Skip to main content
Cybersecurity

US Invites AI Developers to Voluntary Cybersecurity Review

Government representative and AI developers collaborate around a covered AI model, laptops, and notes in a conference room.

"Voluntary security programs can work, but only when they create real accountability," said Diana Kelley, CISO at Noma Security.

President Donald Trump's voluntary framework: 30-day reviews, no preclearance

On June 2, President Donald Trump signed an executive order that invites — but does not require — developers of the most powerful AI models to give the U.S. government access to a "covered frontier model" for up to 30 days before releasing it to other trusted partners. The order establishes a voluntary process for pre-release review and includes a separate clause that expressly rules out any mandatory licensing or preclearance requirement for new models.

The measure marks a shift for an administration that the text says has "favored a light touch on AI," and it follows a near-miss in May when the president pulled an earlier draft, citing concerns that included a longer review window than the new order allows.

Anthropic's Claude Mythos Preview and the threat of flaw‑finding models

Although the order's text does not name a specific product, it lands amid mounting concern over frontier models that can find and exploit software flaws at scale — concerns the source identifies as chief among them Anthropic's Claude Mythos Preview. Anthropic has warned that rival labs could field comparable models within a year, possibly without safeguards against misuse.

The framework in the order closely echoes Anthropic's Project Glasswing, a program that gives vetted partners early access to Mythos to scan critical software for vulnerabilities. That resemblance helps explain the administration's focus on a narrow "covered" threshold for the most capable models.

NSA, CISA and NIST must build a classified benchmark

The order tasks the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) with creating a classified benchmark to decide which models cross the "covered" threshold. That benchmark will determine which frontier models are eligible for the voluntary, pre-release review window laid out in the order.

Federal cybersecurity measures: 30-day hardening, CISA directives, Treasury clearinghouse

Beyond the voluntary review mechanism, the bulk of the executive order is a defensive cybersecurity overhaul. Agencies are given 30 days to harden national security, military and civilian federal systems. The order directs CISA to issue binding directives that expand AI-enabled defensive tools and widen access to those tools for smaller operators, explicitly naming rural hospitals and local utilities as beneficiaries.

The order also creates an "AI cybersecurity clearinghouse," led by the Treasury Department, to coordinate vulnerability scanning, validation and patching — effectively centralizing government activity around discovery and remediation of AI-related vulnerabilities.

Industry reaction — Noma Security, Cowbell, and the limits of voluntariness

Industry response, as recorded in the reporting, was broadly supportive of a security-focused approach but wary about whether a voluntary scheme can be effective. Diana Kelley of Noma Security emphasized the need for accountability, noting that coordinated disclosure matured only after intake channels, timelines and safe-harbor terms were added.

Rajeev Gupta, co‑founder of Cowbell, was more blunt: "The government simply isn't equipped to meaningfully oversee frontier AI models on its own," he said, and he floated an alternative — a public‑private body funded by the labs but backed by regulatory authority. For now, the order's practical force will depend on whether Congress links pre-release review to procurement or export rules.

How rural hospitals, local utilities, and Congress are positioned

  • Rural hospitals and local utilities: The order directs CISA to expand access to AI-enabled defensive tools to smaller operators such as these organizations, potentially widening their access to vulnerability scanning and remediation services coordinated by the Treasury-led clearinghouse.
  • Congress: The order leaves open a decisive political lever. The administration's voluntary framework could gain real teeth if Congress later ties pre-release review to federal procurement or export controls — a development the source identifies as the likely determinant of the program's long-term effectiveness.
  • Federal cybersecurity teams: Agencies have a compressed timeline — 30 days to harden systems per the order — and must work with NSA, CISA and NIST to operationalize a classified benchmark for what counts as a "covered frontier model."

The executive order is at once modest and consequential: modest in preserving voluntariness and expressly rejecting mandatory preclearance, consequential in assigning agencies tight deadlines, a classified benchmark and a Treasury-led clearinghouse. Its success will hinge on the classified criteria those agencies develop and whether Congress couples voluntary review with procurement or export levers. The near-miss in May — when an earlier draft was pulled over its longer review window — is a reminder that the mechanics of review, timing and authority remain political as well as technical.

Source: Infosecurity Magazine — Trump Signs Order Inviting Voluntary Review of Frontier AI Models