Illinois is the first state to require an independent third-party audit of frontier AI. Every year.
The Artificial Intelligence Safety Measures Act (SB 315), signed July 6, 2026, requires large frontier developers to publish a catastrophic-risk framework, report critical safety incidents, and submit to annual independent third-party audits. Illinois is the first state in the nation to mandate the audit, and the statute expects it to be performed by qualified experts without financial conflicts of interest.
Certify Your AI →SB 315 obligations and how AVAAS addresses each one
Illinois follows California SB 53 and the New York RAISE Act on frontier model transparency, then goes further. New York required a single independent audit at the point a developer became large enough to qualify. Illinois requires one every year, with access, reporting, retention, and publication requirements attached to the audit results.
Annual independent third-party audit
Large frontier developers must submit to an annual independent third-party audit of safety practices, with defined requirements for auditor access, reporting, retention, and publication of results. This is the first mandate of its kind in any state AI law.
No financial conflict of interest
The audit is expected to be conducted by qualified experts without financial conflicts of interest. An auditor that writes the standard it grades against, or sells insurance on the system it certifies, has the conflict the statute is written to exclude.
Frontier AI framework
Developers must create, implement, publish, and annually update a framework addressing catastrophic-risk assessment, mitigations, cybersecurity, internal governance, third-party evaluations, and risks arising from internal use of frontier models.
Transparency reports before deployment
A transparency report is required before deploying a new or substantially modified frontier model, along with summaries of catastrophic-risk assessments.
Critical safety incident reporting
Developers must report critical safety incidents to the state within 72 hours, or within 24 hours where the incident poses an imminent risk of death or serious physical injury, and submit periodic summaries of internal-use risk assessments.
Whistleblower protections
The Act provides whistleblower protections and internal reporting processes for covered employees raising AI safety concerns, administered with the Illinois Emergency Management Agency and Office of Homeland Security in consultation with the Attorney General.
A legislature just wrote the case for independent certification
Most AI regulation tells organizations to govern themselves and document it. Illinois says the checking has to be done by someone else, every year, and that the someone else cannot have a financial stake in the result. During committee debate, industry group TechNet objected that Illinois would require private actors to make determinations without established national standards or certifications to work from. That objection describes the gap precisely. The obligation now exists in law. The infrastructure to satisfy it has to be built, and it has to be built by parties structurally incapable of grading in their own interest.
Illinois is the third state to set frontier model standards, after California SB 53 and the New York RAISE Act. Lawmakers estimate the three states account for roughly 40 percent of the United States AI market, which makes the combined effect a de facto national floor rather than a state-by-state patchwork.
The statute requires an independent auditor with no financial conflict.
The reasonable care standard means evidence matters. An AVAAS impact assessment with causal attribution is documented evidence of diligence that regulators can review.
Certify Your AI →