On March 5, 2026, a federal judge denied X.AI’s request to block enforcement of California’s AI Training Data Transparency Act while the company’s lawsuit against the state proceeds. X.AI, Elon Musk’s AI company, argued the law would destroy trade secrets, hand competitors a blueprint for reverse-engineering its models, and constitute unconstitutional compelled speech. The court rejected both the trade secret and free speech arguments at this stage, leaving the law fully in force.
The ruling generated a lot of coverage about the X.AI litigation and what it means for big AI developers. That’s not the story most HR leaders and business operators should be tracking.
The more important story is the statute’s scope, which is broader than its framing as an AI developer law. It reaches employers who have no idea they’re covered, and sits within a growing stack of California AI regulations that collectively create a compliance picture most companies haven’t mapped.
You Don’t Have to Build AI From Scratch to Have Developer Obligations
California’s Generative Artificial Intelligence Training Data Transparency Act took effect January 1, 2026. It requires developers of generative AI systems available to California residents to publicly post high-level summaries of the training data behind those systems, covering twelve categories of information: the sources or owners of the datasets, whether datasets include personal information or copyrighted content, when data was collected, what modifications were made, how the data is used in training, and related disclosures. The law applies retroactively to systems publicly available since January 2022.
The critical definition is developer, and it extends well beyond companies building foundation models from scratch. Under this law, a developer includes any company that designs, codes, produces, or creates a new version, release, or update that materially changes the functionality or performance of a generative AI system, including through fine-tuning or retraining.
That scope is broader than most mid-size employers recognize. If your company has fine-tuned an open-source model on your own proprietary data, built a custom AI assistant on top of a base model from any major vendor, or materially modified a generative AI system for internal or commercial use, you may have developer obligations.
The employers most likely to be in this category without knowing it include HR technology teams that have customized AI tools for recruiting, performance management, or employee communications; legal and compliance functions that have built AI-assisted document review or contract analysis tools; and customer service operations that have fine-tuned chatbots on company-specific training data. The “off-the-shelf tool with no modification” use case is clearly outside the statute. Everything else requires a closer look at what your technical teams have actually built.
X.AI Lost on Trade Secrets Because ‘Our Data Is Valuable’ Is Not a Legal Argument
The court’s handling of X.AI’s trade secret claims is worth understanding in detail, because it has direct implications for any company that develops AI and intends to rely on trade secret protection for its training data. The court acknowledged that training datasets can theoretically qualify as trade secrets. But found X.AI’s argument too generalized to carry the burden required for a preliminary injunction.
The company argued, in essence, that its training data is proprietary and valuable and that disclosure would harm its competitive position. The court said that fell short and it couldn’t identify what specifically made X.AI’s datasets distinct from competitors’ in a way that merited legal protection.
That’s a precise legal point with significant practical implications. Trade secret protection requires specificity. A company asserting trade secret status for its training data needs to be able to articulate what the data contains, how it was curated, why that curation process is not generally known or readily ascertainable, and what specific competitive harm would flow from its disclosure. General assertions that data is proprietary don’t establish trade secret status in court.
If your organization develops any AI systems and you’re relying on trade secret doctrine to protect them, the ruling signals that you need a documented, specific analysis of what qualifies as protectable and why. That analysis should exist before litigation, not be reconstructed during it.
California’s Attorney General Is Building an AI Enforcement Program, and a Compliance Inquiry Won’t Stay Narrow
California’s Attorney General has publicly announced the building of an AI oversight, accountability, and regulation program, a dedicated enforcement infrastructure for California’s growing AI regulatory framework. The stated position is that California will regulate AI aggressively in the absence of meaningful federal action. The state legislature is simultaneously considering legislation that would give the AG’s office formal authority to develop in-house AI expertise and expand its enforcement capacity.
California has a track record of using its AG enforcement authority with real force across technology, consumer protection, and privacy law. The practical implication for employers is that an AI-related inquiry from California will not stay narrowly scoped to the original complaint. An investigation that starts with a training data disclosure issue will expand to examine how you use AI in employment decisions, whether your AI systems produce discriminatory outputs, how you handle the employee data your systems process, and whether your governance and oversight practices are documented.
Employers using AI in employment decisions in California are simultaneously navigating the California Privacy Rights Act‘s requirements for automated decision-making, including employee rights to opt out of and obtain explanations for decisions made by automated systems. Proposed regulations under the CPRA would extend those requirements specifically to employment contexts. If you’re using AI for hiring, performance management, compensation decisions, or workforce planning, those intersecting obligations need to be mapped together, not managed as separate compliance tracks.
What AI Governance Documentation Regulators Actually Look For
The through-line across the X.AI ruling, California’s enforcement posture, and the broader trajectory of AI regulation is this: the companies in the best position are the ones that built their AI programs with documentation, specificity, and accountability from the start. Governance documentation isn’t bureaucratic overhead. It’s the evidentiary foundation for defending against regulatory inquiries and employment claims.
What regulators and courts are looking for in AI governance documentation at the employer level includes:
- Vendor selection and vetting records: How did you select your AI vendors? What diligence did you conduct on their compliance with applicable law? What contractual representations did they make about training data, bias testing, and output monitoring?
- AI in employment decision records: For any AI system that contributes to hiring, compensation, promotion, or termination decisions, what is the documented rationale for its use, and what human review is layered over its outputs?
- Bias and discrimination auditing: Has your use of AI in employment decisions been tested for disparate impact? Across which protected characteristics? By whom? What remediation was taken when problems were found?
- Output monitoring procedures: What process exists to identify and address problematic AI outputs? Who is responsible? What documentation exists of identified problems and the response?
- Data governance practices: What employee and applicant data flows into AI systems? Under what legal authority is it processed? How is it protected?
The companies that have treated AI governance as an active operational discipline are the ones that can respond to an inquiry quickly and credibly. For everyone else, the investigation itself becomes the build. That’s a far worse position than it needs to be.
Stay Ahead of AI Liability Before It Becomes a Legal Risk
AI regulations are evolving fast, and as this case shows, many businesses don’t even realize when they’ve crossed into legal exposure. Waiting until there’s an inquiry or lawsuit is the worst time to figure out your compliance gaps.
If your company is using, customizing, or relying on AI in any capacity, now is the time to get clarity.
I we help businesses:
- Evaluate AI-related legal risk
- Assess compliance obligations before regulators do
- Strengthen governance and documentation to protect against claims
- Navigate complex intersections between employment law, data privacy, and emerging AI regulations
Don’t assume you’re in the clear, make sure you are. Contact me today to discuss how your business can stay protected as AI oversight continues to expand.
