Sophie Laurent, YuSMP Group
Sophie Laurent Legal & Compliance Lead, YuSMP Group · Advises US and EU teams on GDPR, the EU AI Act and cross-border data flows
The Illinois State Capitol dome in Springfield under an overcast sky, representing state-level oversight of artificial intelligence under the new AI Safety Measures Act

The short answer

On 6 July 2026, Illinois Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, making Illinois the first US state to require independent third-party audits of the safety practices of the largest AI developers. The law takes effect on 1 January 2027, with the safety-framework and audit duties starting on 1 January 2028.

The obligations bite hardest on “large frontier developers” — companies above $500 million in annual revenue that train models with more than 10^26 FLOPs. They must publish a safety and transparency framework, report significant safety incidents, and submit to an annual outside audit. Most companies fall outside that definition, but the downstream signal is clear: audited, documented AI is becoming the price of doing business, and the same “know your model” discipline that good AI and data engineering already values is now written into state law.

What did Illinois actually pass?

SB 315, the Artificial Intelligence Safety Measures Act, establishes a framework for safety, transparency and accountability aimed squarely at the most powerful AI systems. Governor JB Pritzker signed it into law on 6 July 2026, framing it as an effort to hold the developers of frontier models accountable for catastrophic-risk scenarios rather than to regulate everyday software. The bill drew rare cross-industry support: Anthropic publicly backed it, calling independent accountability “an important step toward the accountability this technology demands.”

The core of the Act is a duty to be transparent and then to be checked. Covered developers must create and publish a written safety framework describing how they identify and mitigate the risk that a model could enable serious harm, disclose the results of their catastrophic-risk assessments, and explain how independent evaluators were involved. The novelty is what sits on top of that disclosure: an obligation to have those claims verified by an outside auditor with no financial stake in the outcome. That verification step is what separates Illinois from the states that came before it, and it is why teams that build or commission AI and data products should read the law as a signal about where enterprise expectations are heading, not just as someone else’s compliance problem.

This did not appear from nowhere. Illinois has moved aggressively on AI in 2026, and SB 315 slots alongside a wave of state activity — California’s executive actions on workforce disruption, New York’s frontier-model transparency bill, and Utah’s Office of AI Policy. What makes Illinois distinct is that it pairs transparency requirements with mandatory independent verification, the same pattern that made SOC 2 and financial audits credible: a claim is only as good as the third party willing to sign off on it.

Who does the law bind?

The heaviest duties apply to a narrow set of companies the Act calls “large frontier developers” — those with annual gross revenues in excess of $500 million in the preceding calendar year that build “frontier models.” A frontier model, in turn, is defined by compute: one trained using more than 10^26 floating-point operations. Those two tests together are designed to capture the handful of labs training the largest general-purpose systems, not a mid-size product team fine-tuning an open model on a domain corpus.

That scoping matters, because it tells you exactly who is on the hook and who is not. If you are a SaaS company embedding a third-party model, a fintech running a fraud classifier, or a startup shipping an AI feature, the statute does not bind you directly — you sit below both thresholds. Frontier developers below the $500 million line face lighter, disclosure-only duties: publishing a model’s website, release date, supported languages, modalities, intended uses and generally applicable restrictions. The full weight — safety framework, incident reporting and independent audit — lands only on the largest players.

But “not directly bound” is not the same as “unaffected.” The frontier labs you build on will now publish richer model documentation and risk disclosures, and your enterprise customers — especially in regulated sectors like FinTech and HealthTech — will increasingly expect you to pass along or match that evidence. Regulation written for the top of the stack has a way of flowing down through procurement.

Why do independent audits matter?

The independent-audit requirement is the part worth dwelling on, because it changes the nature of an AI safety claim. Under the Act, large frontier developers must, from 1 January 2028, undergo an annual audit by an independent third party, conducted in line with generally accepted auditing standards and best practices. The auditor examines the developer’s model risks and the mitigations in place, and the results are not left in a drawer: a summary of the audit must be published within 30 days of the developer receiving the report, with the full report available to the state agency and the attorney general on request.

This is a familiar move to anyone who has worked through a SOC 2 engagement or a security audit. Self-attestation is cheap and easy to discount; an outside evaluator with no financial conflict of interest is expensive precisely because it is credible. Illinois is betting that the discipline of preparing for an audit — documenting how risks were assessed, what evaluators found, and how issues were closed — will do more to raise the floor on AI safety than any list of prohibited behaviours could. For teams that already treat evidence as a first-class deliverable, this is comfortable territory; for those who treat safety documentation as an afterthought, it is a warning shot.

What is the timeline and who enforces it?

The dates are staggered on purpose. The Act becomes effective on 1 January 2027, but the substantive safety-framework and independent-audit obligations do not begin until 1 January 2028, giving covered developers roughly eighteen months from signing to build the internal machinery. That lead time is a tell: the state expects genuine engineering and governance work, not a one-page policy uploaded the week before the deadline.

Enforcement runs through the Illinois attorney general, who may seek civil penalties for noncompliance. Crucially, there is no private right of action — individuals cannot sue developers directly under the Act — with one exception: whistleblower protections shield employees who raise safety concerns from retaliation. Concentrating enforcement in the attorney general’s office, backed by mandatory published frameworks and audit summaries, gives the state a documentary trail to act on and keeps the litigation surface narrow. For a company weighing exposure, the practical read is that the risk is regulatory and reputational rather than a flood of private suits.

How does this fit the wider US patchwork?

With no comprehensive federal AI statute in force, US AI regulation is being written state by state, and the result is a patchwork that companies operating nationally have to navigate as a whole. California has leaned on executive action and sector-specific rules; New York has advanced frontier-model transparency; Utah stood up a dedicated Office of AI Policy to guide developers. Illinois now adds the missing ingredient — independent verification — and in doing so raises the bar the other states will be measured against.

For teams that ship products across the country, the lesson from the last decade of privacy law is instructive: when states diverge, the pragmatic strategy is to build to the strictest credible standard rather than maintain a different posture per jurisdiction. Data-protection teams learned this with the California Consumer Privacy Act and the GDPR; AI governance is heading the same way. The overlap with Europe is not accidental either — the documentation, risk-assessment and transparency duties in the Illinois law rhyme closely with the obligations teams already face under the EU AI Act. Two regimes, one underlying demand: know what your model does, assess how it can fail, and be able to prove both.

What it means for US & EU software teams

Strip away the statutory detail and three practical signals remain. First, scope is narrow but influence is broad. The letter of the law touches only a handful of frontier labs, but its effects reach every team that builds on their models, because the documentation and audit evidence produced at the top of the stack become the reference standard buyers cite everywhere below it. “Our vendor is audited; are you?” is a question you should expect on procurement questionnaires long before any law names your company.

Second, the work is documentary and upstream. Whether the pressure arrives as Illinois-style regulation, an enterprise security review, or an EU AI Act obligation, the underlying deliverables are the same: a written account of intended use and restrictions, a risk assessment for how the system could cause harm, records of what independent evaluation you ran, and lineage for the data and models involved. None of that is exotic — it is the same “know your model” rigour that separates durable AI engineering from a demo that cannot survive scrutiny — but it has to be produced as you build, not reconstructed at audit.

Third, this is the direction of travel, and building for it early is cheaper than retrofitting. Illinois is first, not last; more states and, eventually, federal rules will converge on transparency plus verification. The teams that will move fastest when a customer or a regulator asks for evidence are the ones already generating it as a by-product of shipping — treating governance as a design input rather than a compliance surprise. That is the same principle we apply to SOC 2 readiness work: get the evidence trail right while you build, and the audit becomes a formality.

A practical readiness checklist

Nothing here is a statutory deadline for most companies. It is the work that turns a fast-moving AI-regulation landscape into a routine review rather than a scramble:

  1. Write down intended use and restrictions. For every AI feature, document what it is for, who it serves, and the limits you place on it — the same fields Illinois asks frontier developers to publish.
  2. Run and record a risk assessment. Identify how the system could cause harm, what you did to mitigate it, and what residual risk remains. Keep it current, not frozen at launch.
  3. Capture model and dataset lineage. Track which models and data went into the product, from where, and under which basis — so you can answer a vendor-security or AI-governance questionnaire without re-deriving it.
  4. Collect your vendors’ evidence. Gather the model cards, safety frameworks and audit summaries your frontier providers publish; you will be asked to stand behind what you build on.
  5. Prepare for outside review. Assume a customer or auditor will eventually inspect your AI governance. Structure the documentation so it can be handed over, not excavated.
  6. Build to the strictest standard you plausibly face. Aligning to the toughest of Illinois, EU AI Act and enterprise expectations is cheaper than maintaining a different posture per jurisdiction.

This is not legal advice, and the right approach depends on your models, your markets and your customers. But the signal from SB 315 is unambiguous: the era of taking AI safety claims on trust is closing, and the teams that will win enterprise deals are the ones who can prove their claims on demand.

Frequently asked questions

What is the Illinois AI Safety Measures Act (SB 315)?

SB 315, the Artificial Intelligence Safety Measures Act, is a state law signed by Illinois Governor JB Pritzker on 6 July 2026. It requires the largest AI developers to publish safety and transparency frameworks, report significant safety incidents, and undergo annual independent third-party audits of their safety practices. It makes Illinois the first US state to mandate outside audits of AI safety by evaluators without a financial conflict of interest. The law takes effect on 1 January 2027, and the audit and safety-framework duties begin on 1 January 2028.

Who does the Illinois AI law apply to?

The strictest duties fall on “large frontier developers” — companies with more than $500 million in annual gross revenue that build “frontier models,” defined as models trained using more than 10^26 floating-point operations (FLOPs). That threshold captures the biggest frontier labs, not a startup fine-tuning an open model. Smaller frontier developers still face lighter transparency duties, such as disclosing a model’s release date, languages, modalities, intended uses and restrictions.

When do the Illinois AI audit requirements take effect?

The law becomes effective on 1 January 2027, but the core safety-framework and independent-audit obligations begin on 1 January 2028. From that date, large frontier developers must undergo an annual audit by an independent third party against generally accepted auditing standards, and publish a summary of the audit within 30 days of receiving the report, providing the full report to the state and the attorney general on request.

How is the Illinois AI law enforced?

The Illinois attorney general enforces the Act and may seek civil penalties for noncompliance. There is no private right of action for individuals, except for whistleblower protections that shield employees who report safety concerns. Enforcement therefore runs through the state, and the published transparency frameworks and audit summaries give the attorney general a documentary basis to act on.

What does the law mean for companies that build on or buy AI?

Most companies are not “large frontier developers,” so the statute does not bind them directly. But the effects flow downstream: frontier vendors will publish more model documentation and risk disclosures, procurement and enterprise customers will increasingly expect the same evidence from every AI supplier, and an audit-first pattern — like SOC 2 before it — tends to spread from law into contracts. The practical move for teams building AI-enabled products is to treat model documentation, risk assessment and dataset lineage as standing engineering artifacts now, not paperwork assembled under deadline later.

Sources

Office of Gov. JB Pritzker — Gov. Pritzker Signs Nation-Leading Artificial Intelligence Safety Law
StateScoop — Illinois governor signs AI safety law requiring audits of frontier models
Capitol News Illinois — Pritzker signs landmark AI regulation bill that aims to mitigate risks
Crowell & Moring LLP — Illinois Imposes Transparency and Safety Obligations on Frontier AI Systems