Trump Signs AI Security Order Requiring 30-Day Review of Frontier Models

President Donald Trump on June 2 signed a long‑awaited ³ titled "Promoting Advanced Artificial Intelligence Innovation and Security" that requests AI companies voluntarily provide the federal government access to "covered frontier models" for a cybersecurity review up to 30 days before release. The order marks a significant shift for an administration that has until now resisted regulating artificial intelligence, according to the.⁴

The order directs the Treasury Department to form an AI cybersecurity clearinghouse that coordinates vulnerability scanning across software systems, discovers and validates vulnerabilities, and prioritizes remediation. It also tasks the Cybersecurity and Infrastructure Security Agency (CISA) with releasing binding operational directives to expedite cyber defense of federal systems within 30 days.

The executive order comes directly in response to Anthropic's release of Claude Mythos, a model so powerful at identifying security vulnerabilities in software that Anthropic itself warned it could lead to a cybersecurity "reckoning," according to the.¹ Mythos can autonomously identify and exploit hidden vulnerabilities in real‑world software — a capability that alarmed national security officials.

The order reflects "an administration trying to sustain its deregulatory, innovation‑first posture while confronting the novel cyber risks posed by powerful new tools like Anthropic's Claude Mythos Preview," wrote CFR experts Matthew Ferren and Vinh Nguyen in their.⁴

CNN reported that Anthropic announced Mythos would be released "to all our customers in the coming weeks," heightening the urgency for federal oversight.

The executive order establishes several concrete mechanisms, as detailed by the:³

• Voluntary pre‑release access: AI developers are requested to give the government access to frontier models up to 30 days before releasing them to "other trusted partners." The NSA will run a classified process for designating which models qualify as what the ³ calls "covered frontier models."
• Treasury‑led clearinghouse: Within 30 days, the Treasury Secretary must form a public‑private clearinghouse that coordinates vulnerability scanning across widely used software and distributes patches.
• CISA directives: The Homeland Security Secretary must release binding operational directives to harden civilian federal systems against AI‑enabled threats and expand federal cybersecurity services to critical infrastructure operators — including rural hospitals, community banks, and local utilities.
• Workforce expansion: The Office of Personnel Management must expand cybersecurity hiring pathways within 60 days.

Legal firm Ropes & Gray described the framework as "voluntary with mandatory implications," noting that while participation is technically optional, companies that refuse may face reputational and regulatory pressure.

The original draft of this executive order proposed a 90‑day review window, but that version was pulled after concerns it would "blunt U.S. labs' competitiveness with China," according to CFR. The signed order cuts the period to 30 days.

The theory behind the window is straightforward: give defenders a head start. "The goal is for defenders to find and fix critical vulnerabilities faster than adversaries can exploit them," CFR's Ferren wrote. But he warned that "consistent patching remains an unsolved problem, particularly for open‑source projects and under‑resourced critical infrastructure operators."

The order is also notable for assigning the Treasury Department — rather than CISA or the Office of the National Cyber Director — a leading operational role. CFR noted this may reflect that Treasury is "one of the few places where institutional capacity remains" after the administration cut the federal cybersecurity workforce substantially over the past year and a half.

For developers and teams building with frontier AI models, the executive order introduces several practical considerations:

• Access timing: If you rely on early access or preview releases of frontier models from labs like Anthropic, Google, or OpenAI, expect a potential 30‑day delay while the government conducts its cybersecurity review. Labs that participate voluntarily may stagger releases — government reviewers first, then trusted partners, then general availability.
• Compliance surface area: While the order is currently voluntary, the legal analysis from Ropes & Gray warns that mandatory requirements could follow. Builders integrating frontier models into products should track which models are designated as "covered" by the NSA's classified process.
• Vulnerability disclosure: The Treasury clearinghouse will coordinate vulnerability discovery and patching. If you maintain open‑source projects or infrastructure that frontier models can analyze, your codebase may be scanned. Being responsive to patches will matter more than ever.
• International dimension: The order explicitly frames AI security as a competitive issue with China. Builders at U.S. companies working with international teams should expect scrutiny of model access across borders.

The order has drawn mixed reactions. Supporters see it as a pragmatic middle ground — voluntary enough to avoid stifling innovation, structured enough to address real national security concerns. Critics argue the voluntary nature means bad actors face no barrier, while the 30‑day window may not be enough time for meaningful security review.

"Even when well implemented, pre‑deployment testing has limits," CFR's Ferren wrote. "It will likely prove difficult to develop models that are incapable of malicious hacking yet remain commercially compelling."

Bloomberg reported that the administration deliberately omitted mandatory pre‑release testing requirements, a concession to AI companies that argued compulsory reviews would slow U.S. innovation relative to competitors. But the order's structure — voluntary today, potentially mandatory tomorrow — is widely seen as a signal to the industry that federal oversight is coming, and companies should prepare.

This executive order is part of a rapid acceleration in AI governance in 2026. It follows Anthropic's IPO filing, OpenAI's confidential IPO filing a week later, and the impending SpaceX public listing — a trio of trillion‑dollar tech debuts that have focused Washington's attention on AI's national security implications.

The order arrives alongside a Breaking Defense report that the White House issued a separate National Security Presidential Memorandum urging closer collaboration with AI companies — "as long as they're compliant," Breaking Defense reported — aiming — "as long as they're compliant" — aiming to avoid a repeat of what one official called the "Anthropic debacle" around Mythos.

For builders, the message is clear: the era of completely unregulated frontier AI deployment is ending. The question is not whether oversight arrives, but what form it takes — and whether the 30‑day review window grows teeth in future iterations.