Illinois Governor J.B. Pritzker on Monday signed SB 315, known as the Artificial Intelligence Safety Measures Act. It is the first US state law to require developers of the most powerful AI models to undergo annual, independent safety audits and to promptly report critical safety incidents. The core requirements take effect on January 1, 2028.
Key takeaways
- The bill was signed Monday after clearing the House 110-0 and the Senate 52-5
- It covers only "large frontier" developers: annual revenue above 500 million USD and training compute above 10^26 operations
- "Catastrophic risk" means more than 50 deaths or serious injuries, or more than 1 billion USD in damage from a single incident
- Annual audit by an independent third party — first such mandate of any US state
- Civil penalties up to 1 million USD for a first violation and 3 million USD for each subsequent one
Narrow scope, sharp tool
The act is deliberately modest — that is how the analysis by law firm Akerman LLP, published on JD Supra, describes it. The law does not tell developers what their models should say or do. Instead it requires them to publish safety frameworks (so-called frontier AI frameworks) that describe how a company assesses and mitigates "catastrophic risk." Before deploying a new model, a developer must also publish a transparency report covering its intended uses and a summary of its risk assessment.
The definition of "catastrophic risk" is narrow and therefore hard to contest. It refers to a foreseeable, material risk that a model will contribute to the death or serious injury of more than 50 people, or to property damage above 1 billion USD, arising from a single incident. The law enumerates three scenarios: expert-level help in building a chemical, biological, radiological or nuclear weapon, an autonomous cyberattack or conduct that would be murder or extortion if committed by a human, and a model evading its developer's control.
Who the law covers
The law applies only to "large frontier" developers — companies with annual revenue above 500 million USD that train models using more than 10^26 operations of compute. As Akerman estimates, that threshold narrows the law's reach to about a dozen companies, among them OpenAI, Anthropic, Google DeepMind, Meta and xAI. Startups, deployers and end users are exempt.
The audit as signature feature
SB 315's defining feature is its audit mandate. From 2028, covered developers must annually retain independent third parties to verify they follow their stated procedures. Auditors may not share a financial interest with the company and must receive all materials necessary for the audit, including unredacted documents. Within 30 days of the report, the developer publishes a summary and transmits copies to the Illinois Attorney General and the state emergency management agency.
Incidents, whistleblowers and penalties
The law introduces mandatory reporting of critical safety incidents within 72 hours. When an incident threatens death or serious injury, the window shrinks to 24 hours. It also protects whistleblowers and bars contracts that would penalize employees for disclosing dangers. Enforcement rests solely with the state Attorney General — there is no private right of action. Civil penalties reach 1 million USD for a first violation and 3 million USD for each subsequent one.
Against the state patchwork
Illinois is not the first state to reach for AI regulation. California (SB 53) and New York (the RAISE Act) already require frontier developers to create and update plans addressing severe risks. Neither state, however, had a clear mechanism to verify that a company actually follows its own frameworks. The Illinois audit fills that gap.
Colorado stands as a cautionary case. It went furthest by passing SB 24-205 in 2024, targeting "algorithmic discrimination," but under political pressure and a lawsuit from xAI it repealed the measure before it took effect. In its place it adopted a scaled-down version, SB 26-189, set to take effect on January 1, 2027. Federal pressure looms too. Executive Order 14365 of December 2025 called the state "patchwork" a barrier to innovation and directed agencies toward preempting it.
| State | Law | Approach |
|---|---|---|
| Illinois | SB 315 | Independent annual safety audits (from 2028) |
| California | SB 53 | Plans for severe risks, no verification mechanism |
| New York | RAISE Act | Plans for severe risks, no verification mechanism |
| Colorado | SB 24-205 → SB 26-189 | Original law repealed, scaled-down version from 2027 |
Industry reaction is split. OpenAI and Anthropic publicly backed the bill, seeing consistent state standards as a way to order the market amid the absence of federal law. Some trade groups oppose it, including CCIA and TechNet, which warn the state is mandating audits before the needed infrastructure, standards and auditors exist.
Why it matters
SB 315 shifts the center of gravity in America's AI debate. Until now the largest developers operated on voluntary commitments they defined and judged themselves. The independent audit requirement introduces external scrutiny of those claims for the first time — and does so in a way that is politically hard to attack, because it concerns risks such as instructions for building weapons of mass destruction.
Strategy matters here too. The bill's authors openly admit they would prefer a federal solution, but with Congress inactive they treat state law as a spur. If federal rules never emerge, SB 315 could become a de facto national baseline. If they do, an "equivalence" clause built into the law lets companies meeting federal standards avoid double compliance. In either scenario, Illinois sets a direction other states may follow.
What's next
- Core requirements — safety frameworks and annual audits — take effect on January 1, 2028, giving companies and the audit market time to prepare
- Akerman's analysts expect constitutional challenges (including on free-speech and Commerce Clause grounds), but courts are unlikely to engage them before the second half of 2027
- Colorado's competing model, SB 26-189, takes effect on January 1, 2027 — a test for the entire state approach
Sources
- JD Supra — Illinois SB 315: A State Strategy for Enduring National AI Safety Standards
- Government Technology — Illinois Governor Signs Bipartisan AI Oversight Bill Into Law
- Wired — Illinois Lawmakers Just Passed America's Strongest AI Safety Bill
- NBC News — Illinois Legislature passes historic AI bill that would require third-party safety audits





