AI Compliance Programs

Illinois becomes the first state to require independent audits of frontier AI developers

Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, on July 6, making Illinois the third state to place safety and transparency duties on the largest AI developers and the first to require independent, conflict-free third-party audits. The law takes effect on January 1, 2027, and its audit mandate is the part that moves the national standard, whatever the "strongest in the nation" billing around it.

Updated on July 07, 2026
Illinois becomes the first state to require independent audits of frontier AI developers

Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, on July 6, making Illinois the first state in the country to require independent third-party audits of the companies that build the most advanced AI models. The law obliges those developers to publish how they assess and manage catastrophic risk, report serious safety incidents to the state, and protect employees who raise concerns, and it takes effect on January 1, 2027. Illinois becomes the third state to place such duties on frontier developers, following New York and California, and the audit requirement is the piece that carries it past what either of those states enacted.

Pritzker cast the law as a response to federal inaction, arguing that states have to move while Washington holds back.

As AI systems become more powerful and the federal government is unwilling to step in, states have a responsibility to protect our people from the dangers of AI while still harnessing the unique potential of the technology,”

"People want protections from the risks of AI and Illinois is stepping up with a bipartisan, first- and most-protective-in-the-nation law.”

Governor JB Pritzker

The bill passed with rare bipartisan margins, clearing the Illinois House by 110 to 0 and the Senate by 52 to 5, and Senator Mary Edly-Allen and Representative Daniel Didech carried it. Supporters call it the strongest AI safety law in the country, a description that belongs to them rather than to any neutral scorekeeper. The account below works through what the law requires, whom it actually binds, and where it fits in the growing patchwork of state AI rules.

Conditions driving this change

Several forces converged to put a binding audit requirement on the governor's desk.

  • The federal government has kept its own hand light, and GAIG covered the voluntary frontier-review executive order the Trump administration signed in June, which opened a channel for government visibility while expressly ruling out mandatory licensing or preclearance.

  • Pritzker and the sponsors framed their move as filling that gap, with Senator Edly-Allen telling reporters that the state was not willing to wait for Congress to act.

  • Illinois built on ground that New York and California broke first, following New York's RAISE Act from June 2025 and California's Transparency in Frontier AI Act from September 2025, both of which require frontier developers to publish and update plans for handling severe or catastrophic risk.

  • Neither of those earlier laws created a way to check whether a developer actually follows its own safety plan, and SB 315 answers that with a mandatory annual audit by an outside party that holds no financial stake in the outcome.

  • The law reaches only the largest developers, those above $500 million in annual revenue whose models cross a high compute threshold, which in practice means a short list that includes OpenAI, Anthropic, Google, Meta, and xAI, and it leaves most enterprises that merely deploy AI outside its direct scope.

  • Parts of the industry lined up behind the bill, with Anthropic calling itself the first AI lab to support it and OpenAI praising the framework, an alignment worth noting given how often frontier labs resist binding rules.

Anthropic tied its support to the verification the audit provides, through Cesar Fernandez, who runs its state and local government relations.

SB 315 makes Illinois the first state to pair AI transparency requirements with independent verification, an important step toward the accountability this technology demands"

"Anthropic is proud to have been the first AI lab to support this bill, and we commend Governor Pritzker and the sponsors, Senator Mary Edly-Allen and Representative Daniel Didech, for their leadership on this critical issue.""

Cesar Fernandez, Head of U.S. State and Local Government Relations at Anthropic

What it looked like before

Before SB 315, the safety practices of the largest AI developers rested largely on their own word. New York and California had begun to change that in 2025, requiring frontier developers to write and publish plans for handling severe or catastrophic risk, yet the checking of those plans stayed inside the companies that wrote them. A developer's account of its own testing was, for the most part, the record the public and regulators had to work from.

At the federal level the standing mechanism was voluntary and aimed at national security rather than routine safety transparency. The executive order signed in June invited developers to share their most capable models with agencies before release, while stating plainly that it created no licensing or preclearance regime. Frontier systems could therefore reach the public with disclosure that varied from one company to the next and verification that came, if at all, from the developer itself.

The result was a widening set of state rules with a shared blind spot. Disclosure requirements were multiplying, while the duty to prove that a published safety plan was actually being followed had no home in any statute. That gap between what a developer said and what anyone could confirm is the specific hole SB 315 was written to close.

What it looks like now

Under the new law, a covered developer has to publish a framework describing how it measures model capabilities, guards against catastrophic risk, secures its systems, and governs its own internal use of frontier models. The statute defines catastrophic risk around a single incident that could kill or seriously injure more than 50 people or cause more than $1 billion in damage, tied to conduct such as giving expert-level help toward a chemical, biological, or nuclear weapon, or a model acting as a cyberweapon or slipping its developer's control. Each covered model carries a pre-deployment transparency report, and the company has to bring in an independent auditor every year to judge whether it genuinely follows the framework it published, with the findings made public.

Supporters describe the audit as the difference between a promise and a proof. Sunny Gandhi of the advocacy group Encode put the point in terms of who has to be believed.

“SB 315 is the strongest AI safety law in the country. It builds on the frameworks California and New York have already passed and goes one step further by requiring independent audits, so the public doesn't have to take AI companies at their word. Illinois has set the new standard,”

Sunny Gandhi, Co-Executive Director, Encode AI

The reach is deliberately narrow, and enforcement runs through the Illinois Attorney General alone, with civil penalties of up to $1 million for a first violation and $3 million after that, and no private right of action. Serious safety incidents go to the state within 72 hours, and within 24 hours when the threat to life is imminent. Most enterprises that buy and deploy AI fall outside the direct obligations, though the companies that supply their frontier models now sit inside them, which tends to push audit-grade documentation and fast incident reporting down through the supply chain.

The mandate arrives ahead of some of the machinery to satisfy it, since no settled standard, certified roster of frontier-safety auditors, or agreed methodology yet exists for the reviews the law requires. Its operational requirements phase in over the following year, and the audit is the verifiable core beneath the state's claim to have written the country's strongest AI law.

Our Take

AI Compliance Take

The mechanism earns credit even after the marketing is set aside. Independent audit is the part that raises the floor, because it moves frontier safety from self-attestation toward outside verification, and it marks the first time a state has required anyone to check a developer's own homework. Illinois has also been candid about its aim, which is to nudge a national standard into being while Congress stays still, and a binding state law rising where the federal order stayed voluntary is a genuine shift in the patchwork GAIG has been tracking.

The harder questions are the ones a signing ceremony cannot answer. An audit regime is only as strong as the people who qualify to conduct it, the standard they measure against, and the penalty that follows a failure, and none of that is settled yet, which is why the industry group NetChoice called the mandate an impossible burden and the White House has argued that a thicket of differing state rules will weigh on American developers. Those objections deserve a fair hearing, and they describe the work between now and 2027 rather than erasing the underlying advance.

For readers who sit outside the law's direct scope, the signal still matters. A frontier developer selling into or operating from Illinois now faces a concrete audit and disclosure timeline, and its enterprise customers will feel that through tougher documentation demands and faster incident expectations. The travel is toward verification over trust, the same thread that runs through the question of who can prove what across the AI supply chain, and the firms that treat an auditable safety record as a standing capability will not scramble when the next state, or Congress, asks to see it.

Related Articles

Pleneo and OneAdvanced announced that they have both achieved ISO 42001 certification AI Regulatory Compliance

Mar 3, 2026

Pleneo and OneAdvanced announced that they have both achieved ISO 42001 certification

Read More
SAP and Uptycs Introduce Verifiable AI Security Controls for Enterprise Systems AI Infrastructure Security

Mar 6, 2026

SAP and Uptycs Introduce Verifiable AI Security Controls for Enterprise Systems

Read More
BigID and Atlan Launch Unified Structured and Unstructured Data Catalog for AI Governance at Gartner Data & Analytics Summit AI Governance Platforms

Mar 10, 2026

BigID and Atlan Launch Unified Structured and Unstructured Data Catalog for AI Governance at Gartner Data & Analytics Summit

Read More

Stay ahead of Industry Trends with our Newsletter

Get expert insights, regulatory updates, and best practices delivered to your inbox