The White House recently issued an executive order establishing a voluntary federal framework for prerelease access to certain advanced AI models, with the goal of strengthening national cybersecurity while preserving innovation. The order — titled “Promoting Advanced Artificial Intelligence Innovation and Security” and signed on June 2, 2026 — marks a notable departure for an administration that revoked the Biden-era AI Executive Order on its first day in office and has consistently resisted proposals viewed as potentially impeding AI innovation.
The catalyst for the shift was the emergence of frontier AI models capable of autonomously identifying and exploiting high-severity software vulnerabilities at scale, including Anthropic’s Claude Mythos and OpenAI’s GPT-5.5-Cyber, which reshaped the administration’s calculus on the need for government engagement with frontier AI development. The order asks developers of “covered frontier models” to provide the government a short prerelease review window and directs the build-out of classified benchmarking to assess advanced cyber capabilities and the creation of a Department of Treasury (“Treasury”)-led “cybersecurity clearinghouse” to coordinate and deconflict scanning for software vulnerabilities, validate such vulnerabilities, and prioritize remediation and distribution of vulnerability patches for widely used software products.
Under the order, AI developers are asked to voluntarily provide the federal government access to covered frontier models for up to 30 days before release to other trusted partners. This narrowed prerelease testing window replaced a previously contemplated 90-day review period, and the order does not mandate that companies share or submit models. The order expressly states that nothing in it authorizes creation of a mandatory governmental licensing, preclearance, or permitting requirement for development, publication, release, or distribution of new AI models, including frontier models. Although the framework is expressly voluntary, participation may prove closer to de facto mandatory in practice given the risks of national security scrutiny and reputational cost of non-participation. Developers who do participate will be afforded confidentiality, cybersecurity, insider-risk, and intellectual-property protections, though the specifics of those protections — including safeguards for model weights and trade secrets — will be determined through the implementation process. The order also provides that participating developers may collaborate with the federal government to select “trusted partners” that will receive early access to covered frontier models to promote secure innovation and strengthen the cybersecurity of critical infrastructure, effectively giving the government a role in determining not only whether a model warrants special treatment but also who gets early access to it.
The order also moves federal agencies toward common evaluation criteria for high-risk capabilities. Within 60 days of the order, Treasury, the National Security Agency (“NSA”), the Cybersecurity and Infrastructure Security Agency (“CISA”), the National Institute of Standards and Technology (“NIST”), and White House officials are required to “develop and maintain a classified benchmarking process to assess advanced cyber capabilities of AI models and to determine when a model should be treated as a ‘covered frontier model.’” The Director of the NSA will have final authority over which models meet that threshold. In parallel, the order contemplates a classified process, run through national security components, for evaluating frontier cyber capabilities.
While some top tech executives have praised the order as an important step that would balance AI safety and innovation, other commentators have questioned Treasury’s designation as the lead agency given that neither AI nor cybersecurity is among its core competencies. Participants will also need to consider how the new clearinghouse interacts with existing sector-specific information-sharing bodies such as FS-ISAC.
The entities most directly affected are organizations at the intersection of frontier AI development and national security. AI developers and model providers of covered frontier models face voluntary 30-day prerelease access requests and potential participation in classified benchmarking. Critical infrastructure operators are likely to engage with the clearinghouse and may receive coordinated vulnerability disclosures and patch guidance. Federal departments and contractors operating national security systems will encounter expanded AI-related cybersecurity activities under the order.
Separately, the order directs the Attorney General to prioritize enforcement of existing federal criminal statutes — including the Computer Fraud and Abuse Act (18 U.S.C. § 1030), wire fraud (18 U.S.C. § 1343), and identity fraud (18 U.S.C. § 1028) — against anyone who uses AI to illegally access or damage a computer system without authorization, or who employs AI agents to unlawfully access data for use in a criminal purpose. Companies with exposure to government investigations or white-collar enforcement should take note of this prioritization.
To prepare for the imminent changes, companies should take the following steps. First, organizations developing or deploying advanced AI models should assess now whether their models are likely to meet the “covered frontier model” threshold and evaluate what participation in the voluntary framework would mean for their development timelines. Second, developers considering participation should carefully evaluate the terms on which prerelease information sharing will occur, including what materials will be shared, who will receive them, and whether adequate protections for model weights, trade secrets, and other proprietary information will be in place. Third, critical infrastructure operators should monitor developments related to the Treasury-led clearinghouse and consider engaging proactively with the agencies designing the voluntary framework to position themselves for trusted-partner designation. Fourth, all stakeholders should monitor forthcoming agency guidance — due within 30 days for the clearinghouse and CISA directives, and within 60 days for benchmarking criteria and the scoping of “covered frontier models.” Companies should also track congressional activity on AI issues, as lawmakers on both sides have strong incentives to act ahead of the midterm elections, and should account for the continued proliferation of state-level AI legislation when developing compliance strategies.
If your company is developing, deploying, or relying on AI systems — or reevaluating existing AI strategies in light of increasing federal and state activity — we can help you anticipate regulatory change, manage legal risk, and position your business for continued innovation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.