AI Regulation Compliance Professional Services 2026 State AI Chatbot Laws Professional Services 2026

Illinois Just Passed the First Mandatory AI Audit Law in the US — Here's What It Means for Your Firm's Vendors

May 27, 20265 min readBy The Crossing Report

The Illinois House passed SB 315 — the AI Safety Measures Act — 110-0 on May 27, 2026. Governor JB Pritzker has signaled he will sign it. If signed, it takes effect January 1, 2027.

This is the first law in the United States to require frontier AI developers to submit to mandatory annual independent safety audits.

Your firm is not the target. Your firm's AI vendors are — and that distinction matters more than most coverage suggests.

What Illinois SB 315 Does

The AI Safety Measures Act requires frontier AI developers to do three things starting January 1, 2027:

Publish an annual safety plan. Companies must publicly document how they identify and mitigate severe or catastrophic risks from their AI systems — including risks like large-scale manipulation, critical infrastructure disruption, or uncontrolled AI behavior.

Submit to an annual independent third-party safety audit. The auditor must be independent of the company. Audit results must be published. This is the first requirement of its kind in US law.

Protect employees who raise safety concerns. The law creates formal whistleblower protections for employees who flag safety issues internally or report violations to regulators. Civil penalties apply to companies that retaliate.

Who Is Covered

SB 315 targets frontier AI developers — the companies that build and operate the large-scale AI models at the foundation of the tools your firm uses.

That means OpenAI (GPT-4o, o3), Anthropic (Claude), Google (Gemini), Meta (Llama), and xAI (Grok). The law is scoped to companies developing AI models above specific compute and capability thresholds — effectively the leading AI labs.

What this means for the tools your firm uses: If your firm uses Harvey (built on Anthropic's Claude), CoCounsel (built on OpenAI's GPT-4), Microsoft 365 Copilot (built on Azure OpenAI), or similar legal and accounting AI tools — the underlying model providers will be required to undergo annual audits and publish safety plans.

What This Means for Your Firm

SB 315 creates no compliance obligations for professional services firms. You are not an AI developer. Nothing about how you use your tools needs to change.

What does change: the procurement conversation.

Before SB 315, asking your AI vendor about their safety practices was optional due diligence — useful for risk-conscious firms, easy for vendors to brush off. After SB 315 is signed, the question has a regulatory anchor. Vendors using covered model providers will be required to have answers.

Two questions to add to your AI vendor review:

When is your first independent safety audit scheduled, and who will conduct it?
Where will you publish your annual safety plan so I can review it?

Vendors built on OpenAI, Anthropic, or Google should be able to answer both questions by the time the law takes effect. If a vendor can't answer — or hedges — that tells you something useful before you've committed client data to their system.

This is not about compliance. It's about having a baseline expectation from the companies whose tools you're embedding in your client workflows.

The Confidence Signal Hidden in This Law

A meaningful share of firm owners have not adopted AI tools, and a large part of the hesitation is trust. "Who is checking these companies? How do I know the tool is reliable?"

SB 315 is the beginning of a structural answer to that question.

Starting in 2027, the largest AI companies in the country will be required to publish their safety plans and submit to independent third-party audits. That is accountability infrastructure that did not exist 12 months ago.

For the firm owner who has been watching AI from the sidelines: this is not a reason to rush into adoption. It is a signal that the "no one is watching these companies" concern now has a concrete response — and that response will get more detailed as audits are published and firms can review them.

Where SB 315 Fits in the Broader Illinois Picture

The Illinois spring 2026 legislative session produced two distinct categories of AI regulation:

SB 315 — AI developer accountability. Targets the companies building the tools, not the firms using them. Passed both chambers. Awaiting Pritzker's signature.

SB 317 and SB 316 — AI chatbot disclosure and crisis referral. These bills target businesses that use AI to communicate with clients — including professional services firms. We covered the compliance checklist for SB 317 and SB 316 here. As of late May 2026, both bills were still pending the House vote before the May 31 session deadline.

The bills operate on different timelines and target different parties. SB 315 is confirmed passage pending signature. SB 317 and SB 316 are unresolved.

Where Illinois Fits in the National Picture

Illinois is not operating alone. The direction across US states is consistent: AI tools used in consequential settings — legal, financial, employment — will face increasing scrutiny at both the developer level and the user level.

Connecticut's AI employment law (SB 5) is already signed with an October 1, 2026 compliance deadline for firms using AI in hiring decisions. Colorado's SB26-189 took effect with a January 1, 2027 compliance date for high-risk algorithmic systems. The multi-state compliance picture for professional services firms is evolving quickly.

Illinois SB 315 adds a new layer: accountability at the developer level. As other states watch Illinois's approach, similar audit requirements at the developer level are likely to follow.

One Action for This Week

If you are currently using or evaluating an AI tool for your firm — whether it's Harvey, CoCounsel, Copilot, or any tool built on a major model provider — send one question to your vendor or account representative:

"Illinois just passed an AI safety audit law effective January 1, 2027. Will your company be required to publish an annual safety plan and independent audit results? Where should I look for those when they're available?"

The answer tells you two things: whether the vendor has thought through their regulatory posture, and whether you have a reliable way to track their safety disclosures going forward. Both are useful to know before you're a year deeper into that relationship.

You are not asking them to do anything new. You are building a due diligence touchpoint for a relationship that touches your clients' data.

The Crossing Co covers AI adoption and regulation for professional services firm owners. Subscribe to the weekly Crossing Report for the intelligence your firm needs to make the crossing.

Frequently Asked Questions

Does Illinois SB 315 apply to my professional services firm?

No. SB 315 applies to frontier AI developers — companies like OpenAI, Anthropic, Google, Meta, and xAI that build large-scale AI models. A law firm, accounting firm, consulting firm, staffing agency, or marketing agency is not an AI developer and is not covered by SB 315. Your compliance obligations in Illinois center on SB 317 (chatbot disclosure) and SB 316 (crisis referral protocols), both still pending the House vote as of late May 2026.

What does Illinois SB 315 require AI companies to do?

SB 315 requires frontier AI developers to: (1) publish an annual safety plan addressing severe and catastrophic risks from their AI systems, (2) submit to an annual independent third-party safety audit, and (3) publish the audit results. The law also creates whistleblower protections for employees who raise AI safety concerns. Civil penalties apply for violations. Effective January 1, 2027 if signed by Governor Pritzker.

Which AI companies are covered by Illinois SB 315?

The law targets developers of frontier AI models — the largest AI labs in operation. Companies in scope would include OpenAI (GPT-4o, o3), Anthropic (Claude), Google (Gemini), Meta (Llama), and xAI (Grok). If your firm uses products built on these models — Harvey (built on Claude), CoCounsel (built on GPT-4), Microsoft 365 Copilot (Azure OpenAI), or similar tools — the underlying model providers will be subject to mandatory annual audits.

What questions should professional services firms ask their AI vendors because of SB 315?

Add two questions to your AI vendor review: (1) When is your first independent safety audit scheduled, and who will conduct it? (2) Where will you publish your annual safety plan? Vendors built on OpenAI, Anthropic, or Google's underlying models should be able to answer both. If a vendor can't answer — or hedges — that's useful information before you route client data through their system.

What is the difference between Illinois SB 315 and SB 317?

These are two different bills targeting different parties. SB 315 (AI Safety Measures Act) targets AI developers — the companies building the underlying AI models. It requires annual audits and published safety plans. SB 317 (Consumer AI Chatbot Disclosure Act) targets businesses using AI chatbots to communicate with clients — including professional services firms — and requires chatbot disclosure at the start of every conversation. SB 315 passed both chambers as of May 27, 2026. SB 317 was still pending the House vote as of the same date.

Is Illinois the first state to require mandatory AI audits?

Yes. If Governor Pritzker signs SB 315 as signaled, Illinois will become the first US state to require frontier AI developers to submit to mandatory annual independent safety audits. California's AI Safety Act (SB 1047) passed the legislature but was vetoed in 2024. Colorado's AI law (SB26-189) addresses high-risk algorithmic systems used in employment and credit decisions, but does not mandate developer-level audits. Illinois SB 315 is the first to require independent third-party audits of the AI developers themselves.

Get the weekly briefing

AI adoption intelligence for accounting, law, and consulting firms. Free to start.

Free weekly digest. No spam. Unsubscribe anytime.