Summary
The proposed "Great American AI Act" introduces Independent Verification Organizations (IVOs)—state-licensed entities that will conduct mandatory semi-annual audits of large foundation model developers. This marks a significant shift from voluntary AI safety standards to federally mandated third-party verification.
Key Takeaways:
- IVOs will audit transparency, incident reporting, and whistleblower protections
- Developers must maintain continuous compliance readiness with immutable evidence trails
- Audit specifications remain largely undefined, creating operational uncertainty
- Organizations should implement governance infrastructure now, not wait for final rules
- The first IVO audits are expected in 18-24 months
The laissez-faire era of federal AI policy is ending, at least for the largest, most powerful models.
In early June 2026, the U.S. House released the discussion draft of the “Great American AI Act,” led by Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA). While the bill touches on everything from workforce development to federal content moderation oversight, its centerpiece is a new federal mandate that could reshape how foundation model developers prove their safety: the introduction of Independent Verification Organizations (IVOs).
For the first time, federal law would require large AI model developers to undergo semi-annual third-party audits conducted by specialized, state-licensed entities. And while the details are still being hammered out in legislative discussion, one thing is already clear: every major foundation model developer will eventually need IVOs to conduct compliance audits. And every company deploying those models will need to demonstrate they’ve done their due diligence.
What this means operationally is less obvious. This post unpacks the emerging IVO regime, what IVOs will likely audit, and where the governance infrastructure gaps are.
The Federal Shift: From Guidance to Verification
For the first years of the AI era, federal policy toward foundation models took what the Obernolte-Trahan framework calls a “laissez-faire” approach. The White House 2023 Executive Order emphasized industry-led standards and voluntary testing. The Commerce Department’s Center for AI Standards and Innovation was authorized to convene developers, not to enforce compliance.
That changed in early 2026. President Trump signed an executive order pivoting federal oversight toward the national security implications of frontier AI models. The Obernolte-Trahan draft formalizes and dramatically expands this approach, but with a crucial twist: instead of creating a new federal agency with veto power over model releases, it delegates auditing to the private sector through state-licensed IVOs.
This is post-training, post-release oversight. And it’s designed to be complementary, not preemptive: the federal framework preempts state developer obligations for three years, but allows state laws regulating AI deployment and use to proliferate. The message is clear: standardize foundation model safety at the federal level, but leave everything downstream to the states.
This creates an immediate problem: developers need IVOs, and IVOs need to know what to audit.
What Is an Independent Verification Organization?
The draft bill defines IVOs as state-licensed entities authorized to conduct mandatory audits of large foundation model developers. But the framework says almost nothing about what that actually means operationally.
Here’s what we know from the draft:
- Who gets audited: Large foundation model developers, likely defined by model scale, capability, or computational investment. (The exact threshold is undefined; expect fierce debate.)
- How often: Semi-annual audits, meaning developers must maintain continuous compliance readiness.
- Who conducts them: State-licensed independent auditors with no direct business relationship to the developer being audited.
- What they verify: “Compliance” with transparency, incident reporting, and whistleblower protection obligations—but the draft doesn’t specify what evidence proves compliance.
- Liability shield: IVOs get protection from civil liability for their audit conclusions, reducing exposure and encouraging third parties to enter the market.
- Funding and oversight: The Commerce Department’s Center for AI Standards and Innovation will oversee the IVO ecosystem and receive $100 million annually to build standards and manage the program.
What the draft doesn’t say is critical: What exactly constitutes compliance evidence?
The Operational Gap: What Do IVOs Actually Audit?
This is where the framework becomes a governance design problem rather than just a regulatory announcement.
The draft bill requires IVOs to verify that developers comply with three things:
- Transparency obligations: Disclosure of training data sources, model capabilities, and known limitations.
- Incident reporting: Notification requirements for serious harms or misuses.
- Whistleblower protections: Internal channels for employees to report safety concerns.
But “transparency,” “incident reporting,” and “whistleblower protections” are frameworks, not specifications. In practice, IVOs will need to answer questions like:
- What constitutes sufficient disclosure of training data? A manifest of sources? Chain-of-custody documentation? Qualitative assessment of bias and poisoning risks?
- What’s a “serious harm” requiring incident reporting? The model was misused in a fraud scheme (developer’s responsibility)? The model produced an unsafe output that someone could exploit (capability question)? Both?
- How do you verify a whistleblower protection program is credible? Annual attestations? Third-party anonymous survey? Log audit trails of internal reports?
- How do you audit continuous compliance? Do you re-verify everything every six months, or do you focus on incremental changes and new deployments?
These are not rhetorical questions. They’re the operational core of what IVOs will do. And they’re almost entirely undefined in the legislative draft.
This is where existing governance frameworks become practical: they provide the taxonomies and evidence structures that IVOs will need to operationalize. But even those frameworks were designed for risk governance, not regulatory audit. Translating them into audit specifications is a separate problem.
Why This Matters Now: The Evidence Readiness Problem
Here’s the practical implication: developers need to start generating, organizing, and continuously maintaining compliance evidence now, before IVO auditing specifications are finalized.
Why? Because semi-annual audits mean you can’t wait until audit time to scramble together documentation. You need:
- Immutable evidence trails: Records of what training data was used, when it was used, and what due diligence was conducted. These can’t be reconstructed retroactively; they need to be logged as they happen.
- Governance workflows: Approval chains and sign-offs for deployment decisions, incident determinations, and whistleblower escalations. These need to be embedded in operational process, not added as an afterthought.
- Continuous compliance readiness: The ability to generate audit-ready reports on demand, not in a panic 30 days before the semi-annual audit deadline.
- Auditability of the audit process itself: IVOs will likely need to verify that evidence logs weren’t tampered with. Cryptographic proof of immutability (or at minimum, strong access controls and change logs) will matter.
State-level foundation model laws—particularly Illinois SB 315—already require third-party audits, but with annual rather than semi-annual cadence and lower liability caps. Companies preparing for federal compliance should look at what Illinois-regulated developers are learning: evidence collection and governance process design are the real operational load.
Two Sides of the IVO Market
Here’s where the governance infrastructure opportunity opens up.
The IVO ecosystem will create two related but distinct markets:
1. IVOs as Auditors (Service Provider)
Someone needs to build and license IVO firms. These entities will need to:
- Develop audit methodologies that translate ambiguous legislative requirements into testable specifications
- Conduct risk assessments of model training, deployment, and incident response procedures
- Verify the completeness and integrity of compliance evidence
- Issue attestations that carry legal weight and insurer credibility
- Manage their own liability exposure and insurance
This is a professional services market, similar to the SOC 2 audit space or the emerging AI ethics/safety consultant ecosystem. Early-stage opportunities exist for firms building IVO audit frameworks, but the real market likely requires scale, domain expertise, and regulatory trust.
2. Governance Infrastructure for Developers (Internal Readiness)
Developers and deployers need platforms to:
- Collect, organize, and cryptographically secure compliance evidence as decisions are made, not after
- Implement governance workflows (risk approvals, incident determinations, escalations) that are audit-ready by design
- Generate compliance reports on demand that reference immutable evidence logs
- Track changes, approvals, and decision justifications in formats IVOs will likely request
- Demonstrate that governance processes weren’t bypassed or corrupted
This is the operational governance problem. It’s not compliance documentation; it’s governance infrastructure embedded in how an organization makes decisions about AI risk.
Airia’s Positioning in the IVO Ecosystem
The Airia Active Governance Platform sits at the intersection of these two markets.
For IVOs and auditors: Airia provides the audit-ready evidence infrastructure that IVOs will need to verify. When an IVO audits a developer, they’ll be asking: Can you show me immutable evidence of your training data vetting? Your incident classification decisions? Your escalation workflows? Your whistleblower reports and how you resolved them? Developers using Airia’s stage-based governance workflows with evidence immutability can produce these records directly, without reconstructing them from scattered systems. This makes IVO audits faster, more defensible, and less resource-intensive for both auditor and auditee.
For developers and deployers: Airia is a platform to move from compliance scrambling to continuous governance readiness. Rather than treating IVO compliance as a temporary audit prep project, organizations using Airia embed governance into their operational decision-making. Approval workflows for model deployments, incident classification workflows, and risk assessments become the primary record, and they’re automatically audit-ready. The evidence doesn’t exist for the audit; the audit verifies the evidence that naturally exists from doing governance right.
This is the difference between compliance documentation (writing it when you need it) and active governance (doing it as part of your operational discipline).
What’s Not Yet Defined—and Why That’s Important
The IVO framework is still a legislative discussion draft. Before it becomes law, several critical questions will be resolved (or won’t be, creating ongoing ambiguity):
- Who qualifies as a “large” developer requiring IVO audits? The bill is silent. Expect the threshold to be defined through regulation or Commerce Department guidance, likely tied to model scale or compute spend.
- What audit standards will IVOs follow? The draft doesn’t reference NIST AI RMF, ISO 42001, or any specific framework. If different IVOs develop different standards, compliance becomes fragmented. If the government mandates a standard, expect fierce debate about which one.
- How will federal-state coordination work? If Illinois requires annual audits and the federal framework requires semi-annual audits, what happens in Illinois? Do developers do both? One subsumes the other? The three-year preemption sunset creates temporal complexity here.
- What liability does a “verified” finding create? If an IVO audits a developer and signs off, what happens when that developer later uses the model unsafely? Does the IVO attestation create legal liability for deployers who relied on it? This question will shape how risk-averse IVOs are.
Companies should be tracking these question marks, because the answers will shape what “IVO-ready” actually means.
What Organizations Should Do Now
If you’re a foundation model developer or a significant deployer, the IVO framework creates two immediate imperatives:
1. Start treating evidence collection as governance infrastructure, not compliance administration.
Don’t wait for IVO audit specifications to be finalized. Begin now to implement:
- Immutable logging of governance decisions (model selections, capability assessments, deployment approvals)
- Structured incident classification workflows (is this a training data issue, a capability issue, a deployment issue?)
- Risk approval chains with documented justifications
- Audit trails that track who accessed evidence, when, and what they changed
The platform and process choices you make now will shape your IVO readiness later. Building from a compliance documentation mindset (I’ll write the evidence when I need it) will be more expensive and less credible than building from an active governance mindset (the evidence exists because governance happened properly).
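The tamper-evidence point raised earlier (cryptographic proof that evidence logs were not altered) and the immutable-logging item above can both be illustrated with a hash-chained log. This is an added example, not part of the original post and not any vendor's code; the record fields, function names, and sample entries are constructed assumptions. It also shows why a head hash has to be held outside the log: a truncated chain still verifies internally.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    """Append a governance record, binding it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry["hash"]  # head hash; store a copy outside the log (e.g. with the auditor)


def verify(log, anchored_head=None):
    """Return (ok, reason). anchored_head is a head hash stored outside the log."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return False, f"entry {i}: broken link"
        if entry["hash"] != _digest(prev_hash, entry["record"]):
            return False, f"entry {i}: record altered"
        prev_hash = entry["hash"]
    # An internally consistent chain can still have been truncated or rebuilt
    # from scratch; only an externally held head hash catches that.
    if anchored_head is not None and anchored_head not in [e["hash"] for e in log]:
        return False, "anchored head missing: log truncated or rewritten"
    return True, "ok"


def build_sample_log():
    # Constructed sample records; field names are illustrative assumptions.
    log = []
    append(log, {"type": "deployment_approval", "model": "example-model-v1",
                 "approver": "risk-committee", "ts": "2026-07-01T10:00:00Z"})
    append(log, {"type": "incident_classification", "category": "deployment issue",
                 "decided_by": "safety-lead", "ts": "2026-07-03T14:30:00Z"})
    head = append(log, {"type": "evidence_access", "actor": "auditor-1",
                        "action": "read", "ts": "2026-07-05T09:15:00Z"})
    return log, head
```

An anchored head from an earlier audit period remains valid as the log grows, because the check only requires that the anchored hash still appears somewhere in the chain.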
2. Track the regulatory developments and map them to your governance architecture.
- Monitor the Obernolte-Trahan bill as it moves through the legislative process
- Read the Commerce Department’s guidance as it emerges on IVO licensing and oversight
- Watch how state frameworks (Illinois, California, New York) resolve federal-state coordination issues
- Engage with early IVO firms to understand what audit methodologies they’re developing
The initial IVO audits are likely 18-24 months away. That’s enough time to implement governance infrastructure, but not enough time to do it casually.
The Larger Governance Architecture
The IVO framework represents a shift from “the government tells you what to do” to “the government certifies auditors who verify you’re doing it.” It’s post-training, private-sector oversight with federal coordination.
That model has advantages: it’s faster than agency rulemaking, it leverages private sector expertise, it avoids creating a powerful new federal agency. But it also creates coordination problems: What happens when IVOs develop inconsistent standards? What happens when liability uncertainty makes IVOs overcautious or under-resourced? What happens to developers in the 18-month gap between legislation and IVO availability?
These are not Airia’s problems to solve alone. But they’re the governance infrastructure problems that platforms like Airia are designed to address: making it operationally feasible for organizations to comply with ambiguous frameworks by embedding governance into decision-making.
Sources:
This post is based on the Obernolte-Trahan “Great American AI Act” discussion draft (June 2026) and analysis by Cobun Zweifel-Keegan for the IAPP.