While President Donald Trump’s June 2 executive order indicates that cybersecurity and AI models are increasingly intertwined, it shouldn’t prevent enterprises from performing their due diligence. Moreover, the order seemingly excludes some enterprises from accessing AI tools, while giving others early access.
Titled “Promoting Advanced Artificial Intelligence Innovation and Security,” the EO establishes a voluntary cybersecurity review framework, in which AI developers can grant the federal government and some trusted partners access to their models for security assessment 30 days before they deploy them. The order also tasks the Treasury Department with establishing an AI “cybersecurity clearinghouse” to collaborate with tech firms and infrastructure operators to spot, validate and patch software flaws that AI models find.
“The order is better understood as a cybersecurity preparedness measure than as an AI industrial strategy,” said Kashyap Kompella, CEO and founder of RPA2AI Research. He added that the government’s approach is to “preserve private sector speed while giving the government advance warning when frontier models may create serious cyber risks.”
A Move to Secure AI Models
The EO comes amid increasing concerns that AI models are becoming so powerful that cybersecurity teams will not be able to keep up with the threats posed by bad actors using AI to exploit security holes. The growing concerns come after Anthropic introduced Claude Mythos, an advanced LLM that it categorized as a model with agentic and autonomous cybersecurity capabilities that can process entire cyberattack chains and write code to exploit bugs. Following Anthropic's Mythos, OpenAI also introduced GPT-5.5-Cyber, along with a new initiative called Daybreak that is similar to Anthropic’s Project Glasswing; both plans are designed to limit cybersecurity damage.
“The order can improve trust and reduce the risks of major AI-enabled cyber incidents,” Kompella said.
The EO also gives model developers strong incentives to maintain relationships with Washington, D.C., he added.
“Public sector AI is a large opportunity, and cooperation on cybersecurity and national security can become a useful market signal,” Kompella said. However, some vendors may choose to bypass the process, leaving the government with fewer tools to prevent the release of risky models. This means the government still must rely on other means to review these models, such as procurement rules, cybersecurity benchmarks, export controls, sectoral regulation, post-release enforcement, and reputational pressure.
Therefore, the EO “is better understood as an emerging oversight framework rather than a comprehensive AI regulatory regime,” Kompella added.
There is too much reliance on the companies to choose to adhere to these rules because the voluntary nature of the process “relies on technology corporations to be civically minded,” said James Cooper, professor at California Western School of Law.
“That’s a very tall order in the global AI race with such life-changing (good and bad) possibilities,” Cooper said. “Every legal system in order to be effective requires not just norms and rules, but also institutions to enforce those rules.”
Moreover, the 30-day review period is not sufficient, even though the government can identify cybersecurity risks and dangerous capability jumps during that window, Kompella said.
“Large AI buying decisions do not happen that quickly,” he said, adding that procurement, compliance, security review, and integration planning typically take much longer. “A 30-day review should therefore be seen as an initial risk assessment rather than full certification.”
Providing Access to a Select Few
Another challenge is that the EO only provides access to capable AI models such as Mythos to a few companies and government agencies, while still excluding most cybersecurity leaders, which is the wrong approach, said Doc McConnell, head of Policy and Compliance at Finite State, a cybersecurity and software supply chain risk vendor.
“The attempt to hold this information back to prevent our most powerful cyber defense tools is creating a barrier for people who are following the rules,” McConnell said. While cyber leaders are unable to access these defensive tools, bad actors will find ways to circumvent the controls and access the models that help them reach their ultimate targets.
“Whenever we have this type of asymmetry in the cybersecurity system … it tends to advantage the bad actors at the expense of cyber defenders,” McConnell said. He added that the AI tools and models should be made broadly available.
“[Cyber defenders] are already under attack,” McConnell continued. “They’re already experiencing that massive increase in the volume and sophistication of attacks, and we need to arm them with the right tools so that they can protect themselves and the data and the systems that they’re responsible for.”
A Possible Consensus
Therefore, he said that it is important for federal organizations and departments, such as the federal government’s Cybersecurity and Infrastructure Security Agency, to remember that it’s best when “they see their role as information sharing.” He added that the agencies work best when they collect information from a wide range of sources and use expert analysis to determine which information to pass along to other organizations as quickly as possible.
For other enterprises, it’s best to start incorporating the models already available in the market into their workflows, cybersecurity monitoring capabilities and operations now, McConnell said.
“They should be building AI into that to make sure that they’re responding as quickly and efficiently as possible,” he said.
Enterprises should also perform their own risk assessment, Kompella said. He said that enterprises still need their own security mechanisms and should make sure that AI tools and agents are deployed with clear access controls, logging and human approval for sensitive actions.
“A federal review should not be treated as a substitute for enterprise-specific risk assessment,” he said. “Enterprises remain responsible for how AI is procured, configured, monitored and governed inside their own environments.”

