What SB 315 Actually Requires
Illinois’ Artificial Intelligence Safety Measures Act targets what the bill calls “large frontier developers” — AI companies with annual gross revenues exceeding $500 million whose models are trained above defined compute thresholds. In practice, that scope reaches the handful of companies actually building frontier-scale systems: OpenAI, Anthropic, Google, Meta, and xAI, according to Buchanan Ingersoll & Rooney’s legal analysis of the bill’s compute and revenue thresholds.
The law’s central mechanism is a “catastrophic risk” framework. Covered developers must publish and annually update documentation showing how they identify and mitigate risks that could “materially contribute to the death of, or serious injury to, more than 50 people,” cause $1 million or more in property damage, or provide “expert-level assistance” in creating a chemical, biological, radiological, or nuclear weapon, according to the Chicago Sun-Times’ reporting on the signed text. Developers must also issue transparency reports before deploying new or substantially modified frontier models.
Incident reporting follows a tight clock. Companies must report a “critical safety incident” within 72 hours of learning it occurred, or within 24 hours if the incident poses an imminent risk of death or serious physical injury — a threshold Capitol News Illinois describes as tighter than comparable breach-notification windows in most US data-privacy statutes. The Illinois Emergency Management Agency and the state’s Office of Homeland Security are designated to receive and administer these reports, and the law adds confidential reporting channels and whistleblower protections for employees who flag safety concerns internally.
The provision that sets Illinois apart is the audit mandate. Where New York’s earlier RAISE Act requires a single third-party audit when a developer first qualifies as a “large” model, SB 315 requires large frontier developers to undergo an independent third-party audit every year — a first-in-the-nation recurring requirement, according to Governor Pritzker’s own newsroom announcement. Pritzker called it “a bipartisan, first- and most-protective-in-the-nation law.”
Enforcement runs through the Illinois Attorney General’s office, with civil penalties of $1 million for a first violation and $3 million for subsequent violations. There is no private right of action — only the state can bring an enforcement case. Attorney General Kwame Raoul acknowledged to the Sun-Times that these fines “may be modest for trillion-dollar valued companies,” framing the law instead as “the beginning step” toward a durable state-level accountability regime.
Why a Third State Law Matters More Than a First One
A single state passing an AI safety law is a policy experiment. A third state passing a similar one, with a genuinely new provision (annual audits) layered on top, is a pattern — and patterns are what multinational compliance teams actually have to plan around. Illinois follows New York’s RAISE Act and California’s SB 53 (the Transparency in Frontier AI Act), and according to the Transparency Coalition’s analysis, the three states collectively account for roughly 40% of the US AI market despite representing only about 20% of the national population.
That concentration matters because Congress has not passed — and shows no imminent sign of passing — a federal frontier-AI safety statute. In that vacuum, three large, AI-industry-heavy states are functioning as a de facto national floor: any frontier developer selling into California, New York, or Illinois effectively has to build compliance infrastructure to the strictest of the three, because carving out state-by-state model behavior is operationally impractical for a single deployed system. SB 315 takes effect January 1, 2027, giving covered developers roughly six months from signing to build the catastrophic-risk documentation, incident-reporting pipeline, and audit engagement the law requires.
Advertisement
What Enterprise AI Compliance Teams Should Do
1. Map your frontier-model exposure against the $500 million threshold
Most companies using AI are not “covered developers” under SB 315 — the law targets model builders, not model users. But enterprises that fine-tune, host, or materially modify a frontier model (rather than simply calling a vendor API) should check whether their activity crosses into “developer” territory under the bill’s compute and revenue thresholds. If your legal team hasn’t already mapped which vendor relationships (OpenAI, Anthropic, Google, Meta, xAI) fall under Illinois, California, or New York’s frontier-model definitions, that mapping is now a Q3 2026 priority, not a 2027 one — six months is a short runway for audit engagement and incident-response build-out.
2. Build a 72-hour incident reporting playbook before you need one
A 72-hour clock — 24 hours for imminent-risk cases — does not leave room to improvise an escalation path after an incident occurs. Compliance teams should draft the internal chain now: who classifies an event as a “critical safety incident,” who signs off on the report to the Illinois Emergency Management Agency, and how the whistleblower-protected internal channel routes concerns before they become external incidents. Companies that already run SOC 2 or breach-notification playbooks have the muscle memory; the gap is usually the catastrophic-risk classification step, which is new and specific to this law rather than generic security incident response.
3. Budget for annual audits, not one-time compliance reviews
New York’s RAISE Act asks for one audit at qualification; Illinois asks for one every year, indefinitely. That is a recurring line item, not a project cost — treat it like a SOC 2 Type II renewal cycle rather than a one-off certification. Firms that have not yet identified a qualified third-party AI safety auditor should start vendor selection now, since the audit market for frontier-model catastrophic-risk assessment is new and thin; waiting until Q4 2026 risks a capacity crunch as multiple covered developers seek auditors simultaneously ahead of the January 2027 effective date.
4. Track state divergence — Illinois, California, and New York will not stay identical
The three laws share a family resemblance (frontier scope, catastrophic-risk disclosure, incident reporting) but differ on specifics — audit frequency, penalty structure, and enforcement agency. Compliance teams should not build a single “US AI safety” policy and assume it satisfies all three; they should maintain a jurisdiction matrix that tracks each state’s specific thresholds and deadlines, because a fourth or fifth state law is a near-certainty given the current legislative momentum, and each new entrant is likely to borrow — and modify — provisions from Illinois, California, and New York rather than starting from scratch.
The Regulatory Question
Illinois’ third-state status raises a question that Congress has so far avoided answering: does the country end up with 50 different frontier-AI compliance regimes, or does state-level convergence around a few common provisions (catastrophic-risk disclosure, incident reporting, third-party audits) become the practical national standard by default? The early evidence points toward convergence rather than fragmentation — New York, California, and Illinois all converged on the same three pillars, even as they diverged on audit frequency and penalty amounts. That convergence is good news for compliance planning, but it also raises the stakes of a future federal preemption fight: if Washington eventually does legislate, it will be legislating over three states that have already built enforcement infrastructure, appointed regulators, and set penalty precedents. For now, “the beginning step,” as Illinois’ Attorney General put it, is also functionally the national baseline — not because Congress decided that, but because three large states did.
Frequently Asked Questions
What is the Illinois Artificial Intelligence Safety Measures Act?
It is SB 315, signed into law by Governor JB Pritzker on July 6, 2026, requiring large frontier AI developers — companies with over $500 million in annual revenue and models trained above set compute thresholds — to disclose catastrophic-risk assessments, report critical safety incidents within 72 hours, and undergo annual independent third-party audits. It takes effect January 1, 2027.
How is Illinois’ law different from California’s and New York’s AI safety laws?
Illinois is the third state to pass a frontier-AI safety statute, after New York’s RAISE Act and California’s SB 53 (Transparency in Frontier AI Act). Its distinguishing feature is that it requires an independent third-party audit every year, while New York requires only one audit when a developer first qualifies as “large.” All three states target similar catastrophic-risk disclosure and incident-reporting obligations but differ in audit frequency, penalty amounts, and enforcement agency.
Does the Illinois AI Safety Measures Act affect companies outside the United States?
Not directly — SB 315 only binds developers meeting Illinois’ revenue and compute thresholds, and enforcement runs through the Illinois Attorney General with civil penalties up to $3 million per violation. However, because the covered developers (OpenAI, Anthropic, Google, Meta, xAI) sell their models globally, compliance costs and disclosure practices adopted for Illinois, California, and New York often become the default behavior applied to all customers, including those outside the US.
Sources & Further Reading
- Gov. Pritzker Signs Nation-Leading Artificial Intelligence Safety Law — Illinois Governor’s Newsroom
- Pritzker signs landmark AI regulation bill that aims to mitigate risks — Capitol News Illinois
- AI regulations: Illinois law Pritzker signed — Chicago Sun-Times
- Illinois Gov. Pritzker Signs Landmark AI Safety Measures Act Into Law — Transparency Coalition
- Illinois SB 315: Pioneering AI Safety Regulations and the Future of Responsible AI Governance — Buchanan Ingersoll & Rooney














