Illinois just signed a landmark AI law: what it actually regulates

- Governor JB Pritzker signed Illinois Senate Bill 315, the Artificial Intelligence Safety Measures Act, on 6 July 2026, covering AI developers with more than $500 million in annual revenue trained on very large compute.
- Covered developers must publish a catastrophic risk framework, report serious incidents within 72 hours (24 for imminent danger), and undergo an independent audit every year from 2028, a first-in-the-nation annual requirement.
- The law does not ban any AI model. Enforcement runs through the Illinois Attorney General, with civil penalties up to $1 million for a first offence and $3 million for repeat violations.
- Illinois joins California and New York in a group lawmakers say controls roughly 40 per cent of the US AI market, filling a gap left by the absence of federal AI legislation.
- OpenAI and Anthropic both supported the bill; TechNet, an industry coalition, raised concerns about subjective audit standards.
A representative from Anthropic stood in the room on Monday as Illinois governor JB Pritzker signed a bill regulating companies exactly like Anthropic. Senate Bill 315, the Artificial Intelligence Safety Measures Act, answers a question the US Congress has spent years avoiding: what should the law demand of the small number of firms building the most powerful AI models. According to Capitol News Illinois and Southern Illinois Now, which covered the signing, the law does not ban anything. It requires the largest developers to publish how they assess catastrophic risk, report serious incidents on a tight clock, and submit to an independent audit every single year.
What does the law actually require?
The Act applies only to the biggest AI developers: those whose models generate more than $500 million in annual revenue and are trained using what the bill calls massive computing power. Everyone else, including most startups, universities and academic labs, sits outside its scope entirely.
Covered developers must publish a public framework explaining how they identify and manage what the law calls catastrophic risk, defined precisely as the likelihood of an incident causing death or serious injury to more than fifty people, or more than $1 million in property damage. That framework has to address the possibility that a model could help someone build a chemical, biological or nuclear weapon, or carry out a large-scale cyber-attack.
If an incident with that kind of potential occurs, developers have 72 hours to report it once they identify it, or 24 hours if it poses an imminent risk of death or serious injury. Illinois adds one requirement neither California’s SB-53 nor New York’s Responsible AI Safety and Education Act includes: a mandatory independent third-party audit every year, not just once when a company first qualifies. The Illinois Attorney General enforces all of this with civil penalties of up to $1 million for a first offence and up to $3 million for repeat violations, and employees who report safety concerns to state or federal authorities are protected from retaliation.
None of it takes effect immediately. The law’s obligations begin on 1 January 2028, eighteen months from now, which gives both regulators and developers a long runway before any of it is actually enforced.
Why does a state law matter more than it sounds?
Illinois, California and New York together hold roughly a fifth of the US population but, according to estimates cited by the bill’s supporters, around 40 per cent of the country’s AI market. With Congress still not having passed comparable federal legislation, that concentration means three state legislatures are, in practice, setting the baseline rules for an industry that operates nationally. A company cannot easily build a rigorous safety framework for California and a laxer one for everywhere else; the largest, most-regulated state effectively becomes the standard the whole market has to meet.
Senate sponsor Mary Edly-Allen framed the urgency in blunt terms: “We are not willing to wait for Congress to act.” House sponsor Daniel Didech argued the risks the bill targets are no longer hypothetical, pointing to what he described as the first AI-inspired mass shooting and an AI system used to attack a municipal water and drainage utility. He also referenced Anthropic’s Mythos model, describing it as one the company itself had said was too capable a cyberweapon to release publicly, an example Anthropic did not dispute at a signing its own representative attended.
Not everyone welcomed the bill. TechNet, a coalition of technology executives, warned during committee hearings that the law effectively asks private auditors to make what it called highly subjective safety determinations without any established national standards or certifications to work from. That is a fair concern to sit alongside the law’s stated aims. An annual audit is only as good as the standard it is measured against, and Illinois has written the requirement into law before that standard fully exists anywhere. Whether the audits produce real accountability, or a compliance exercise whose rigour varies by auditor, is something the years of audits after 2028 will actually test, not something this signing settles.
The most striking detail from Monday was who did not object. OpenAI and Anthropic both backed the bill, the very industry the law is meant to hold accountable, which says something about where frontier AI developers now expect regulation to land regardless of who writes it first. Illinois has not banned advanced AI, or even slowed it down before 2028. It has bet that transparency and an outside check, applied every year to the handful of companies capable of causing the most harm, is a workable substitute for a federal law that still, after everything, does not exist.
Source: Southern Illinois Now / Capitol News Illinois