The White House AI security order puts frontier models on a 30-day review track
The White House AI security order ties CISA guidance, a Treasury-led vulnerability clearinghouse, classified cyber benchmarks, and pre-release frontier model access into 30-day and 60-day deadlines.
- What happened: The White House published the June 2, 2026 executive order Promoting Advanced Artificial Intelligence Innovation and Security.
- It sets 30-day deadlines for CISA cyber guidance and a Treasury-led AI cybersecurity clearinghouse, plus 60-day deadlines for classified cyber benchmarks and a voluntary pre-release access framework.
- Frontier model release: Developers can work with the federal government to determine whether a model is a covered frontier model and may give government evaluators up to 30 days of access before release to trusted partners.
- Builder impact: Vulnerability scanning, validation, patch priority, and release governance are moving into the same operating frame as critical infrastructure defense.
- The order says it does not create mandatory licensing or preclearance, but release checklists for high-capability models now have a new policy contact point.
- Watch: The practical details depend on follow-on CISA, Treasury, NSA, and NIST work due within the next 30 to 60 days.
The White House published the executive order Promoting Advanced Artificial Intelligence Innovation and Security on June 2, 2026. The opening language frames the order as a way to promote American AI innovation while strengthening national security and cybersecurity. For AI developers and security teams, the concrete part is the calendar. Within 30 days, the order asks for CISA guidance and a Treasury-led AI cybersecurity clearinghouse. Within 60 days, it asks national security agencies to design classified cyber benchmarks and a voluntary framework for pre-release access to certain frontier models.
The order is not well described by the sentence "the United States is deregulating AI." It warns against excessive regulation that could slow American developers and researchers, while also saying advanced AI capabilities create new national security considerations. The mechanism is not a new licensing regime. The order instead uses operational tools: cyber defense directives, vulnerability coordination, classified benchmarks, trusted partner access, and law enforcement prioritization for AI-enabled computer misuse.
CISA guidance and a clearinghouse move first
The first deadline is 30 days. Section 2 tells federal agencies to prioritize cyber defense for Committee on National Security Systems and Department of War information systems. It also tells CISA to quickly issue Binding Operational Directives and guidance for civilian federal government information systems. The target is broader than federal networks alone. The order names agencies, state and local authorities, rural hospitals, community banks, and local utilities as examples of operators that should be helped to access AI-enabled cybersecurity tools and services.
The more direct clause for software and security teams is Section 2(d). The Treasury Secretary, in consultation with the National Cyber Director, NSA, and CISA, must establish an AI cybersecurity clearinghouse. The order describes four functions: coordinating and deconflicting software vulnerability scanning, discovering and validating vulnerabilities, prioritizing remediation, and coordinating the distribution of vulnerability patches.
| Deadline | Actor | Order requirement | Builder contact point |
|---|---|---|---|
| 30 days | CISA, OMB, National Cyber Director | Federal system defense guidance and wider access to AI-enabled defensive tools | Security requirements from government and critical infrastructure customers may move faster. |
| 30 days | Treasury, NSA, CISA | Creation of an AI cybersecurity clearinghouse | Vulnerability reporting, validation, and patch routing become centrally coordinated concerns. |
| 60 days | Treasury, NSA, CISA, NIST | Classified benchmark process for advanced cyber capabilities | Model release risk may be evaluated outside public benchmarks. |
| 60 days | AI developers, Federal Government | Voluntary framework for up to 30 days of government access before trusted partner release | Frontier model launch planning gets a federal security touchpoint. |
In that table, the word "clearinghouse" matters. It sounds softer than a regulator, but the function is stronger than a discussion forum. Recent AI security work, including Anthropic's Project Glasswing, showed that discovering possible vulnerabilities is not the only bottleneck. Verification, disclosure, patching, and duplicate handling are often slower than the model. The White House order takes that operational bottleneck and gives it a federal coordination path.
The phrase "deconflicting software vulnerability scanning" points at a practical failure mode. If AI systems can generate vulnerability candidates at scale, multiple organizations can scan the same code, submit overlapping reports, or send maintainers low-quality findings from different pipelines. A clearinghouse can help only if it reduces duplicate pressure and routes validated reports toward the teams that can fix them.
The order does not yet specify an API, portal, reporting schema, CVE relationship, or maintainer workflow. The 30-day deadline is more likely to produce an operating structure and agency responsibilities than a mature product. Software vendors, open-source maintainers, cloud providers, and critical infrastructure operators still need to watch the follow-on guidance before they know what they will be asked to submit or receive.
Covered frontier models are defined around cyber capability
The second track is model evaluation. Section 3 tells Treasury, NSA inside the Department of War, and CISA to create a classified benchmarking process within 60 days. The consultation list includes the White House Chief of Staff, the National Cyber Director, APST, and the Commerce Department's NIST. The goal is to assess advanced cyber capabilities in AI models and decide which threshold should make a model a covered frontier model.
That sentence creates a concrete release question for AI labs. A high public coding benchmark score and a classified government finding on cyber capability are not the same thing. The order says the NSA Director makes the designation decision in consultation with the National Cyber Director, APST, CISA Director, and Department of War officials. NIST appears in the benchmark and standards context, but the designation process sits close to national security agencies.
The structure resembles the direction of recent cyber model evaluations. Public exploit benchmarks can test whether a model can reproduce vulnerabilities, build exploit chains, or reason through simulated targets. The executive order implies that some of that assessment will move into classified settings, where targets, tasks, scoring rules, and risk thresholds are not necessarily public.
For model developers, the hardest issue is not the label "covered." It is the uncertainty around the criteria. The order does not yet say which models cross the threshold, how it treats cyber-specialized fine-tunes versus general-purpose frontier models, whether tool-using agent scaffolds are included, or whether open-weight releases and hosted APIs are handled the same way. Those questions belong to the 60-day framework.
Voluntary access still changes the launch checklist
Section 3(b) asks for a voluntary framework. Developers can cooperate with the federal government to determine whether a model under development may qualify as a covered frontier model. For covered models, the framework may give the government access for up to 30 days before the model is made available to trusted partners. That access is supposed to be governed by confidentiality, cybersecurity, insider-risk, intellectual-property protection, use, and nondisclosure requirements.
The order carefully draws one boundary. Section 3(c) says the clause must not be interpreted to authorize mandatory governmental licensing, preclearance, or permitting requirements for developing, publishing, releasing, or distributing new AI models. In plain terms, the order does not say that every frontier model needs government approval before launch.
Operationally, however, release checklists can still change. A frontier model developer that sells to the federal government or critical infrastructure customers may need an internal record explaining why a model does or does not appear to meet the covered threshold. If the company believes the threshold may apply, launch planning may need a 30-day evaluation window, NDAs, insider-risk controls, evaluation endpoints, logging rules, model snapshot freezes, and a government contact path.
This is a common pattern in U.S. AI policy: a rule can shape behavior through procurement and security operations even when it avoids a formal licensing system. The order says it is not creating mandatory preclearance. At the same time, it asks the government to expand defensive access for critical infrastructure and to design early access for high-capability models. Legal, security, public policy, and evaluation teams will have more to review before a launch button is pressed.
Patch distribution is now part of the policy target
The order fits the direction of recent AI security news. In May 2026, Anthropic's Project Glasswing initial update said about 50 partners had used Claude Mythos Preview to identify more than 10,000 high or critical vulnerabilities. The same update described 23,019 potential vulnerability candidates across more than 1,000 open-source projects and named validation, disclosure, and patching as bottlenecks.
The White House order does not name Anthropic, Mythos, or any competing model. Still, the clearinghouse clause turns the same operational problem into federal language. If AI finds vulnerabilities faster, someone must decide how to avoid duplicate scanning, validate findings, prioritize patches, and get defensive services to operators such as rural hospitals and local utilities that may not have large security teams.
That pressure reaches AppSec vendors and agent security products. A scanner that only says "we found a lot of bugs" will not be enough for a government clearinghouse or critical infrastructure buyer. Reports will need reproducible evidence, severity rationale, duplicate collapse, affected version ranges, exploitability proof, patch suggestions, advisory status, and regression tests. As report volume rises, low-quality AI-generated bug reports can consume more maintainer time than they save.
AI agent crime gets explicit language
Section 4 turns to law enforcement. It directs the Attorney General to prioritize enforcement of 18 U.S.C. 1028, 1030, 1343, and other federal laws against people who use AI to gain unauthorized access to computers or damage systems. It also includes people who use AI during illegal access to commit other crimes. The text specifically mentions public and private information technology systems, and it includes AI agents used to access data or information for criminal or otherwise unlawful purposes.
This does not create a new criminal statute. It directs enforcement priority under existing laws such as the Computer Fraud and Abuse Act and wire fraud. The explicit phrase "AI agents" still matters for product builders. Agent products that use browsers, SaaS tools, code hosts, databases, internal admin panels, or shell commands need clearer abuse monitoring and customer terms. "The model did it" is unlikely to function as a defense when a user directed or enabled the action.
Logs also become more consequential. In the context of Section 4, tool invocation logs and user identity are incident response evidence. Target systems, permission grants, output hashes, and external request metadata can matter when a company has to distinguish lawful automation from unauthorized access. Privacy and customer confidentiality rules prevent indiscriminate collection, but no logs at all make abuse claims and false accusations harder to separate.
The unanswered questions between labs and government
The largest unresolved area is the voluntary framework. First, if covered frontier model designations are tied to a classified benchmark, developers outside the government may struggle to understand why a model qualifies. The order says assessments should be shared with AI developers and researchers as appropriate, but the government is unlikely to disclose every classified task. A useful process will need an explainable designation summary that gives labs enough information to remediate or challenge the result without exposing the benchmark.
Second, 30-day government access requires model security and IP protection at the same time. Section 3(b) lists confidentiality, cybersecurity, insider-risk, intellectual-property protection, and nondisclosure in one clause. A developer will need to decide how to isolate the evaluation endpoint, whether capability can be assessed without weight access, how prompts and outputs are retained, and whether evaluation transcripts create later discovery or FOIA concerns.
Third, the term "trusted partners" needs definition. The early access clause links government review to release before trusted partners receive the model. In practice, government evaluators, AI developers, and critical infrastructure operators may look at the same model from different risk angles. Electric utilities, water systems, hospitals, financial institutions, and telecom operators may care less about headline model scores than about data boundaries, deployment support, emergency patch workflows, and misuse monitoring.
Fourth, the clearinghouse must decide how to treat open-source maintainers. If AI-generated findings concentrate on critical dependencies, maintainers can receive simultaneous contact from government agencies, security vendors, AI labs, downstream vendors, and cloud providers. A clearinghouse helps only if it brings report formats, duplicate handling, embargo coordination, maintainer consent, and funding support into the same process.
What non-U.S. builder teams should track
The order is U.S. federal policy, but the impact can reach companies outside the United States. An AI model developer, AppSec vendor, or agent security company in another country may still sell to U.S. government-adjacent buyers, critical infrastructure operators, cloud marketplaces, or partner channels. Follow-on guidance can show up later inside procurement questionnaires and enterprise security reviews.
The first item to track is cyber capability evaluation. Teams should distinguish ordinary code generation, vulnerability reproduction, exploit chain construction, and tool-using agent behavior in their internal evaluations. Public benchmark scores, internal red-team results, and agent-mode results should be recorded separately. When a government or enterprise customer asks whether a model could qualify as a covered frontier model, the answer needs evidence.
The second item is the vulnerability report workflow. If an AI scanner or coding agent creates vulnerability candidates, each report should include reproduction steps, affected versions, severity rationale, false-positive review, a patch candidate, and a regression test. Whatever format the clearinghouse eventually uses, structured reports will be easier to route than raw AI output.
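The report gate described above, combined with the duplicate collapse discussed earlier for overlapping scans, as an added example that is not from the order or any agency. The record layout, pipeline names, and fingerprint rule are assumptions, since no clearinghouse schema has been published.

```python
import hashlib
from dataclasses import dataclass, field

# Evidence fields the article lists for each AI-generated report.
REQUIRED = ("reproduction_steps", "affected_versions", "severity_rationale",
            "false_positive_review", "patch_candidate", "regression_test")

@dataclass
class Finding:
    source: str      # reporting pipeline (hypothetical names below)
    package: str
    file_path: str
    weakness: str    # weakness class, e.g. a CWE identifier
    symbol: str      # affected function
    evidence: dict = field(default_factory=dict)

    def missing(self):
        """Required evidence fields that are absent or empty."""
        return [k for k in REQUIRED if not self.evidence.get(k)]

    def fingerprint(self):
        """Identify the flaw itself, independent of reporter and wording."""
        parts = (self.package, self.file_path, self.weakness, self.symbol)
        key = "|".join(p.strip().lower() for p in parts)
        return hashlib.sha256(key.encode()).hexdigest()[:16]

def triage(findings):
    """Split findings into routable (deduplicated) and rejected (incomplete)."""
    routable, rejected = {}, []
    for f in findings:
        gaps = f.missing()
        if gaps:
            rejected.append((f.source, gaps))
            continue
        rec = routable.setdefault(f.fingerprint(), {"finding": f, "sources": []})
        rec["sources"].append(f.source)
    return routable, rejected

# Constructed sample input: two pipelines report the same flaw, a third omits evidence.
FULL = {k: "provided" for k in REQUIRED}
SAMPLE = [
    Finding("pipeline-a", "libexample", "src/parse.c", "CWE-787", "parse_header", FULL),
    Finding("pipeline-b", "LibExample", "src/parse.c ", "cwe-787", "parse_header", FULL),
    Finding("pipeline-c", "libexample", "src/io.c", "CWE-416", "close_stream",
            {"reproduction_steps": "provided"}),
]

if __name__ == "__main__":
    routable, rejected = triage(SAMPLE)
    for fp, rec in routable.items():
        print(fp, rec["finding"].symbol, "reported by", rec["sources"])
    for source, gaps in rejected:
        print("rejected", source, "missing", gaps)
```

The maintainer receives one record that credits both pipelines, while the incomplete report goes back to its sender with the list of missing fields.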
The third item is agent abuse logging. If an AI agent signs into external systems, retrieves data, or executes shell commands, authorization and execution logs should be separated and retained under a clear policy. Enterprise customers are likely to ask for role-based access control, exportable audit logs, webhooks, and SIEM integrations. The product design challenge is to leave enough evidence for abuse investigation while minimizing unnecessary customer-data collection.
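One way to keep authorization and execution logs separate and still correlate them during an investigation, as an added example that is not taken from the order or any product. The field names, grant model, and log entries are constructed assumptions; output is stored as a hash so the evidence trail does not retain customer data.

```python
import hashlib
from datetime import datetime

def digest(output: bytes) -> str:
    """Keep a hash of tool output as evidence instead of the customer data itself."""
    return hashlib.sha256(output).hexdigest()

# Constructed authorization log: which user let the agent use which tool on which target.
AUTHZ_LOG = [
    {"grant_id": "g1", "user": "alice", "tool": "db.query",
     "target": "crm-prod", "expires": "2026-06-10T12:00:00"},
    {"grant_id": "g2", "user": "bob", "tool": "shell.exec",
     "target": "build-01", "expires": "2026-06-10T09:00:00"},
]

# Constructed execution log, written separately by the tool runner.
EXEC_LOG = [
    {"ts": "2026-06-10T08:30:00", "grant_id": "g1", "tool": "db.query",
     "target": "crm-prod", "output_sha256": digest(b"constructed output 1")},
    {"ts": "2026-06-10T09:30:00", "grant_id": "g2", "tool": "shell.exec",
     "target": "build-01", "output_sha256": digest(b"constructed output 2")},
    {"ts": "2026-06-10T10:00:00", "grant_id": "g1", "tool": "db.query",
     "target": "hr-prod", "output_sha256": digest(b"constructed output 3")},
    {"ts": "2026-06-10T10:05:00", "grant_id": "g9", "tool": "http.get",
     "target": "partner-api", "output_sha256": digest(b"constructed output 4")},
]

def audit(authz_log, exec_log):
    """Return executions that no valid, in-scope, unexpired grant covers."""
    grants = {g["grant_id"]: g for g in authz_log}
    flagged = []
    for e in exec_log:
        g = grants.get(e["grant_id"])
        if g is None:
            reason = "no_grant"
        elif (e["tool"], e["target"]) != (g["tool"], g["target"]):
            reason = "out_of_scope"
        elif datetime.fromisoformat(e["ts"]) > datetime.fromisoformat(g["expires"]):
            reason = "expired_grant"
        else:
            continue
        flagged.append({"ts": e["ts"], "grant_id": e["grant_id"], "reason": reason,
                        "user": g["user"] if g else None,
                        "output_sha256": e["output_sha256"]})
    return flagged

if __name__ == "__main__":
    for row in audit(AUTHZ_LOG, EXEC_LOG):
        print(row["ts"], row["grant_id"], row["reason"], row["user"])
```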
The fourth item is release governance. Frontier model release documentation can no longer stop at a model card and a pricing page. Cybersecurity evaluations, misuse safeguards, trusted partner access, government contact points, incident disclosure procedures, and IP protection controls may all belong in the launch packet. The executive order says it is not a mandatory licensing system, but these documents can still become part of trust in U.S. government and critical infrastructure markets.
No licensing regime, but a baseline is forming
The political language of the executive order emphasizes AI dominance and reduced regulatory burden. The operating clauses are more specific. CISA has 30 days to produce guidance. Treasury has 30 days to stand up an AI cybersecurity clearinghouse. NSA, CISA, Treasury, and NIST have 60 days to design a covered frontier model benchmark process and voluntary access framework. Those dates give AI companies and security teams a concrete follow-up calendar.
The notable change is that model capability and vulnerability operations now sit in the same policy document. If frontier models can find and exploit vulnerabilities more effectively, the government cannot treat that capability only as a threat to block. Critical infrastructure defense may need access to the same capability. That is why the order groups pre-release access, classified benchmarks, vulnerability clearinghouse functions, and patch distribution into one administrative timeline.
Builders do not need to resolve the political argument around the order before acting. The practical work is to watch what CISA, Treasury, NSA, and NIST publish over the next 30 to 60 days and map it to data submission, evaluation, logging, and patch workflows. The operational standard in AI security is shifting from "the model found a vulnerability" to "the finding was validated, prioritized, patched, and distributed through a process someone can audit."