Illinois SB 315: Frontier AI Safety Audits Become State Law
Illinois lawmakers passed SB 315 this week, requiring frontier AI companies including OpenAI, Anthropic, and Google DeepMind to have safety practices audited by third parties. What it changes and how it stacks against Colorado and California.
Illinois became the latest US state to put frontier-AI oversight into statute when its legislature passed SB 315 this week. If signed by the governor — and current signalling out of Springfield suggests it will be — the law requires OpenAI, Anthropic, Google DeepMind, and any other developer training models above a defined compute threshold to have their internal safety practices reviewed by qualified third-party auditors. SB 315 sits between California’s vetoed SB 1047 and Colorado’s quieter SB 24-205 in scope, and it is the most credible state-level safety-audit mandate in force in the United States so far.
What SB 315 actually requires
The substantive requirements break into four areas.
Designated covered developers. Any company training a foundation model above a compute-cost or parameter threshold that has business operations in Illinois falls under the law. The thresholds were drafted to capture OpenAI, Anthropic, Google DeepMind, Meta AI, xAI, and Mistral while leaving the broader open-source community alone. The precise numbers will move; the policy intent is clear.
Third-party audit obligation. Covered developers must contract with an approved auditor — a category that mirrors the Big Four accounting model and the established cybersecurity audit firms — to review safety policies, evaluation results, red-team findings, and incident-response procedures. The audit report goes to an Illinois oversight body, with a redacted version published.
Pre-deployment evaluation publication. Before deploying a new frontier model that is generally available to Illinois residents, the developer must publish capabilities and risk evaluations covering categories defined in the statute — substantially broader than the EU AI Act high-risk categories.
Incident reporting. Material safety incidents, including jailbreaks that produce dangerous outputs, must be reported to the oversight body within a defined window. The window is shorter than the EU AI Act’s, which has been a source of pre-passage industry pushback.

How SB 315 compares with Colorado and California
The US state-level picture in mid-2026 now has three meaningfully different reference points.
Colorado SB 24-205, which took effect in February 2026, focuses on consumer-facing AI used in consequential decisions — employment, housing, financial services, education. It imposes documentation and impact-assessment obligations on deployers, not just developers. It does not require third-party audits.
California SB 1047 would have imposed safety-test obligations on frontier developers but was vetoed by Governor Newsom in September 2024. The successor effort moved most of the substantive content into administrative rulemaking rather than statute, which has been moving slowly.
Illinois SB 315 is closer in shape to a hybrid: it borrows the developer-focused frame from SB 1047 but adds the third-party-audit machinery that SB 1047 did not have. The audit requirement is the single most consequential difference because it externalises the safety-evaluation accountability in a way that the other two laws do not.
The practical effect for a frontier developer is that operating compliantly in Illinois now requires a serious internal-audit and external-auditor relationship, the same way operating compliantly with Sarbanes-Oxley requires an external auditor relationship. That is a meaningful new operating cost.
What this means for enterprise AI buyers
Most pdpspectra readers are not OpenAI or Anthropic; they are enterprise organisations buying AI capabilities from those vendors. SB 315 affects you in three ways.
Vendor diligence becomes evidence-based. When OpenAI or Anthropic responds to your security questionnaire with “we follow industry-standard safety practices,” that answer will now be backed by a third-party audit report. The redacted public version will be a reference document. Procurement teams should add a line item to the vendor questionnaire asking for the most recent audit findings and the remediation timeline for any material findings.
Incident reporting flows downhill. When a covered developer reports a material safety incident to Illinois, that incident is likely to affect downstream users. The vendor notification path needs to include enterprise customers using the affected model. Service-level agreements signed before mid-2026 may not contemplate this; renewal cycles should.
State-level patchwork is real. Illinois joins Colorado as the second state with substantive AI-governance machinery in force. Texas, Connecticut, New York, and Washington all have active legislation. Building an internal AI-governance function that satisfies the strictest applicable state is a more sensible posture than mapping per-state requirements.

The federal question SB 315 forces
The traditional argument against state-level technology regulation is that interstate commerce should be regulated federally. The counter-argument that has carried the day for state privacy laws — that federal Congress will not act, so states must — is the same argument carrying SB 315 and the Colorado act. The Trump administration has signalled it favours federal preemption of state AI laws, but the legislative path is not clear and the next Congress is the earliest plausible vehicle.
In the meantime, the operating reality for frontier developers and the enterprise buyers downstream of them is that Illinois SB 315 sets a floor, Colorado SB 24-205 sets a parallel floor for consumer-facing decisions, and the EU AI Act sets a separate floor for European operations. Build your governance program against the union of those.
What to do in the next 90 days
For enterprise compliance leads and AI engineering managers:
- Identify which of your AI vendors are likely covered by SB 315. The big six are obvious. The next tier (Cohere, Aleph Alpha, AI21, Inflection’s surviving assets at Microsoft) needs case-by-case analysis.
- Update vendor diligence checklists to ask for audit posture, expected first-audit timeline, and historical incident-reporting record.
- For organisations operating in Illinois, line up internal counsel review of how SB 315’s requirements interact with sector-specific obligations (HIPAA, GLBA, FERPA, NIST 800-53 for federal contractors).
- For organisations operating in multiple states, treat Illinois and Colorado as the binding-floor jurisdictions for the next 24 months and design the governance program around them.
Where pdpspectra fits
Our AI compliance and governance practice helps enterprise teams design AI-governance programs that satisfy the patchwork of state and federal requirements without building per-state machinery. We also help with vendor diligence on covered frontier developers and with the procurement-cycle work of updating contracts to reflect the new accountability environment.
State-level audit obligations are now the floor, not the ceiling. Talk to our team about your AI compliance posture.