A Third State Just Made the Same Bet on AI Safety, and the Pattern Is Now Hard to Ignore
Illinois joins NY and CA in AI safety laws. This convergence creates an enforceable baseline for risk management, audits, and whistleblower protection that leaders must adopt now.
Let's get Monday started with everyone's favourite topic of conversation, AI regulation.
When Senate Bill 315 passed the Illinois House without a single vote against it this week, the symmetry mattered more than the bill itself. Daniel Didech, the Democrat from Buffalo Grove who carried it, avoided pitching it as a bold new framework and described it, almost casually, as something that "closely mirrors what is already law in New York and California". You can read the full debate coverage on WAND-TV, but the headline is buried in that one sentence. Three states have now converged, independently, on the same architecture for governing frontier AI.
That has moved beyond a trend to a template.
The template has three load-bearing parts.
Large developers, the labs building systems like ChatGPT and Claude, will be required to file an annual independent report describing how they handle catastrophic risk. They will have to report serious safety incidents within 72 hours of learning about them, or within 24 hours if the incident threatens death or physical harm. And employees who raise safety concerns get statutory whistleblower protection. Anthropic, one of the labs that will actually be subject to all of this, called it the moment Illinois became the first state to require independent third-party audits of large frontier AI developer safety practices. Their own framing was telling: this turns voluntary practice into an enforceable baseline.
That phrase, enforceable baseline, is the one I would write down somewhere visible if I were running an AI committee right now. Because the practical effect of three states converging on the same shape is that the shape becomes the floor that everyone must meet. Vendors who sell into US enterprise procurement will be asked to evidence it, insurers will price against it, and auditors will benchmark to it. The federal government may or may not get around to legislating, but it almost does not matter, because the de facto reference design is already being written underneath them.
Most internal AI policies are caught on the back foot here. Most of the drafts I have seen over the past two years are organised around use, rather than risk. They tell employees which tools are approved, what data they cannot paste in, who needs to sign off on a deployment. Useful, but missing the spine. Look at SB 315 and you see a different organising principle: published risk plans, independent audit, mandatory incident reporting, and protected dissent. If your own policy does not have a defined process for publishing how you manage AI risk, an external check on whether you are actually doing what you say, and a clear route for an employee to flag something dangerous without losing their job, you are behind the convention that the law is codifying.
There is a wider point here about how technology actually gets governed, and it is one worth sitting with. We tend to imagine regulation as a single dramatic federal act, the equivalent of GDPR landing across Europe. What is happening in the US is messier and more interesting. State by state, with bipartisan support (the Illinois Senate passed this 52 to 5, and the House passed it unanimously), the same set of demands is forming: transparency about catastrophic risk, independent verification, and protection for the people closest to the systems who notice when something is wrong. Those are governance demands rather than technical ones.
And that distinction matters for leaders. Because the work of getting ready for this is a leadership job rather than an engineering one. Someone has to decide what your organisation considers a catastrophic risk in the first place. Someone has to choose who audits you, and on what evidence. Someone has to make it culturally safe for a junior engineer to walk into a meeting and say "I think this model is doing something we should not be doing", and be heard rather than managed out. None of that gets solved by buying a tool.
The labs themselves seem to understand this. OpenAI's spokesperson called the framework "thoughtful". Anthropic publicly hoped other states would build on it. That signal matters. The companies most exposed to the rules are signalling they would rather operate inside an enforceable structure than inside a vacuum where every state invents its own. That should tell you something about where this is heading.
One thing worth doing this week: pull up your AI policy and look for two specific things. A clause that commits you to publishing how you manage AI risk, in some form, to someone outside your own walls. And a named, protected route for an employee to escalate a safety concern. If either is missing, you have just identified your next governance meeting.

