Singularity.Kiwi

AI progress, with honesty.
Government building with regulatory documents and AI safety framework, documentary photography style, muted colors
News 30 May 2026

Illinois Just Made History: First US State to Mandate Third-Party AI Safety Audits

While Congress twiddles its thumbs and the White House actively opposes regulation, Illinois just passed the most enforceable AI safety bill in America. First mandatory third-party audits. First whistleblower protections. And both OpenAI and Anthropic actually want it.

AI RegulationAI SafetyIllinoisSB 315Third-Party Audits

Answer-First Lead

Illinois just passed SB 315 — the first US state legislation requiring independent third-party safety audits of frontier AI companies. The bill cleared the House 110-0 and the Senate 52-5. Governor JB Pritzker says he’ll sign it. Starting January 2028, companies earning over $500M in revenue must publish safety frameworks, submit to annual independent audits, report safety incidents within 72 hours (24 hours if there’s risk of death), and protect whistleblowers. The Illinois attorney general can levy civil penalties up to $3 million per violation.

🔍 THE BOTTOM LINE

States are regulating AI because Congress won’t — and Illinois just raised the bar higher than anyone else.

What SB 315 Actually Does

The bill targets “frontier AI developers” — companies with more than $500 million in annual gross revenue building the most capable AI models. That’s essentially OpenAI, Anthropic, Google, Meta, and a handful of others. Here’s what it requires:

1. Public safety frameworks. Companies must create, publish, and annually update a transparency framework explaining how they apply industry standards, measure model capabilities, assess catastrophic risks, and respond to safety incidents.

2. Independent third-party audits — the first mandate of its kind. Every year, companies must retain an independent auditor to verify their safety mechanisms actually work. This is the provision that makes SB 315 genuinely different from California’s and New York’s laws, which require safety plans but not independent verification. As Senate sponsor Mary Edly-Allen put it: “We need to have outside reporting rather than reporting from within.”

3. Incident reporting. Safety incidents must be reported to state officials within 72 hours. If there’s risk of serious injury or death, that drops to 24 hours.

4. Whistleblower protections. Employees at AI companies get legal protection for reporting safety concerns — another US first for AI legislation.

5. Civil penalties. The Illinois attorney general has exclusive enforcement authority, with penalties up to $3 million per violation.

The effective date was pushed from 2027 to 2028 after negotiations, and amendments clarified that the bill doesn’t create a pathway for private citizens to sue.

The Unusual Coalition

Here’s what makes this bill genuinely surprising: OpenAI and Anthropic supported it.

OpenAI spokesperson Jamie Radice called it “thoughtful framework for frontier AI safety” that establishes “clear expectations around safety, transparency, incident reporting, and accountability.” Anthropic’s Cesar Fernandez said the bill “takes the safety practices leading labs already follow voluntarily — publishing a safety framework, transparent reporting, protecting whistleblowers — and helps establish a baseline that every leading AI developer is expected to meet.”

Why would the two biggest AI companies in America back regulation? Two reasons:

  1. Preemptive compliance. Both companies already publish safety plans and claim to follow responsible practices. Legislation that codifies what they’re already doing — while forcing competitors to do the same — levels the playing field.

  2. Uniformity over patchwork. If every state passes slightly different rules, compliance becomes a nightmare. A standardised framework across California, New York, and now Illinois creates a de facto national standard. As OpenAI’s VP of global policy Ann O’Leary put it: “In the absence of federal action, state efforts like this one in Illinois — alongside legislation already in place in California and New York — are helping to create a de facto nationwide approach.”

But not everyone’s on board. TechNet, a coalition of tech executives, opposed the third-party audit requirement, arguing it forces “private actors to make highly subjective determinations requiring AI safety compliance without established national standards, certifications, or clear regulatory guardrails.” CCIA, another trade group, also pushed back. Google, xAI, and Meta didn’t respond to requests for comment.

The White House has actively opposed similar provisions, arguing regulation could “hamstring America’s AI industry.”

Why Illinois, Why Now

The bill’s sponsor, Rep. Daniel Didech, was blunt: “The states shouldn’t be doing this. The best way to regulate these types of catastrophic risks would be a federal approach.”

But Congress hasn’t acted. The technology is moving faster than legislation ever has — as Sen. Edly-Allen noted, it took Netflix 10 years to reach 100 million users, Facebook 4.5 years, and ChatGPT just two months.

The timing is sharp. SB 315 passed days after President Trump scrapped a planned executive order that would have established a voluntary safety testing framework for leading AI companies. The draft order would have allowed government agencies to vet advanced AI models before public release. Instead, nothing.

Illinois is now the third state to regulate frontier AI, after California and New York. But it goes further than both by making independent audits mandatory, not optional.

The Audit Question Nobody Can Fully Answer

The third-party audit requirement is the bill’s most significant — and most contentious — provision. TechNet’s concern isn’t unreasonable: who qualifies as an independent AI safety auditor? There’s no established certification, no recognised professional body, and no national standards for what an audit should even cover.

Didech said he looked into this: “Given the fact that there is already a developing robust ecosystem of these small boutique firms, and also the large international accounting firms that have the capabilities to perform these audits, we were comfortable keeping it in the bill.”

That’s… a bet. The Big Four accounting firms have audit infrastructure, but AI safety auditing is fundamentally different from financial auditing. A financial audit checks whether numbers add up. An AI safety audit has to assess whether a company’s risk mitigation actually works for systems that are constantly being updated, fine-tuned, and deployed in contexts the company may not fully control.

Later amendments tried to address this — clarifying third-party qualifications, what audits should include, and protocols for protecting proprietary information. But the gap between “we require audits” and “we know what a good audit looks like” is real.

This is worth watching. If the audit requirement produces meaningful scrutiny, every other state will copy it. If it becomes a checkbox exercise — hire a friendly firm, get a clean report, file it — it’ll be worse than nothing, because it’ll create the illusion of oversight without the substance.

What This Means for NZ

New Zealand currently has no equivalent legislation. The AI regulation gap between Australia and NZ is already significant, and Illinois just widened it further. If the US is heading toward de facto national AI safety standards via state legislation — with audit requirements, whistleblower protections, and mandatory incident reporting — NZ companies building or deploying frontier models will eventually need to comply with these rules to operate in US markets.

The 134 AI education bills across 31 US states show that state-level AI legislation isn’t slowing down. The question for NZ isn’t whether to regulate — it’s how far behind we’re willing to fall before we start.

❓ Frequently Asked Questions

Q: How is this different from California’s and New York’s AI laws? Illinois is the first to mandate independent third-party audits. California and New York require safety plans and transparency, but don’t require outside verification that companies are actually following their own plans.

Q: Who counts as a “frontier AI developer”? Companies with more than $500 million in annual gross revenue that develop the most capable AI models. The bill uses both revenue and compute thresholds to define who’s covered.

Q: When does this take effect? January 1, 2028 — pushed back from the original 2027 date after negotiations with stakeholders.

Q: What happens if a company violates the law? The Illinois attorney general can pursue civil penalties of up to $3 million per violation. The bill does not create a private right of action — individuals can’t sue.

🔍 THE BOTTOM LINE

Illinois just proved that AI regulation doesn’t need Congress. A 110-0 vote with support from the two biggest AI companies in the world is about as bipartisan as American politics gets in 2026. The real test isn’t whether the law passes — it’s whether those third-party audits have teeth. If they do, every state will copy Illinois. If they don’t, we’ll have the regulatory theatre version of safety, and that’s more dangerous than no regulation at all.

SOURCES

  • NBC News — Illinois Legislature passes historic AI bill
  • Capitol News Illinois — Behind the scenes of Illinois’ AI regulatory negotiations
  • Illinois Times — Illinois lawmakers pass landmark AI accountability bill
Sources: NBC News, Capitol News Illinois, Illinois Times

Related Articles