On the morning of July 6, 2026, JB Pritzker stood in his West Loop office in Chicago and signed a bill that could someday cost the AI industry millions of dollars.
In the room were the two state lawmakers who wrote it, a cluster of AI safety advocates who spent a year pushing it through Springfield, and representatives from Anthropic, one of the companies the new law now regulates.
Illinois Senate Bill 315, the Artificial Intelligence Safety Measures Act, does something no other state has done. It requires the companies building the world's most powerful AI models to open their books, every year, to an outside auditor who reports to the state, not to the company paying the bill.
The signing capped a fast run from the Illinois House's unanimous vote in late May to Pritzker's signature four days ago. Signing day is when the law stopped being a proposal and became a deadline. Companies that generate more than $500 million a year and train models on enormous amounts of computing power now have a compliance clock running, with real dollar penalties attached if they miss it.
The law makes Illinois the third state, after California and New York, to pass a frontier AI safety statute in the past ten months. It is the first of the three to require a genuine third-party audit of compliance, not just a company's own account of its safety work. State Sen. Mary Edly-Allen, the bill's chief Senate sponsor, put a number on the combined reach: once Illinois' law fully phases in, she said, the three states together will cover roughly 40% of the US AI market, large enough a share that it starts to function as a national policy even though Congress has passed nothing.
What Companies Must Actually Do
The law applies to what it calls "large frontier developers," a narrow category by design. A company qualifies only if it trains AI models using more than 10^26 floating-point operations of computing power, roughly the scale of today's most capable systems, and if it and its affiliates bring in more than $500 million in annual revenue. That combination is built to catch a small list of companies, OpenAI and Anthropic among them, while leaving startups and smaller labs alone.
Once a company clears both bars, it has to write a public "frontier AI framework," a document posted on its own website explaining how it identifies and manages what the law calls "catastrophic risk."
The bill defines catastrophic risk narrowly: a foreseeable risk that a model materially contributes to the death or serious injury of more than 50 people, or more than $1 billion in property damage, through one of three scenarios:
- Providing expert-level help creating or releasing a chemical, biological, radiological, or nuclear weapon
- Acting on its own, without meaningful human oversight, in a way that would count as a cyberattack or a serious crime if a person did it
- Evading the control of the company or user operating it
Some coverage of the bill has repeated a $1 million figure for that property-damage threshold. The enrolled bill text, obtained from the Illinois General Assembly, is explicit that the real number is one billion dollars, a full three orders of magnitude higher.
Beyond the framework, developers have to report "critical safety incidents," things like a model's weights being stolen or a model evading its own guardrails in a way that increases catastrophic risk, to the state within 72 hours of learning about them. If the incident poses an immediate risk of death or serious injury, that window shrinks to 24 hours.
The law also protects the people most likely to notice a problem first. Large frontier developers must maintain an anonymous internal channel for workers who believe, in good faith, that their employer's activities endanger public safety, and they cannot retaliate against employees who report concerns to the Illinois Attorney General or federal authorities. Covered employees can also use the Attorney General's Workplace Rights Hotline directly.
The Audit Clause Nobody Else Has
California and New York both passed frontier AI laws before Illinois did: California's Transparency in Frontier Artificial Intelligence Act in September 2025, and New York's RAISE Act, signed that December and amended the following March to align more closely with California's approach. Both require large developers to publish a safety framework similar to Illinois', and both require companies to describe, inside that framework, how they use outside experts to help assess their own risks.
Neither requires an independent audit of whether a company is actually following the framework it published. Illinois does.
Under Section 10 of SB 315, large frontier developers must hire an outside auditor every year, one with no financial relationship to the company and who cannot be paid based on the results produced. The auditor gets access to internal safety materials and must certify, in a signed report, whether the developer is substantially complying with the law. A summary of the findings goes public. An unredacted copy goes to the Illinois Emergency Management Agency and the Attorney General, and the company has to retain its own copy for as long as the model stays in use, plus five years.
"SB 315 is the strongest AI safety law in the country," said Sunny Gandhi, co-executive director of Encode AI, an advocacy group that worked on the bill. "It builds on the frameworks California and New York have already passed and goes one step further by requiring independent audits, so the public doesn't have to take AI companies at their word."
| Provision | Illinois (SB 315) | California (SB 53) | New York (RAISE Act) |
|---|---|---|---|
| Signed into law | July 6, 2026 | September 2025 | Dec. 19, 2025 (amended Mar. 27, 2026) |
| Revenue threshold | Over $500 million | Over $500 million | Over $500 million |
| Compute threshold | Over 10^26 FLOP | Over 10^26 FLOP | Over 10^26 FLOP |
| Independent compliance audit | Required annually | Not required | Not required |
| Whistleblower protections | Yes | Yes | No |
| First-violation penalty | Up to $1 million | Up to $1 million | Up to $1 million |
| Repeat-violation penalty | Up to $3 million | Capped at $1 million | Up to $3 million |
| Substantive requirements take effect | Jan. 1, 2028 | Jan. 1, 2026 | Jan. 1, 2027 |
That gap between verification and self-report is the reason advocacy groups pushed so hard for the audit requirement. It is also the reason the provision became the most contested part of the bill.
The Compliance Clock Is Now Running
Illinois built the law with two different start dates, and conflating them is an easy mistake to make.
Beginning January 1, 2027, any large frontier developer operating in Illinois has to file a basic disclosure statement with the state: who they are, where their offices are, who owns more than 5% of the company. That part is paperwork, not substance.
The substance arrives a year later. Beginning January 1, 2028, large frontier developers have to actually publish their catastrophic-risk framework, submit to the annual audit, and comply with everything the framework promises. That is the date that matters for the law's teeth.
Violating the substantive requirements, failing to publish the framework, lying about compliance, skipping the audit, or failing to report a critical safety incident, carries a civil penalty of up to $1 million for a first offense.
Subsequent violations can run up to $3 million each. The Illinois Attorney General's office brings the case, and the law explicitly creates no private right of action, meaning an individual harmed by an AI system cannot sue a developer directly under this statute.
Even Illinois' own top law enforcement officer is not fully convinced the number is big enough. Kwame Raoul, the Illinois Attorney General, acknowledged at the signing that "one could argue $3 million is perhaps not enough" to deter companies approaching trillion-dollar valuations. "But this is the beginning step," he said, noting his office has other tools, including the state's Consumer Protection and Deceptive Practices Act, "that can add to our enforcement ability."
Why the Companies Being Regulated Helped Write It
Unlike a lot of state tech fights, this one did not pit the industry against the government. OpenAI and Anthropic both backed SB 315 as it moved through the legislature, and Anthropic representatives stood behind Pritzker at the signing.
Cesar Fernandez, Anthropic's head of U.S. state and local government relations, said the company was "proud to have been the first AI lab to support this bill." In a separate statement reported by the Chicago Tribune, Anthropic described the law as something that takes the safety practices leading labs already follow voluntarily and turns them into "a baseline that every leading AI developer is expected to meet."
That is a notable thing for a regulated company to say about the law regulating it: that compliance mostly means continuing to do what it already claims to do. It also fits a pattern playing out across the industry. Anthropic has spent two years marketing itself as the lab most willing to slow down and ask hard questions, a positioning that has come under its own scrutiny recently, after the company's new identity-verification policy asked its own users to hand over passports and facial scans on roughly the same trust-us basis it is now asking regulators to write into law.
Rep. Daniel Didech, the Buffalo Grove Democrat who sponsored the bill in the House, argued the risks are not hypothetical. "We have already seen the first AI-inspired mass shooting," he said at the signing. "We have already seen AI systems utilized to attack a municipal water and drainage utility."
Didech also pointed to Anthropic's own Mythos model, which the company said earlier this year was too powerful a cyberweapon to release to the public, as exactly the kind of capability the law is designed to catch before release, not after.
The Other Side
Not everyone welcomed the audit mandate. TechNet, a trade group representing major tech companies in Springfield, warned lawmakers in committee that the provision goes further than it should.
"We remain concerned that Illinois would effectively be requiring private actors to make highly subjective determinations requiring AI safety compliance without established national standards, certifications, or clear regulatory guardrails," Ninia Linero, a TechNet representative, told an Illinois Senate committee on May 20.
The bigger threat to SB 315 may not be industry pushback but Washington. In December 2025, President Trump signed Executive Order 14365, directing the Department of Justice to form an AI Litigation Task Force aimed at challenging state AI laws the administration views as part of a costly regulatory patchwork. Illinois' law is exactly the kind of statute Trump has tried to preempt nationwide. Pritzker addressed that tension directly at the signing, arguing Congress "ought to be passing similar legislation" but has not, because, he said, "many are captive to special interests that profit from the industry having no regulation."
Whether the Justice Department decides SB 315 is worth challenging in court, and whether such a challenge would hold up, is now an open question hanging over a law that does not fully take effect for another year and a half. It is a question California is answering in its own way too: the same state that passed its own frontier AI law now runs Claude across every state agency it has, regulator and customer at once.
The Bottom Line
Strip away the framework language, the audits, and the whistleblower channels, and SB 315 comes down to something simple. Illinois decided that AI companies' safety promises are not good enough on their own, so it hired someone to check.
That is a real shift from where state AI policy stood a year ago, when frameworks like California's asked companies to describe their own risk management and largely took their word for it. Illinois, New York, and California do not need Congress to agree with any of this. Between them, according to state lawmakers, they already cover close to 40% of the US AI market, which means a company that wants to operate at scale in the United States now has to answer to at least one of these audits whether or not Washington ever passes a federal AI law.
What happens next depends on two things nobody in Springfield fully controls: whether the Justice Department decides this law is worth suing over, and whether an auditor who answers to the state, not the company, eventually finds something a self-written framework never would have admitted.
Sources
- Gov. Pritzker Signs Nation-Leading Artificial Intelligence Safety Law — Office of Governor JB Pritzker, July 6, 2026
- Pritzker signs landmark AI regulation bill that aims to mitigate risks — Capitol News Illinois, July 6, 2026
- Gov. JB Pritzker signs Illinois AI regulations into law, aiming to rein in 'the tech bros' — Chicago Sun-Times, July 6, 2026
- Illinois Gov. Pritzker signs nation's 'most protective' AI Safety Measures Act into law — Transparency Coalition, July 6, 2026
- Illinois Sets a New Standard for AI Oversight — Governing / Chicago Tribune, July 7, 2026
- Illinois' new AI safety law is the strongest in the nation, advocate says — NBC Chicago, July 7, 2026
- Illinois governor enacts legislation holding AI companies accountable for safety risks — Jurist, July 7, 2026
- Pritzker Signs Landmark AI Regulation Bill That Aims to Mitigate Risks — WTTW News, July 6, 2026
- Senate Bill 315, Artificial Intelligence Safety Measures Act (enrolled bill text) — Illinois General Assembly
- New York Finalizes RAISE Act for Frontier AI Models; Law Takes Effect January 1, 2027 — Wiley Rein LLP, April 3, 2026
- New York Amends the RAISE Act to Align More Closely with California Law — Morrison Foerster, April 3, 2026
- Ensuring a National Policy Framework for Artificial Intelligence — The White House, December 11, 2025