Lead Analysis
Regulation · 6 min

Illinois Approves SB 315, Imposing Annual Independent Audit on Anthropic, OpenAI, and Google DeepMind

Rotunda of the Illinois Capitol at dawn, with soft light entering through the dome and a closed leather folder on the House Speaker's desk.

The House approved the measure 110 to 0. Pritzker is expected to sign it this week. Illinois will require an annual independent audit of safety protocols in frontier models, ahead of the European federal benchmark.

On 27 May, the Illinois House of Representatives passed SB 315, the Artificial Intelligence Safety Measures Act, by a vote of 110 to 0, and sent it to the desk of Governor J.B. Pritzker, who has publicly stated he will sign it. The Senate had approved the bill on 21 May. Illinois becomes the third state in the United States to regulate developers of frontier models, following New York, which passed the RAISE Act, and California, which approved the Transparency in Frontier AI Act (SB 53).


The Heart of the Legislation: Annual Independent Audit


SB 315 requires "covered developers" to engage independent third-party auditors annually to assess their internal security protocols. The definition includes companies that train models exceeding compute limits set by the law, currently encompassing OpenAI, Anthropic, Google DeepMind, xAI, Meta AI, and Mistral. The auditor will have access to process documentation, results of adversarial tests, and capacity metrics, as noted by the Transparency Coalition.


The law establishes four concrete operational obligations. The first is to disclose audit reports with a level of detail defined by the Illinois Department of Innovation and Technology. The second is to report critical security incidents within a short window, as outlined in complementary regulations. The third is to submit periodic risk summaries for internal use, in a format similar to the voluntary Responsible Scaling Policy reports from Anthropic. The fourth is to maintain records for inspection. Civil penalties are monetary and scale with the company's annual revenue.


The American Mosaic and Comparison with Brussels


The combination of the RAISE Act in New York, SB 53 in California, and now SB 315 in Illinois covers three of the five largest state economies and a majority of the computing capacity declared by the six targeted labs. For CISOs of American banks, the next round of model provider assessments will have to compare independent reports across the three jurisdictions. The most visible difference is the trigger: California focuses on trained compute, New York on reportable incidents, while Illinois mandates a fixed annual cadence with an independent audit.


The European perspective shifts in tone. The European Union postponed the enforcement of requirements for Annex III high-risk AI under the Digital Omnibus until 2 December 2027, and the obligation to create at least one national sandbox has been pushed to 2 August 2027. The practical result is that for 12 to 18 months, the American state benchmark will be closer to a continuous auditing regime than the European federal benchmark. French and German companies that have been banking on "EU first" compliance now need to construct an American dossier before the European one. According to Brando Benifei, the Member of the European Parliament who is rapporteur for the AI Act, in an interview with Politico, "the European delay creates space for third parties to truly define the global standard for model auditing".


What Changes for Consultancies, Banks, and Software Giants


The Big Four, MBB, Accenture, and Capgemini already had "responsible AI" teams ramping up for the European regime. SB 315 opens an immediate revenue stream: auditing security protocols in covered frontier labs. KPMG, Deloitte, and PwC, with auditing licenses in the United States, are positioned to compete for mandates, but the text of the law requires functional independence of the auditor with respect to technology contracts. PwC, which maintains a business partnership with OpenAI in the enterprise space, and Deloitte, with a resale partnership with Anthropic, will need to structure internal firewalls before competing for an independent audit contract.


For Brazilian and European banks using OpenAI or Anthropic in production, the annual public report becomes a direct input for vendor risk assessment. Itaú, Bradesco, BTG Pactual, and Nubank in Brazil, Deutsche Bank, BBVA, ING, Santander, and UBS in Europe, Mizuho and MUFG in Japan, all run critical pipelines on frontier models via AWS Bedrock or Azure OpenAI. The operational risk committee will need to incorporate this new source into the quarterly review cycle.


The Timeline Defining Risk Perception


The Illinois Department of Innovation and Technology needs to publish complementary regulations within a timeframe defined by the text of the law, and the first audit window opens 12 months after the law is signed. For frontier labs still debating internally which documents can be made public without exposing competitive risk, the clock began ticking on 27 May. For corporate clients that signed MSAs with a "best industry practice" clause in AI security, the definition of what constitutes "industry practice" will be audited for the first time by an independent third party, with compulsory publication.


The next assessment will come from the White House. The federal administration has indicated to labs that it prefers a national standard, but has not sent a corresponding bill to Congress. Each state that passes its own law reduces the political margin for federal harmonisation, and Illinois consolidates the scenario in which the state regime has become the de facto standard.

Illinois Approves SB 315, Imposing Annual Independent Audit on Anthropic, OpenAI, and Google DeepMind | The New Times