Beyond California: How Illinois Just Set the New Nationwide Benchmark for AI Governance
July 14, 2026
In the absence of comprehensive federal legislation, the regulatory landscape for artificial intelligence is rapidly taking shape at the state level. On July 6, 2026, Illinois Governor JB Pritzker signed Senate Bill 315, the Artificial Intelligence Safety Measures Act, into law. Backed by bipartisan support and endorsed by major industry players, the Act creates a robust framework governing the development and deployment of highly capable AI models.
While the Act generally takes effect on January 1, 2027, its most demanding requirements concerning published frontier-AI frameworks and annual independent audits kick in on January 1, 2028. Artificial Intelligence Safety Measures Act, Pub. Act No. 104-538, §§ 10(a), 10(d), 99 (Ill. 2026).
By enacting this legislation, Illinois joins California and New York in regulating frontier-model developers through computational thresholds, catastrophic-risk assessments, and incident reporting. However, Illinois stands apart by requiring a mandatory annual independent audit of statutory compliance. This unique provision arguably makes Illinois’s law the most rigorous state law of the multistate compliance regime.
Here is what legal, compliance, and tech professionals need to know about this landmark legislation.
1. Covered Models and Developers: A Narrow, High-Impact Target
The Act is not designed to regulate every business using commercially available AI tools. Instead, it deliberately targets the developers of exceptionally large foundation models.
Under the statute, a “foundation model” is defined as an AI model trained on a broad dataset, designed for generality of output, and adaptable to a wide range of tasks. Id. § 5. The law zeroes in on “frontier models,” which are foundation models trained using more than 10^26 integer or floating-point operations, including computing used for subsequent fine-tuning or reinforcement learning.
A “large frontier developer” is an entity that trains such a model and, together with its affiliates, exceeded $500 million in annual gross revenues during the preceding calendar year. Consequently, the Act imposes its heaviest burdens on a concentrated group of well-capitalized developers rather than downstream businesses implementing off-the-shelf AI.
2. Targeting “Catastrophic Risk”
The legislation is strictly oriented toward preventing massive, systemic harms. The Act defines a “catastrophic risk” as a foreseeable and material risk that a frontier model will materially contribute to a single incident causing death or serious injury to more than fifty people, or more than $1 billion in property damage or loss.
Covered risks include expert-level assistance in creating chemical, biological, radiological, or nuclear weapons; autonomous cyberattacks; serious criminal conduct; and scenarios where a model evades human oversight or uses deceptive techniques to subvert control.
Beginning January 1, 2027, a large frontier developer may not develop, deploy, or operate a frontier model in Illinois unless it has filed a current disclosure statement with the Illinois Emergency Management Agency and Office of Homeland Security and paid a required administrative fee. Id. § 18(a).
3. Transparency and Safety Frameworks
The Act establishes two distinct tracks for disclosure: model-level reporting and organizational safety frameworks.
Pre-Deployment Transparency: Before or concurrently with deploying a new or substantially modified frontier model, a developer must publish a machine-readable transparency report on its website. This must detail the model’s intended uses, limitations, supported modalities, and summaries of catastrophic-risk assessments, including the involvement of third-party evaluators. Id. § 10(c)(1)–(4).
Organizational Safety Frameworks: Beginning January 1, 2028, large frontier developers must publicly disclose and rigorously implement a comprehensive frontier-AI framework. This framework must thoroughly document how the developer incorporates recognized industry safety standards, identifies capabilities triggering catastrophic risks, establishes risk thresholds, protects unreleased model weights from unauthorized access, and assigns accountability to senior personnel. Developers must review this framework at least annually, publishing any material modifications along with an explanation within thirty days. Id. § 10(b)(1)–(2).
4. Mandatory Independent Audits
Illinois’s most notable departure from its coastal peers is the independent-audit requirement. While California and New York require developers to describe the role of third parties in risk evaluation, neither mandates recurring external audits of statutory compliance. See Cal. Bus. & Prof. Code § 22757.12(a)(5), (c)(2)(C) (West 2026); N.Y. Gen. Bus. Law §§ 1420–1425 (McKinney 2026).
Beginning January 1, 2028, large frontier developers must annually retain an independent third party to audit their compliance with Section 10. To guarantee independence, the auditor and developer cannot hold financial interests in one another, nor can compensation depend on the audit's outcome. Id. § 10(d).
The resulting report must state whether the developer substantially complied with the statute, identify material deviations, evaluate internal controls, and assess the authority granted to responsible personnel. Id. § 10(d)(2). Within thirty days of receiving the report, the developer must publish a redacted summary and transmit a copy to the State Agency and the Attorney General. Because Illinois requires this rigorous verification, its audit standard is poised to become the practical benchmark for companies seeking to maintain a unified, nationwide compliance program.
5. Incident Reporting and Whistleblower Protections
AI behaves unpredictably, and the Act’s breach-notification framework reflects this reality. Developers must report a critical safety incident to the State Agency and Attorney General within seventy-two hours. If the incident poses an imminent risk of death or serious physical injury, that window shrinks to twenty-four hours, requiring notification to relevant law enforcement. Id. § 15(c).
To ensure internal accountability, the Act prohibits retaliation against employees or contractors who reasonably believe a developer has violated the statute or endangered public safety. Large frontier developers must establish internal mechanisms for anonymous reporting. Id. § 20(e). Furthermore, the Act amends the Illinois Whistleblower Act to shield employees who report AI safety violations, granting them access to standard whistleblower remedies. 740 Ill. Comp. Stat. 174/15(e), 174/30 (2026).
While the Attorney General is empowered to seek civil penalties—up to $1 million for an initial violation and $3 million for subsequent violations—the Act explicitly does not create a private right of action for substantive safety failures.
6. The Broader AI Regulatory Environment in Illinois
It is crucial for corporate counsel to differentiate this new law from Illinois’s other AI regulations. Effective January 1, 2026, the Illinois Human Rights Act made it a civil rights violation for employers to use AI in hiring, promotion, or discharge if it results in discrimination based on protected classes, requiring explicit employee notice. 775 Ill. Comp. Stat. 5/2-102(L)(1)–(2) (2026).
Illinois now operates on two distinct regulatory tracks. The Artificial Intelligence Safety Measures Act governs the developers of massive foundation models and mitigates systemic, catastrophic risks. The Human Rights Act regulates the downstream employment uses of AI and mitigates discrimination. Depending on their operations, a company may find itself subject to one, both, or neither regime.
Conclusion: Preparing for the New Baseline
Illinois, California, and New York have not created a formally uniform national standard. However, by utilizing closely aligned computational thresholds and safety expectations, they have woven a de facto national safety net for frontier AI.
For developers operating globally, maintaining a single compliance program based on the strictest applicable state requirement—namely, Illinois’s third-party audit—is far more efficient than administering fragmented regional policies. Consequently, Illinois's law will likely dictate corporate governance and risk management nationwide.
