Illinois SB 315’s mandatory third-party AI audit requirement creates an impossible compliance burden — there are no recognized auditing standards, certified auditors or established methodologies for frontier model safety audits, yet companies would face penalties up to $3 million for noncompliance by January 2028. The bill also relies on vague, undefined terms like “unreasonable catastrophic risk” and “meaningful human oversight” that neither companies nor auditors can meaningfully interpret or measure.
NetChoice Testimony in Opposition to Illinois SB 315, the Artificial Intelligence Safety Measures Act
May 26, 2026
Dear Chair Williams, Vice-Chair Rita and Members of the House Executive Committee:
On behalf of NetChoice, a trade association working to make the Internet safe for free enterprise and free expression, we write in opposition to Senate Bill 315. While we support thoughtful approaches to artificial intelligence governance that promote trust and accountability, this bill contains a critically flawed mandatory third-party audit requirement that creates an impossible compliance obligation on an unrealistic timeline. The bill mandates obligations that the regulated community and the auditing profession cannot feasibly meet.
SB 315 Fundamental Flaw: Mandating Nonexistent Infrastructure
Section 10(d) of the bill mandates that beginning January 1, 2028—less than two years away—large frontier developers must annually retain third parties to perform independent audits of compliance. These audits must be conducted consistent with generally accepted auditing standards and best practices by entities possessing ‘demonstrated competence to perform the audit, including experience employing or contracting with individuals who possess technical expertise in the safety of frontier models.’
While it is theoretically possible that such entities could eventually emerge, the bill does not create any pathway or timeline for developing the necessary infrastructure. This is not a complaint that the market needs time to develop—it is a more fundamental problem: the statute mandates compliance with audit requirements that have no defined methodology, contain no standards for what audits should assess, include no framework for certifying auditors and contemplate no approach for how generally accepted auditing standards for frontier model safety would be developed.
Currently, no credible or standardized ecosystem exists to conduct the type of independent audits envisioned under the legislation. There are no broadly recognized certification standards, no licensing structures and no established oversight mechanisms for entities seeking to perform AI safety compliance audits. The bill contains no framework for certifying qualified auditors, establishes no standards for what audits should assess and does not create a methodology for evaluating compliance. The statute requires that audits be conducted according to ‘generally accepted auditing standards and best practices,’ yet no such standards currently exist for frontier model safety. These standards do not exist because they have not been developed by standards-setting organizations, regulatory bodies or the industry itself. Companies cannot comply with auditing standards that do not yet exist. They cannot hire auditors to perform audits that have no defined methodology. They cannot provide evidence of compliance with requirements that have not been specified.
The bill creates a scenario where large frontier developers must make an impossible choice: either attempt to hire non-existent auditors to perform undefined audits against non-existent standards, or risk civil penalties up to three million dollars for noncompliance with an unattainable requirement. This serves no legitimate consumer protection purpose and instead creates legal jeopardy that will chill investment and development in Illinois and potentially across the country.
Vague and Broad Definitions Create Impossible Compliance Obligations
Beyond the lack of auditing infrastructure, the bill imposes compliance obligations based on undefined and extraordinarily broad terms. Companies cannot comply with legal requirements when the requirements themselves are unintelligible or so expansive that ordinary business activities could trigger them. The bill prohibits deploying models if doing so would pose ‘unreasonable catastrophic risk,’ yet provides no standard for determining what makes a risk ‘unreasonable’ versus acceptable. Is a 0.1% chance reasonable? 0.01%? The bill is silent. Companies must make deployment decisions under legal rules that do not exist, facing potential penalties for getting the judgment call wrong.
The bill also defines ‘catastrophic risk’ to include AI ‘engaging in conduct with no meaningful human oversight’ that constitutes criminal activity. But what constitutes ‘meaningful’ oversight? Must a human review every decision? Every tenth decision? Can remote monitoring suffice? The statute provides no answers. Similarly, child safety risk includes AI behavior that would cause ‘severe emotional distress’ if done by a human. Emotional distress is inherently subjective—what causes severe distress to one child may not to another. Companies cannot audit or certify compliance with requirements based on subjective reactions that vary by individual child. This vagueness means that virtually any interaction an AI system has with a minor that the child found upsetting could potentially create liability.
Even if qualified auditors existed and auditing standards were established, auditors could not meaningfully assess compliance with undefined requirements. An auditor cannot determine whether a company has complied with a ‘no unreasonable risk’ standard when ‘unreasonable’ is undefined. An auditor cannot certify ‘meaningful human oversight’ when ‘meaningful’ has not been specified. The audit requirement becomes theater—creating the appearance of accountability without any real ability to assess compliance. When combined with the audit mandate, these vague definitions create a perfect storm: companies face audit obligations based on non-existent auditors with undefined standards, all to demonstrate compliance with requirements that have not been clearly specified. This is not regulation, it is legal chaos.
SB 315’s Auditing Requirement Will Chill Innovation
The audit requirements create a broader chilling effect on frontier AI innovation. Frontier AI development requires substantial capital investment in research, talent and computational resources. Each dollar spent on compliance activities, whether it is hiring external auditors, conducting internal assessments or managing regulatory affairs, is a dollar not spent on advancing AI capabilities and safety research. For companies developing frontier models in Illinois, the undefined and potentially expensive audit requirements create additional cost burdens that competitors in jurisdictions with clearer standards do not face.
Venture capital and institutional investors evaluate opportunities based on regulatory clarity and predictability. When considering funding a frontier AI company in Illinois, investors must factor in unknown compliance costs, undefined audit standards and penalties for non-compliance. This regulatory uncertainty creates a significant discount on expected returns, making Illinois a less attractive location for frontier AI development. Startups and smaller companies face disproportionate harm from compliance burdens that large incumbents can more easily absorb. Top researchers will gravitate toward opportunities in jurisdictions with greater regulatory certainty. If Illinois imposes uncertain, expensive compliance requirements while other states develop clear frameworks or impose none, frontier AI development will move to more hospitable jurisdictions—representing a lost opportunity for Illinois to compete for high-value technology jobs and economic growth in a critical emerging industry.
Conclusion
NetChoice respectfully urges the Committee to oppose SB 315 or, at the very least remove the audit provisions in SB 315 entirely. Illinois could also choose to commission an independent study to determine whether the auditing infrastructure, technical standards and qualified evaluators necessary to implement Section 10(d) actually exist or can realistically be established. Any audit requirements should be effective only after such an assessment is completed and the necessary foundational elements have been developed.
NetChoice stands ready to work with the General Assembly on workable and effective AI policy solutions that promote genuine consumer protection without creating legal jeopardy for innovation. As always, we offer ourselves as a resource to discuss any of these issues with you in further detail, and we appreciate the opportunity to provide you with our thoughts on this important matter (The views of NetChoice expressed here do not necessarily represent the views of NetChoice members.).
Sincerely,
Amy Bos
Vice President of Government Affairs, NetChoice
NetChoice is a trade association that works to make the internet safe for free enterprise and free expression.