Illinois SB 315 AI Safety Measures Act: Audit Mandate | TLY

AI Regulation Tracker  /  New law

Illinois Becomes First State to Mandate Independent Third-Party Safety Audits of Frontier AI Developers

Regulatory summary: The Artificial Intelligence Safety Measures Act, enacted as Illinois Public Act 104-0538 (Senate Bill 315) and signed by Governor JB Pritzker on July 6, 2026, is a binding state law that regulates large frontier AI developers, meaning companies training very-high-compute models that also generate more than $500 million in annual.

Governor JB Pritzker signed Senate Bill 315, the Artificial Intelligence Safety Measures Act, on July 6, 2026. The law requires the largest frontier AI developers to publish catastrophic-risk frameworks, file transparency reports, report safety incidents within 72 hours, and submit to annual conflict-free third-party audits. It takes effect January 1, 2027, with the framework and audit duties phasing in January 1, 2028.

Primary source

Illinois Becomes First State to Mandate Independent Third-Party Safety Audits of Frontier AI Developers regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • Illinois moved from having no frontier-AI safety statute to enacting the first US state law that requires independent third-party safety audits of covered AI developers. Covered developers must publish and annually update a catastrophic-risk framework, file transparency reports before deployment, report critical safety incidents to state authorities within 72 hours, and submit to annual audits by conflict-free experts. The law also protects employees who raise safety concerns and requires confidential internal reporting channels.
  • Frontier AI developers above the compute and revenue thresholds; enterprise AI governance and compliance officers who rely on developer disclosures; in-house counsel and general counsel advising on AI procurement and liability; executives and boards procuring or deploying frontier models; and the independent audit and assurance firms that will conduct the new third-party safety reviews.
  • Status: Signed into law July 6, 2026 as Public Act 104-0538.
  • If you are a covered developer, inventory your frontier models against the compute and revenue thresholds, draft the catastrophic-risk framework, define the 72-hour incident-reporting path, and select a conflict-free third-party auditor before the January 1, 2028 phase-in. If you procure frontier models, add these disclosures to your vendor questionnaires now.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09United States (Illinois)Illinois moved from having no frontier-AI safety statute to enacting the first US state law that requires independent third-party safety audits of covered AI developers. Covered developers must publish and annually update a catastrophic-risk framework, file transparency reports before deployment, report critical safety incidents to state authorities within 72 hours, and submit to annual audits by conflict-free experts. The law also protects employees who raise safety concerns and requires confidential internal reporting channels.Frontier AI developers above the compute and revenue thresholds; enterprise AI governance and compliance officers who rely on developer disclosures; in-house counsel and general counsel advising on AI procurement and liability; executives and boards procuring or deploying frontier models; and the independent audit and assurance firms that will conduct the new third-party safety reviews.Signed into law July 6, 2026 as Public Act 104-0538. In force January 1, 2027, with the catastrophic-risk framework and third-party audit obligations phasing in January 1, 2028.

Frequently Asked Questions

Is the Illinois AI Safety Measures Act in force now?

It is enacted law. Governor Pritzker signed Senate Bill 315 on July 6, 2026, and it became Public Act 104-0538. The Act takes effect January 1, 2027, and the catastrophic-risk framework and annual audit duties phase in January 1, 2028.

Which companies does it regulate?

Large frontier developers, meaning companies that train very-high-compute frontier models and also generate more than $500 million in annual revenue. Smaller labs and ordinary enterprise deployers are not the directly regulated parties.

What is the third-party audit requirement?

Covered developers must undergo an annual independent safety audit conducted by experts without financial conflicts of interest. It is the first such state-law mandate in the United States and phases in on January 1, 2028.

How fast do developers have to report a safety incident?

Reporting indicates covered developers must notify the relevant Illinois state authorities, including the emergency management agency and the Attorney General, within 72 hours of a critical safety incident.

What are the penalties, and can individuals sue?

The Attorney General enforces the Act with civil penalties reported at up to $1 million for a first violation and up to $3 million for repeat violations. The Act creates no private right of action, so there is no individual lawsuit path.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.