A Tap on the Brakes?

US President Donald Trump’s new artificial intelligence (AI) and cybersecurity risk executive order (EO) signals a small but meaningful shift in his administration’s approach to technology regulation. The White House now acknowledges that government can play a role in promoting security. 

The EO aims to bolster federal cyber capacity and improve coordination of government and industry AI cybersecurity efforts. It also instructs the attorney general to prioritize enforcement of cybersecurity laws and creates a 30-day window in which AI companies may voluntarily submit their frontier models for pre-release review.

Three takeaways stand out.

• The administration’s AI regulation posture is moving away from an all gas-no brakes rhetoric. Two factors are at play here: the midterms and Mythos. Regarding the first, US public sentiment on AI is unfavorable. Recent polling shows nearly twice as many voters have negative views of AI than positive, and concern about AI in public life has increased since 2021. A MAGA faction, led by Steve Bannon, urged Trump to vet AI models and not allow “unelected elites to experiment on the public without safeguards or accountability". Regarding the second, Anthropic’s Claude Mythos preview in April exposed AI’s potential for finding cybersecurity vulnerabilities. Mythos was a wake-up call to review models and bolster cybersecurity capabilities.
• The EO is far from an AI regulatory U-turn. It begins, “the United States continues to lead the world in Artificial Intelligence … because we refuse to stifle this innovation with overly burdensome regulation” and makes explicit that “nothing in this section [“Secure Frontier Model Deployment”] shall be construed to authorize the creation of a mandatory [requirement]”. Trump postponed the signing of an earlier draft because he “[didn’t] want to do anything that’s going to get in the way of” the United States’ global AI leadership. The final draft shortened the model review period from 90 days after pushback from AI companies. The EO still falls far short of the EU’s AI Act, which requires model evaluations for advanced AI.
• The order includes steps in the right direction for promoting AI security, but its impact hinges on industry cooperation and bolstered federal capacity. The directive stipulates the development of a cyber capability benchmarking process and of thresholds to determine covered frontier models. Both will provide clarity and consistency on risk assessment. Improved coordination of cross-government AI cybersecurity efforts and strengthening the cybersecurity of critical infrastructure will address key gaps in cyber resilience.

Participation in the pre-deployment model testing is voluntary, and the results will be classified, leaving much of the EO’s effect in the hands of frontier model developers. Staff capacity and expertise in relevant government agencies may be another barrier to impact, especially given the short review period. The Cybersecurity and Infrastructure Security Agency under the Trump administration has 2,200 staff, down from 3,400, and the Center for AI Standards and Innovation has only between 20 and 30 full-time employees. The attrition in both will not be countered by the EO’s stipulation to expand the number of cybersecurity experts, reportedly by 800, in a newly created Tech Force.

The EO may be an important step toward addressing AI risks and cybersecurity resilience, but only if the obstacles to its effectiveness are overcome.

The views expressed herein are those solely of the author(s). GMF as an institution does not take positions.