Trump's AI Order Generates Support, Raises More Questions

'Adversaries are operating at machine speed and the Government is operating at bureaucracy speed.'


This week President Trump signed a long-anticipated executive order asking artificial intelligence (AI) companies to provide models to the federal government to assess their capabilities ahead of a full release. The order seemingly signaled a shift from the hands-off approach the White House had previously taken toward artificial intelligence.

The order asks companies, on a voluntary basis, to participate in a benchmarking process to assess a model’s “advanced cyber capabilities” and determine whether it should be considered a “covered frontier model.” It then asks for access to those models up to 30 days before the companies plan to release them more broadly, and enables the government to help select the “trusted partners” that will receive early access. 

Although the order is thin on details, it seems to be weighing heavily on the minds of the cybersecurity community.

Marcus Fowler, CEO of Darktrace Federal

"Darktrace Federal welcomes the Administration’s continued focus on the cybersecurity implications of advanced AI and recognition of the critical role AI-powered cybersecurity will play in defending federal networks, critical infrastructure, and State and local authorities. As cyber threats continue to increase in speed, scale, and sophistication, defensive AI is becoming an essential capability for government agencies seeking to strengthen mission resilience and maintain a security advantage over AI-powered attackers.

"The next challenge is ensuring AI systems are deployed securely once they move into real operational environments. As AI becomes embedded across applications, cloud environments, autonomous agents, operational technology, and critical infrastructure workflows, organizations will need clearer visibility into how those systems behave, what data and resources they can access, and when activity moves outside expected parameters.

"The security conversation must extend beyond model development and testing to focus on the operational realities of AI deployment. NIST’s AI Agent Standards Initiative and forthcoming guidance from CISA and other federal stakeholders will be important in helping organizations establish practical frameworks for securing AI in production environments, including how AI systems and agents are identified, authorized, monitored, and governed throughout their lifecycle.

"The goal should be to support AI adoption while giving organizations the visibility, control, and confidence needed to manage new risks as they emerge."

Dave Gerry, CEO at Bugcrowd

"Across every industry, from criminal gangs to nation-state actors, attackers are utilizing AI to accelerate their pace and frequency of attacks, increasingly causing defenders to be outmatched like never before.  Whether through internal security teams or outsourcing part of their security operations to managed services firms, security teams must rapidly ramp up their usage of AI in response to the increased threat environment. 

"Any time that an administration is publicly prioritizing cybersecurity at a very strategic level is a positive sign for the industry and for broader national security implications. It’s a meaningful first step.

"Today, the biggest gap in the U.S. government’s approach to disrupting global cybercrime operations is speed.  Adversaries move faster than the Government. This forces the Government to be in a constant state of catch up. 

"The majority of federal cybersecurity policy is based on compliance frameworks, post-breach policy and incident response instead of proactive vulnerability discovery to avoid the issue before it happens. While we’ve seen things like bug bounty and vulnerability disclosure programs be successful all across the Federal Government, they’re still not standard practice or required for every agency or critical infrastructure operators. 

"State and Local Governments are falling behind in terms of capability, capacity and funding. The Federal programs get the attention and funding, but the cybercriminal groups are disproportionately targeting smaller, less sophisticated organizations. The same is happening in the private sector across large versus small healthcare systems, large versus small utilities, etc. 

"The biggest gap isn’t in strategy, it’s in the speed of operating. Adversaries today are operating at machine speed and the Government is operating at bureaucracy speed. Proactive security must become the default to help offset this velocity gap."

Diana Kelley, CISO, Noma Security 

"Voluntary security programs can work, but only when they create real accountability. We’ve seen this in cyber before. Coordinated vulnerability disclosure began largely as voluntary cooperation between researchers and vendors, but it became more effective when organizations added clear intake channels, response timelines, safe harbor language and public accountability. 

"Post-incident review models such as the Cyber Safety Review Board are also useful: they don’t regulate directly, but they can still create pressure, shared lessons and concrete recommendations. Industry frameworks like the NIST Cybersecurity Framework and the Secure Software Development Framework are also voluntary in many contexts, but they gain teeth when procurement, audits, insurers, customers and regulators start expecting them.

"For frontier AI, a 90-day government review could be useful as one checkpoint, but evaluating model safety is complex and ongoing. The risks evolve after release, especially when models are connected to agents, code execution, enterprise data, identity systems or critical infrastructure workflows. Review needs to account for how the model is deployed, what it can access, how much autonomy it has, and what guardrails are actually enforced in production."

Rajeev Gupta, Co-Founder & CPO, Cowbell

"The bigger issue is that the government simply isn’t equipped to meaningfully oversee frontier AI models on its own. Even with a 90-day review window, it’s unclear which agency would have the technical expertise and staffing needed to properly evaluate these systems at the pace AI is advancing.

"A more effective model would be a public-private consortium where leading AI labs contribute funding, talent, and technical resources, while the government provides regulatory authority and enforcement. There’s precedent for this approach: after the Three Mile Island incident, the nuclear industry created the Institute of Nuclear Power Operations (INPO), which ultimately became more rigorous in enforcing safety standards than regulators alone."

Collin Hogue-Spears, Senior Director of Solution Management, Black Duck

"Voluntary is not the policy floor. It is the legal ceiling on executive AI review without Congress. China required generative-AI service filings in 2023 through their Cyberspace Administration of China rules. The European Union made general-purpose AI documentation and cooperation obligations applicable in August 2025 under the AI Act. The United States is building a voluntary review lane because existing national-security statutes offer no obvious basis for compelled model submission. 

"Mythos accelerated the administration’s return to pre-release model scrutiny, but the executive order expands the national-security audience, not the legal authority. It does not turn voluntary testing into a binding regime, and it does not create a national AI standard, and it does not displace the state-by-state rules already forming in Colorado, California, New York, Texas, and Virginia."

John Gallagher, Vice President, Viakoo

"We are still in the early stages of defining what constitutes 'safe use'. To be clear, advanced AI itself is a massive supply chain risk. If these "frontier" models are eventually integrated into operational technology (OT) or physical security systems (like smart cameras or building controllers), the integrity of the model itself becomes a critical OT security concern. 

"Ensuring that an AI agent managing a physical network hasn't been "poisoned" or tricked into disabling security protocols is the next step in establishing the risk of using AI-enhanced OT systems. Anthropic's Claude Mythos is but one 'Frontier AI', and Project Glasswing is but one (narrow IT-focused) effort in reducing the risk of general availability.  

"By working with all advanced AI models pre-production, the hope is much more broad efforts can be undertaken, such as testing against OT systems and establishing use-case specific guardrails."

Yagub Rahimov, CEO, Polygraf AI

"Any technical expert, any cyber-aware thought leader with genuine national interest should support mandatory testing of high-impact models before public release. It is not just tech, we have moral and ethical obligations not just for ourselves but for our children and future generations.

"But here is where I get to live up to my nickname 'Mr. Paranoid', and I think you should too.

"Imagine a model passes a 90-day federal review. Clean bill of health, cleared for everyone. Then that model lands inside an enterprise environment where behavioral guardrails were never built. Then these agents are given rights to run against sensitive systems with no audit trail. 

"Operators neither have clear visibility nor have they properly defined what a secure AI interaction should even look like at the workflow level. What do you think will happen next?

"We cannot govern AI only at its origin point. We must govern it where it operates and what it operates on. I believe the next executive action, and there will need to be one, must move downstream from model testing to deployment enforcement: inline, real-time behavioral controls that follow the model into production the same way a firewall follows network traffic. I believe this will come through within 12 months.

"I also expect a significant wave of enterprises moving to air-gapped, on-premise operations, partially or completely, precisely because they understand this gap and cannot wait for policy to close it. Compliance and security isn’t a checkbox anymore, it is the beginning and the end of everything.

"Here is the final thing that keeps me up at night. Every infrastructure has gaps. Human security teams, constrained by resources and bandwidth, have missed and will miss some of them, guaranteed. But a fully automated model with massive computational power under a nation-state on a mission will not miss them. It will find every gap, systematically, at machine speed. 

"The question is not whether those gaps get found. The question is who will find them first, a good actor or a bad one? And right now, my honest assessment is that bad actors are running faster in that race than we are prepared to admit."

Gidi Cohen, CEO, Bonfy

"The executive order signed today reflects something the security community has understood for a while: frontier AI models are no longer just productivity tools. They are infrastructure with national security implications.

"Governments and enterprises are grappling with the same underlying challenge: AI systems that were evaluated as safe at the configuration level can still behave in ways that violate policy, expose sensitive data, or act outside of business intent once deployed. That gap (between what a system is approved to do and what it actually does in production) is where the real risk lives.

"Early access and capability benchmarking are a start. But the governance conversation needs to extend past the release gate and into runtime. Because that's where AI meets data, and where policy either holds or it doesn't."

Brian Cunningham, EVP, Strategy and Growth, QuSecure 

"In special operations, most mission failures don’t come from a lack of strategy; they come from failure to execute the strategy and plans that already exist. That is the core lesson of this Executive Order.

"The United States has known for years that we must modernize the cryptographic foundations of our most critical systems. NSA’s CNSA 2.0, NIST’s post-quantum standards, and multiple federal directives have all pointed the same way. The challenge was never understanding the threat. It was executing the transition at scale across complex, long-lived government and critical infrastructure.

"What makes this order significant is that it confronts a new reality: AI is accelerating cyber operations while our underlying security infrastructure struggles to keep up. As decision cycles compress and machine-speed attacks grow more capable, organizations need security architectures that can evolve without disruption.

"Cryptographic modernization is no longer optional. The organizations that succeed will be those that build agility into their security foundations now, before circumstances force them to do it later."

Rohit Dhamankar, VP of M&A and AI Strategy at Fortra

"Trump's AI executive order signed today is more significant than the headlines suggest — and more honest than most policy in this space. The voluntary framing is intentional. Companies aren't forced to hand over their models. The government gets a look, not a veto. Smart. 

"Mandatory pre-clearance would have killed the order before the ink dried. The real motivation? When a frontier AI model starts finding decades-old software vulnerabilities at scale, Washington stops theorising about risk and starts writing orders. That's what happened here.

"30 days is a start. It was 90 days in the original draft — walked back, presumably to keep industry at the table. But let's be clear: 30 days to test a frontier model against the software running your banks, hospitals and power grids is not a security program. It's a gesture toward one.

"What's actually needed is a permanent government lab — running the latest models continuously against critical infrastructure, finding vulnerabilities, patching them before adversaries get there first. Not a one-time pre-release review. A living, breathing capability that keeps pace with the models."

Justin Beals, CEO & Founder, Strike Graph

"The administration is right that overregulation can stifle American AI competitiveness—we've seen firsthand how fragmented, unpredictable compliance requirements slow innovation and create unnecessary burden for organizations trying to build responsibly. 

"But removing guardrails without replacing them with clear, enforceable standards doesn't reduce risk; it just redistributes it onto the companies and consumers that end up holding the bag when something goes wrong.

"What the industry actually needs isn't less governance—it's smarter governance. Our own research found that 68 percent of compliance leaders say predictability in government policy is extremely important to them. Constant whiplash between administrations doesn't give businesses the certainty they need to build AI programs that are both innovative and secure."
