Illinois Governor JB Pritzker signed the Artificial Intelligence Safety Measures Act (SB 315) on July 6, 2026, making Illinois the first state to require annual independent third-party audits of frontier AI developers. The law takes effect January 1, 2027, with the framework, audit and incident-reporting obligations phasing in by January 1, 2028 — the compliance deadline the industry is actually racing against. Governor Pritzker's office called it the country's first law mandating independent audits of frontier systems.
What the law actually requires
SB 315 covers "large frontier developers": companies with annual gross revenue above $500 million that train models using more than 10^26 floating-point operations — a threshold that reaches OpenAI, Anthropic, Google, Meta and xAI, according to a Crowell & Moring client alert. Covered developers must publish and annually update a catastrophic-risk framework, submit to yearly audits by conflict-free third parties, publish audit summaries within 30 days, and report critical safety incidents within 72 hours (24 hours if there is imminent risk of death) to the Illinois Emergency Management Agency and the Attorney General. Violations carry civil penalties up to $3 million, enforced exclusively by the Attorney General — there is no private right of action.
Illinois did not write this from scratch. It is the third state in fourteen months to regulate frontier AI directly, following California's Transparency in Frontier Artificial Intelligence Act (SB 53), which Governor Newsom signed on September 29, 2025, and New York's RAISE Act, which Governor Hochul signed on December 19, 2025. Lawmakers estimate the three states together account for roughly 40% of the U.S. AI market — enough, as Capitol News Illinois notes, to function as a de facto national standard in the continued absence of federal legislation.
The case for it
The strongest argument for SB 315 is that frontier models are, by the industry's own admission, being built toward capabilities their developers cannot yet fully evaluate — and the harms under discussion (bioweapon uplift, large-scale cyberattack automation, loss of control) are not the kind you get to learn from after the fact. Voluntary safety commitments have no enforcement teeth and no public verification; an independent audit regime, modeled on financial-sector precedent, at least creates a paper trail regulators and researchers can inspect. Notably, OpenAI and Anthropic backed the bill rather than opposing it, suggesting the largest labs see a legible state-level standard as preferable to a patchwork of unpredictable ones — or to nothing at all. Whistleblower protections and a 72-hour incident-reporting clock also address a real information asymmetry: right now, the public learns about frontier-model failures only when a developer chooses to disclose them.
Where it overreaches
The law's central defect is that it hangs a $3 million penalty on an audit requirement for which no audit exists. NetChoice's testimony against the bill made this concretely: there are "no broadly recognized certification standards, no licensing structures and no established oversight mechanisms" for evaluating frontier-model catastrophic risk, and the bill leans on undefined terms like "unreasonable catastrophic risk" and "meaningful human oversight" that neither companies nor auditors can operationalize. That is a fair criticism independent of one's view on AI risk: a mandate is only as good as the profession available to execute it, and frontier-AI safety auditing is not yet a profession with agreed methods, in the way financial or cybersecurity auditing is.
The smaller-company effect compounds this. A $500 million revenue floor is meant to exempt startups, but it does nothing for a mid-sized lab that crosses the compute threshold before it crosses the revenue one, or for any company forced to build compliance infrastructure around standards regulators haven't written yet. NetChoice's warning that frontier development could simply relocate to states without these requirements is speculative, but not unreasonable given how mobile cloud-based model training is.
The preemption collision ahead
SB 315 also lands squarely in the path of a federal collision. On December 11, 2025, the White House issued an executive order — "Ensuring a National Policy Framework for Artificial Intelligence" — creating a DOJ task force to challenge state AI laws in federal court as unconstitutional burdens on interstate commerce. The order carves out state laws on child safety, compute infrastructure and government AI procurement from preemption, but catastrophic-risk audit mandates like Illinois's fall into none of those categories, leaving SB 315 exposed to exactly the litigation the order contemplates.
Congress, not the executive branch and not three state capitols, is the right body to set a single frontier-AI safety standard — one that pairs mandatory incident disclosure and whistleblower protection (genuinely low-cost, high-value transparency measures) with an audit requirement that follows an established methodology rather than preceding one. Until that happens, Illinois has created a real compliance deadline for an audit regime nobody yet knows how to perform.