
Federal Executive Order Outlines Voluntary Frontier AI Evaluation and Cybersecurity Mandates

A new executive order establishes a voluntary early-access framework for frontier AI models and directs federal agencies to support civilian and national security cybersecurity programs. For security practitioners, the directive signals an upcoming influx of vulnerability data and emphasizes the need to reinforce defensive fundamentals and integrate AI tools into existing workflows.

Triage Security Media Team

A new executive order directs federal agencies to strengthen cybersecurity infrastructure and establishes a voluntary framework to evaluate frontier AI models, such as Anthropic's Claude Mythos, prior to public release.

The directive follows several structural shifts within the cybersecurity community under President Donald Trump's second term, including the closure of the Cyber Safety Review Board, staffing reductions at the Cybersecurity and Infrastructure Security Agency (CISA), budget reallocations, and the administration's withdrawal from the RSAC Conference.

The new order, "Promoting Advanced Artificial Intelligence Innovation and Security," outlines a formal approach to federal cyber defense and AI evaluation that could influence how private sector security teams operate. Section 2, "Upgrading American Systems for Advanced AI," directs the Committee on National Security Systems and Secretary of Defense Pete Hegseth to prioritize the cyber defense of National Security Systems within 30 days.

Furthermore, the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), the Assistant to the President for National Security Affairs, and the National Cyber Director are instructed to expedite the cyber defense of civilian federal government information systems. This includes establishing or expanding federal programs to deploy AI-enabled defensive tools.

The executive order also supports access to cybersecurity tools and services—including covered frontier models—for state and local authorities, as well as critical infrastructure operators such as community banks, rural hospitals, and local utilities.

Rob T. Lee, chief AI officer at SANS Institute, described the promised government investment in cybersecurity and critical infrastructure as "a genuine public good." He noted that the success of these initiatives will depend heavily on implementation. "Implementation means collaboration between the agencies who will build the work with the private sector instead of handing it down," Lee said.

To support these efforts, the executive order mandates that the OMB create new placement pathways for cybersecurity specialists in the federal government within 60 days.

Devin Maguire, senior manager of product marketing at Cycode, observed that the executive order serves as a clear signal of the government's recognition of the cyber capabilities associated with frontier AI models, as well as the immediate risks they present to organizational security.

Voluntary framework for early AI access

The order establishes a voluntary framework allowing AI developers to provide the federal government with secure early access to covered frontier models. These models will be evaluated against a new set of classified standards developed under the order. Participation is optional; companies are not required to obtain government pre-approval before releasing frontier models to the public.

Tonya Ugoretz, leader of the PwC Cyber & Privacy Innovation Institute and a former FBI official, noted that the voluntary review process gives developers an opportunity to identify security concerns prior to release and help shape future AI deployment standards.

"There is also a practical consideration: companies want predictable relationships with policymakers and regulators, particularly in a rapidly evolving area like frontier AI," Ugoretz said. "While the framework is voluntary, I expect there will be strong incentives for companies operating at the leading edge of model development to participate. Not doing so could increase calls for mandatory regulation."

Peter Girnus, senior threat researcher at Trend Micro's Zero Day Initiative, noted in a thread posted to X that while early access is technically optional, companies evaluating participation are simultaneously bidding on federal contracts and managing long-term relationships with intelligence agencies, which creates a strong practical incentive to volunteer.

The government will also establish an AI Cybersecurity Clearinghouse. This central hub will coordinate information sharing regarding AI-related vulnerability remediation and assist in addressing software vulnerabilities at scale.

These developments occur shortly after Anthropic released Claude Mythos, a large language model capable of identifying critical vulnerabilities and generating security testing inputs with minimal prompt engineering. In March, the Department of Defense designated Anthropic as a supply chain risk to national security.

The executive order also directs the attorney general to prioritize enforcement against individuals who utilize AI to access or damage computer systems without authorization, or who use AI to further unlawful access.

Daniel Kroese, vice president of public policy and government affairs at Palo Alto Networks, stated that the executive order "will marshal much-needed system hardening against the threat of adversarial use of advanced AI."

Guidance for security practitioners

While most private organizations will not receive early access to frontier capabilities through the government program, Ugoretz noted that they will ultimately benefit from the process.

"The challenge will be security teams' capacity to absorb and act on the anticipated stream of vulnerability information and patches the new government clearinghouse is directed to distribute," she explained. "These teams shouldn't wait for the spigot to turn on. They should act now to reinforce cybersecurity fundamentals, integrate AI risk into existing governance processes, turn AI tools inward for defensive scanning, and build capacity to respond quickly to discovered vulnerabilities."

Lee emphasized that the executive order supports ongoing work within the security community but does not replace internal security programs. The immediate operational impact will depend on an organization's access tier to these AI models.

"If you end up a trusted partner, you get coordinated patches early. If you don't, you plan for the public-disclosure pace, which, in practice, means patches arriving in clusters across several vendors at once," Lee said. He noted that the primary constraint for teams is now verification and deployment capacity, rather than vulnerability discovery.

"The baseline work is the same as it was the week the Mythos paper came out: point AI agents at your own code, put AI tooling into your defensive workflows, harden the fundamentals, speed up procurement for defensive tech, and rewrite incident response playbooks for the day that several critical patches land on the same morning."