Illinois Governor JB Pritzker signed the Artificial Intelligence Safety Measures Act (SB 315) into law on July 6, 2026, and it changes the compliance landscape for every company building large AI systems. The new law introduces a first-in-the-nation requirement for annual independent third-party audits of frontier AI models. But the bigger story is structural: Illinois is the third major state, alongside California and New York, to pass AI safety legislation with overlapping requirements. Together, the three states account for roughly 40 percent of the entire US AI market. For founders, this is not one state's regulation - it is the closest thing to a national standard the United States has right now.
Congress has not passed comprehensive AI legislation. The EU has its AI Act phasing in. China has its own regulatory framework. The United States has a three-state patchwork that, by the numbers, governs nearly half of all AI economic activity nationwide. If you sell an AI product into the US market, you now have to comply with Illinois SB 315, California SB-53, and New York's Responsible AI Safety and Education Act - or be locked out of 40 percent of your addressable market.
The Core Requirements of SB 315
The Illinois law targets the largest AI systems - those generating more than $500 million in annual revenue and trained on massive computing power. It does not apply to every AI startup. But for frontier labs like OpenAI, Anthropic, Google DeepMind, and Meta, and for any company whose AI operations cross that revenue threshold, the requirements are substantial.
First, developers must publish an AI safety framework that outlines how they identify and assess catastrophic risk. The law defines catastrophic risk as the likelihood of incidents that could cause death or serious injury to more than 50 people, or more than $1 million in property damage. The framework must cover whether the model could assist in creating chemical, biological, or nuclear weapons, or enable cyberattacks at scale.
Second, developers must report any covered incident to the state within 72 hours of identification. If the incident poses an imminent risk of death or serious physical injury, the reporting window shrinks to 24 hours. This is a significant operational requirement - it means companies need incident detection and escalation systems that can classify harms and file state reports faster than most current processes allow.
Third, the law requires transparency reports covering safety testing methodology, training data governance, and risk mitigation measures. These reports must be updated annually and must be independently verified by a third-party auditor.
The Audit Requirement That Changes Everything
Illinois' first-in-the-nation annual third-party audit requirement is the most significant new provision that does not exist in California or New York. New York's version required only a single independent audit at the time a developer crossed the threshold. Illinois requires ongoing annual audits, which creates a recurring compliance cost that scales with the number of models in production.
This provision was the most contested during the bill's legislative journey. TechNet, a coalition of tech executives, argued in committee testimony on May 20 that the law would require private actors to make highly subjective determinations about AI safety compliance without established national standards, certifications, or clear regulatory guardrails. The industry group warned that the audit requirement could create inconsistent evaluations across auditors, since no federal standards yet define what constitutes an adequate safety audit.
Despite industry pushback, the bill passed with broad bipartisan support. Only five Republican senators voted against it, and it passed unanimously in the House. Both OpenAI and Anthropic supported the legislation. OpenAI's Caitlin Niedermeyer told an Illinois Senate committee in April that the company strongly saw a role for states like Illinois, California, and New York to lead in advancing aligned frameworks that could create a de facto national direction of travel.
Anthropic had representatives present at the bill signing. The company's Mythos model, which Anthropic itself deemed too dangerous as a cyberweapon to release publicly, was cited during the signing ceremony as evidence that these risks are not theoretical.
Penalties, Enforcement, and Timeline
Companies that violate SB 315 face civil penalties brought by the Illinois Attorney General's office. First offenses carry fines of up to $1 million. Subsequent violations rise to $3 million per infraction. For companies operating at the $500 million+ revenue threshold, these penalties are meaningful but not existential - the real cost is the compliance infrastructure needed to avoid violations in the first place.
The law takes effect on January 1, 2028, giving frontier labs roughly 18 months to build the auditing, reporting, and incident response systems required for compliance. That timeline is tight. Setting up an annual third-party audit program for frontier AI models is not something most companies have done before. The pool of qualified AI safety auditors is small, and demand from three states simultaneously will strain capacity.
Lawmakers and advocates have already signaled that this is only the first step. House sponsor Rep. Daniel Didech identified medical care and education as likely frontiers needing further AI regulation. Scott Wisor of Secure AI, who helped shape the bill, said the next logical step is external evaluation that goes beyond framework compliance to substantive risk judgment - measuring whether a model is actually safe, not just whether the developer followed its own safety checklist.
What Founders Need to Do
For AI founders building for the US market, the Illinois law creates three immediate action items. First, determine whether your company will cross the $500 million revenue threshold within the next two years. If you are on a growth trajectory toward that number, you should begin compliance planning now rather than retrofitting systems in 2028. Second, audit your current safety documentation against the Illinois framework requirements. You need a published catastrophic risk assessment, training data governance documentation, and an incident response playbook that meets the 72-hour and 24-hour reporting windows. Third, start identifying third-party auditing partners. The audit requirement takes effect January 1, 2028, and the supply of qualified auditors will not expand overnight.
For international founders, especially from India, the three-state standard is effectively the US regulatory baseline. Architect your compliance systems to meet the most stringent requirements across California, New York, and Illinois. If you meet all three, you meet the de facto national standard - and you are ready for whatever federal legislation eventually arrives.




