TL;DR: California’s SB 53 requires large AI developers to publish safety frameworks, disclose risk assessments, and report critical incidents, while other states are moving with different rules, creating a fragmented compliance landscape for enterprises, according to Lasso Security. AI governance is shifting from policy discussion to operational obligation, and identity, access, and incident controls now need jurisdiction-aware design.
NHIMG editorial — based on content published by Lasso Security: Navigating the Patchwork, What California’s SB 53 Signals for AI Governance
Questions worth separating out
Q: How should organisations govern AI systems when state laws differ by jurisdiction?
A: Organisations should treat AI governance as a jurisdiction-mapping exercise, not a single policy.
Q: Why do AI governance rules increase the importance of identity and access management?
A: Because AI rules depend on proving who approved use, who can change the system, and who can access the data it touches.
Q: What do security teams get wrong about AI compliance programmes?
A: They often treat compliance as documentation after deployment rather than as a control system built into access, logging, and incident response.
Practitioner guidance
- Create a jurisdiction-to-control map for AI systems: list where each AI use case operates, which laws apply, what evidence each regime expects, and which internal teams own approval and reporting.
- Bind AI approvals to named human and non-human identities: require every significant AI deployment or model change to have a named owner, an approving human role, and the service identities that can modify or call the system.
- Review data access paths feeding model operations: inventory which identities can read training data, prompt data, logs, and exported outputs.
What's in the full article
Lasso Security's full article covers the operational detail this post intentionally leaves for the source:
- The specific state laws and policy details behind California SB 53, Colorado's AI Act, Utah's AI Policy Act, and other examples
- The article's own framing of how Lasso positions AI safety frameworks, risk assessments, and critical incident reporting
- The vendor's broader discussion of how enterprises should interpret the global AI governance landscape across the U.S., EU, and UK
👉 Read Lasso Security's analysis of California SB 53 and state AI governance →
California SB 53 and AI governance fragmentation: what teams need now
Explore further
SB 53 is a signal that AI governance is becoming an identity governance problem. Once lawmakers require safety frameworks, risk assessments, and incident reporting, the organisation must prove who approved access, who operated the system, and who owns the evidence trail. That pulls IAM, IGA, and security operations into the same control plane. The implication is that AI governance can no longer be managed as a policy appendix to a model programme.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when an AI system causes a reportable incident?
A: Accountability should sit with the business owner of the AI use case, the security or risk function overseeing controls, and the technical identities that administered the system. If those roles are not explicit, incident reporting becomes ambiguous and slow. A regulator will expect a named chain of responsibility, not a vague reference to the platform team.
👉 Read our full editorial: California SB 53 signals a fragmented future for AI governance