By ByteBot
The Illinois House voted 110-0 on May 27 to pass SB315, making Illinois the first US state to require mandatory annual third-party audits of the most powerful AI models. Governor Pritzker has said he’ll sign it. The law takes effect January 1, 2028 — and here’s the detail that changes the conversation: OpenAI and Anthropic both supported it.
Every state AI law until now has required frontier labs to publish safety frameworks. Illinois requires them to prove those frameworks are real. That’s a meaningful upgrade from California and New York, which only require documentation.
What SB315 Actually Requires
The law creates what it calls the Artificial Intelligence Safety Measures Act, imposing four primary obligations on covered companies beginning January 1, 2028:
- Frontier AI Framework: Create, publish, and annually update a comprehensive safety plan covering catastrophic-risk assessment, governance, cybersecurity, and third-party evaluations.
- Annual Third-Party Audits: Companies must retain independent auditors every year. Auditors independently validate threat modeling, run sampling-based checks on control effectiveness, and use recognized red-team experts to test model capabilities.
- 72-Hour Incident Reporting: Critical safety incidents must be reported to state officials within 72 hours of discovery — not after legal review, not after PR sign-off.
- Whistleblower Protections: Employees who report safety violations are protected from retaliation.
Non-compliance carries civil penalties up to $3 million per violation, enforced by the Illinois Attorney General. There is no private right of action — citizens cannot sue AI companies directly under this law.
Who This Covers (and Who It Doesnt)
SB315 uses dual thresholds. A company must meet both to be covered:
- Revenue: $500 million or more annually
- Compute: Models trained using more than 1026 floating-point operations — the same threshold used in California’s SB 53 and New York’s RAISE Act
That covers the companies that matter at this scale: OpenAI, Anthropic, Google DeepMind, Meta, Microsoft, and xAI. It does not cover startups, most mid-size AI companies, open-source developers, or university researchers.
If you’re building applications on top of frontier models through an API — Claude, GPT-4o, Gemini — there is essentially no compliance burden on you. The obligations fall entirely on the model developers. SB315 is a frontier lab problem, not a developer problem.
Why OpenAI and Anthropic Backed This
Both companies publicly supported SB315 throughout the legislative process. Anthropic’s head of US state and local government relations stated: “As these models grow more powerful, this kind of enforceable accountability matters more than ever.” OpenAI echoed the sentiment: “Clear expectations around safety, transparency, incident reporting, and accountability matter.”
The strategic logic isn’t hard to see. Both companies already maintain internal safety frameworks — documented safety plans, red-team evaluations, incident response procedures. Turning those existing practices into legal requirements costs them relatively little. But it raises significant barriers for any future competitor building a frontier model without an established safety infrastructure. This could be read as genuine safety commitment. It can also be read as regulatory capture. Probably it’s both.
Illinois in the Bigger Picture
Illinois is the third state in a pattern that looks increasingly like a de facto national standard. According to the Capitol News Illinois report on the bill’s passage:
- California SB 53 (effective January 1, 2026): Safety frameworks and incident reporting
- New York RAISE Act (effective March 2026): Largely aligned with California
- Illinois SB315 (effective January 1, 2028): Adds mandatory third-party verification
All three use the same 1026 FLOPs compute threshold. That’s not a coincidence — it reflects a coordinated policy strategy. The question is no longer whether a national AI safety framework is coming; it’s whether Congress acts before states force a patchwork that becomes effectively national by default.
Opposition from groups like TechNet and NetChoice raises a legitimate concern: auditors will need to make judgment calls about “catastrophic risk” without agreed-upon national standards or certification processes. That ambiguity is real and will create compliance headaches. But the alternative — frontier labs self-certifying their own safety — hasn’t been particularly convincing either. The full bill text is available on the Illinois General Assembly site for those who want to read the specific language.
What Developers Need to Do Right Now
For most developers: nothing. You’re not covered.
For teams at frontier labs or companies approaching the $500M revenue threshold, the 2028 effective date provides roughly 18 months of runway once the law is signed. That’s sufficient time to audit existing safety documentation, identify framework gaps, and begin evaluating third-party audit firms. It is not enough time to build a safety program from scratch — which is precisely the point.
