The coverage of Illinois Senate Bill 315 points at the frontier labs. OpenAI and Anthropic both backed it. The revenue threshold that triggers the law sits above half a billion dollars. Governor JB Pritzker signed it on July 9, 2026, and Illinois became the third state to regulate the companies building the largest AI models, after California and New York moved first.
For an insurance carrier, that framing invites a quick filing decision: someone else's problem. The revenue gate alone puts nearly every insurer out of scope. The word worth stopping on is "audit." With SB 315, Illinois became the first state in the country to write an independent, annual, third-party AI audit into statute, and that requirement describes where insurance regulation is already heading.
What the Artificial Intelligence Safety Measures Act requires
SB 315, the Artificial Intelligence Safety Measures Act, became Public Act 104-0538. It binds a narrow class the statute calls a "large frontier developer": a company that trains a foundation model using more than 10^26 floating-point operations, a measure of raw training compute, and whose corporate family reported more than $500 million in gross revenue the prior year. Both tests have to be met. That combination describes a handful of companies, none of them insurers.
For those companies, the substantive obligations start January 1, 2028, though the Act itself takes effect a year earlier on January 1, 2027. Each large frontier developer has to write and publish a safety framework describing how it assesses catastrophic risk, defined in the statute as a foreseeable, material risk that a model contributes to the death of or serious injury to more than 50 people, or more than $1 billion in damage, from a single incident. Developers file transparency reports at deployment, report critical safety incidents within 72 hours (24 hours when there is imminent risk of death or serious physical injury), and face civil penalties the attorney general can seek: up to $1 million for a first violation and $3 million for each one after.
The provision without precedent is the audit. Beginning in 2028, a large frontier developer has to retain an independent third party every year to audit its compliance, then publish a redacted version of that audit and transmit it to the state. New York's RAISE Act, signed months earlier, asked for a single audit. Illinois made it annual and recurring.
Illinois now runs two AI accountability regimes
Illinois insurers already operate under one AI rulebook. In March 2024, the Illinois Department of Insurance issued Company Bulletin 2024-08, adopting the NAIC Model Bulletin on the Use of AI Systems by Insurers. That bulletin tells every carrier holding an Illinois certificate of authority that decisions affecting consumers have to comply with state insurance law no matter what produced them, and it expects each insurer to maintain a written AI Systems program sized to the harm a model could cause. We covered what that requires on our Illinois insurance AI governance page.
SB 315 sits in a different part of the code and answers to the attorney general rather than the insurance regulator. Its subject is the small set of companies that build frontier models. Insurers deploy AI inside an already-regulated business, which puts them outside its reach. The two laws share no text and no enforcement path.
What they share is a premise: an organization running consequential AI should be able to produce documented evidence, on demand, that it governs the systems it operates. Company Bulletin 2024-08 asks for program documentation an examiner can request; SB 315 goes further and requires a published framework plus a standing annual audit. One premise, two audiences, both now law in a single state.
Three states, one rising standard of proof
The three state laws build on each other. California's SB 53, signed in September 2025, required large developers to publish a safety framework. Three months later, New York's RAISE Act added an independent audit to that baseline. Illinois went further and made the audit annual. Each law raised the evidentiary bar the last one set, and the direction is consistent: away from self-attestation, toward independent verification on a schedule.
That direction does not stop at frontier developers, because it did not start with them. Insurance regulators have been moving the same way for two years. The NAIC's AI Systems Evaluation Tool, now piloting across a dozen states, asks carriers to produce model inventories, governance documentation, bias testing results, and data lineage on a regulator's timeline. Reinsurers are writing AI governance representations into treaty renewals. Market conduct examinations now ask to see the evidence behind an AI-driven decision rather than a policy asserting one exists.
A carrier watching Illinois pass SB 315 is watching the same standard of proof its own regulators are adopting, applied first to the companies least able to argue they cannot meet it. Frontier developers drew that requirement first because they are the most visible and best resourced, and the expectation reaches carriers next through the channels already pointed at them.
What carriers should build now
For a carrier, the value in SB 315 is what it previews. Your own regulator is converging on the same requirement from a different direction, so the work worth doing is building the capability the law assumes.
Start with an inventory. Most carriers cannot produce a complete list of every AI and machine learning system running across underwriting, claims, pricing, fraud, and service, including the vendor-embedded models nobody internally files under "AI." That list is the first thing an examiner asks for and the first thing an audit tests. Evaluation establishes what each system does, and where it fails, before it reaches production.
The harder gap is between policy and proof. A governance policy and a quarterly committee are a starting point; what an audit or an examination actually tests is whether the controls produced records, meaning bias testing results with dates, performance monitoring across segments, decision logs, and incident histories. Continuous supervision generates that record as a byproduct of running the system, which beats reconstructing it under a deadline. When the evidence has to leave the building for a regulator, a reinsurer, or an independent auditor, Trust Reports package it in the form those parties expect.
This posture applies well beyond Illinois, insurance, or the $500 million threshold. It is where every version of AI accountability now points, and the carriers who build it will be ready for whichever regime reaches them first. For a wider view of how these obligations are landing state by state, our guide to 2026 state AI regulations tracks the moving pieces.
Read the fine print
SB 315 will not appear on an Illinois carrier's compliance calendar. No insurer trains frontier models, and the attorney general's enforcement runs toward companies with different problems. Filed as someone else's law, it is easy to skip.
The word to read is still "audit." Illinois just made independent, recurring, third-party AI verification a statutory expectation for the first time in the country, and every signal from the insurance side of the regulatory apparatus says the same standard is coming for carriers through Company Bulletin 2024-08, NAIC examinations, and the counterparties who reinsure the risk. The carriers who treat audit as an event will scramble to assemble evidence when a regulator, a reinsurer, or an auditor demands it. The ones already running the supervision that produces that evidence will simply export it. That gap is worth closing now, while closing it is still a choice.
If you want to see what audit-ready looks like before someone asks you to prove it, contact us.
Sources
- Illinois Governor Signs AI Regulation Bill That Aims to Mitigate Risks, Insurance Journal / Capitol News Illinois, July 9, 2026
- Illinois Senate Bill 315, Artificial Intelligence Safety Measures Act (enrolled full text), Public Act 104-0538
- Illinois Department of Insurance, Company Bulletin 2024-08, March 13, 2024
- NAIC Model Bulletin on the Use of AI Systems by Insurers, December 4, 2023