Illinois AI Safety Law Pioneers Third-Party Audits for Frontier Models
chicagotribune.com

Illinois AI Safety Law Pioneers Third-Party Audits for Frontier Models

Tech News
4 min read

Published by AINave Editorial • Reviewed by Ramit

TL;DRIllinois enacted the first-in-the-nation AI law requiring large frontier developers to undergo annual independent third-party audits, publish safety frameworks, and report critical safety incidents within 72 hours. The law, effective January 1, 2028, includes whistleblower protections and civil penalties up to $3 million.

Illinois has become the first state to require large artificial intelligence developers to undergo mandatory annual independent audits of their safety practices. Governor JB Pritzker signed the Artificial Intelligence Safety Measures Act into law, filling what state lawmakers describe as a void left by federal inaction on AI regulation.

What happened

The Artificial Intelligence Safety Measures Act targets large frontier AI developers with more than $500 million in annual gross revenue. The law requires these companies to publish safety frameworks explaining how their products could pose a catastrophic risk and how those risks would be addressed, as described in the Chicago Tribune. Developers must also report critical safety incidents to the state within 72 hours or within 24 hours if the incident poses an imminent risk of death or serious physical injury.

Illinois is the first state to mandate annual independent audits by technically qualified third parties. New York's similar law only required a single audit at the time a developer became large enough to qualify. The legislation also includes whistleblower protections, prohibiting companies from adopting policies that would prevent employees from disclosing information to state or federal authorities if they believe the company poses a public safety hazard. Companies must maintain an anonymous internal reporting process.

Civil penalties run up to $1 million for a first violation and $3 million for subsequent violations. The law takes effect on January 1, 2028.

Why AI builders should care

Illinois, California, and New York together account for roughly 40% of the U.S. AI market, according to lawmakers. The three states are creating what state Sen. Mary Edly-Allen called a de facto national standard for AI safety, which the Chicago Sun-Times reported. For teams building AI products, this means compliance requirements are converging whether or not federal regulation materializes.

Both Anthropic and OpenAI supported the legislation. Anthropic said the law takes the safety practices leading labs already follow voluntarily and helps establish a baseline that every leading AI developer is expected to meet, as noted in the Chicago Tribune. The industry support signals that mandatory annual audits and incident reporting may become the expected norm, not an outlier.

For AI builders who are not at the $500 million revenue threshold, the law matters because it creates a compliance framework and industry expectations that smaller developers may adopt proactively to de-risk future regulation.

Practical implications

Companies subject to the act must publish a safety framework identifying catastrophic risk. Catastrophic risk is defined as the likelihood that incidents could cause death or serious injury to more than 50 people or more than $1 million in property damage, including expert-level assistance in creating chemical, biological, radiological, or nuclear weapons, according to Capitol News Illinois.

The law's January 1, 2028 effective date gives developers roughly 18 months to prepare. Key compliance milestones include:

  • Publishing a public AI safety framework that identifies and assesses catastrophic risk
  • Establishing an incident detection and reporting system capable of 72-hour (or 24-hour) notification
  • Retaining a technically qualified third-party auditor annually
  • Implementing anonymous internal whistleblower reporting channels

Caveats

The policy landscape remains fluid. The Illinois law mirrors California's SB-53 and New York's Responsible AI Safety and Education Act, but it is not a federal framework. TechNet, a coalition of tech executives, raised concerns during debate about requiring private actors to make highly subjective determinations about AI safety compliance without established national standards or clear regulatory guardrails, as reported by Capitol News Illinois.

Illinois Attorney General Kwame Raoul acknowledged that $3 million may not be enough of a deterrent for companies approaching trillion-dollar valuations, though he noted other enforcement powers exist under the state's Consumer Protection and Deceptive Practices Act, the Chicago Sun-Times reported. Lawmakers and advocates expect to continue working on the topic, with medical care and education identified as likely frontiers needing further evaluation.

FAQs

What is the Artificial Intelligence Safety Measures Act and whom does it affect?

The Artificial Intelligence Safety Measures Act targets large frontier AI developers generating more than $500 million in annual revenue. It requires them to publish safety frameworks, disclose catastrophic risks, report critical safety incidents within 72 hours (24 hours if imminent), and undergo annual independent third-party audits. The law also includes whistleblower protections and anonymous internal reporting channels. It was signed by Gov. JB Pritzker on July 6, 2026 and takes effect January 1, 2028, as described in the Chicago Tribune.

What are the penalties for violations under the act?

Companies that violate the act face civil penalties of up to $1 million for a first offense and up to $3 million for subsequent offenses. Enforcement is handled by the Illinois Attorney General's office, according to the Chicago Sun-Times.

What constitutes 'catastrophic risk' under the law?

Catastrophic risk is defined as the likelihood of incidents that could cause death or serious injury to more than 50 people or cause more than $1 million in property damage. This includes providing expert-level assistance in the creation or release of a chemical, biological, radiological, or nuclear weapon, as well as enabling cyber-attacks, as reported by Capitol News Illinois.

How does this Illinois law compare to California and New York AI regulations?

Illinois' law mirrors California's SB-53 and New York's Responsible AI Safety and Education Act in requiring safety frameworks, incident reporting, and audits. However, Illinois adds a first-in-the-nation requirement for annual independent third-party audits, whereas New York only required a single audit at the time a developer became large enough to qualify. Together, the three states represent roughly 40% of the U.S. AI market, creating a de facto national standard, according to the Chicago Sun-Times.

Sources

Latest Tech News