[SECTION 1: WHERE THINGS STAND]
The bill isn’t signed. That distinction matters less than it usually would.
Governor JB Pritzker has publicly stated his intent to sign Illinois SB 315, a position that, in legislative practice, converts a passed bill into a planning fact. Compliance teams don’t wait for ink when the Governor has already spoken. Broadband Breakfast’s May 29 report confirmed the passage vote (110-0 House, 52-5 Senate) and Pritzker’s stated position. The Illinois General Assembly’s official bill status page lists the bill as having passed both chambers, with the last action dated May 29.
Near-certainty isn’t certainty. But for the purposes of compliance program design, it’s close enough to start.
The effective date is reportedly January 1 of the year following signing, with the specific year requiring editorial confirmation against the bill text before appearing in deadline-facing materials. That confirmation matters, because the difference between 18 months and 30 months of runway changes how aggressively compliance teams need to move right now.
[SECTION 2: WHO’S COVERED AND WHAT THEY OWE]
Start with the threshold, because the law’s obligations don’t apply to everyone.
SB 315 reportedly applies to AI developers above a gross revenue threshold of $500 million annually, per reporting, a figure that requires confirmation against the bill text before use in formal compliance determinations. If accurate, that threshold concentrates the law’s obligations on a specific tier: the handful of organizations with both the resources to build frontier models and the scale to generate that level of revenue. OpenAI, Anthropic, Google DeepMind, Meta AI, and xAI would be the most obvious candidates; whether smaller frontier developers fall in or out depends on the precise threshold language.
For covered developers, SB 315 creates three distinct obligations.
Frontier AI safety framework
The bill requires covered companies to create, publish, and annually update a safety framework addressing severe or catastrophic risks from their models, per Broadband Breakfast’s confirmed reporting. The specific components the bill enumerates, the exact categories of risk, cybersecurity requirements, and internal-use risk provisions, require the full bill text for precise characterization. What’s confirmed is the core structure: a documented, published framework that gets updated on a recurring annual schedule.
Annual independent third-party audits
This is the provision that has no precedent in U.S. AI legislation. Per Broadband Breakfast, the bill would mandate annual independent third-party audits of safety protocols to verify compliance with the framework. Independent and third-party are doing significant work in that sentence. The auditor can’t be affiliated with the developer. The audit cycle is annual, not one-time. And the audit is specifically of safety protocols, not a general compliance review.
72-hour incident reporting
Critical safety incidents must reportedly be reported to the Illinois Emergency Management Agency within 72 hours of discovery, per reporting. This requirement is corroborated by multiple sources, though the specific definition of “critical safety incident” and the precise IEMA filing mechanism require the bill text for compliance planning purposes.
Enforcement reportedly sits exclusively with the Illinois Attorney General, with civil penalties reportedly reaching up to $3 million per violation, and the bill reportedly does not create a private right of action. These figures come from legal analysis attributed to IAPP, whose source URL was not confirmed in our verification process, treat them as per reporting until confirmed against the bill text or a verified IAPP publication.
Illinois SB 315, Stakeholder Positions
SB 315 Compliance Build, Pre-Signature Priority Actions
- Confirm applicability: verify whether your organization meets the reported $500M gross revenue threshold against the full bill text
- Begin frontier AI safety framework scoping: identify which model risks fall within 'catastrophic' categories and what documentation each requires
- Audit market assessment: identify which third-party firms are developing frontier AI safety audit capability and initiate preliminary conversations
- Incident detection infrastructure review: assess whether current systems can support a 72-hour reporting window to IEMA (pending bill text confirmation of the requirement)
- Confirm effective year: editorial/legal team must verify the effective year against the Illinois General Assembly's bill text before building deadline timelines
[SECTION 3: THE AUDIT ECOSYSTEM GAP]
Here’s what compliance teams need to understand before anything else: the annual audit requirement assumes an audit industry that doesn’t exist at scale.
Third-party AI safety auditing is not a mature market. A small number of firms, primarily academic spinouts, specialized boutiques, and some of the larger professional services firms beginning to build AI assurance practices, are developing the capability to evaluate frontier AI safety protocols. None of them have done this at the volume SB 315’s annual audit cycle would require across the covered developer population.
This isn’t speculation. The hub’s prior coverage of the compliance audit ecosystem, including the $36M Zalos seed round to build audit infrastructure, reflects a market in formation, not in operation. Zalos and similar early-stage players are building toward a capability that SB 315’s timeline assumes will be ready. Whether that assumption holds depends on how quickly the audit market can scale qualified capacity.
The practical implication for covered developers: the available pool of qualified third-party auditors is likely to be competed over by every covered company simultaneously, beginning when the law takes effect. Organizations that identify and begin relationship-building with qualified auditors before the effective date have a structural advantage over those that wait.
Don’t expect a mature vendor market to appear on its own timeline. Developers have reason to accelerate it, which means reaching out to nascent audit providers now, participating in the development of audit standards, and building internal documentation that reduces the burden on external auditors when the time comes.
[SECTION 4: ENFORCEMENT ARCHITECTURE]
Exclusive AG enforcement with no private right of action is a specific architectural choice, and it carries consequences for how compliance risk materializes.
No private right of action means affected individuals, competitors, and advocacy organizations can’t sue directly under SB 315. Enforcement is channeled entirely through the Illinois Attorney General’s office. That concentrates enforcement power but also creates a single point of prioritization: the AG’s office will set the enforcement agenda, and it won’t be able to pursue every potential violation simultaneously.
This structure has precedent in state consumer protection law. It doesn’t mean enforcement is toothless, the AG’s office can move on high-profile cases and use individual actions to establish deterrent precedent. But it does mean enforcement velocity is limited by the AG’s capacity and political priorities.
Covered developers should note that concentrated enforcement doesn’t mean predictable enforcement. A new AG can reprioritize. A high-profile AI safety incident can accelerate action. The absence of private plaintiffs removes one source of unpredictability while leaving another fully intact.
Per reporting attributed to IAPP analysis, civil penalties reach up to $3 million per violation. Confirm against the bill text before building this figure into formal risk assessments, but treat it as an order of magnitude that compliance investment should be measured against.
Unanswered Questions
- Does the $500M gross revenue threshold apply globally or only to Illinois-derived revenue, and does it include affiliate revenue?
- What documentation format and evidentiary standard will satisfy the annual 'update' requirement for the frontier AI framework?
- Which auditors will be recognized as qualified independent third parties under SB 315, and is there a certification or accreditation requirement?
- How will the 72-hour IEMA reporting window interact with attorney-client privilege and incident response protocols?
Analysis
SB 315's annual audit mandate creates a structural demand signal for a frontier AI safety audit market that is currently in early formation. The organizations that invest in auditor relationships now, before the law is signed and the competitive scramble for audit capacity begins, are making a compliance investment that will have value regardless of how federal preemption legislation develops. Audit documentation, safety framework infrastructure, and incident reporting capacity are transferable across regulatory regimes.
[SECTION 5: PLANNING TIMELINE]
The effective date is the anchoring fact here, and it’s the one that needs the most urgent confirmation.
Working backward from a January 1 effective date: a frontier AI safety framework published and ready for audit requires documentation work, internal review, and legal sign-off. An annual audit cycle requires an auditor identified, contracted, and prepared. A 72-hour incident reporting capability requires a detection infrastructure, escalation protocol, and a tested IEMA filing mechanism.
None of those happen in the final quarter before the effective date. The organizations positioned to comply on day one will be those that treat the pre-signature window as month one of an 18-to-30-month compliance build.
The hub’s prior analysis of building a compliance program for a patchwork landscape applies directly here. SB 315 doesn’t exist in isolation, it joins Colorado’s SB 26-189 and Connecticut’s workplace AI law in a state-level framework that covered developers have to manage simultaneously. The companies treating each state law as a separate compliance silo are already behind the ones building a unified compliance architecture flexible enough to absorb new requirements.
Illinois is adding a third vertex. More will follow.
The real question is whether the White House’s stated preference for federal AI preemption – documented in prior hub coverage, arrives before or after SB 315’s effective date. If federal preemption legislation passes and supersedes state laws, SB 315’s compliance infrastructure may be reoriented rather than abandoned. Framework documentation, audit relationships, and incident reporting capacity are transferable. The organizations that build them under SB 315 will have an advantage regardless of what federal law eventually looks like.
The audit ecosystem won’t be ready on its own. The compliance program clock is already running. Covered developers who act before the signature convert uncertainty into advantage, those who wait for full legal certainty will find themselves competing for scarce auditor capacity in a market they had years to shape.