Illinois Advances Frontier AI Transparency And Audit Requirements

On May 29, 2026, the Illinois General Assembly passed Senate Bill 315 (SB 315), which, when effective, would impose public transparency, critical safety incident reporting, and annual independent third-party audit obligations on certain “large frontier developers” of artificial intelligence (AI). The obligations that this bill imposes, once Illinois Governor Pritzker signs it into law, are closely aligned with similar state laws such as California’s Transparency in Frontier Artificial Intelligence Act and New York’s RAISE Act, while introducing a first-of-its-kind requirement for annual third-party auditing and critical safety reporting.

If enacted, the law will become effective on January 1, 2027, with the transparency reporting and audit requirements coming into effect on January 1, 2028. The law will be enforced by the Illinois attorney general and by the Illinois Emergency Management Agency and Office of Homeland Security. There is no private right of action included in the bill.

In Depth

The Illinois bill applies to “large frontier developers” developing “frontier models.” A “large frontier developer” is a business that had annual gross revenue of more than $500 million in the preceding calendar year and is developing a “frontier model” that meets a computer power threshold (i.e., computing power greater than 10^26. This threshold mirrors the threshold set in Executive Order 14110 (Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence), which required models of this computational strength to comply with its reporting requirements.

Critical safety incident reporting

SB 315 provides that a frontier developer must report [CL8.1]a “critical safety incident” to the Illinois attorney general and the Emergency Management Agency and Office of Homeland Security within 72 hours of learning facts sufficient to establish a reasonable belief that a critical safety incident has occurred. The bill further states that the disclosure timeline moves to 24 hours if the incident is tied to imminent risk of death or serious physical injury and that the disclosure must now be made to the appropriate law enforcement or public safety agency with jurisdiction based on the nature of the incident and as required by law.

A critical safety incident is any event involving a frontier model where:

1. The model’s weights are accessed, modified, or exfiltrated without authorization, resulting in death or bodily injury;
2. Harm occurs because a catastrophic risk materializes;
3. There is a loss of control of the model that causes death or bodily injury; or
4. The model uses deceptive techniques to subvert its developer’s controls or monitoring (outside of an evaluation designed to trigger that behavior) in a way that shows a materially increased catastrophic risk.

The report must contain the following: (1) the date of the critical safety incident, (2) the reasons the incident qualifies as a critical safety incident, and (3) a short and plain statement describing the critical safety incident.

Transparency

Annual transparency framework reviews: The Illinois bill provides that beginning January 1, 2028, a large frontier developer would be required to write, implement, comply with, and clearly and conspicuously publish on its website a “frontier AI framework,” with annual reviews.

SB 315 states that the framework must describe the developer’s approach to specified topics, including:

1. The incorporation of national and international standards of industry-consensus best practices of its frontier AI framework,
2. The threshold used to identify when a frontier model has catastrophic risk capabilities,
3. Catastrophic risk mitigation and review of mitigation processes before model deployment,
4. Third-party assessments of the potential of catastrophic risks,
5. Cybersecurity to protect unreleased weights,
6. Incident response,
7. Internal governance, and
8. Internal-use catastrophic risk (including risk of a model circumventing oversight mechanisms).

Additionally, a developer must review or update the framework at least annually and must publish a modified framework if there is a material modification.

Pre-deployment transparency reports: The bill additionally requires that a transparency report be posted on the developer’s website before or when deploying a new (or substantially modified) frontier model. The report must list the developer’s website, a means of contacting the developer, the model’s release date, supported languages, supported output types (modalities), intended uses, and general use restrictions/conditions.

If the developer is a large frontier developer, the report must also include machine-readable summaries of its catastrophic risk assessments (and results), third-party evaluator involvement, and other steps taken to fulfill the requirements of the developer’s public frontier AI framework.

Auditing

Beginning January 1, 2028, or 90 days after a developer first becomes a large frontier developer, the developer must annually hire an independent third party to audit their compliance with the Illinois law. The bill provides specific independence criteria, including that there can be no financial interest between auditor and developer other than payment for the service, although payment cannot depend on the audit results. Additionally, the auditor must be given access to reasonably necessary materials, including unredacted materials, subject to reasonable security protocols.

The auditor will issue a report describing whether the developer has substantially complied with the requirements of this law, any material deviations (with rationale and recommendations), internal controls, a list of the personnel involved in the audit, the procedure for managing conflicts of interests of the audit personnel, details of the methodology of the audit, and a lead-auditor certification signature. Large frontier developers must keep an unredacted report copy for the duration of the model‘s deployment plus five years. Additionally, within 30 days of receiving the audit, a developer must (1) post a high-level findings summary plus a copy of the report (with appropriate redactions regarding trade secrets, cybersecurity, and public and national security) on its website and (2) send the redacted report to the Illinois attorney general and the Emergency Management Agency and Office of Homeland Security.

Fines and enforcement

Large frontier developers may face civil penalties for key compliance failures – such as not publishing/transmitting required documents, making a prohibited misleading statement under §10(f), failing to obtain the required independent audit under §10(d), failing to report a critical safety incident under §15, or failing to follow their own frontier AI framework. Fines are set at $1 million for a first violation and up to $3 million each for subsequent violations, and enforcement is vested exclusively with the Illinois attorney general. The bill does not provide for a private right of action, and collected penalties go to the Attorney General Court Ordered and Voluntary Compliance Payment Projects Fund, a special fund of the Illinois State Treasury that receives monetary settlements and civil penalties from consumer protection and corporate lawsuits handled by the state’s attorney general.

Separately, starting January 1, 2027, a large frontier developer generally may not develop, deploy, or operate a frontier model in Illinois without a current disclosure statement on file with the Emergency Management Agency and Office of Homeland Security and payment of the required (unspecified) fee. SB 315 authorizes daily penalties (up to $1,000/day) tied to disclosure failures, including failing to file required disclosures or correct false information.

In addition to the obligations described above, the bill imposes further requirements for frontier models, including interoperability obligations and whistleblower protections for employees.

Key takeaways

If enacted, SB 315 would create new, public-facing compliance obligations for “large frontier developers” in Illinois, including transparency reporting, rapid critical safety incident reporting, and annual independent third-party audits. The bill also pairs these duties with significant civil penalties enforced exclusively by the Illinois attorney general (with no private right of action), plus separate disclosure-filing requirements and daily penalties beginning January 1, 2027.

If you have questions about SB 315, please contact any of the authors or your regular McDermott lawyer.

Lucas Cortínez, a summer associate in the New York office, contributed to this client alert.