Illinois SB 315 Passes Legislature: America's First AI Audit Requirement (And What It Means for Accounting Firms)

Illinois SB 315 Passes Legislature: America's First AI Audit Requirement (And What It Means for Accounting Firms)

The vote was 110-0.

On May 27, 2026, the Illinois House passed SB 315 — the AI Safety Measures Act — without a single dissenting vote. Governor Pritzker, who publicly endorsed the bill, is expected to sign it before June 2. When he does, Illinois becomes the first state in the country to require mandatory annual third-party safety audits of frontier AI systems. America's biggest AI companies — OpenAI, Anthropic, Google DeepMind, Meta — are now on notice.

Your professional services firm is not the covered entity. But you need to understand what this law does, because it changes how you evaluate AI vendors, and — if you're an accounting firm with tech sector clients — it may open a new service line you haven't considered yet.

---

What SB 315 Actually Requires

Illinois SB 315 is not a general AI regulation for all businesses. It targets AI developers — companies that build large-scale foundation models. The bill covers what it calls "frontier AI systems": models trained on computing resources above a defined threshold, which in practice means OpenAI (GPT-4, o3), Anthropic (Claude), Google DeepMind (Gemini), Meta (Llama), and their peers.

Under SB 315, covered AI developers must:

• Submit to annual third-party safety audits conducted by independent auditors. The auditors evaluate governance frameworks, risk controls, alignment and safety testing results, and incident response protocols.
• Publish an annual safety report summarizing audit findings, known capabilities and limitations, and whistleblower contact channels. These reports will be publicly available.
• Maintain whistleblower protections for employees at covered companies who report safety concerns.
• Face civil penalties for violations of the audit and disclosure requirements.

The methodology for these audits is still being written. Right now, a handful of specialized AI evaluation organizations — METR, Transluce, and AVERI among them — have early experience in this space. But the landscape is wide open.

What SB 315 does NOT do: It does not regulate professional services firms that use AI tools. If your 12-person accounting firm uses Karbon AI, or your law firm runs contracts through Harvey, you are not a covered entity under this bill. You are a downstream user of AI systems built by covered companies.

That distinction matters — but it doesn't mean you can ignore SB 315.

---

The New Service Line: AI Safety Auditing

Here is what most coverage of SB 315 is missing: the audit requirement creates a real, emerging service line for accounting firms.

Every covered AI developer now needs an independent annual safety audit. The skills required for that audit — governance review, risk controls assessment, documentation analysis, structured audit reporting — are skills accounting firms already have. You do this for financial statements, for SOC 2 reports, for internal control assessments. You know how to structure a formal audit process. You know how to document findings in a way that holds up under scrutiny.

The Big Four have already started positioning for AI safety auditing at the enterprise level. But the methodology is not standardized, the market is not locked up, and the accounting firms that build AI audit capabilities now — not in 2028 — will be ahead of the curve when this becomes a standard line item for tech sector clients.

What would AI safety auditing actually involve for an accounting firm?

• Governance review: Does the AI developer have documented policies for how models are trained, tested, and deployed? Are there clear escalation paths for safety incidents?
• Risk controls assessment: What safeguards exist against model misuse, data leakage, or harmful outputs? Are those controls tested regularly?
• Documentation analysis: Are training data sources documented? Are testing results preserved in auditable form?
• Alignment and safety testing review: Has the developer tested for known failure modes? What third-party testing has been conducted independently?
• Report preparation: Structured findings in the format required by SB 315 — capabilities and limitations, test results, audit outcomes, incident response protocols.

This is not a service line for every accounting firm. It is a fit for firms that already serve tech sector clients — software companies, AI startups, venture-backed businesses — and have partners or managers with an interest in building AI audit expertise.

The window for early movers is real: the audit standards are still being written. Accounting firms that invest in this now will help shape the methodology, rather than compete on price to execute a commodity audit five years from now.

For a broader look at how professional services firms can build on AI capabilities — not just audit them — see our guide to AI tools for small professional services firms.

---

What Accounting Firms Using AI Vendors Need to Do Now

Even if you are not building an AI audit practice, SB 315 changes how you should think about your AI vendors. Annual published safety reports from OpenAI, Anthropic, and others are now coming. That is a transparency gain for every firm that uses their tools.

Three steps for accounting firms using AI tools in their practice:

1. Ask your vendor about their SB 315 compliance timeline.

When you next renew your Harvey, CoCounsel, Copilot, or Karbon AI contract, add one question to your renewal checklist: "What is your SB 315 compliance timeline, and when will your first annual safety report be available?" This is a reasonable buyer's due diligence question. Vendors that answer confidently have thought about it. Vendors that go quiet or give vague answers have not.

2. Review your vendor contracts for indemnification provisions.

SB 315 applies to AI developers, not to the firms using their tools. But audit findings — particularly findings that reveal known risks or failures — can affect your understanding of your indemnification position. Review your vendor contracts to understand: if a safety audit reveals that a tool you relied on had a known failure mode, what protection do you have? This is a question for your legal counsel at next review, not an emergency. But it is on the checklist now.

3. Build the annual safety report review into your AI governance calendar.

Treat it like a SOC 2 report for a cloud vendor: when it comes out, someone at your firm reads it and documents what was found. This takes an hour per vendor, once a year. It creates an evidence trail that you exercised reasonable oversight of your AI tools — which is increasingly what professional responsibility standards will require.

---

What Law Firms Using Legal AI Need to Check

Law firms face a related set of questions after SB 315.

If your firm uses Harvey, CoCounsel, or Microsoft 365 Copilot for legal research, contract review, or drafting — your vendor is either a covered entity under SB 315 or uses underlying models from covered entities. In practice, annual safety audits and published safety reports are coming for the AI your firm relies on.

Practical vendor questions for law firms:

• Ask your legal AI vendor: "Will your SB 315 safety plan be available before my next contract renewal?" If they don't know, that tells you something.
• Review your engagement letter and malpractice coverage: do either reference AI tool reliability? They may need to after published audit findings become available.
• Add "annual vendor safety report review" to your firm's professional responsibility calendar. If your state bar has issued or is considering AI usage guidance, safety report findings are exactly the kind of documentation that demonstrates reasonable oversight.

For context on the broader state-by-state regulatory picture your firm is navigating, see our multi-state AI compliance guide for professional services firms.

---

Illinois Leads. Others Will Follow.

The 110-0 House vote is not a partisan signal. It is a signal that AI safety auditing requirements have political consensus in at least one major state — and where Illinois goes in AI regulation, other states tend to follow. Colorado, California, and New York are all watching.

For professional services firm owners, SB 315 is a two-part story. Part one: your AI vendors are now accountable for annual independent audits, and you will be able to read the results. That is good for you as a buyer. Part two: if you run an accounting firm with tech sector clients and you are looking for the next service line — the one that will matter in 2027 and 2028 as AI audit becomes standard — the methodology is being written right now, and the early movers have an advantage.

The action this week is not complicated: add three questions to your next vendor renewal checklist, and if you're in accounting with tech clients, spend 30 minutes reading about AI evaluation methodology. METR publishes its evaluation frameworks publicly. That is the starting line.

---

FAQ: Illinois SB 315 and Professional Services Firms

Does Illinois SB 315 apply to professional services firms that use AI?

No. SB 315 covers AI developers — companies that build frontier AI models, such as OpenAI, Anthropic, Google DeepMind, and Meta. Professional services firms that use AI tools like Harvey, CoCounsel, or Copilot are downstream users, not covered entities. However, your AI vendors must comply, which means annual safety audits and published safety plans become available to you as a buyer.

Which AI companies are covered by Illinois SB 315?

The bill covers developers of "frontier AI systems" — large-scale AI models trained on significant computing resources. In practice: OpenAI, Anthropic, Google DeepMind, Meta AI, and similar frontier AI labs. The covered threshold is designed to target companies developing the underlying foundation models, not application-layer firms using APIs.

Could accounting firms provide AI safety audit services under SB 315?

Yes, potentially. The bill requires annual third-party safety audits conducted by independent auditors. The skills required — governance review, risk controls assessment, documentation analysis, structured audit reporting — overlap significantly with existing accounting firm capabilities. The methodology for AI safety audits is still being standardized; early-mover accounting firms with tech sector clients should begin researching AI evaluation methodologies now.

What does Illinois SB 315 require AI companies to publish?

Annual safety reports describing: the system's intended capabilities and known limitations, alignment and safety testing results, third-party audit findings, incident response protocols, and whistleblower contact channels. These disclosures will be publicly available — a transparency gain for professional services firms evaluating AI vendors.

What should professional services firms do about their AI vendor contracts after SB 315?

Three steps: (1) Ask your vendor for their SB 315 compliance timeline and when their first annual safety report will be published. (2) Review contract indemnification provisions to understand how vendor audit findings — or failures — affect your liability. (3) Build the annual safety report review into your firm's AI governance calendar, treating it like a SOC 2 report for a cloud vendor.

---

Stay ahead of AI regulation and its impact on your firm. Subscribe to The Crossing Report — weekly intelligence for professional services firm owners making the crossing to the new way of doing business.