AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

Not sure where to start? Answer 3 questions and get a tailored compliance action plan.

What applies to me? →
Must ComplyRegulationUSHigh risk

Illinois Frontier Model Safety Audit Act

Issued by

Illinois State Legislature

liveEffective 2026-07-14IL-FMSAAVerified July 2026

The Illinois Frontier Model Safety Audit Act is the first U.S. state law mandating annual independent safety plan audits for developers of frontier AI models with more than $500 million in annual revenue. It applies to companies that develop large-scale AI models and requires them to maintain verified safety documentation subject to third-party audit. The law establishes a new state-level compliance baseline for AI safety in the United States.

Applies To

Large enterpriseAI developer

Overview

Enacted by the Illinois State Legislature, this law targets frontier AI model developers whose annual revenue exceeds $500 million, requiring them to undergo independent third-party safety audits on an annual basis. The audits must assess the adequacy and implementation of the developer's safety plans, including documentation of risk identification, mitigation measures, and incident response protocols. The law introduces audit trail requirements that extend to the underlying models powering autonomous and agentic AI systems, meaning its obligations have downstream relevance for enterprises deploying such models. Enforcement is administered at the state level, and non-compliant developers face exposure under Illinois law, though specific penalty schedules are subject to the enacted statutory text. The law represents a meaningful escalation in U.S. state-level AI governance, creating a compliance template that other states may adopt or reference. Developers and enterprise deployers using covered frontier models should anticipate audit-readiness requirements becoming a standard vendor and procurement consideration.

Key Requirements

  • Frontier AI model developers with annual revenue exceeding $500 million must conduct independent third-party safety audits on at least an annual cycle.
  • Developers must maintain and submit formal safety plans documenting risk identification, mitigation strategies, and incident response procedures.
  • Audit trails and safety verification records must be maintained for covered frontier models, including those powering agentic or autonomous AI systems.
  • Audits must be conducted by independent parties, meaning internal audit functions alone do not satisfy the requirement.
  • Non-compliant organizations are subject to enforcement action under Illinois state law; specific penalty thresholds are defined in the enacted statutory text.
  • Documentation produced through the audit process must be sufficient to demonstrate ongoing conformance, not merely point-in-time compliance.

What Your Organization Must Do

  • Determine whether your organization meets the $500 million revenue threshold and classify all frontier model development activities accordingly.
  • Engage a qualified independent third-party auditor and establish an annual audit schedule aligned with the law's requirements before the next compliance cycle.
  • Compile and formalize existing safety documentation into a structured safety plan that covers risk identification, mitigation, and incident response, suitable for third-party review.
  • Implement audit trail systems for all frontier models in production, including those used as foundations for agentic AI products or enterprise deployments.
  • Update vendor and procurement contracts to require frontier model suppliers to demonstrate compliance with this law and provide relevant audit documentation upon request.
  • Brief legal counsel and the board risk committee on Illinois-specific enforcement exposure and monitor for analogous legislation emerging in other U.S. states.

Playbook Guidance

Step-by-step implementation guidance for compliance teams.

Frequently Asked Questions

Does the Illinois Frontier Model Safety Audit Act apply to companies headquartered outside Illinois?
The law targets frontier AI model developers with annual revenue exceeding $500 million and is enforced under Illinois state law, meaning out-of-state developers whose models are deployed or sold in Illinois may face exposure. Organizations should assess applicability based on their development activities and Illinois nexus, not just headquarters location.
What is the compliance deadline for the Illinois Frontier Model Safety Audit Act?
The law has an effective date of July 14, 2026, meaning covered developers should initiate auditor selection, safety plan documentation, and audit trail implementation well in advance of that date to ensure audit-readiness by the first compliance cycle.
Can an internal audit team satisfy the third-party audit requirement under IL-FMSAA?
No. The law explicitly requires independent third-party auditors, meaning internal audit functions do not satisfy the obligation. Covered developers must engage a qualified external auditor with no organizational conflict of interest.
Does IL-FMSAA create compliance obligations for enterprises that deploy frontier models but do not develop them?
The primary obligations fall on developers, but the law extends audit trail requirements to models powering agentic and autonomous systems, giving it downstream relevance for enterprise deployers. Companies using covered frontier models should update procurement contracts to require suppliers to provide relevant audit documentation.
How does the Illinois Frontier Model Safety Audit Act compare to California SB 1047?
Both laws target large-scale frontier AI developers, but IL-FMSAA focuses specifically on mandating annual independent audits of safety plans, whereas California's SB 1047 (vetoed in 2024) proposed broader developer duties including pre-deployment safety certifications. IL-FMSAA represents a narrower, audit-centric compliance framework currently in draft review.
What specific penalties do developers face for non-compliance with IL-FMSAA?
The law establishes enforcement under Illinois state law, but specific penalty schedules are defined in the enacted statutory text rather than summarized in the draft. Compliance counsel should review the final statutory language directly to assess financial exposure and enforcement mechanisms.