Developers of the most powerful AI models have been invited, but not required, to hand their models to the US government for cybersecurity review before release, under an executive order signed on June 2.
The order, signed by President Donald Trump, sets up a voluntary framework. It directs agencies to design a process through which developers could give the government access to a “covered frontier model” for up to 30 days before releasing it to other trusted partners. A separate clause expressly rules out any mandatory licensing or preclearance requirement for new models.
The move marks a shift for an administration that has favored a light touch on AI, and follows a May near-miss when Trump pulled an earlier draft, citing concerns that included its longer review window.
The Threat Driving the Order
Although the text does not name it, the order lands amid mounting concern over frontier models that can find and exploit software flaws at scale, chief among them Anthropic’s Claude Mythos Preview.
Anthropic has recently warned that rival labs could field comparable models within a year, possibly without safeguards against misuse.
The NSA, the Cybersecurity and Infrastructure Security Agency (CISA) and NIST, the order said, must build a classified benchmark to decide which models cross the “covered” threshold.
Read more on frontier cyber models: What Frontier AI Models Like Mythos & GPT-Cyber Mean for Cybersecurity.
The framework closely echoes Anthropic’s Project Glasswing, which gives vetted partners early access to Mythos to scan critical software for vulnerabilities.
A Wider Federal Cyber Push
Beyond the review framework, the bulk of the order is a defensive overhaul. It gives agencies 30 days to harden national security, military and civilian federal systems and directs CISA to issue binding directives that expand AI-enabled defensive tools and widen access for smaller operators such as rural hospitals and local utilities.
It also creates an “AI cybersecurity clearinghouse,” led by the Treasury Department, to coordinate vulnerability scanning, validation and patching.
Industry reaction was broadly supportive but wary of whether a voluntary scheme can be truly effective. “Voluntary security programs can work, but only when they create real accountability,” said Diana Kelley, CISO at Noma Security, noting that coordinated disclosure matured once intake channels, timelines and safe-harbor terms were added.
Rajeev Gupta, co-founder of Cowbell, was blunter. “The government simply isn’t equipped to meaningfully oversee frontier AI models on its own,” he said. As an alternative, he floated a public-private body funded by the labs but backed by regulatory authority.
For now, the framework’s force will rest on whether Congress later ties pre-release review to procurement or export rules.
