What SB315 Actually Locks In
On July 6, 2026, Governor JB Pritzker signed Illinois SB315 (the Artificial Intelligence Safety Measures Act), the first U.S. state law requiring "large frontier developers" — those with at least $500 million in annual revenue — to publish and annually update a safety framework, and to undergo an independent third-party audit every year. A triggering incident must be reported within 72 hours of discovery, or 24 hours if it poses imminent risk of death or serious injury; violations carry civil penalties of $1 million for a first offense and $3 million for each one after. The law takes effect January 1, 2028, passed the House 110-0, and drew public support from both OpenAI and Anthropic during the process.
Why Teams Below the Revenue Line Aren't Off the Hook
A triggering incident is defined as one likely to cause death or injury to more than 50 people, or more than $1 million in property damage — language that reads like it targets a handful of frontier labs. But the effect travels further: enterprise procurement teams are already adding incident detection-to-report time, third-party audit history, and the existence of a whistleblower channel to vendor questionnaires, so agent vendors well under the revenue threshold get asked for the same paperwork. The law's numbers are becoming the de facto floor for procurement, regardless of who it legally binds.
Turning the Statute Into a Team SLA: An Agent Incident-Response Checklist
The law's 24/72-hour structure translates directly into an internal severity ladder. For agents that take high-stakes actions — payments, healthcare, legal — set "critical" (financial or physical harm to a user) at 30 minutes to internal escalation and 24 hours to customer notice, and "major" (broad user impact, an error-rate spike) at 4 hours to internal report and 72 hours to external notice.
Treat audit-readiness as its own deliverable: refresh the safety framework document quarterly and rehearse a third-party audit semiannually, so becoming a regulated entity — or simply facing an enterprise questionnaire — never catches you with a documentation gap.
The most common failure is burning the clock deciding whether something even counts as a reportable incident. Argue over the definition after the fact and the 72-hour window is already half gone; teams that never fixed severity criteria in a table beforehand repeat this delay every time.
The second failure is having no detection log at all, so there is no way to prove when you actually found the issue — without a start time, you cannot demonstrate the deadline was met. Build the recovery branch as automation: a critical-severity signal should drop the workflow into safe mode immediately, cap retries at three with exponential backoff, and block resumption without human approval.
Lock the log schema before you need it: detection time, severity, number of affected users, who was notified, mitigation taken, and a recurrence flag as required fields. Mask PII at write time so you can hand over evidence for an audit without exposing raw records.
Before shipping, run one tabletop exercise each for critical and major scenarios to confirm the reporting clock actually starts on cue. The whistleblower channel needs a named intake owner and a response deadline, not just a policy document, or reports get lost.
Track incident counts by severity and SLA compliance weekly, and keep a change log for threshold revisions separate from the incident log itself. That accumulated data becomes the next audit rehearsal's scenario set, and repeat SLA misses tell you which workflow to redesign first.
What to Apply First
Illinois SB315 carries no legal obligation for teams under $500 million in revenue, but the skeleton it establishes — a 24/72-hour reporting clock, an annual third-party audit, a whistleblower channel — arrives first through enterprise vendor questionnaires. Fix severity-based target times in a table, automate detection logging and the safe-mode cutover, and track weekly SLA compliance: the same checklist works whether or not you ever become a regulated entity.
References
Pritzker signs landmark AI regulation bill that aims to mitigate risks — Capitol News Illinois
Illinois governor signs AI safety law requiring audits of frontier models — StateScoop