Skip to main content

Illinois Enacts Artificial Intelligence Safety Measures Act

On July 6, 2026, Illinois Governor, JB Pritzker, signed the Artificial Intelligence Safety Measures Act (the Act), imposing governance, transparency, audit, and incident-reporting obligations on developers of advanced AI models. The Act focuses on “frontier models” and places the most obligations on “large frontier developers” with annual gross revenues exceeding $500 million. The Act takes effect Jan. 1, 2027, with many substantive compliance obligations beginning in 2028. 

Key Takeaways 

  • Applies primarily to developers of highly capable “frontier models.” 
  • Creates mandatory AI governance and risk-management requirements. 
  • Requires public transparency reports for new frontier models. 
  • Mandates annual independent third-party audits for large frontier developers. 
  • Imposes 72-hour reporting obligations for certain AI safety incidents and 24-hour reporting for incidents posing imminent risks of death or serious injury. 
  • Establishes whistleblower protections for employees raising AI safety concerns. 
  • Authorizes enforcement by the Illinois Attorney General, with penalties of up to $1 million for a first violation and up to $3 million for subsequent violations.

Who Is Covered? 

The Act applies to developers of “frontier models,” defined as foundation models trained above specified computational thresholds. A “large frontier developer” is a frontier developer that, together with its affiliates, generated more than $500 million in annual gross revenue during the preceding calendar year. 

The Act targets developers of advanced frontier AI models rather than typical AI users or companies that deploy AI tools.

Required Frontier AI Framework 

Beginning Jan. 1, 2028, large frontier developers must develop, implement, comply with, and publicly post a written Frontier AI Framework addressing: 

  • Adoption of national, international, and industry standards. 
  • Processes for assessing whether a model poses a “catastrophic risk.” 
  • Risk mitigation measures. 
  • Deployment review and approval procedures. 
  • Use of independent third-party evaluators. 
  • Framework update procedures. 
  • Cybersecurity protections for unreleased model weights. 
  • Identification and response procedures for critical safety incidents. 
  • Internal governance and accountability mechanisms. 
  • Management of risks arising from internal use of frontier models.

The framework must be reviewed at least annually, and material changes must be publicly disclosed within 30 days, along with a justification for the modification. 

Transparency Reporting Requirements 

Before, or at the time of, deployment of a new or substantially modified frontier model, developers must publish a transparency report containing: 

  • Release date. 
  • Supported languages. 
  • Output modalities. 
  • Intended uses. 
  • Applicable use restrictions. 
  • Contact mechanism and website for the developer.

Large frontier developers face additional disclosure obligations and must summarize: 

  • Catastrophic risk assessments. 
  • Assessment results. 
  • The involvement of third-party evaluators. 
  • Steps taken to comply with the Frontier AI Framework.

Annual Independent Audits 

Starting Jan. 1, 2028, (or within 90 days after becoming a large frontier developer), covered companies must retain an independent third party to conduct annual compliance audits. Among other requirements:

  • Auditors must have demonstrated frontier-model safety expertise. 
  • Auditors must be independent and free from financial conflicts. 
  • Audit reports must evaluate substantial compliance with the Act and assess internal controls. 

A high-level summary of audit findings and a redacted audit report must be publicly posted and submitted to the Illinois Emergency Management Agency and Office of Homeland Security (the Agency) and the Illinois Attorney General within 30 days after receipt.

Incident Reporting Obligations 

The Act creates a new category of “critical safety incidents,” which includes, among other things: 

  • Certain unauthorized access to frontier-model weights. 
  • Harm arising from the materialization of a catastrophic risk. 
  • Loss of control of a frontier model causing death or bodily injury. 
  • Deceptive model behavior that materially increases catastrophic risk.

Developers must report critical safety incidents to the Agency and the Illinois Attorney General within 72 hours after learning facts sufficient to reasonably believe an incident occurred. 

If an incident poses an imminent risk of death or serious physical injury, disclosure must be made to appropriate authorities within 24 hours. 

Registration and Disclosure Requirements 

Beginning Jan. 1, 2027, large frontier developers may not develop, deploy, or operate a frontier model in Illinois without maintaining a current disclosure statement on file with the Agency and paying required fees.

Required disclosures include: 

  • Corporate identity information. 
  • Illinois business locations. 
  • Certain ownership information. 
  • Designated regulatory contacts.

If a large frontier developer develops, deploys, or operates a frontier model in Illinois without a current disclosure statement, submits false information, or fails to pay required assessments, the Agency may impose: 

  • $1,000 per day for failing to file required disclosures or correct false information; and 
  • Recovery of unpaid assessments and fees. 

The Act separately prohibits: 

  • Materially false or misleading statements regarding catastrophic risks posed by frontier models. 
  • Materially false or misleading statements regarding a large frontier developer’s implementation of or compliance with its Frontier AI Framework.

A limited “safe harbor” applies to statements made in good faith and reasonable under the circumstances.

Whistleblower Protections 

The Act prohibits retaliation against covered employees who report: 

  • Conduct creating a substantial public safety risk arising from catastrophic AI risk; or 
  • Violations of the Act.

Large frontier developers must also implement internal reporting channels for anonymous safety-related disclosures and provide notice of employee rights. 

Enforcement and Penalties 

The Illinois Attorney General has exclusive authority to enforce the Act, and there is no private right of action. A large frontier developer may face civil penalties for: 

  • Failing to publish or submit required reports or disclosures. 
  • Making prohibited false or misleading statements regarding catastrophic risks or compliance. 
  • Failing to obtain required independent audits. 
  • Failing to report critical safety incidents. 
  • Failing to comply with its own published Frontier AI Framework.

Civil penalties may reach: 

  • Up to $1 million for a first violation. 
  • Up to $3 million for each subsequent violation. 

The statute ties enforcement not only to statutory requirements but also to compliance with the developer’s own publicly disclosed AI governance framework, creating potential exposure where a company’s practices diverge from its published commitments.

Practical Implications 

Although the Act targets frontier-model developers rather than ordinary AI users, it represents a shift toward state-level regulation of advanced AI systems. Organizations developing or deploying large foundation models may wish to assess whether they fall within the Act’s scope and should consider establishing governance, risk assessment, audit, transparency, incident-response, and whistleblower compliance programs in advance of the 2028 implementation deadlines.