Illinois, California, and New York cover an estimated 40% of the U.S. AI market under substantively similar safety laws, while Congress has passed nothing comparable.
Without Congress passing a federal AI safety law, Illinois, California, and New York have now written one together. The three states cover an estimated 40% of the U.S. AI market under substantively similar statutes, and the largest AI developers must comply regardless of what happens in Washington. Illinois Governor JB Pritzker completed that floor on Monday by signing SB 0315, the Artificial Intelligence Safety Measures Act, according to statehouse coverage.
The Illinois law establishes two substantive obligations. Any developer crossing the $500 million annual revenue threshold, or running training jobs above a defined compute-power floor, must submit to annual independent third-party safety audits, per the bill's enrolled text. The same developers also must report incidents in which their models materially assisted with cyberattacks or with chemical, biological, radiological, or nuclear (CBRN) weapons work. California's SB 53 and New York's Responsible AI Safety and Education Act carry the same audits-and-reporting skeleton. A single compliance program across all three is the practical outcome the architects intended; each jurisdiction keeps its own enforcement agency, but the substantive obligations line up.
For a major AI lab, the constraint is geographic. Pull out of Illinois, California, or New York and the developer loses access to roughly 40% of U.S. customers, according to the state-level market estimates cited by Illinois. Stay in and accept the audits. There is no federal preemption argument to invoke, because Congress has passed nothing to preempt.
Compute and revenue gates target frontier AI, the largest and most capable model systems rather than the long tail of startups and academic releases. The $500 million annual revenue trigger and the training-compute floor are designed to reach only the biggest AI developers, leaving everyone else outside the compliance regime.
Illinois is selling SB 0315 as both a state-level protection and a national template. Pritzker, in the written statement announcing the signing, framed federal inaction as a known problem. "Congress and the president ought to be passing similar legislation," he said, "but they've so far been unwilling, because many are captive to special interests that profit from the industry having no rules." That critique doubles as an argument for the three-state strategy: with the federal track stalled, states with the largest AI markets do the work instead.
California's SB 53 set the first template, and New York's responsible-AI regime followed within months. Illinois wrote its bill to interoperate rather than to diverge, which is why audit cadence and reporting triggers line up cleanly across the three. Each state holds its own penalty structure. The harmonization is in the obligations developers face, not in the regulatory machinery behind them.
The unresolved question is second-order. Any federal bill that eventually passes will need to either match the three-state floor, which would federalize independent audits of frontier systems, or deliberately roll it back, which would be a politically expensive choice for whichever Congress attempts it. For now, the largest U.S. AI developers are about to live with binding annual audits and CBRN-and-cyber incident reporting in three states at once, a regime that did not exist a year ago.