Illinois made independent AI audits the law. Here’s who it binds.
On July 6, 2026, Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act. Per the Governor’s office, Illinois becomes the first state in the nation to require regular independent third-party safety audits of covered AI systems — oversight conducted by qualified experts without financial conflicts of interest. For the assurance profession, that sentence is a milestone. It is also considerably narrower than most coverage will suggest, and we would rather be the firm that tells you so plainly.
The law takes effect January 1, 2027. The independent third-party audit obligation on large frontier developers begins January 1, 2028.
What the law actually does
SB 315 sits alongside California’s SB 53 and New York’s RAISE Act as a frontier-developer law — transparency and safety obligations aimed at the companies training the largest models. Where Illinois goes further is the audit. California and New York require developers to publish safety frameworks and report incidents. Illinois requires that someone independent come in and check.
Audit reports carry a lead-auditor certification and a summary transmitted to the Illinois Attorney General and the Illinois Emergency Management Agency. The statutory bar for the auditor is threefold: demonstrated competence in frontier AI safety, work performed to generally accepted auditing standards, and no shared financial interest with the developer being audited.
Who it actually binds — and who it doesn’t
This is where most commentary will overreach, so let us be exact.
- The audit mandate reaches frontier developers — broadly, organizations training models above roughly 1026 FLOP, with the heaviest duties falling on “large” developers, defined by annual revenue above $500 million.
- It does not reach ordinary deployers. If you are a small or mid-sized business, a clinic, a lender, a manufacturer, or a regulated-industry company using AI — including vendor AI behind your own brand — SB 315 does not place an audit obligation on you.
If a consultant tells you that Illinois now requires your company to be audited, they are either misreading the statute or selling you something. Both are worth knowing.
The auditor question — and an honest disclosure about us
SB 315 makes “who is qualified to independently audit AI?” a statutory question for the first time. That matters enormously to this profession. But the credential the statute contemplates is frontier AI safety competence — the ability to evaluate the safety of a frontier model — and that is not the same credential as the AI management-system assurance chain: ISO/IEC 42001 (the AI management system), ISO/IEC 42006 (requirements for bodies certifying against it), and ANAB accreditation of those bodies.
Sentinel Assurance Group operates inside that management-system chain. We are not frontier-safety auditors, we will not present ourselves as SB 315 auditors, and we will not let a headline blur that line. Anyone who does is telling you more about their sales process than about the law.
An honest corollary: a mature, recognized frontier-model-safety-audit standard does not yet exist. Illinois has now created statutory demand for one. Watch that space — but do not let anyone pretend the standard is already here.
So why does it matter to you at all?
Because the principle is now law. For two years, the argument for independent assurance has been made in white papers and conference panels: that meaningful oversight of AI requires a third party with no financial stake in the outcome, and that self-attestation is not assurance. A major U.S. state has now written that into statute.
That has three practical consequences, even for companies SB 315 never touches:
- Independence becomes the default expectation. Once a legislature says conflicted oversight is not oversight, customers, insurers, and procurement teams start asking the same question of everyone — not just frontier labs.
- The direction of travel is now unmistakable. Transparency (CA, NY) → audit (IL). States tend to copy each other. The next wave will not stop at frontier developers.
- It answers the “nobody can actually certify this” objection — at least on the management-system side, where the ISO 42001 / 42006 / ANAB chain demonstrably exists and is maturing.
What to do now
1. Confirm scope honestly. Unless you are training frontier-scale models, SB 315’s audit duty is not yours. Do not budget for an audit you do not owe. 2. Ask the independence question of your own vendors. If your AI vendor is a frontier developer, their SB 315 posture is now part of your diligence trail. 3. Build the management-system foundation. Inventory, risk management, documented impact analysis, disclosure — the things every AI law rhymes on, and the things an independent assessor can actually evidence. 4. Distinguish assurance from attestation. When you tell a customer your AI is governed, be ready to show who checked, what they checked, and whether they had a stake in the answer.
An honest limitation
The signing date (July 6, 2026) is confirmed by the primary source — the Illinois Governor’s own announcement. The effective date (January 1, 2027) and the audit-obligation date (January 1, 2028), along with the FLOP and revenue thresholds, come from counsel analysis of the enacted text rather than from our own reading of the statute line by line; they are consistent across the write-ups we reviewed, but verify against the bill before relying on them. And we will repeat the point we would rather over-state than under-state: SB 315’s audit mandate is not a management-system certification requirement, and it is not aimed at you unless you build frontier models. Its value to most organizations is directional, not operational.
Illinois did not make AI audits mandatory for American business. It made independence a legal expectation for the companies with the most power to cause harm — and in doing so, it told the rest of the market where this is going. That is the part worth acting on.
This briefing is general information from Sentinel Assurance Group, not legal advice. Regulatory dates and requirements change — we maintain these briefings, but verify against primary sources and counsel before acting. Last reviewed July 14, 2026.
See how a Gap Assessment maps your exposure →Does any of this actually reach you?
Find out in 30 minutes.
The free AI Risk Exposure call maps your AI footprint to the obligations that genuinely apply — and, just as often, the ones that don’t.
Book the call →