Legal

Illinois requires AI companies to conduct independent safety audits

4 min read
Signing of the Artificial Intelligence Safety Measures Act on a desk in front of the illuminated dome of the Illinois State Capitol in Springfield Image generated with GPT Image 2
Signing of the Artificial Intelligence Safety Measures Act on a desk in front of the illuminated dome of the Illinois State Capitol in Springfield

TL;DR Too Long; Didn’t read

The U.S. state of Illinois requires leading AI companies to conduct annual external safety audits starting January 1, 2027 – the first state in the U.S. to do so. The new law applies to companies with annual revenues over $500 million and covers models from OpenAI, Anthropic, and Google, among others. Violations can be penalized by the Attorney General with fines of up to three million dollars.

Key takeaways

  • The bill is titled Senate Bill 315 and passed through the legislature with bipartisan support.
  • Affected companies must report critical security incidents to the Attorney General within 72 hours, and within 24 hours in cases of imminent danger to life.
  • A first violation can be penalized with up to one million dollars, repeated violations with up to three million.
  • Senator Mary Edly-Allen initiated the law and calls it a safeguard against a preventable disaster.
  • Anthropic publicly supported the regulation and highlights the combination of transparency obligations and independent audits.
  • California and Utah have enacted their own AI rules, but so far no other state mandates external audits.

Illinois has enacted a law on July 6, 2026, making it the first U.S. state to require large developers of AI systems to undergo independent safety audits. The Artificial Intelligence Safety Measures Act (SB 315) also mandates the reporting of critical safety incidents within 72 hours and provides protections for whistleblowers. Companies with more than $500 million in annual revenue are affected.

Law mandates external audits and reporting obligations

Governor J.B. Pritzker signed the Artificial Intelligence Safety Measures Act on July 6, 2026. The law, introduced as Senate Bill 315, requires large AI developers to undergo annual audits by independent, conflict-free reviewers. According to StateScoop, Illinois is the first state to impose such an audit requirement. The audited companies must publish redacted versions of their reports and submit prior risk assessments regarding potential catastrophic consequences of their models. Critical safety incidents must be reported to the Attorney General’s office and the emergency agency within 72 hours, and within 24 hours if there is an imminent threat to life. The annual safety practice reports must also be submitted to the Illinois Emergency Management Agency and the state’s Office of Homeland Security. Additionally, the law provides for internal reporting channels and protections for whistleblowers who highlight safety deficiencies. Violations can be penalized by the Attorney General with fines of up to one million dollars for the first offense and up to three million dollars for repeated violations. Enforcement is solely the responsibility of the Attorney General’s office; other agencies cannot file their own lawsuits under the law.

Only large models with high annual revenue are affected

The law applies to so-called large frontier model developers whose annual revenue exceeds $500 million and whose AI systems surpass a specified computational power threshold, reports Inside Global Tech. According to the trade publication, companies such as OpenAI, Anthropic, Google, Meta, and xAI are among those potentially affected. In addition to the annual external audits, the law requires companies to conduct quarterly assessments of catastrophic risks and to submit a risk report prior to the release of new models. Thus, the law targets the highest-grossing providers in the frontier model market, while smaller startups and pure research projects are exempt from the requirements. The regulations will take effect on January 1, 2027, and require affected companies to align their existing safety policies with the new reporting obligations by that date. Several law firms specializing in technology law recommend that affected parties begin building their compliance processes early, as the first complete audit cycles must be completed by early 2028. The Attorney General is to present an anonymized aggregate report on all incident reports received to the state legislature by January 1, 2029.

Illinois goes beyond rules of other states

California issued a directive in May 2026 regarding employment consequences of AI systems, and Utah established its own Office of AI Policy as early as 2025. However, according to StateScoop, no other state currently mandates an external audit by independent reviewers. The law was passed with support from both major parties. Senator Mary Edly-Allen, who introduced the bill, stated that the law aims to create safety measures “before an avoidable disaster occurs.” According to her, power must always be accompanied by wisdom, transparency, and accountability. Support also came from the industry: Anthropic expressed agreement and described the combination of transparency requirements and independent audits as unique nationwide. In addition to Anthropic, the organization Secure AI Project and other security researchers publicly supported the bill. The governor’s office described the approach as a national benchmark for dealing with the most powerful AI systems. Governor Pritzker justified the regulation by pointing to the standstill at the federal level: Since the federal government does not want to intervene, the states bear the responsibility of protecting the public from the risks of AI.

It will be crucial whether other states follow suit before the U.S. Congress presents its own nationwide AI law—a project that has been stalled in Congress for months. Until the Attorney General of Illinois presents its first aggregate report on January 1, 2029, it remains unclear how stringent the mandated audits will be in practice and whether the affected corporations will fully disclose their internal risk reports.

Frequently asked questions

Which companies are specifically covered by the law?

Developers with more than 500 million dollars in annual revenue whose models exceed specified computational power thresholds are affected. According to industry media, this includes companies like OpenAI, Anthropic, Google, Meta, and xAI.

When must the required audits actually be completed?

The law itself takes effect on January 1, 2027, but according to several law firms, the first complete audit cycles will not need to be completed until early 2028.

Does Illinois differ from the AI rules of other states?

California and Utah have enacted their own AI regulations, such as regarding employment consequences or a dedicated oversight body. However, only Illinois currently mandates external audits by independent reviewers.

What happens to the results of the audits?

The audited companies must publish redacted versions of their audit reports. The Attorney General will also receive aggregated incident reports for an anonymized report to the state legislature by 2029.

What role does Anthropic play in the law?

Anthropic was among the companies that publicly supported the law and described the combination of transparency obligations and independent audits as unique nationwide.


← Back to the blog