Illinois has become the third state to pass comprehensive legislation regulating powerful artificial intelligence models, advancing a bill that requires major AI developers to adopt transparency frameworks and submit to independent audits. Senate Bill 315 passed the Illinois Senate 52-5 this week, joining California and New York in establishing what lawmakers hope will become a de facto national standard for AI governance.

The bill targets the largest AI companies, those with revenues exceeding $500 million, and requires them to create and publish transparency frameworks explaining how they measure model capabilities, assess catastrophic risk potential, and respond to safety incidents. It also mandates third-party audits to verify compliance, a requirement that goes further than similar laws in California and New York.

What Triggered the Shift Toward AI Regulation?

The urgency behind these state-level efforts reflects a critical gap in federal oversight. President Donald Trump previously discouraged states from regulating AI, but state lawmakers cited the lack of federal movement as justification for moving forward. More recently, Trump floated the possibility of a second AI-related executive order that would direct developers on how to report powerful models to federal officials, signaling a potential shift in Washington's approach.

A specific incident accelerated the conversation. Anthropic's Mythos program, which uses the company's Claude AI model to identify software vulnerabilities, demonstrated the dual-use risk inherent in advanced AI systems. According to reporting on the program, Anthropic began using Claude to find vulnerabilities about a year ago, discovered roughly 20 in Firefox three months ago, and is now finding tens of thousands. The concern wasn't just the AI's capability, but the obvious next question: if AI can find vulnerabilities at that scale and speed, what prevents someone from using it to exploit them ?

"Three of the leading frontier AI companies have reported in their own safety evaluations that their models could provide meaningful assistance in building a biological weapon," stated Scott Wisor, policy director for Secure AI, a nonprofit seeking meaningful AI regulations.

Scott Wisor, Policy Director, Secure AI

That revelation prompted a rapid recalibration in Washington. The federal posture shifted from hands-off to asking hard questions about whether the most powerful systems should undergo government review before public release. Some policymakers even floated an FDA-style model requiring federal sign-off before frontier AI systems ship.

How Does Illinois's Bill Differ From Other State Laws?

While Illinois's SB 315 mirrors the structure of California's and New York's laws, it includes one significant addition: mandatory third-party audits. These audits are designed to ensure compliance with the transparency framework requirements. However, this provision became contentious during committee deliberations.

Amendments clarified who is allowed to conduct third-party audits, what the audits should include, and protocols for protecting proprietary information. The effective deadline was extended from 2027 to 2028, giving companies additional time to prepare. The bill also requires large frontier developers to file disclosure statements and pay fees, while clarifying that no civil liability is created for compliance efforts.

• Revenue Threshold: The bill targets companies with revenues exceeding $500 million, a threshold designed to capture only the largest AI entities while allowing smaller companies to continue innovating without regulatory burden.
• Transparency Requirements: Developers must explain how they apply industry standards, measure model capabilities, assess catastrophic risk potential, and identify and respond to safety incidents.
• Third-Party Auditing: Unlike California and New York laws, Illinois requires independent audits to verify compliance, a more stringent requirement that raised concerns about startup costs.
• Disclosure and Fees: Large frontier developers must file disclosure statements and pay fees, with the effective date pushed to 2028 to allow preparation time.

What Are Industry Concerns About the Regulation?

The auditing requirement sparked pushback from startup advocates. Jeremy Kudon, executive director of the American Innovators Network, a coalition of startups and small AI companies, warned that third-party audits represent an "expensive requirement" for startups with few or no lawyers on staff. These companies would need to divert capital toward legal and compliance costs rather than innovation.

"They're gonna have to rely and use their much-needed capital to pay for lawyers and lobbyists simply to comply with these laws, when their whole goal is to help innovate and to make AI more accessible to everyone," said Jeremy Kudon, executive director of the American Innovators Network.

Jeremy Kudon, Executive Director, American Innovators Network

Industry representatives also expressed concern that Illinois's deviations from California and New York could undermine the goal of establishing a unified national standard. TechNet's representative noted that Illinois would be "requiring private actors to make highly subjective determinations requiring AI safety compliance without established national standards, certifications, or clear regulatory guardrails".

Another concern centers on the $500 million revenue threshold. As AI becomes more prevalent and companies grow faster, this threshold may become less relevant. Kudon noted that "as AI grows faster and faster, $500 million dollars in revenue is actually not that much money," and smaller companies adapting or building on frontier models could eventually fall into the regulatory scope.

Kudon

Why Do Experts Say This Is Just the Beginning?

Despite the bill's passage, experts emphasize that these requirements represent a modest baseline rather than comprehensive governance. Jonathan Iwry, a fellow at the Wharton Accountable AI Lab at the University of Pennsylvania, noted that "even the companies developing them seem unable to reliably predict or control the systems' behavior." Against that backdrop, transparency, testing, and auditing should be understood as foundational safeguards rather than the upper limit of accountability.

"It's important to keep perspective about how modest many of these requirements still are relative to the scale of the technology involved. Requirements like transparency, testing and auditing should probably be understood as foundational safeguards rather than the upper limit of accountability," explained Jonathan Iwry, fellow at the Wharton Accountable AI Lab.

Jonathan Iwry, Fellow, Wharton Accountable AI Lab, University of Pennsylvania

The pace of AI development compounds the challenge. Every four months, model capabilities double, according to Wisor. This means legislation that takes months or years to pass becomes outdated quickly. Iwry framed the real question facing policymakers: "whether these laws ultimately serve as a springboard toward stronger, more mature forms of AI governance, or instead allow what are relatively modest baseline accountability standards to get locked in as the long-term norm".

How Should Policymakers and Industry Move Forward?

• Establish Interoperable Audit Standards: Develop common methodologies for auditing AI systems across different domains, allowing jurisdictions to measure whether their rules are actually working rather than requiring identical regulations everywhere.
• Create Continuous Monitoring Mechanisms: Move beyond pre-deployment testing toward real-time monitoring and circuit breakers that can catch problems as they emerge, compensating for the difficulty of anticipating every scenario in advance.
• Clarify Liability and Accountability: Define who is responsible when AI systems make mistakes, send money to the wrong place, or get exploited by bad actors, providing the legal clarity that allows responsible institutions to innovate with confidence.
• Balance Innovation with Safety: Set clear guardrails that protect consumers while giving responsible institutions room to develop and deploy AI tools, rather than allowing ambiguity to slow adoption or increase litigation risk.

The Illinois bill represents a pragmatic decision to pursue incremental progress on a rapidly moving target. OpenAI and Anthropic both testified in support, with OpenAI emphasizing the effort to create a national standard focused on the "most capable" models and the worst potential harms. That approach allows smaller companies to thrive while still protecting consumers.

As more states and the federal government grapple with AI governance, the challenge remains clear: how to regulate technology that evolves faster than institutions can adapt, while preserving the innovation that makes AI valuable in the first place. Illinois's bill is a step forward, but experts agree the conversation is far from over.