President Donald Trump has signed an executive order establishing a voluntary framework for federal vetting of the most advanced frontier AI models before their public release.
The directive provides government agencies with a 30-day testing window to assess potential national security and cybersecurity risks posed by these cutting-edge systems.
Participation remains optional for AI developers to avoid hindering innovation and US technological competitiveness, particularly against rivals like China.
The move follows concerns over models such as Anthropic’s Claude Mythos, which demonstrated advanced capabilities in vulnerability discovery.
Industry professionals have commented on various aspects of the new AI executive order, including its voluntary nature, the balance between innovation and security, and potential implementation gaps.
And the feedback begins…
Tonya Ugoretz, Cyber & Privacy Innovation Institute Leader, PwC:

“The new Executive Order on AI is a roadmap for using America’s lead in AI innovation to strengthen national and economic security by securing US critical infrastructure. For companies, the EO extends the direction signaled in the administration’s Cyber Strategy: the private sector will be key participants in the next era of national cyber defense.
A key test will be how discoveries from the select organizations with early model access will cascade to the much larger, less resourced population of companies and municipalities. I’m heartened that the EO mentions rural hospitals, community banks, and local utilities as organizations the proposed clearinghouse intends to support. But smaller operators may struggle to absorb and act on the information shared with them.
Those and other organizations shouldn’t wait for the vulnerability, patch, and grant funding spigots to turn on. The window is now to reinforce cybersecurity fundamentals, integrate AI risk into existing governance processes, turn AI tools inward for defensive scanning, and build the capacity to respond quickly to discovered vulnerabilities. If implemented with transparency, this EO could be a credible step toward addressing AI’s trust deficit and setting international norms that allies will follow and adversaries will be held accountable for.”
Chris Boehm, Field CTO, Zero Networks:

“The order isn’t mandatory. Outside of preserving goodwill with the public sector, a company has no real reason to surface its own model’s weaknesses unless there’s a political upside to doing so. And most of these companies work hard to stay out of the policy arena in the first place. Both of those things point to the same conclusion: without any level of enforcement, the framework loses its value before it gets going. We have already seen this play out. The Cybersecurity Information Sharing Act of 2015 set up a voluntary threat-sharing program backed by liability protection instead of a mandate, and participation steadily collapsed over the years that followed. Voluntary plus good intentions does not equal adoption.
I’m glad to see the benchmarking. That said, the goal looks less like a safety bar and more like a value judgment about which models the government should use. That makes it a signal about where future investment will flow, since whoever clears the benchmark gets the contracts and the capital that follows.”
Bill Robbins, CEO, Menlo Security:

“President Trump’s executive order is a meaningful step as Washington acknowledges that the release of the most powerful AI models poses real security risks that require the scrutiny of federal agencies before they reach the public. The order calls for the government to develop a benchmarking process to determine the advanced cyber capabilities of AI models, but it only addresses what models look like before they ship. That’s only part of the problem. What it doesn’t address is what those models do once they’re operating as agents inside enterprise infrastructure.
The real gap in this executive order is agent runtime. AI agents are now authenticating to enterprise systems, moving sensitive data, and making autonomous decisions with no human in the loop. A pre-release benchmark can’t capture this behavior, because that behavior only exists once the agent is deployed. CISOs and CEOs can’t afford to wait for Washington to catch up, and they need governance, visibility, and control where the agents act. So, while this executive order’s pre-release vetting of models is critical, enterprises need to implement additional controls at the execution layer.”
Mike McNeil, CEO and Co-Founder, Fleet Device Management:

“The biggest risk here is that the approval process becomes a vehicle for regulatory capture. Once Washington starts designating certain models as uniquely powerful or sensitive, that designation becomes a marketing advantage, and companies will naturally invest in influencing the process.
I don’t expect this to have much impact on the pace of AI innovation. The models are going to keep getting better regardless. My concern is that it creates incentives around lobbying and government relationships instead of solving actual security problems. Organizations need better ways to defend themselves as AI makes sophisticated attacks cheaper, faster, and more accessible, not better labels.”
Devin Maguire, Senior Manager, Product Marketing, Cycode:

“The executive order reflects the U.S. government’s concern over the cyber risks of advanced AI models. Providing the government with advanced access to benchmark models and prepare cyber defenses is a sensible step, but it is voluntary and will not prevent the release of frontier models with advanced cyber offense capabilities.
Access to these Advanced AI models is not a panacea. Participation in Glasswing gives organizations advanced access to find vulnerabilities with AI, but finding vulnerabilities is not the primary challenge in security. Managing vulnerabilities at scale to triage and fix them against shrinking exploit windows is the crux of the challenge, and that requires more than access to frontier models. It requires the ability to manage vulnerabilities identified by both AI and traditional scanning tools, and to orchestrate and automate remediation actions as fast, or faster, than attackers can develop and deploy exploits.
Glasswing partners with access to Mythos are rightly looking beyond the model itself, shoring up their cyber infrastructure and how they orchestrate remediation of identified risks. The executive order is a signal of what’s coming. The organizations best positioned to respond will be those that have already built the operational foundation to act on it.”
John Walsh, Field CTO for Government, FinServ, Manufacturing, Retail/Transportation & OT/IoT, IGEL Technology:

“The executive order reflects a broader reality: AI governance is becoming a security concern, not only a policy debate. Pre-release review of advanced models may help identify certain risks earlier, but regulated industries still need security architectures that reduce exposure at the point where work actually happens. For many organizations, that point is the endpoint, where users, applications, identity, data, and AI-enabled workflows intersect.
Security teams should not wait for policy frameworks alone to close that gap. They need endpoint environments that reduce attack surface by design, preserve a known and governed state, and limit what can persist locally if something goes wrong. That is the practical security posture enterprises need as AI-enabled applications become more common: not a replacement for regulation, but an architectural foundation that helps organizations stay protected while governance continues to evolve.”
Robert Costello, Chief Digital and Information Officer, Merlin Group:

“The pace of AI advancement is eclipsing anything we saw in previous technology revolutions, so it’s encouraging to see American AI companies working collaboratively with the Trump administration to balance cyber safety with rapid innovation that helps maintain our technology superiority.
The current review period is a tremendously positive step, giving the federal government a meaningful window to assess upcoming releases and work with cyber industry counterparts on concerns before they become problems.
I look forward to seeing how this plays out over the coming months.”
Ben Bernstein, Cybersecurity Advisor, Huntress:

“My initial reaction is that the strongest precedent here is the success of industry information-sharing efforts like ISACs. Financial services, energy, and other critical infrastructure sectors have benefited from coordinated threat intelligence sharing and vulnerability disclosure for years. No single organization sees the entire threat landscape, so defenders are often strongest when they collaborate.
The proposed AI cybersecurity clearinghouse follows that same philosophy and could improve vulnerability discovery and remediation. However, centralizing information about frontier AI capabilities and critical vulnerabilities also creates an attractive target for nation-state adversaries, so its security and governance will matter enormously.
I’m more skeptical of the benchmarking component. The cybersecurity industry has learned repeatedly that measuring security is often harder than improving it. Cyber capability isn’t a binary threshold, and it’s difficult to capture how much a model actually accelerates a skilled attacker through a benchmark alone. The risk is that benchmarking becomes a compliance exercise rather than a meaningful measure of real-world risk.
Overall, the collaboration aspect makes sense and has strong precedent in cybersecurity. The bigger questions are whether benchmarking can accurately reflect real-world threats and whether the benefits of centralized coordination outweigh the risks of creating a high-value target.”
Justin Beals, CEO & Founder, Strike Graph:

“The administration is right that overregulation can stifle American AI competitiveness—we’ve seen firsthand how fragmented, unpredictable compliance requirements slow innovation and create unnecessary burden for organizations trying to build responsibly. But removing guardrails without replacing them with clear, enforceable standards doesn’t reduce risk; it just redistributes it onto the companies and consumers that end up holding the bag when something goes wrong.
What the industry actually needs isn’t less governance—it’s smarter governance. Our own research found that 68% of compliance leaders say predictability in government policy is extremely important to them. Constant whiplash between administrations doesn’t give businesses the certainty they need to build AI programs that are both innovative and secure.
The real test of this executive order will be whether it accelerates a coherent federal framework or creates a vacuum that bad actors exploit. If the goal is American AI leadership, that leadership has to be built on trust—and trust requires proof, not just permission.”
Rajeev Gupta, Co-Founder & CPO, Cowbell:

“The bigger issue is that the government simply isn’t equipped to meaningfully oversee frontier AI models on its own. Even with a 30-day review window, it’s unclear which agency would have the technical expertise and staffing needed to properly evaluate these systems at the pace AI is advancing.
A more effective model would be a public-private consortium where leading AI labs contribute funding, talent, and technical resources, while the government provides regulatory authority and enforcement. There’s precedent for this approach: after the Three Mile Island incident, the nuclear industry created the Institute of Nuclear Power Operations (INPO), which ultimately became more rigorous in enforcing safety standards than regulators alone.
AI may require a similar framework. Supporting an independent body that helps ensure accountability should be viewed as a core cost of operating at frontier scale, and not just as a regulatory burden.”
