Here’s what’s on our plate today:

• 🧪 Illinois wants to audit AI before anyone knows what that means.

• 📰 OpenAI files for IPO, Safari gets an AI overhaul, and TCS bets on AI agents.

• 🧠 Brain Snack: When incumbents cheer the rules, watch who pays for them.

• 🗳️ Poll: Is Illinois's AI audit law smart or premature?

Let’s dive in. No floaties needed…

The Laboratory

TL;DR

• First-of-its-kind law: SB315 requires large frontier developers (over $500M in revenue) to undergo annual independent safety audits, a first for the industry.

• The 1929 parallel: Like post-crash financial audits, the law names the institution before the standards, profession, or methods exist.

• Two audits, one word: Checking whether a lab followed its framework differs from testing whether the model is dangerous. SB315 targets governance, a field still taking shape.

• Incumbents win: OpenAI and Anthropic backed it because it codifies what they already do, landing hard on challengers, making regulation a moat.

• The real bet: Illinois isn’t testing whether labs pass. It’s betting it can will a profession into existence before AI outruns its overseers.

Illinois wants to audit AI before anyone knows what an AI audit is

Over the past couple of decades, social media platforms around the world have demonstrated how difficult it is to regulate an industry that grew and thrived without regulation in its early days. Today, that story is being retold with the twist that the technology and the industry being regulated could be even more difficult for both the public and regulators to comprehend.

The speed at which artificial intelligence has advanced over the past couple of years is not just a testament to human ability to develop technologies, but also a regulatory challenge.

Since social media reshaped the world long before lawmakers seriously examined its consequences, a handful of legislators are now trying to avoid repeating that mistake with AI. Yet the challenge is that AI is much earlier in its development than social media was when the first major hearings began, meaning regulators are, for once, attempting to write rules before the technology has fully matured. The problem is that many of the risks driving concern remain largely hypothetical rather than proven. Crafting regulation at this stage, therefore, requires defining standards before anyone knows with certainty what should be measured, which harms deserve the most scrutiny, or who is qualified to conduct that scrutiny. As a result, most states that have ventured into AI regulation have settled on a more limited approach, requiring companies to disclose and document their own safety practices rather than subjecting those practices to independent evaluation.

But now, the U.S. state of Illinois has decided to go further.

Illinois’ regulatory experiment

Illinois lawmakers passed SB315, the Artificial Intelligence Safety Measures Act, and Governor JB Pritzker has said he will sign it. The law would require developers of the most capable AI systems to undergo annual independent audits of their safety practices.

Yet the legislation arrives at an unusual moment. Unlike social media, where serious oversight largely followed years of widespread adoption, lawmakers are attempting to regulate AI while the technology is still taking shape. The challenge is that no one yet knows exactly what the most consequential systems will look like, how they will be deployed, or which risks will prove most significant in practice. Policymakers are therefore being asked to establish rules before there is broad agreement on precisely what should be regulated. In effect, they are trying to build guardrails for a technology whose destination remains uncertain even as its development accelerates.

This situation raises a more fundamental question: what standards will companies be expected to meet to clear these audits?

The audit before the auditors

What lawmakers in Illinois are attempting to do is nothing new; in fact, it has been attempted before within the U.S.

Nearly a century ago, after the 1929 crash, the United States decided that companies could no longer be trusted to vouch for their own books and required public firms to submit to independent financial audits.

And just as it is today, the requirement arrived well before the machinery needed to fulfill it had materialized. At the time, uniform accounting standards, a credentialed profession of auditors, and a shared understanding of what an audit actually examined all had to be assembled over the decades that followed. The law spoke the practice into existence, then waited years for it to become real. Illinois has done something similar for AI safety, and the gap between naming the institution and building it is the entire story.

It becomes clearer once you look at what the legislation actually requires. Right now, the mechanics appear to be narrow by design. SB315 applies only to the largest labs, the “large frontier developers,” meaning companies that train the most computationally intensive models and generate more than $500M in annual revenue. Under the bill, each company must publish a safety framework, report serious incidents to the state within 72 hours, protect whistleblowers from retaliation, and, most notably, retain an independent third party each year to verify that it is following its stated safety commitments. According to Wired, no independent body had previously been required to hold an AI lab accountable to the safety claims it makes about itself.

When regulation helps the incumbents

On paper, that sounds like precisely the sort of oversight large technology companies would be expected to resist. Yet the reaction from the industry’s leading firms was notable for how little opposition it generated. OpenAI and Anthropic both supported the bill, and Anthropic’s Cesar Fernandez told Wired that it formalizes practices that leading labs already follow voluntarily while helping “establish a baseline that every leading AI developer is expected to meet.”

Sit with that endorsement for a moment, and the logic becomes apparent. A rule that codifies what the front-runners already do lands lightly on them and more heavily on anyone trying to catch up. In that sense, safety regulation begins to look less like a constraint and more like a competitive instrument. The support tells you that the largest labs are comfortable with the idea of an audit. What it does not tell you is exactly what that audit is supposed to be.

What exactly is being audited?

That ambiguity around what an audit will actually look like is where the comparison to financial auditing becomes genuinely useful. An audit means very little until there is agreement about what it examines, and in AI safety, two very different inspections hide behind the same word. One asks whether a company did what its own safety framework promised, a review of processes, documentation, and governance that would look familiar to an accountant. The other asks whether the model itself is dangerous, requiring technical evaluations of capabilities and risks, including whether it can assist with activities such as building weapons or conducting cyberattacks.

By OpenAI’s own description of the external testing it commissions, most existing external assessments are designed to measure specific model capabilities or risks, such as biosecurity, cybersecurity, deception, or autonomous behavior. SB315 is aimed at something different. Rather than scrutinizing the model itself, it focuses on the processes and governance structures surrounding its development and deployment. The difficulty is that while technical evaluations have become increasingly sophisticated, the field of governance auditing for frontier AI remains far less mature.

And this is not simply an observation from outside critics. The industry’s own institutions acknowledge that the infrastructure needed to conduct these reviews is still taking shape. The Frontier Model Forum, an industry body founded by the largest AI labs, describes the third-party assessment ecosystem as “relatively nascent,” with few organizations equipped to do the work and with methodologies and accreditation standards still in their early stages. The state is therefore requiring annual independent audits of AI safety governance at precisely the moment when the profession needs to perform them, and the standards needed to guide them remain largely unformed.

The significance of that timing becomes clearer when compared with the states that moved first. According to Wired, California and New York, which currently have the strongest AI safety laws in the country, require companies to disclose how their models are safeguarded and to report incidents when they occur. Neither requires an outside auditor to verify those disclosures. Disclosure asks a company to describe itself, which can be done using the tools already available. Verification asks an independent party to confirm that description, which is much harder when nobody has yet agreed on what a satisfactory answer looks like.

Trying not to repeat the social media mistake

That uncertainty about what auditors will actually be looking at and what standards companies will have to adhere to in order to clear audits is ultimately what makes the law interesting. Social media spent years reshaping politics, public discourse, and everyday life before regulators began to govern it seriously. By then, lawmakers were attempting to impose oversight on systems that had already become deeply embedded in society.

The real experiment in Illinois is not whether AI companies can pass annual audits. It is whether a state can create the conditions for an entirely new profession to emerge. Nearly a century ago, financial auditing became a cornerstone of modern capitalism because regulators demanded it before the field was fully formed. Illinois is betting that AI safety can follow the same path. The question is whether the auditors will arrive before the technology they are meant to oversee moves beyond their reach.

Brain Snack (for Builders)

Wednesday Poll

Quick Bits, No Fluff

• OpenAI files for IPO: Following Anthropic, OpenAI has confidentially filed for an IPO, setting up a market debut that could become one of the most consequential listings in tech history.

• Safari gets an AI overhaul: Apple is bringing AI features and new extensions to Safari, a quiet but significant move to keep its browser relevant in the agentic era.

• TCS bets on AI agents: TCS's chairman expects the firm to deploy as many AI agents as it has employees, a striking signal of how fast services giants are restructuring around automation.

Meme Of The Day

The Toolkit

• Dust: No-code platform for building custom AI agents that connect to your company's tools and data, so teams can automate workflows without engineering.

• Krea: Real-time AI image and video generator with a creative-first interface, great for designers who want to actually steer the output instead of fighting prompts.

• Lavender: AI sales email coach that scores your drafts in real time and suggests rewrites to lift reply rates. 

Rate This Edition