A 110-0 vote in the Illinois House of Representatives on 27 May 2026 sent Senate Bill 315 to Governor J.B. Pritzker's desk, making Illinois the first US state to require annual independent third-party safety audits of large frontier AI developers. That claim needs a qualifier: Illinois is the third state to enact frontier model standards of any kind, following California's SB 53 and New York's RAISE Act. What it does first — and what those earlier laws do not — is require covered companies to submit to an external auditor each year. That distinction mattered enough to draw a bipartisan supermajority and to divide the industry.
What the Law Actually Requires
SB 315, the Artificial Intelligence Safety Measures Act, targets a deliberately narrow slice of the industry: companies with more than US$500 million in annual gross revenue that train or deploy frontier-scale models. That threshold captures a small cohort — among them OpenAI, Anthropic, and Google — while leaving smaller developers untouched.
Covered companies must do four things. First, they must create, publish, and update annually a frontier AI safety framework addressing catastrophic-risk assessment, cybersecurity, internal governance, and red-team evaluations. Second, they must publish transparency reports before deploying any new or substantially modified frontier model. Third — and this is the provision with no precedent in American law — they must retain an independent third-party auditor each year to verify those safety practices, with results made public. Fourth, according to Capitol News Illinois and corroborated by multiple news outlets, covered companies must report critical safety incidents to state authorities within 72 hours of having sufficient reason to believe one has occurred; an accelerated 24-hour window applies where incidents pose imminent risk of death or serious harm. Whistleblower protections cover employees who raise safety concerns internally or to regulators.
The Illinois Attorney General holds exclusive enforcement authority. Civil penalties reach up to US$3 million per violation. There is no private right of action — citizens cannot sue directly.
A Tri-State Compliance Map Is Taking Shape
Illinois is the third state to enact frontier model standards, following California's SB 53 and New York's RAISE Act. Both earlier laws set transparency and risk-assessment obligations, but neither required companies to submit to an external auditor. That gap is what SB 315 closes. Compliance teams at affected companies now face a tri-state framework — California, New York, Illinois — that, taken together, functions as a de facto national benchmark in the absence of federal legislation.
The law takes effect on 1 January 2028, giving covered companies roughly 18 months to establish audit programmes, appoint third-party auditors, and build the internal documentation trails those auditors will need. That timeline is tight for organisations that have never operated under mandatory external safety review.
Rare Bipartisan Consensus — and a Divided Industry
The voting record is striking. The House passed the bill 110-0; the Senate, 52-5 on 21 May 2026. In a US legislature that struggles to agree on much, those margins signal something: AI safety has found a political formula that works across the aisle.
Industry was less unified. OpenAI and Anthropic publicly supported the bill. Anthropic's head of state and local government relations, Cesar Fernandez, said: "As these models grow more powerful, this kind of enforceable accountability matters more than ever." The trade coalition TechNet, which counts other AI developers among its members, opposed the bill, citing concerns about subjective determinations made without established national standards.
That split is instructive. The companies most directly regulated supported the law; the opposition came from a broader coalition that includes developers who do not yet meet the threshold but may in future.
What Changes for Frontier Labs
The audit mandate is the sharpest edge of this legislation. Safety frameworks and transparency reports are self-certifications; an independent auditor is not. Labs will need to open their evaluation methodologies, red-team findings, and governance structures to outside scrutiny — and keep records sufficient to support that scrutiny annually. For companies whose safety work has been largely internal, this is a structural change, not a paperwork exercise.
The incident reporting requirement adds operational pressure. Companies must have clear internal definitions of what constitutes a "critical safety incident," escalation processes that reach a decision-maker within hours, and a legal team ready to notify Illinois authorities, possibly before the full picture of an incident is clear.
Governor Pritzker has stated he will sign the bill. Once he does, Illinois joins a short list of jurisdictions worldwide — the EU AI Act being the most prominent — that have moved from voluntary AI safety norms to enforceable legal obligations backed by financial penalties.