ARTICLE

Most AI Policies Wouldn’t Survive an Audit

By Nahteava
July 16, 2026

On July 6, Illinois Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act. It’s the first state law requiring frontier AI developers to go through an independent, third-party safety audit. Starting in 2028, developers with more than $500 million in revenue will need to hire an outside auditor with real AI safety credentials, grant unredacted access to whatever the audit requires, and publish the results. Once the report is done, the company has 30 days to post a public summary and send copies to the Illinois Attorney General and the state’s Emergency Management Agency.

That law only applies to a narrow slice of companies. But it’s not really about Illinois. Congress is working through the Great American AI Act right now, which would require frontier developers nationwide to disclose model details and get audited by designated Independent Verification Organizations. The EU’s AI Act is doing something similar for 2026, building out independent capacity to evaluate advanced models before they can go to market. Different governments, same idea taking shape: a written AI policy isn’t going to cut it anymore. Companies are going to have to prove what they’re doing to someone who doesn’t work there.

The Part Most Companies Aren’t Ready For

Littler’s 2026 Annual Employer Survey found that 68% of employers now have a formal AI governance policy. That’s up from 38% just last year, which sounds like real movement.

Except when you look closer, the numbers get worse fast. Less than half of those companies have actually built out the things an audit would check for. Vendor vetting procedures. Training on the specific tools people are using. An actual person or committee responsible for AI oversight. Only around 55% even have a formal process for reviewing and approving new AI tools before they’re used. Most companies have a document. Far fewer have anything resembling a working program behind it.

You can already see this gap showing up in places that matter. 72% of S&P 500 companies now disclose at least one material AI risk, up from just 12% back in 2023. Insurers are paying attention too, and general counsel are being told to look hard at AI-specific coverage as more standard policies start writing AI exclusions into the fine print. Regulators, auditors, insurers, customers running vendor security reviews, your own board eventually. The list of people who might ask “can you actually show me this program” keeps growing.

A Policy On Paper Isn’t The Same Thing As Being Ready

A written policy tells you what a company says it does. An audit, whether it’s required by law, written into a contract, or something the company chooses to run on itself, tells you what it can actually prove. Right now, most companies can only answer the first question. Look at how Illinois structured its law, and you get a preview of what the second question looks like in practice: auditors aren’t there to grade intentions. They check for substantial compliance, they flag material gaps, and someone signs their name to the result.

None of this requires a company to be a “covered developer” under some specific statute to matter. The honest version of the question is simpler than that. Where’s the actual gap between what your AI policy says and what’s happening day to day with vendor selection, employee training, use-case approval, and risk monitoring? Most companies don’t find out until a regulator, an insurer, or a customer’s security team forces the issue.

Better to find out on your own terms first.

Where We Come In

Our AI policy, governance, and risk assessment questionnaires exist for exactly this reason. They give you a structured way to see where your program actually stands against the standard that regulators, auditors, and insurers are all converging on, before one of them checks for you instead. If you want a full readiness review or just want to pressure-test one piece of it (policy, governance structure, or risk exposure), we can help you figure out where to start.

Sources: Illinois SB 315 — Crowell & Moring; Illinois becomes first state to require third-party AI audits — The Hill; Gov. Pritzker signs AI Safety Law; Littler Annual Employer Survey 2026 — HR Dive; AI Risk Disclosures in the S&P 500 — Harvard Corp Gov; Gartner: AI Insurance to Mitigate AI Risks; 2026 Year in Preview: AI Regulatory Developments — Wilson Sonsini

Let’s Build What’s Next – Together