First US law mandating annual third-party AI safety audits. Frontier AI developer obligations mapped to SWT3 witness procedures.
Who this is for: AI safety teams at frontier AI developers, third-party AI auditors, compliance officers at companies building or deploying large-scale AI models, and legal counsel advising on AI safety obligations.
Status: Passed Illinois House 110-0 on May 27, 2026. Passed Illinois Senate. Governor Pritzker has indicated he will sign. Effective date: 2028. Enforcement: Illinois Attorney General, civil penalties up to $3M per violation.
The Illinois AI Safety Measures Act (SB 315) is the first US law to mandate annual independent third-party audits of frontier AI safety protocols. It applies to large AI developers with more than $500 million in annual gross revenue that build models meeting a frontier-scale compute threshold, effectively targeting companies like OpenAI, Anthropic, Google, and Meta.
Even if your organization is not a frontier AI developer, SB 315 establishes audit standards and evidence expectations that will cascade to deployers and downstream users of frontier models. Third-party auditors conducting these assessments will need structured, verifiable evidence from the AI systems they evaluate.
| Obligation | Requirement | Detail |
|---|---|---|
| Annual third-party audit | Independent safety audit of AI systems | Qualified third-party auditors with access to systems and documentation. Results published. |
| Frontier AI risk framework | Published risk assessment framework | Must address catastrophic risk, mitigations, cybersecurity, internal governance, and third-party evaluations. |
| 72-hour incident reporting | Report AI safety incidents within 72 hours | Covers incidents involving catastrophic risk, safety failures, or material harm. |
| Cybersecurity requirements | Cybersecurity controls for AI systems | Part of the frontier AI risk framework. |
| Internal model governance | Controls for internal use of frontier models | Risk assessment for internal deployments, not just customer-facing. |
| Third-party evaluations | External red team and safety testing | Independent adversarial testing required as part of risk framework. |
| Whistleblower protections | Internal reporting mechanisms | Employees protected for reporting safety concerns. |
| Public disclosure | Risk framework publicly available | Transparency about safety protocols and risk management. |
Each SB 315 obligation maps to SWT3 procedures that produce cryptographic witness anchors as auditable evidence.
| SB 315 Obligation | SWT3 Procedure | What It Witnesses | Evidence Produced |
|---|---|---|---|
| Annual third-party audit | AI-AUDIT.1 | Audit log integrity verified | Anchor with entry count, tamper detection result, log format |
| Performance validation | AI-PERF.1 | Model performance against declared benchmarks | Anchor with metrics evaluated, passing count, benchmark type |
| Catastrophic risk assessment | AI-SAFE.1 | Safe state transition capability | Anchor with trigger code, actions suspended, recovery status |
| 72-hour incident reporting | AI-INCIDENT.1 | Incident classification and authority notification | Anchor with severity, notification status, incident type |
| Risk mitigations (drift) | AI-DRIFT.1 | Model drift detection and monitoring | Anchor with metrics evaluated, drift count, drift type |
| Risk mitigations (robustness) | AI-ROBUST.1 | Adversarial robustness testing | Anchor with perturbations tested, survival count, type |
| Cybersecurity framework | AI-CYBER.1 | Security assessment against recognized frameworks | Anchor with controls assessed, compliant count, framework |
| Adversarial detection | AI-SEC.1 | Runtime adversarial threat scanning | Anchor with scan results, threats detected |
| Model integrity | AI-MDL.1 | Model weight hash matches approved registry | Anchor with model hash, version identifier |
| Weight verification | AI-MDL.5 | Weight file SHA-256 hash verified | Anchor with file hash, match status |
| Component inventory | AI-SBOM.1 | AI bill of materials documented | Anchor with component count, hash, format |
| Third-party evaluations | AI-REDTEAM.1 | Adversarial test campaign results | Anchor with tests run, findings count, severity |
| Internal model use risks | AI-INF.1 | Inference provenance for all model use | Anchor with model hash, prompt hash, response hash |
| Whistleblower reporting | AI-VIO.1 | Policy violation record with severity | Anchor with violation type, severity, remediation status |
| Public risk framework | AI-TRANS.1 | Transparency disclosure published | Anchor with disclosure type, recipient, timestamp |
SB 315 requires: Annual independent third-party audits of frontier AI safety protocols, with qualified auditors given access to systems and documentation. Audit results must be published.
How SWT3 addresses it: witnessAuditIntegrity() verifies the audit log has not been tampered with, providing the auditor with a cryptographically verifiable starting point. witnessPerformance() records the model's performance metrics against declared benchmarks. Together, they give the third-party auditor both the integrity of the evidence and the substance of the evaluation.
Export the witness ledger for the audit period. AI-AUDIT.1 anchors prove log integrity. AI-PERF.1 anchors show performance evaluation cadence and results. Each anchor's SHA-256 fingerprint is independently recomputable.
SB 315 requires: AI safety incidents involving catastrophic risk, safety failures, or material harm must be reported within 72 hours.
How SWT3 addresses it: witnessIncident() creates an anchor with severity classification (low through critical), incident type (safety, rights, security, performance, bias), and authority notification status (notified or pending). The timestamp on the anchor proves when the incident was recorded, supporting the 72-hour reporting timeline.
AI-INCIDENT.1 anchors with authority_notified = 1 prove timely reporting. Compare anchor timestamp to incident discovery date to verify the 72-hour window was met.
SB 315 requires: External red team and safety testing as part of the frontier AI risk framework. Cybersecurity controls must be documented and assessed.
How SWT3 addresses it: Three procedures create a layered adversarial evidence chain. witnessRedTeam() documents structured test campaigns with scope and findings. witnessRobustness() records perturbation survival rates. witnessSecurityScan() detects runtime adversarial inputs. Each produces a cryptographic anchor the auditor can independently verify.
AI-REDTEAM.1 anchors prove adversarial campaigns were conducted with documented scope. AI-ROBUST.1 anchors show perturbation types and survival rates. AI-SEC.1 anchors prove runtime detection is active. Cross-reference timestamps to show testing cadence.
SB 315 requires: Frontier AI risk framework must address catastrophic risk assessment and mitigation measures.
How SWT3 addresses it: witnessSafeState() records that stop/interrupt mechanisms exist, how they were triggered (manual, threshold, policy, external), how many actions were suspended, and whether recovery is available. This proves the system can reach a safe state when catastrophic risk is detected.
AI-SAFE.1 anchors prove safe state capability exists and has been exercised. The trigger_code field shows proactive (threshold) vs. reactive (chain_break) transitions. Recovery_available confirms the system can resume after safe state.
Two SWT3 industry profiles include the procedures needed for SB 315 compliance evidence:
| Profile | Focus | SB 315 Coverage | Command |
|---|---|---|---|
defense-govcon | Maximum assurance (CL3, hardware attestation) | 16 procedures, full audit + security + supply chain | swt3 init --profile defense-govcon |
autonomous-systems | Safety-critical systems (CL2, high-density witnessing) | 16 procedures, full safety + robustness + incident | swt3 init --profile autonomous-systems |
For organizations that deploy (but do not develop) frontier models, the profile selection depends on your industry. See the Quickstart Guide for the full profile list.
| Auditor Question | Where to Look |
|---|---|
| When was the last third-party safety audit? | AI-AUDIT.1 anchors in the witness ledger. Filter by date range to show audit cadence and integrity verification results. |
| How do you detect and report safety incidents within 72 hours? | AI-INCIDENT.1 anchors with severity and authority_notified fields. Timestamp proves reporting timeline. |
| What adversarial testing have you conducted? | AI-REDTEAM.1 anchors with campaign scope, findings count, and severity. Cross-reference with AI-ROBUST.1 for perturbation testing. |
| How do you verify model integrity before deployment? | AI-MDL.1 + AI-MDL.5 anchors showing weight hash verification at every deployment. AI-SBOM.1 for component inventory. |
| What is your catastrophic risk mitigation capability? | AI-SAFE.1 anchors proving stop/interrupt mechanisms exist, have been tested, and recovery paths are documented. |
| How do you monitor for model drift and degradation? | AI-DRIFT.1 anchors with drift metrics, thresholds, and type classification. Continuous monitoring evidence chain. |
| Is your risk framework publicly available? | AI-TRANS.1 anchors recording public disclosure events with type and recipient metadata. |
| Do employees have protected channels for safety reporting? | AI-VIO.1 anchors recording policy violation reports with severity classification and remediation status. |
Full SDK documentation: sovereign.tenova.io/docs
Create a free account: sovereign.tenova.io/signup