President Donald Trump has issued an executive order creating a voluntary system for federal review of the most advanced frontier AI models before they’re released to the public.
The order gives government agencies a 30-day period to evaluate potential national security and cybersecurity threats associated with these state-of-the-art systems.
AI developers are not required to participate, a choice intended to avoid stifling innovation and undermining US technological leadership, especially in competition with China.
The action comes in response to concerns raised by models like Anthropic’s Claude Mythos, which showed sophisticated abilities in identifying security vulnerabilities.
Industry experts have weighed in on multiple aspects of the new AI executive order, from its voluntary approach to the balance between fostering innovation and ensuring security, as well as possible gaps in implementation.
And the reactions start rolling in…
Tonya Ugoretz, Cyber & Privacy Innovation Institute Leader, PwC:
“This new Executive Order on AI charts a course for leveraging America’s advantage in AI innovation to bolster national and economic security by protecting US critical infrastructure. For businesses, the EO continues the direction outlined in the administration’s Cyber Strategy: the private sector will play a central role in the next chapter of national cyber defense.
A critical question will be how findings from the select organizations granted early access to models will trickle down to the far larger pool of companies and municipalities with fewer resources. I’m encouraged that the EO references rural hospitals, community banks, and local utilities as entities the proposed clearinghouse aims to assist. But smaller organizations may find it challenging to process and act on the intelligence shared with them.
Those and other organizations shouldn’t sit back and wait for vulnerability alerts, patches, and funding streams to materialize. The time is now to strengthen core cybersecurity practices, weave AI risk into current governance frameworks, deploy AI tools for internal defensive scanning, and build the capability to respond swiftly to newly discovered vulnerabilities. If carried out with transparency, this EO could represent a meaningful step toward closing AI’s trust gap and establishing international standards that allies will embrace and adversaries will be held to account for.”
Chris Boehm, Field CTO, Zero Networks:

“The order isn’t compulsory. Beyond maintaining good relations with the public sector, a company has little incentive to expose its own model’s flaws unless there’s a political benefit to doing so. And most of these firms make a deliberate effort to steer clear of the policy arena altogether. Both realities lead to the same conclusion: without any enforcement mechanism, the framework loses its effectiveness before it even begins. We’ve already witnessed this pattern. The Cybersecurity Information Sharing Act of 2015 created a voluntary threat-sharing program supported by liability protections rather than mandates, and participation steadily dwindled in the years that followed. Voluntary participation plus good intentions doesn’t translate into widespread adoption.
“I’m pleased to see the benchmarking component. That said, the objective appears less like establishing a safety threshold and more like making a judgment call about which models the government should adopt. That positions it as a signal about where future funding will be directed, since whichever companies meet the benchmark will secure the contracts and attract the investment that follows.”
Bill Robbins, CEO, Menlo Security:

“President Trump’s executive order marks a significant milestone as Washington recognizes that deploying the most powerful AI models carries genuine security risks demanding federal scrutiny before public release. The order directs the government to establish a benchmarking process for evaluating the advanced cyber capabilities of AI models, but it only deals with what models look like before deployment. That addresses just one piece of the puzzle. What it leaves unaddressed is how those models behave once they’re functioning as agents within enterprise infrastructure.
“The real blind spot in this executive order is agent runtime. AI agents are now logging into enterprise systems, transferring sensitive data, and making independent decisions without any human oversight. A pre-release benchmark can’t account for this behavior, because that behavior only emerges once the agent is actively deployed. CISOs and CEOs can’t afford to wait for Washington to close this gap — they need governance, visibility, and control at the point where agents operate. So while pre-release vetting of models through this executive order is essential, enterprises must also put additional safeguards in place at the execution layer.”
Mike McNeil, CEO and Co-Founder, Fleet Device Management:

“The greatest danger is that the approval process turns into a tool for regulatory capture. Once Washington begins labeling certain models as exceptionally powerful or sensitive, that label itself becomes a competitive edge in the market, and companies will inevitably pour resources into shaping the process to their benefit.
I don’t anticipate this will significantly slow the speed of AI advancement. These models will continue to improve no matter what. My real worry is that it shifts the focus toward lobbying and cultivating government connections rather than tackling genuine security challenges. What organizations truly need are stronger defensive strategies to counter AI-driven attacks that are becoming cheaper, speedier, and widely available — not fancier labels.”
Devin Maguire, Senior Manager, Product Marketing, Cycode:

“The executive order highlights the U.S. government’s growing concerns about the cybersecurity risks posed by cutting-edge AI models. Granting the government early access to benchmark models and helping prepare cyber defenses is a reasonable move, but since it’s entirely voluntary, it won’t stop the deployment of frontier models equipped with sophisticated offensive cyber capabilities.
Simply having access to these advanced AI models isn’t a cure-all. While the Glasswing program offers organizations early access to uncover vulnerabilities using AI, identifying weaknesses isn’t the hardest part of security. The real challenge lies in managing vulnerabilities at scale — prioritizing them and patching them against rapidly shrinking exploit timelines. That demands more than just access to frontier models. It requires the capability to handle vulnerabilities discovered by both AI and conventional scanning tools, and to coordinate and automate fixes as quickly as, or faster than, attackers can create and launch exploits.
Glasswing partners who gain access to Mythos are smart to look beyond the model itself, reinforcing their cyber infrastructure and how they orchestrate the remediation of identified risks. The executive order is a harbinger of what lies ahead. Those organizations that have already laid the operational groundwork will be best equipped to respond when the time comes.”
John Walsh, Field CTO for Government, FinServ, Manufacturing, Retail/Transportation & OT/IoT, IGEL Technology:

“The executive order mirrors a broader truth: AI governance is evolving into a security issue, not merely a topic of policy debate. Conducting pre-release reviews of advanced models may help surface certain risks sooner, but regulated industries still require security frameworks that minimize exposure at the point where work actually takes place. For most organizations, that point is the endpoint — where users, applications, identity, data, and AI-powered workflows converge.
Security teams shouldn’t rely solely on policy frameworks to close that gap. They need endpoint environments that are built to limit attack surface by design, maintain a known and controlled state, and restrict what can persist locally if something goes wrong. That’s the practical posture enterprises require as AI-enabled applications grow more prevalent — not a substitute for regulation, but an architectural backbone that keeps organizations secure while governance frameworks continue to develop.”
Robert Costello, Chief Digital and Information Officer, Merlin Group:

“The speed of AI progress is outpacing anything witnessed in prior technology revolutions, so it’s reassuring to see American AI firms collaborating with the Trump administration to strike a balance between cyber safety and the rapid innovation that sustains our technological edge.
The current review period marks a highly positive development, giving federal authorities a meaningful opportunity to evaluate upcoming releases and work alongside cybersecurity industry partners on potential concerns before they escalate.
I’m eager to see how this unfolds in the months ahead.”
Ben Bernstein, Cybersecurity Advisor, Huntress:

“My immediate takeaway is that the strongest model here can be found in the success of industry information-sharing efforts like ISACs. Sectors such as financial services, energy, and other critical infrastructure have long benefited from coordinated threat intelligence sharing and vulnerability disclosure. No single organization has visibility into the entire threat landscape, so defenders are most effective when they work together.
The proposed AI cybersecurity clearinghouse operates on a similar principle and could enhance the process of identifying and addressing vulnerabilities. However, consolidating data on cutting-edge AI capabilities and major security flaws also makes it a prime target for hostile nation-states, meaning its security and oversight will be critically important.
I have more doubts about the benchmarking element. The cybersecurity field has consistently found that assessing security is often more challenging than enhancing it. Cyber capabilities aren’t a simple on/off switch, and it’s tough to gauge how much a model truly speeds up a skilled attacker using just a benchmark. The concern is that benchmarking turns into a box-ticking exercise rather than a genuine indicator of real-world danger.
On the whole, the collaborative approach is logical and has solid roots in cybersecurity practices. The more pressing questions are whether benchmarking can faithfully mirror actual threats and whether the advantages of centralized coordination justify the dangers of establishing a high-value target.”
Justin Beals, CEO & Founder, Strike Graph:

“The administration is correct that excessive regulation can hinder America’s AI competitiveness—we’ve directly observed how disjointed, unpredictable compliance demands slow down innovation and place unnecessary strain on organizations striving to develop responsibly. But stripping away safeguards without substituting them with clear, enforceable standards doesn’t eliminate risk; it simply shifts it onto the companies and consumers left dealing with the fallout when things go wrong.
What the sector truly needs isn’t less oversight—it’s more intelligent oversight. Our research revealed that 68% of compliance leaders consider predictability in government policy to be extremely important. Constant policy swings between administrations don’t provide businesses with the stability they need to develop AI programs that are both innovative and secure.
The true measure of this executive order will be whether it speeds up the creation of a unified federal framework or opens a gap that malicious actors take advantage of. If the aim is American AI leadership, that leadership must be founded on trust—and trust demands evidence, not just approval.”
Rajeev Gupta, Co-Founder & CPO, Cowbell:

“The larger problem is that the government simply lacks the capacity to effectively oversee frontier AI models by itself. Even with a 30-day review period, it’s uncertain which agency would possess the technical know-how and personnel required to properly assess these systems at the speed AI is evolving.
A more practical approach would be a public-private partnership where top AI labs contribute funding, expertise, and technical resources, while the government offers regulatory authority and enforcement power. There’s a proven model for this: following the Three Mile Island incident, the nuclear sector established the Institute of Nuclear Power Operations (INPO), which ultimately enforced safety standards more stringently than regulators could alone.
AI may need a comparable structure. Backing an independent organization that helps guarantee accountability should be seen as a fundamental cost of operating at the frontier level, not merely as a regulatory obligation.”