Illinois lawmakers sent SB 315 — the Artificial Intelligence Safety Measures Act — to Gov. JB Pritzker on May 27 after a unanimous 110-0 House vote, making Illinois the first state to require annual independent third-party audits of frontier AI safety protocols. The Senate had already cleared the measure 52-5 on May 21. Pritzker posted on X that he looks forward to signing it. Violations carry civil penalties of up to $3 million each, and the mandate takes effect in 2028.
Who is on the hook
The bill scopes coverage to the largest developers — companies with at least $500 million in revenue that train models above substantial compute thresholds. That deliberately narrow definition keeps startups and downstream enterprise deployers out and points the obligation squarely at the frontier labs: OpenAI, Anthropic, Google, Meta, xAI, and their peers. Notably, OpenAI and Anthropic backed the bill through the process; the TechNet coalition opposed it, with representative Ninia Linero warning of "highly subjective determinations requiring AI safety compliance without established national standards."
What the audit mandate actually requires
The third-party audit provision is the first of its kind in any state AI law. Covered developers must create, publish, and annually update a frontier AI framework addressing catastrophic-risk assessment, mitigations, cybersecurity, internal governance, third-party evaluations, and internal-use risks. They must file transparency reports before deploying new or substantially modified models and submit summaries of their catastrophic-risk assessments. Independent auditors then verify compliance, with statutory requirements for audit access, reporting, retention, and publication of results. The bill also adds whistleblower protections and internal reporting channels for covered employees.
A hardening state patchwork
Illinois becomes the third state with frontier-model standards, after New York's RAISE Act and California's SB 53 (the Transparency in Frontier AI Act). SB 315 borrows the published-safety-plan structure from those laws but goes further by codifying mandatory external audits rather than self-attestation. "This legislation enacts critical protections against the most catastrophic risks that advanced AI systems pose to public safety," said sponsor Rep. Daniel Didech (D-Buffalo Grove). Senate sponsor Mary Edly-Allen (D-Libertyville) framed it as "balancing the great promise of AI with its potential harms."
What changes for builders
For labs, the operational signal is that self-reported safety frameworks are no longer sufficient in three of the largest US markets — and the gap between them is widening. SB 315's audit requirement effectively spins up demand for an independent AI-assurance market: firms qualified to evaluate catastrophic-risk methodology, eval coverage, and cyber controls against a statutory checklist. Teams shipping frontier systems should expect to budget audit cycles into release timelines and to harmonize a single internal governance framework against divergent Illinois, California, and New York requirements rather than maintaining three. With a 2028 effective date, the runway is real but the documentation discipline it demands — versioned risk assessments, retained eval artifacts, pre-deployment transparency reports — is the kind of thing that is far cheaper to build in now than to retrofit.
