Illinois Enacts First U.S. Law Requiring AI Safety Audits for Large Models
The legislation follows similar statutes adopted in California (SB‑53) and New York (the Responsible AI Safety and Education Act). It expands those models’ transparency and accountability requirements by adding a requirement for annual independent audits and stricter incident‑reporting timelines. The bill was passed with broad bipartisan support: the Illinois Senate approved it 52‑5 and the House voted 110‑0.
Under the new rules, developers must release an AI framework that explains how they identify and assess “catastrophic risk,” defined as an incident that could cause death or serious injury to more than 50 people or $1 million in property damage. They must report any incident that could harm the state within 72 hours, or within 24 hours if the risk is imminent. The framework must also address potential misuse for chemical, biological, nuclear weapons, or large‑scale cyber‑attacks.
The law introduces civil penalties administered by the attorney general’s office: up to $1 million for a first violation and up to $3 million for subsequent violations. Illinois’ requirement for annual third‑party audits is the first of its kind in the United States; New York’s law requires only a single audit when a model first meets the threshold.
Industry reaction has been mixed. OpenAI and Anthropic publicly supported the bill, citing the need for a coordinated state‑driven approach to AI safety. Anthropic’s representatives were present at the signing ceremony. TechNet, a coalition of technology executives, expressed concern that the audit requirement could impose “highly subjective determinations” without established national standards. TechNet’s representative Ninia Linero noted that the law could create compliance burdens for private actors.
Senator Mary Edly‑Allen, the bill’s sponsor, emphasized the urgency of protecting the public from potential AI harms. Representative Daniel Didech highlighted real‑world incidents, including an AI‑inspired mass shooting and a cyber‑attack on a municipal water utility, to illustrate the stakes. The bill’s supporters argue that the regulation mirrors the safeguards that accompanied the introduction of automobiles, electricity, and air travel.
The law’s passage is part of a broader state‑driven movement to establish a national framework for AI safety. According to the bill’s text, the three states—Illinois, California, and New York—represent roughly 40 % of the U.S. AI market, giving the legislation de facto national influence.
The Illinois law will require AI developers to comply with the safety framework and to undergo independent audits each year. The law’s enforcement mechanisms and penalties are designed to encourage compliance and to deter unsafe practices. The legislation is expected to shape how large AI companies, including OpenAI, Anthropic, Meta, and Google, develop and deploy frontier models.
As the AI industry continues to evolve, the Illinois law sets a precedent for other states and may influence federal policy. The law’s effectiveness will depend on the cooperation of developers, auditors, and regulators, and on how the industry adapts to the new compliance requirements.
The law’s implementation will begin on January 1, 2028. Until then, developers of large AI models will need to prepare documentation, incident‑reporting procedures, and audit arrangements to meet the upcoming standards.