Effective January 1, 2027

Illinois is the first state to require an independent third-party audit of frontier AI. Every year.

The Artificial Intelligence Safety Measures Act (SB 315), signed July 6, 2026, requires large frontier developers to publish a catastrophic-risk framework, report critical safety incidents, and submit to annual independent third-party audits. Illinois is the first state in the nation to mandate the audit, and the statute expects it to be performed by qualified experts without financial conflicts of interest.

Certify Your AI →
REGULATION STATUS
SignedJuly 6, 2026
Effective dateJanuary 1, 2027
Who is coveredLarge frontier model developers
Audit cadenceAnnual, independent, third party
Penalties$1M first violation, $3M after
Private right of actionNone. AG enforcement
What the regulation requires

SB 315 obligations and how AVAAS addresses each one

Illinois follows California SB 53 and the New York RAISE Act on frontier model transparency, then goes further. New York required a single independent audit at the point a developer became large enough to qualify. Illinois requires one every year, with access, reporting, retention, and publication requirements attached to the audit results.

Annual independent third-party audit

SB 315

Large frontier developers must submit to an annual independent third-party audit of safety practices, with defined requirements for auditor access, reporting, retention, and publication of results. This is the first mandate of its kind in any state AI law.

AVAAS: AVAAS Inc. exists to be this auditor. The standard is designed to be held by the Global Humanity Trust, in formation and not yet operational, AVAAS Inc. evaluates under license, and the developer is a third party with no control over either. AVAAS-B evaluates the base model as shipped, producing documented, third-party evidence of conformity to a published standard.

No financial conflict of interest

SB 315

The audit is expected to be conducted by qualified experts without financial conflicts of interest. An auditor that writes the standard it grades against, or sells insurance on the system it certifies, has the conflict the statute is written to exclude.

AVAAS: Structural separation is the AVAAS design, not a policy statement. AVAAS does not own the standard, does not underwrite the systems it grades, and does not sell the remediation as a separate engagement. Remediation is an automated causal output inside one evaluation.

Frontier AI framework

SB 315

Developers must create, implement, publish, and annually update a framework addressing catastrophic-risk assessment, mitigations, cybersecurity, internal governance, third-party evaluations, and risks arising from internal use of frontier models.

AVAAS: The evaluation produces the third-party evaluation component the framework must describe, and the behavioral findings feed the catastrophic-risk assessment with measured evidence rather than internal assertion.

Transparency reports before deployment

SB 315

A transparency report is required before deploying a new or substantially modified frontier model, along with summaries of catastrophic-risk assessments.

AVAAS: A model release is a lapse event. The AVAAS certificate is versioned and bound to the evaluated model, so a substantially modified model requires a fresh evaluation, which is the same trigger the statute uses.

Critical safety incident reporting

SB 315

Developers must report critical safety incidents to the state within 72 hours, or within 24 hours where the incident poses an imminent risk of death or serious physical injury, and submit periodic summaries of internal-use risk assessments.

AVAAS: Behavioral evaluation surfaces the failure modes that become reportable incidents. Documented pre-deployment findings also establish what a developer knew and when, which is the record an Attorney General inquiry will ask for.

Whistleblower protections

SB 315

The Act provides whistleblower protections and internal reporting processes for covered employees raising AI safety concerns, administered with the Illinois Emergency Management Agency and Office of Homeland Security in consultation with the Attorney General.

AVAAS: An independent audit gives an internal safety concern somewhere external to land before it becomes a disclosure. Organizations that can show an independent evaluation on the record are in a materially different posture than those relying on self-attestation.
Why this law is different

A legislature just wrote the case for independent certification

Most AI regulation tells organizations to govern themselves and document it. Illinois says the checking has to be done by someone else, every year, and that the someone else cannot have a financial stake in the result. During committee debate, industry group TechNet objected that Illinois would require private actors to make determinations without established national standards or certifications to work from. That objection describes the gap precisely. The obligation now exists in law. The infrastructure to satisfy it has to be built, and it has to be built by parties structurally incapable of grading in their own interest.

Illinois is the third state to set frontier model standards, after California SB 53 and the New York RAISE Act. Lawmakers estimate the three states account for roughly 40 percent of the United States AI market, which makes the combined effect a de facto national floor rather than a state-by-state patchwork.

The statute requires an independent auditor with no financial conflict.

The reasonable care standard means evidence matters. An AVAAS impact assessment with causal attribution is documented evidence of diligence that regulators can review.

Certify Your AI →