Illinois Becomes First US State to Mandate Annual Safety Audits of Frontier AI

Illinois lawmakers have passed the most demanding AI safety law in the United States, unanimously approving legislation that would force the world’s most powerful AI companies to open their safety protocols to independent annual audits. The Artificial Intelligence Safety Measures Act—Senate Bill 315—cleared the Illinois House 110-0 on May 27, 2026, after the Senate had passed it 52-5 earlier in the session. Governor J.B. Pritzker has publicly stated his intention to sign the bill.

If enacted, SB 315 will take effect on January 1, 2027, with audit and transparency reporting requirements activating on January 1, 2028—giving covered companies roughly 18 months to build compliance programs. The law would directly affect OpenAI, Anthropic, Google, Meta, and a handful of other frontier AI developers.

A First for AI Regulation

Every major AI safety law passed at the state level so far has been built around disclosure: require companies to document their models’ risks, make those documents public, and trust the industry to police itself. Illinois SB 315 breaks that pattern. It mandates annual, independent, third-party audits of covered companies’ safety protocols—the first legally binding audit requirement for frontier AI anywhere in the United States.

“Artificial intelligence can be a powerful tool for good, but currently guardrails are minimal,” said Sen. Mary Edly-Allen, the bill’s lead sponsor in the Illinois Senate. “We are not regulating AI itself. We are requiring that the companies building the most powerful AI systems prove that they are managing the risks they create.”

The audit requirement is deliberately specific. Covered developers must grant auditors meaningful access to internal safety documentation, risk assessments, incident records, and the results of any internal red-teaming exercises. Auditors must publish their findings publicly, and companies cannot select auditors with financial relationships that could compromise independence.

Who It Covers and What It Requires

The bill applies to AI developers meeting two criteria: annual gross revenues exceeding $500 million, and training or deploying frontier-scale models defined by a compute threshold tied to the current FLOP standard used in the EU AI Act. That scope effectively captures the same companies already navigating EU rules—OpenAI’s ChatGPT and Anthropic’s Claude are named explicitly in the bill’s preamble as examples of covered systems—while leaving smaller startups and academic researchers untouched.

The full set of obligations for covered companies includes:

Safety planning and disclosure. Companies must create, publish, and annually update comprehensive plans describing how they identify and manage catastrophic risks from their models. These plans must address scenarios including large-scale disinformation, critical infrastructure disruption, and biological or chemical weapon development assistance.

Pre-deployment transparency. Before releasing a new frontier model or a substantially modified version of an existing one, companies must publish a transparency report detailing the safety evaluations performed and the residual risks identified.

Third-party audits. The annual audit cycle covers the safety planning documents, the pre-deployment reviews, and any changes made in response to audit findings from the prior year. Audit reports are public.

Incident reporting. Companies must report critical safety incidents—defined as real-world cases where a covered system contributed to significant harm or near-miss events—to the Illinois Emergency Management Agency and Office of Homeland Security within 72 hours of the company’s own identification of the incident.

Whistleblower protections. Employees of covered companies who report safety concerns to regulators, auditors, or the press receive explicit legal protections against retaliation.

A State Law With National Reach

Illinois joins California and New York as the third state to establish obligations for frontier model developers, but SB 315 is the most stringent of the three. California’s SB 1047 (enacted in October 2024 after a prolonged battle with the Governor’s office) requires safety plans and incident reporting but stopped short of mandatory external audits. New York’s recently passed transparency legislation focuses on disclosure rather than audit. Illinois is going further.

The law’s practical reach extends well beyond Illinois borders. No frontier AI developer maintains separate US deployments for each state—ChatGPT serves Illinois users from the same infrastructure it serves California users. If Pritzker signs SB 315, covered companies will almost certainly comply nationally rather than maintain Illinois-specific audit programs in parallel with different standards elsewhere.

That national spillover dynamic is part of the law’s strategic logic, according to legislative staffers who spoke to reporters after the vote. Illinois lawmakers are explicitly aware that they are setting a floor, not a ceiling—and counting on other states to match or exceed it.

Industry Response: Measured, Not Panicked

The sweeping bipartisan margins—110-0 in the House, 52-5 in the Senate—are notable. Earlier AI regulation battles in California, Colorado, and Texas produced contentious floor votes and aggressive industry lobbying campaigns. Illinois’s relative consensus reflects a shift in the political environment: after a year of high-profile AI incidents including misinformation campaigns in three national elections, hospital diagnostic errors, and a widely publicized financial fraud enabled by a deepfake voice call, the default political assumption has moved from “regulate carefully” toward “regulate now.”

Major AI companies have not publicly opposed the bill, though industry associations including the Chamber of Progress and TechNet submitted written testimony calling for a federal preemption carve-out and expressing concern about the audit access provisions’ scope. OpenAI and Anthropic both declined to comment on the record before passage.

Smaller AI developers outside the $500 million revenue threshold have largely cheered the bill’s scoping. Several venture-backed companies issued statements calling SB 315 “good for competition” on the grounds that mandatory safety audits create a compliance burden that larger incumbents are better positioned to absorb—a dynamic critics describe as regulatory capture by another name.

The Federal Vacuum and the State Race

SB 315 moves into a federal environment where AI oversight remains fragmented. The Trump administration’s AI Executive Order, signed in June 2026, replaced the Biden-era mandatory safety reporting framework with a voluntary program. The Great American AI Act, currently working through Congress, would preempt state AI laws—a provision that has united Silicon Valley lobbyists and civil-rights organizations in opposition for opposite reasons.

Until federal preemption is resolved, states are functioning as the de facto AI regulators. California has 30 additional AI bills in secondary chamber review. Colorado, which became the first state to enact comprehensive frontier AI legislation in 2024, is already debating amendments to tighten its requirements in response to SB 315’s precedent. The EU AI Act’s mandatory audit requirements for high-risk systems officially enter enforcement in August 2026—a timeline that has pressured US companies to build audit-readiness functions for global compliance regardless of what Illinois does.

For frontier AI developers, the message from the state-level regulatory environment is increasingly clear: the era of self-attestation is ending. Annual third-party audits are coming—the only remaining question is whether they arrive through a patchwork of 50 different state regimes or a single federal standard.