Illinois has enacted a law on July 6, 2026, making it the first U.S. state to require large developers of AI systems to undergo independent safety audits. The Artificial Intelligence Safety Measures Act (SB 315) also mandates the reporting of critical safety incidents within 72 hours and provides protections for whistleblowers. Companies with more than $500 million in annual revenue are affected.
Law mandates external audits and reporting obligations
Governor J.B. Pritzker signed the Artificial Intelligence Safety Measures Act on July 6, 2026. The law, introduced as Senate Bill 315, requires large AI developers to undergo annual audits by independent, conflict-free reviewers. According to StateScoop, Illinois is the first state to impose such an audit requirement. The audited companies must publish redacted versions of their reports and submit prior risk assessments regarding potential catastrophic consequences of their models. Critical safety incidents must be reported to the Attorney General’s office and the emergency agency within 72 hours, and within 24 hours if there is an imminent threat to life. The annual safety practice reports must also be submitted to the Illinois Emergency Management Agency and the state’s Office of Homeland Security. Additionally, the law provides for internal reporting channels and protections for whistleblowers who highlight safety deficiencies. Violations can be penalized by the Attorney General with fines of up to one million dollars for the first offense and up to three million dollars for repeated violations. Enforcement is solely the responsibility of the Attorney General’s office; other agencies cannot file their own lawsuits under the law.
Only large models with high annual revenue are affected
The law applies to so-called large frontier model developers whose annual revenue exceeds $500 million and whose AI systems surpass a specified computational power threshold, reports Inside Global Tech. According to the trade publication, companies such as OpenAI, Anthropic, Google, Meta, and xAI are among those potentially affected. In addition to the annual external audits, the law requires companies to conduct quarterly assessments of catastrophic risks and to submit a risk report prior to the release of new models. Thus, the law targets the highest-grossing providers in the frontier model market, while smaller startups and pure research projects are exempt from the requirements. The regulations will take effect on January 1, 2027, and require affected companies to align their existing safety policies with the new reporting obligations by that date. Several law firms specializing in technology law recommend that affected parties begin building their compliance processes early, as the first complete audit cycles must be completed by early 2028. The Attorney General is to present an anonymized aggregate report on all incident reports received to the state legislature by January 1, 2029.
Illinois goes beyond rules of other states
California issued a directive in May 2026 regarding employment consequences of AI systems, and Utah established its own Office of AI Policy as early as 2025. However, according to StateScoop, no other state currently mandates an external audit by independent reviewers. The law was passed with support from both major parties. Senator Mary Edly-Allen, who introduced the bill, stated that the law aims to create safety measures “before an avoidable disaster occurs.” According to her, power must always be accompanied by wisdom, transparency, and accountability. Support also came from the industry: Anthropic expressed agreement and described the combination of transparency requirements and independent audits as unique nationwide. In addition to Anthropic, the organization Secure AI Project and other security researchers publicly supported the bill. The governor’s office described the approach as a national benchmark for dealing with the most powerful AI systems. Governor Pritzker justified the regulation by pointing to the standstill at the federal level: Since the federal government does not want to intervene, the states bear the responsibility of protecting the public from the risks of AI.
It will be crucial whether other states follow suit before the U.S. Congress presents its own nationwide AI law—a project that has been stalled in Congress for months. Until the Attorney General of Illinois presents its first aggregate report on January 1, 2029, it remains unclear how stringent the mandated audits will be in practice and whether the affected corporations will fully disclose their internal risk reports.


