New Executive Order Marks a Shift Toward Hands-On AI Oversight

Major Questions: An Administrative Law and Regulatory Blog

By Eun Young Choi Alexis C. Archer Aaron Sobel Sam Callahan Bonnie E. Devany

On June 2, 2026, President Trump signed an Executive Order entitled Promoting Advanced Artificial Intelligence Innovation and Security (the EO) that marks his administration’s most significant step toward federal oversight of artificial intelligence — inserting the government directly into the frontier of the artificial intelligence (AI) development process. The EO directs agencies to establish a voluntary framework for developers to provide the government with pre-release access to those models, directs the hardening of government and critical infrastructure networks, and establishes AI-enabled cybercrime as a U.S. Department of Justice (DOJ) enforcement priority.

The new federal framework responds to the increasing cybersecurity risks posed by rapid advances in AI. Recent frontier models have made it possible to identify and operationalize software vulnerabilities at unprecedented speed — a capability that, in the wrong hands, could allow malicious actors to discover and exploit security flaws far faster than defenders can detect and patch them. And the problem is slated to get worse. Right now, the AI systems most capable of rapidly identifying and exploiting these vulnerabilities are available only to a small number of companies that have agreed to restrict how they are used. But as AI technology continues to advance, other systems will develop similar capabilities — and not all of them will be subject to the same restrictions. When that happens, the same tools that today help defenders find security flaws will be available to hackers, criminal organizations, and other threat actors as well. The new EO is an attempt to get ahead of that curve, both by giving the government early visibility into frontier AI capabilities and by hardening the systems most likely to be targeted. It comes against the backdrop of public reporting regarding efforts by the White House and industry to limit the availability of frontier AI systems capable of autonomously identifying high-severity cyber vulnerabilities to a restricted number of organizations.

The EO marks a notable departure for an administration that has otherwise taken a deregulatory, “innovation first” approach to AI. As we have written about previously, President Trump, early in his second term, revoked the Biden administration’s AI Executive Order and has consistently resisted proposals that could be viewed as potentially impeding AI innovation and development, as reflected in policy issuances such as the July 2025 America’s AI Action Plan and the December 2025 Executive Order entitled Ensuring a National Policy Framework for Artificial Intelligence. An earlier version of this latest EO was pulled on May 21 after the president reportedly raised concerns that the draft EO would hinder U.S. frontier AI companies in their competition with Chinese models. That earlier draft reportedly would have asked developers to share covered models with the government for up to 90 days before release; the signed version cut that window to 30 days. The signed version made some concessions to those concerns, but the core architecture — including classified government review of frontier models — survived intact.

The EO warrants close attention for organizations across the board — both for what it does and for what it signals about where federal AI policy is headed.

Mechanics of the Executive Order

The EO has three principal components: a cybersecurity directive aimed at hardening government networks and critical infrastructure (Section 2), a framework governing the “covered frontier models” (Section 3), and a directive to DOJ to prioritize criminal enforcement against AI-enabled cybercrime (Section 4). Sections 3 and 4 bear directly on AI developers and the companies whose cybersecurity depends on staying ahead of AI-enabled cyber threats.

Most significantly, Section 3 launches a government-run process to identify the most advanced AI models and, for the first time, insert the federal government into the development pipeline before those models reach the public. First, Section 3 directs a group of agencies — including U.S. Department of the Treasury (Treasury), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA), in consultation with senior White House officials and the National Institute of Standards and Technology — to establish, within 60 days, a classified benchmarking process to determine which AI models qualify as “covered frontier models.” The NSA will have final say over which models meet that threshold. Second, the EO directs those agencies to establish a “voluntary framework” under which developers of covered models would be able to engage the government to determine whether models under development qualify as “covered frontier models,” provide the government with access for up to 30 days before the planned release of those models to other trusted partners, and collaborate with the federal government to select the trusted partners that will receive early access ahead of launch.

The EO is careful to emphasize that this framework is voluntary: Section 3(c) states that nothing in the provision “shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models, including frontier models.” But the EO is also silent on what consequences, formal or otherwise, non-participation might carry — and that silence could leave room for agencies to develop incentives for participation.

Whereas Section 3 focuses on the development pipeline, Section 2 prioritizes the protection of federal systems. Within 30 days, the Committee on National Security Systems and the Secretary of War must take steps to prioritize the cyber defense of national security and Department of War systems. The Secretary of Homeland Security, through CISA, must issue binding operational directives or other guidance to expedite the cyber defense of civilian federal systems, support AI-enabled defensive tools, and facilitate access to cybersecurity tools and services for federal agencies, state and local authorities, and critical-infrastructure operators. The EO also directs the Secretary of the Treasury, in consultation with national security and cybersecurity officials, to form an AI cybersecurity clearinghouse. That clearinghouse is intended to coordinate software-vulnerability scanning, validation, remediation, and patch distribution in voluntary collaboration with the AI industry and operators of critical infrastructure. The Office of Management and Budget also must determine whether existing grant programs can support applicants developing advanced AI vulnerability-detection tools, and the Office of Personnel Management must expand cybersecurity hiring and placement pathways.

Section 4 then targets the threat actors themselves. It directs the Attorney General to prioritize enforcement of the Computer Fraud and Abuse Act (18 U.S.C. § 1030), wire fraud (18 U.S.C. § 1343), identity fraud (18 U.S.C. § 1028), and “all other applicable Federal criminal laws” against anyone who uses AI to illegally access or damage a computer without authorization, or who uses AI in the course of such illegal access to further any other crime. Section 4 does not create new criminal offenses, but it establishes AI-enabled cybercrime as a top DOJ enforcement priority.

Takeaways for Organizations

For AI developers, Section 3 creates a framework that will require careful evaluation, even though participation is voluntary. The 60-day window for creating a benchmarking process and voluntary framework means the details of these mechanisms are still being worked out and may be subject to interagency negotiation or influence from market participants. Moreover, many practical questions remain open during this window, such as how the Treasury-led clearinghouse will be reconciled with existing sector information-sharing bodies (such as FS-ISAC), or what liability, Freedom of Information Act, and privilege protections may apply if the Cybersecurity Information Sharing Act of 2015 — which lapsed in 2025 and is currently only reauthorized through September 30, 2026 — sunsets just as these frameworks are being established. Developers should also pay close attention to any incentive structures that agencies build around the voluntary framework, especially as standards developed through voluntary mechanisms may become benchmarks or requirements in future regulatory schemes or in the government procurement context.

For critical infrastructure operators, financial institutions, healthcare systems, and other organizations, the EO is designed to protect the cybersecurity provisions in Section 2, and enforcement priorities reflected in Section 4 are welcome but will take time to stand up. But the AI capabilities that prompted this EO are not waiting for Washington to settle its regulatory framework. Malicious actors are already using AI tools to discover and weaponize software vulnerabilities faster than most organizations can patch them. Organizations should assume that they are vulnerable to an increased cadence of AI-enabled cyberattacks, and should take concrete steps now to shore up their resilience — including, for instance, working to reduce their external attack surface; accelerating and automating the patching of internet-facing systems; hardening identity with phishing-resistant authentication and least-privilege, zero-trust controls; shifting from signature-based to behavior-based detection backed by strong logging; and maintaining tested, segmented backups, and rehearsed incident-response plans. And companies that become victims of AI-enabled intrusions and choose to report to law enforcement will hopefully benefit from heightened DOJ and Federal Bureau of Investigation resourcing and prioritization.

We will continue to monitor the release of this EO and any implementing guidance. For questions about this or related developments, please contact the authors or any member of Arnold & Porter’s interdisciplinary Artificial Intelligence team, or its White Collar Defense & Investigations and Privacy, Cybersecurity, and Data Strategy practice groups.

© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.