before they are used in public contracts or regulated environments.
Organizations that build strong governance, monitoring, and documentation practices today will be much better positioned as more states and countries follow this path. The gap between policy statements and actual enforcement is closing quickly.
