The Trump administration on June 2 released an executive order (EO) on AI requiring that, on a voluntary basis, frontier AI companies would let the government review their models within 30 days of public releaseThe government originally wanted a 90-day review period and the industry was reportedly looking for 14 days, so some security pros saw a 30-day review as favorable.“Thirty days is sufficient because the risks being assessed — bioweapons, hacking capabilities, and foreign policy threats — are known categories,” said Klaas Meinke, head of AI for Hadrian. “Once a framework exists, these evaluations are fairly straightforward: the responsibility falls on evaluators to apply it efficiently.”Meinke said NIST already offers an established framework for assessing the risks and capabilities of new AI models, so this EO doesn't introduce a fundamentally new approach: it just shifts the emphasis toward a voluntary framework — which, given the current political context, is probably the most notable change.John Watters, chief executive officer at iCOUNTER, said 30 days represents a reasonable starting point, but the bigger question is what we’re trying to learn during that period? Watters said evaluating a frontier model’s potential role in cyber operations requires more than technical testing — it requires understanding how adversaries could operationalize those capabilities at scale and how quickly they can compress the time between discovery, exploitation, and impact.“One of the defining challenges of AI in cybersecurity is time compression,” said Watters. “Tasks that once took days, weeks, or months can now be executed in hours or minutes. The review period should focus not only on what a model is capable of, but how dramatically it changes the speed at which threats can be identified, adapted, and operationalized. As for the voluntary nature of the framework, participation may not be mandatory, but market pressure, national security concerns, and public trust are powerful motivators.”Diana Kelley, chief information security officer at Noma Security, pointed out that voluntary security programs can work, but only when they create real accountability.We’ve seen this in cyber before, said Kelley: coordinated vulnerability disclosure began largely as voluntary cooperation between researchers and vendors, but it became more effective when organizations added clear intake channels, response timelines, safe harbor language, and public accountability.Kelley added that post-incident review models such as the Cyber Safety Review Board are also useful: they don’t regulate directly, but they can still create pressure, shared lessons and concrete recommendations. Industry frameworks like the NIST Cybersecurity Framework and the Secure Software Development Framework are also voluntary in many contexts, but they gain teeth when procurement, audits, insurers, customers and regulators start expecting them.“For frontier AI, a 90-day government review could be useful as one checkpoint, but evaluating model safety is complex and ongoing,” said Kelley. “The risks evolve after release, especially when models are connected to agents, code execution, enterprise data, identity systems or critical infrastructure workflows. Review needs to account for how the model is deployed, what it can access, how much autonomy it has, and what guardrails are actually enforced in production.”Doc McConnell, head of policy and compliance at Finite State, said this EO acknowledges the central role that frontier models will play in critical infrastructure cybersecurity, but it reinforces the approach that we’ve seen so far from AI labs: limiting access to the most capable tools to a small group of companies and government agencies, while excluding most cybersecurity practitioners.“Meanwhile, malicious actors are finding new ways to leverage available AI tooling to accelerate and enhance their attacks,” said McConnell. “The cybersecurity community is strongest when it works together — transparently identifying, managing, and discussing the risks that affect all technology users. The path to stronger cybersecurity is more information sharing, not less. Classified benchmarking, nondisclosure requirements, and early access pilots will delay getting these models into the hands of the cyber defenders who can put them to use today.”Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, said the tension here is hard to ignore: the administration asked for greater federal oversight of frontier AI models because of cybersecurity and national security concerns, while also proposing significant reductions to CISA, the nation’s lead civilian cyber defense agency.“If the U.S. wants more oversight of advanced AI because these systems can materially change the cyber threat landscape, that oversight needs to be matched with durable cyber capacity, clear governance, and trusted public-private coordination,” said Krell. “Cutting CISA while expanding AI security review risks creating a framework that is ambitious on paper but thin operationally.”
AI/ML, Government security, Government Regulations
Trump executive order on AI calls for voluntary 30-day review period
(Adobe Stock)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds