1. Home
  2. |Insights
  3. |Illinois Imposes Transparency and Safety Obligations on Frontier AI Systems

Illinois Imposes Transparency and Safety Obligations on Frontier AI Systems

What You Need to Know

  • Key takeaway #1

    Illinois has joined California and New York in adopting legislation to establish transparency and safety standards for the most powerful AI systems in the world.

  • Key takeaway #2

    Illinois goes further than other states by establishing the first requirement for third-party audits of large frontier developers.

  • Key takeaway #3

    Even without federal action, California, New York, and Illinois have created what is essentially a national framework for AI safety and transparency.

Client Alert | 7 min read | 07.08.26

On July 6, 2026, Illinois Governor JB Pritzker signed SB 315, the Artificial Intelligence (AI) Safety Measures Act (the Illinois Act), to establish a framework for AI safety, transparency, and accountability for the world’s most powerful AI models. The governor’s approval follows unanimous passage of the bill by the Illinois House and nearly-unanimous support in the Illinois Senate in May. 

With the adoption of the Illinois Act, a de facto national framework for regulating cutting-edge AI systems is emerging from state capitals across the country, not from Washington, D.C. Illinois joins California, which enacted the Transparency in Frontier Artificial Intelligence Act (TFAIA) in September 2025; and New York, which enacted the Responsible AI Safety and Education (RAISE) Act in December 2025, in imposing a suite of obligations on developers of frontier models: transparency reports, AI safety frameworks, incident reporting requirements, and whistleblower protections. Illinois goes a step further than the Empire State and the Golden State by mandating annual independent third-party audits.

With federal AI legislation unlikely in the near-term, these three states have effectively created a national compliance standard. Leading AI developers have taken note. For example, OpenAI endorsed SB 315, describing it as “one of the strongest frontier AI safety laws in the country,” and acknowledged that California, New York, and Illinois “are beginning to create a de facto national framework.” On the same day Illinois’s House unanimously passed SB 315, OpenAI released its Frontier Governance Framework, a voluntary governance structure expressly designed to align with the requirements of these three states, signaling that the industry may be moving to conform to the emerging state standard in the absence of federal action.

Narrowly Defined “Frontier Models”

The obligations in the Illinois Act, California TFAIA, and New York RAISE Act attach to a narrow and technically defined class of AI systems. All define a “frontier model” as one trained using more than 1026 floating-point operations (FLOPs), a mathematical baseline used to define the number of operations on which the AI model was trained.

By comparison, the EU AI Act’s threshold is 1025 FLOPs for its regulations of a “general-purpose AI model,” meaning that the Illinois Act creates a higher compute threshold and thus regulates fewer models. This higher threshold is also the same used for certain obligations in President Biden’s now-rescinded 2023 Executive Order on AI; a recent Trump administration executive order establishing a voluntary regulatory regime for “frontier models” did not define the training compute power for covered models, deferring the determination to the director of the National Security Agency.

Today, only a handful of models currently exceed the 1026 FLOPs threshold, but analysts project approximately 30 such models will by 2027, and over 200 by 2030.

Notably, the geographic reach of these laws is not limited to developers based in those states. Any developer whose models are accessible to users in California, New York, or Illinois — effectively, any major frontier developer in the world — is subject to the new safety law under its text.

California’s TFAIA was a model for the Illinois Act. Like TFAIA, SB 315 imposes obligations on “frontier developers,” defined as anyone who trains a “frontier model,” and greater obligations on “large frontier developers,” which are frontier developers with annual gross revenues in excess of $500 million over the preceding calendar year.

Core Obligations

The Illinois Act imposes several important requirements on both frontier developers and large frontier developers and vests the Illinois Emergency Management Agency (Agency) and the Illinois attorney general with oversight and enforcement powers:

    • AI Safety Frameworks: Beginning January 1, 2028, large frontier developers must publish, implement, and annually update a framework documenting how they: assess and mitigate catastrophic risks associated with their models; incorporate national, international, and industry-consensus best practices; deploy cybersecurity practices to secure the models; identify and respond to critical safety incidents; and share the results of third-party evaluations.

      The Act defines “critical safety incident” to include the unauthorized access or modification of the model weights, harm resulting from catastrophic risk, the loss of control of a frontier model causing death or injury, or a frontier model that “uses deceptive techniques” to subvert the  developer’s control to increase catastrophic risk. It defines “catastrophic risk” as foreseeable and material risk that the model will lead to the death of injury of more than 50 people or more than $1 billion in property damage, provide “expert-level” assistance in the creation of a weapon of mass destruction, engage in conduct without meaningful human oversight, or evade the control of the developer or user.
    • Transparency Reports: Before deploying a new model or “substantially” modifying an existing one (what constitutes “substantial” is not defined), frontier and large frontier developers must publish a transparency report listing the frontier developer’s website and a mechanism for the public to communicate with the frontier developer; the model’s release date, languages, and modalities supported (e.g., text or audio); the model’s intended uses; and “generally applicable restrictions,” on the model. A frontier developer may satisfy these obligations if they include this information “as part of a larger document, including a system card or model card …” The Illinois Act also encourages but does “not require[]” frontier developers to make disclosures “consistent with, or superior to, industry best practices.”

      SB 315 also requires large frontier developers to include summaries of assessments of catastrophic risks from the frontier model; the results of the assessments; the extent to which third-party evaluators were involved in those assessments; and other steps taken to fulfill the requirements of the company’s AI safety framework.
    • Independent Third-Party Audits: In a first — not mirrored in either California or New York — the Illinois Act requires, beginning January 1, 2028, large frontier developers to undergo annual audits by independent third parties examining model risks and mitigations. The third party must conduct audits “consistent with generally accepted auditing standards and best practices,” and neither the auditor nor the large frontier developer may have a financial interest in the other party. The large frontier developer must publish a “high-level summary” of the audit report on its website within 30 days of receiving it and must provide a copy of the report to the Agency and the Illinois attorney general, upon request.
    • Critical Safety Incident Reporting: The Agency must establish a mechanism for frontier developers or a member of the public to report a critical safety incident, and a frontier developer must report any critical safety incidents relating to its model(s) to the Agency and the attorney general within 72 hours of the frontier developer learning facts “sufficient to establish a reasonable belief that a critical safety incident has occurred.” The time window reduces to only 24 hours if the frontier developer discovers that the incident “poses an imminent risk of death or serious physical injury …”
    • Whistleblower Protections: The Illinois Act prohibits retaliation against employees, contractors, and affiliates who report safety concerns or legal violations related to the frontier developer’s activities, and requires internal anonymous reporting channels.
    • Enforcement: The Illinois Act vests enforcement authority in the Illinois attorney general, who may seek civil penalties for noncompliance. Like the TFAIA and the RAISE Act, the Illinois Act does not establish a private right of action to enforce the provisions of the act that do not involve whistleblower protections.

Next Steps

    • Assess applicability now. If your organization is approaching the 1026 FLOPs training compute threshold, begin compliance planning. The regulated population will grow rapidly in the coming years.
    • Build a unified multistate compliance framework. The core obligations across the three states are sufficiently aligned to support a single integrated program covering AI safety frameworks, transparency reports, incident response, audit protocols, and whistleblower policies.
    • Prepare for the audit requirement. Illinois’s mandatory annual third-party audit obligation is the most demanding element of the framework. Developers should begin identifying qualified evaluators and scoping what a credible audit engagement would require.
    • Design safety incident response around the most stringent timeline. Illinois’ 24-hour window for imminent-risk incidents establishes the most demanding timeline. Incident detection and escalation processes should be built to meet it.
    • Watch for federal moves. Developments in Washington may further complicate (or simplify) the emerging national standard imposed by bellwether states. In December 2025, the White House issued an executive order, on the heels of the TFAIA and the RAISE Act, directing the Federal Communications Commission (FCC) to begin a process to determine whether to adopt a federal reporting standard for AI models that would purport to preempt state laws. FCC action remains to be seen, and it is unclear whether an FCC-issued reporting standard, or a subsequent executive order directly on the issue, could effectively preempt state laws and survive legal challenges, absent a clear congressional delegation of powers. The prospect of any proposed federal legislation is likely to turn on whether Congress can navigate the lively debate among legislators over whether such federal-level lawmaking should preempt state AI laws like the Illinois Act.

Crowell & Moring will continue to monitor these state and federal efforts to regulate AI. For further information, please contact our team.

Contacts

Insights

Client Alert | 1 min read | 07.08.26

CAS Board Publishes Final Rule Rescinding CAS 404, 408, 409, and 4117

As part of its ongoing effort to conform the Cost Accounting Standards (“CAS”) to generally accepted accounting principles (“GAAP”), the CAS Board published a final rule rescinding CAS 408 (Accounting for costs of compensated personal absence) and CAS 411 (Accounting for acquisition costs of material).  The CAS Board also rescinded CAS 404 (Capitalization of tangible assets) and CAS 409 (Depreciation of tangible capital assets) but retained certain requirements of CAS 404 and 409, which will be located in new paragraphs of CAS 405 (Accounting for unallowable costs).  Specifically, the CAS Board retained the requirements currently located at CAS 404-50(d)(1), CAS 409-50(e)(5), CAS 409-50(j)(1), and CAS 409-50(j)(4), which the CAS Board explained are necessary to protect the Government’s interests.  Otherwise, the CAS Board determined that the requirements of CAS 404, 408, 409, and 411 overlapped with GAAP such that GAAP “may be applied reasonably as a substitute for CAS to support contract cost and pricing.”...