On July 6, 2026, Illinois Governor JB Pritzker signed Senate Bill 315, the Artificial Intelligence Safety Measures Act (the “Act”), into law, making Illinois the third state, after California and New York, to enact comprehensive safety and transparency requirements for developers of the largest AI systems. The Act positions Illinois as an aggressive player in the fast-growing patchwork of state-level AI regulation, and notably goes further than similar statutes in one key respect: it is the first in the nation to mandate annual independent third-party audits of covered developers' safety practices.
The Act, certain provisions of which start to become effective on January 1, 2027, passed the General Assembly with bipartisan support and drew backing from both AI safety advocates and industry players.
Who Is Covered
The Act applies to "frontier developers," defined as companies that train AI models using more than 10^26 integer or floating-point operations of computing power, with the most substantial obligations reserved for "large frontier developers," defined as frontier developers (together with affiliates) with more than $500 million in annual gross revenue in the preceding calendar year.
Key Obligations
Frontier AI Framework: Beginning January 1, 2028, large frontier developers must publish and maintain a "frontier AI framework" describing how:
- The large frontier developer incorporates relevant national and international best standards and industry practices into its frontier AI framework;
- It defines and evaluates thresholds, including any tiered thresholds, for determining whether a frontier model could pose catastrophic risk;
- It applies mitigations based on those assessments;
- It reviews both the assessments and the adequacy of mitigations when deciding whether to deploy a model or use it extensively internally;
- It uses independent third parties to evaluate catastrophic risks and the effectiveness of mitigations;
- It revisits and updates the framework over time, including what triggers updates and how it determines when a frontier model has been substantially modified enough to require renewed review;
- It implements cybersecurity practices to protect unreleased model weights from unauthorized modification or transfer by internal or external parties;
- It identifies and responds to critical safety incidents;
- It institutes internal governance practices to ensure implementation of these processes;
- It assesses and manages catastrophic risk arising from internal use of its frontier models, including risks that a model could circumvent oversight mechanisms.
Frameworks must be reviewed at least annually, with material updates published within 30 days.
Transparency Reports: Before, or concurrently with, deploying a new or substantially modified frontier model, developers must publish a transparency report covering, among other requirements, intended uses, supported languages and modalities, and points of contact. Large frontier developers must also summarize their catastrophic-risk assessments and the extent of third-party involvement in those assessments.
Independent Audits: Starting in 2028, large frontier developers must retain independent third parties to annually audit compliance. Audit reports, summarized and appropriately redacted, must be published and shared with the Illinois Emergency Management Agency and Office of Homeland Security (the “Agency”) and the Illinois Attorney General.
Critical Safety Incident Reporting: Developers must report "critical safety incidents," including harm resulting from the materialization of a catastrophic risk or if, outside a controlled test, the frontier model uses deception against its developer to evade oversight or controls in a way that shows a materially higher risk of catastrophic harm. Reports must be made to the Agency and Attorney General within 72 hours of learning facts sufficient to establish a reasonable belief that such an incident occurred, or within 24 hours if the incident poses an imminent risk of death or serious injury.
Whistleblower and Internal Reporting Protections: The Act bars developers from contractually or otherwise preventing, or retaliating against, “covered employees” that report safety concerns or violations of the Act to regulators, and requires large frontier developers to maintain an anonymous internal reporting channel with monthly status updates to the reporting employee.
Disclosure and Registration: Beginning January 1, 2027, large frontier developers must file an annual disclosure statement with the Agency. Disclosures must cover corporate identity, ownership, and points of contact, and developers must pay associated fees before developing, deploying or operating a frontier model in Illinois.
Internal Use Risk Reporting: A large frontier developer must provide the Agency with a summary of any assessment of catastrophic risk arising from internal use of its frontier models every three months (or on another reasonable schedule the developer submits in writing to the Agency and the Attorney General and the Agency accepts), with written updates as appropriate.
False or Misleading Statements: A frontier developer shall not make a materially false or misleading statement about catastrophic risk from its frontier models or about its management of catastrophic risk. A large frontier developer also may not make a materially false or misleading statement about its implementation of, or compliance with, its frontier AI framework.
Enforcement: The Attorney General has exclusive authority to bring civil enforcement actions. Violations, including false or misleading statements about catastrophic risk, failure to conduct required audits or failure to report critical safety incidents carry civil penalties of up to $1 million for a first violation and up to $3 million for subsequent violations. The Act does not create a private right of action.
Implications for AI Developers: Companies developing frontier-scale models should begin evaluating whether they meet the Act’s revenue and compute thresholds in advance of the Act’s effective date. Given the law's alignment with, and expansion upon, similar frameworks in California and New York, multistate developers may find it efficient to build compliance programs designed around the strictest common denominator across all three regimes, particularly the audit and incident-reporting timelines.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron P. Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- Age Appropriate Design Code
- Age Verification
- Alabama
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence (AI)
- Attorney General
- Audit
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CalPrivacy
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Centre for Information Policy Leadership (CIPL)
- Chatbot
- Children’s Online Privacy Protection Act (COPPA)
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Consumer Rights
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cross-Border Data Transfer
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Breach
- Data Brokers
- Data Controller
- Data Localization
- Data Minimization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Protection Officer
- Data Security
- Data Transfer
- David Dumont
- David Vladeck
- Deceptive Trade Practices
- Delaware
- Denmark
- Department of Commerce
- Department of Defense
- Department of Health and Human Services
- Department of Homeland Security (DHS)
- Department of Justice
- Department of the Treasury
- Design
- Digital Markets Act
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DORA
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Electronic Protected Health Information
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- Financial Data
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Genetic Data
- Geofencing
- Geolocation
- Geolocation Data
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Grok
- Hacker
- Hawaii
- Health Data
- HIPAA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Large Language Model
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Louisiana
- Madrid Resolution
- Maine
- Malaysia
- Maryland
- Massachusetts
- Meta
- Mexico
- Michigan
- Microsoft
- Minnesota
- Missouri
- Mobile
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- North Dakota
- North Korea
- Norway
- Obama Administration
- OCPA
- OECD
- Office for Civil Rights (OCR)
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Online Behavioral Advertising
- Online Privacy
- Opt-In Consent
- Opt-Out
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Poland
- PRISM
- Privacy
- Privacy and Information Security Law
- Privacy By Design
- Privacy Notice
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Profiling
- Protected Health Information
- Purpose Limitation
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk Assessment
- Risk-Based Approach
- ROSCA
- Rosemary Jay
- Russia
- Safe Harbor
- Salesforce
- Sanctions
- Schrems
- Scott Kimpel
- SECURE Data Act
- Securities and Exchange Commission
- Security Rule
- Senate
- Sensitive Data
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Surveillance Pricing
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code