Illinois just made a significant move in the AI governance space. On May 27, 2026, the state’s General Assembly passed Senate Bill 315, the Artificial Intelligence Safety Measures Act. With Governor Pritzker indicating his intent to sign the bill, the law would take effect January 1, 2027, with most operational requirements kicking in by 2028.
SB 315 isn’t your typical AI bill focused on bias or consumer disclosures. It targets something bigger: the risk that the most powerful AI systems could cause catastrophic, large-scale harm. Here’s what companies need to know.
Who Does This Law Actually Apply To?
Not every company that uses AI needs to worry about SB 315. The law is deliberately narrow in scope, targeting what it calls “large frontier developers,” companies with over $500 million in annual revenue that are building and deploying cutting-edge, large-scale AI models trained with massive computational resources.
If your business uses AI tools off-the-shelf, or builds applications on top of existing models, SB 315 likely doesn’t apply to you directly. The law regulates how the most powerful AI systems are built and governed, not how businesses use them downstream. For most businesses, SB 315 will primarily serve as a signal of how lawmakers are structuring novel AI regulation to protect against AI harms. The bill reflects familiar privacy concepts, including formal governance frameworks, independent audits, breach notification obligations, and both pre-deployment and ongoing transparency requirements.
The Central Concern: Catastrophic Risk
The law’s framework revolves around a concept it calls “catastrophic risk:” scenarios where an AI system could materially contribute to mass casualties or property damage exceeding $1 billion, whether through misuse for weapons development, large-scale cyberattacks, or systems operating beyond meaningful human control.
What Covered Companies Must Do
Beginning in 2028, large frontier developers will need to implement a documented “Frontier AI Framework,” a formal risk management system built around catastrophic harm prevention. The framework must address how a company identifies dangerous capabilities and sets risk thresholds, what mitigation strategies are in place before deployment, how third-party assessments are conducted, and how internal governance and cybersecurity protections are structured, with mandatory annual reviews. The law means what it says on this point: safety considerations must be genuinely integrated into development and deployment decisions, not just documented after the fact.
Before (or at the time of) deploying new or significantly modified models, companies must also publish transparency reports covering the model’s capabilities, intended uses and limitations, risk assessments, and testing results. The goal is to get meaningful disclosures into the public record before problems arise, rather than in response to them.
Annual Independent Audits: A First Among State AI Laws
Perhaps the most distinctive feature of SB 315 is its requirement for mandatory annual independent audits. While California and New York have enacted their own frontier AI transparency laws, neither requires this kind of recurring external review. Third-party auditors under SB 315 must evaluate whether the company is actually complying with its Frontier AI Framework, whether its internal controls are working, and whether there are any material gaps.
Audit summaries must be published publicly, and redacted versions provided to regulators. It’s a model borrowed from financial and data privacy regulation with external assurance as a check on self-reporting, now applied directly to AI safety.
Incident Reporting with Tight Deadlines
Anyone familiar with state data breach notification laws will recognize the structure of SB 315’s incident reporting requirements: mandatory disclosure within a short window, specific content required, and escalating timelines based on severity. Here, though, the trigger isn’t compromised personal data. It’s AI model behavior. Companies have 72 hours to report standard critical safety incidents and just 24 hours for anything posing an imminent threat to life or safety. Reportable events include unauthorized access to model weights, loss of control of a system, or any incident signaling a materially increased catastrophic risk.
Registration, Fees, and Real Penalties
Large frontier developers operating in Illinois must file annual disclosure statements identifying their business and key contacts, and pay regulatory fees. The Illinois Attorney General has exclusive enforcement authority. Penalties can reach $1 million for a first violation and $3 million for subsequent violations, with daily penalties available for missing disclosure deadlines. There is no private right of action under the law.
Looking Ahead
SB 315 follows similar laws enacted in California and New York in 2025, with Illinois lawmakers hoping to push the emerging national standard further. The law also expressly allows companies to satisfy its requirements through compliance with “equivalent” federal standards, signaling that Illinois anticipates eventual federal regulation.
For now, if your organization is building or deploying frontier AI models, this law sets the bar. And even if SB 315 doesn’t apply to your business directly, the compliance frameworks, transparency obligations, and audit requirements will likely shape what “responsible AI governance” looks like for years to come.
If you have questions about how SB 315 or other AI regulations might affect your business, we’re happy to help. Please reach out.
