Existing law requires all contracts for the acquisition of information technology goods and services related to information technology projects, as defined, to be made by or under the supervision of the Department of Technology. Existing law requires all other contracts for the acquisition of information technology goods or services to be made by or under the supervision of the Department of General Services. Under existing law, both the Department of Technology and the Department of General Services are authorized to delegate their authority to another agency, as specified.
This bill would require the Department of Technology to develop and adopt regulations to create an automated decision system (ADS) procurement standard. To develop those regulations, the bill would require the department to consider principles and industry standards addressed in specified publications regarding AI risk management. The bill would require the ADS procurement standard to include, among other things, a detailed risk assessment procedure that analyzes specified characteristics of the ADS, methods for appropriate risk controls, as provided, and adverse incident monitoring procedures. The bill would require the department to, among other things, collaborate with specified organizations to develop the ADS procurement standard and review and update the ADS procurement standard and related regulations, as specified.
Commencing January 1, 2027, this bill would prohibit a state agency from procuring an ADS, entering into a contract for an ADS, or any service that utilizes an ADS, as specified, until the department has adopted regulations creating an ADS procurement standard. Commencing January 1, 2027, the bill would also require a contract for an ADS or a service that utilizes an ADS, as specified, to include a clause that, among other things, provides a completed risk assessment of the relevant ADS, as specified, requires adherence to appropriate risk controls, and provides procedures for adverse incident monitoring.