Three States Write the Rules on Powerful AI Before Washington Does

Illinois, New York, and California have passed disclosure laws covering the most advanced AI systems. The patchwork that results will cost companies money and leave ordinary users with unanswered questions.

ThreatVectr Newsdesk· 3 min read
Aerial 16:9 view of a large modern glass office complex at dusk, lights glowing from within, surrounded by a network of faintly glowing lines radiating outward
Share

Key points

  • Illinois Governor JB Pritzker signed Senate Bill 315, the Artificial Intelligence Safety Measures Act, which takes effect in January 2027 and covers AI developers earning more than $500 million a year.
  • New York's RAISE Act (Responsible AI Safety and Education Act), signed in December 2024, also takes effect on January 1, 2027, and creates an oversight office inside the state's Department of Financial Services.
  • California Governor Gavin Newsom signed the Frontier Artificial Intelligence Act last September, giving that state the earliest framework of the three.
  • All three laws require companies to report critical safety incidents within 72 hours (Illinois and New York) or 15 days (California), shrinking to 24 hours if lives are at immediate risk.
  • The White House has published only a voluntary framework so far, with no binding federal regulation in place.

For most of the past three years, the companies building the world's most powerful AI systems answered to nobody in particular. That is starting to change, state by state.

Illinois, New York, and California have each passed laws that put new obligations on the developers of what regulators call "frontier" AI, meaning the most advanced, most capable models at the cutting edge of what the technology can do. Think the systems behind ChatGPT or the tools major banks and hospitals are quietly folding into their daily operations.

The Illinois law requires any developer earning more than $500 million a year from frontier AI to build a detailed safety framework, covering everything from disaster-scenario testing to cybersecurity controls, and to publish transparency reports before releasing any new or significantly updated model. New York's law stands up a dedicated oversight office. California's act, signed first, set the template the others built on.

All three take effect in January 2027. None of them cover the federal government, which has so far offered only a voluntary framework with no penalties attached.

Why does this matter to people who don't work in tech?

It matters because the AI systems these laws target are already woven into services ordinary people depend on every day. Payroll software, hospital scheduling tools, customer-support lines: many of these run on frontier AI models, sometimes several at once, and the companies using them may not even know which ones.

Recently, one security report cited what researchers described as the first AI-executed ransomware attack, where ransomware is malicious software that locks an organisation's files until a payment is made. Separately, a model called Mythos has been shown able to find and exploit zero-day vulnerabilities, meaning software flaws that the software maker has not yet discovered or patched. These are not hypothetical risks.

Sachin Jade, chief product officer at security firm Cyware, told Dark Reading the laws are a necessary start but leave a significant gap: they apply to the big developers, not to the businesses or individuals who use the AI those developers build. If a company has woven a frontier model into its payroll system, or a developer has modified an open-source model for their own product, the new rules offer little clear guidance on what happens next.

For businesses using AI tools right now, Jade's practical advice is straightforward. Know which AI models your vendors are running inside the software you pay for. Keep an audit trail of what each AI tool is authorised to do. Build a record of your AI-related risks and treat visibility, meaning the ability to see what is happening inside your systems, as the foundation everything else rests on.

The three laws are not identical, and that patchwork will force companies operating across state lines to produce separate compliance reports for each jurisdiction, raising costs. Standardisation will take time. For now, the rulebook exists, it is just written in three different dialects.

© 2026 Threat Vectr