Trump Executive Order on AI: Voluntary Framework, Cybersecurity Focus, and Key Takeaways

On June 2, 2026, President Trump issued a new Executive Order (EO), "Promoting Advanced Artificial Intelligence Innovation and Security." The order arrives after the President's recent decision to postpone its signing. As foreshadowed in the leaked draft, the EO reflects the Trump Administration’s stated priority of advancing AI innovation while acknowledging that “advanced AI capabilities make our Nation stronger,” but also “introduce new national security considerations” that require coordinated action across government. Below we summarize the EO's key provisions, compare them to the Biden administration's broader AI framework, and draw out the practical implications for developers and critical infrastructure operators.

What Clients Need to Know

• The EO is narrowly focused on cybersecurity and national security. This marks a notable shift from the Biden administration's broad AI governance framework.
• No new mandatory obligations for AI developers. The frontier model framework is expressly voluntary and preclearance is prohibited.
• Designation thresholds for "covered frontier models" will be set through a classified NSA process. Developers will have little visibility into where that line falls.
• The AG is directed to prioritize enforcement of existing computer fraud laws against AI-enabled attacks. No new crimes created, but this is a noteworthy prosecutorial signal.
• Developers who opt into the voluntary framework should plan for a 30-day pre-release government access window.
• Critical infrastructure operators (hospitals, community banks, utilities) should track CISA Binding Operational Directives. These carry real compliance weight even if clearinghouse participation is voluntary.

Section 2: Upgrading American Systems for Advanced AI

Section 2 details the bulk of EO’s cybersecurity mandates. 

By July 2, 2026 (within 30 days):

• Cyber Defense Prioritization (Sec. 2(a)). The Committee on National Security Systems is directed to prioritize the cyber defense of National Security Systems^[1], taking “appropriate and expeditious action” consistent with the order's purpose. We note that this directive is open-ended, likely leaving implementation to the Committee's discretion.
• Department of War (Sec. 2(b)). The Secretary of War is similarly directed to prioritize cyber defense of Department of War information systems. As with Section 2(a), the order does not prescribe specific measures.
• CISA Directives (Sec. 2(c)). The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and in consultation with the OMB Director, the Assistant to the President for National Security Affairs, and the National Cyber Director, must release Binding Operational Directives^[2] and other guidance to:
  • (i) expedite and prioritize cyber defense of civilian federal information systems;
  • (ii) establish or expand federal programs and cybersecurity services that enhance AI-enabled defensive tools; and
  • (iii) facilitate access to cybersecurity tools and services, including, where appropriate, “covered frontier models,” for federal agencies, State and local authorities, and operators of critical infrastructure such as rural hospitals, community banks, and local utilities.
• AI Cybersecurity Clearinghouse (Sec. 2(d)). The Secretary of the Treasury, in consultation with the National Cyber Director, the NSA Director, and CISA, must form an AI cybersecurity clearinghouse. The clearinghouse will operate in voluntary collaboration with the AI industry and critical infrastructure operators. Its functions include coordinating and deconflicting software vulnerability scanning, discovering and validating vulnerabilities, and coordinating and prioritizing remediation and patch distribution. Notably, industry participation in the clearinghouse is voluntary.
• Federal Grant Funding Review (Sec. 2(e)). The OMB Director, in coordination with the National Cyber Director and CISA, must determine whether any federal grant programs have available and relevant funding that can be directed toward applicants developing advanced AI vulnerability detection tools.

By July 31, 2026 (within 60 days)

• Cybersecurity Workforce Expansion (Sec. 2(f)). The Director of the Office of Personnel Management must expand the U.S. Tech Force Information Cybersecurity Specialist hiring and placement pathways.

Section 3: Secure Frontier Model Deployment

Section 3 contains provisions that warrants close attention for AI developers. Namely, by July 31, 2026 (within 60 days), a multi-agency group led by the Secretary of the Treasury, the Secretary of War through the Director of NSA, and the Secretary of Homeland Security through the Director of CISA (in consultation with the White House Chief of Staff through the National Cyber Director, the Assistant to the President for Science and Technology (APST), and the Secretary of Commerce through the Director of the National Institute of Standards and Technology, and in coordination with other agencies, as appropriate) must:

• Classified Benchmarking Process (Sec. 3(a)). Develop and maintain a classified benchmarking process to assess AI models' advanced cyber capabilities and determine the threshold for "covered frontier model" designation. The Director of the NSA is empowered to make the designation determination, consulting with the National Cyber Director, APST, Director of CISA, and other Department of War representatives. Assessments may be shared with AI developers and researchers as appropriate.
  • Notably, the EO does not provide a definition for "covered frontier model"; instead, the threshold is determined by the classified benchmarking process itself which gives this multi-agency group significant discretion over scope.
• Voluntary Developer Framework (Sec. 3(b)). Design a voluntary framework enabling developers to:
  • Sec. 3(b)(i). Work with the government to determine whether a model under development meets "covered frontier model" designation.
  • Sec. 3(b)(ii). Grant the federal government access to covered frontier models for up to 30 days before release to trusted partners, subject to confidentiality, cybersecurity, insider-risk, and intellectual-property protection, use, and nondisclosure requirements.
    • Notably, this narrows the review window from the leaked draft’s 90-day period, limiting the government’s exclusive early access.
  • Sec. 3(b)(iii). Collaborate with the federal government to select trusted partners for early access, promoting secure innovation, and critical infrastructure cybersecurity.
• No Mandatory Licensing or Preclearance (Sec. 3(c)). The EO explicitly prohibits mandatory governmental licensing, preclearance, or permitting requirements for AI model development, publication, release, or distribution.

Section 4: Addressing Criminal Use of AI

Section 4 directs the AG to prioritize enforcement of existing federal criminal laws (specifically: 18 U.S.C. §§ 1028 (identity fraud), 1030 (computer fraud and unauthorized access), and 1343 (wire fraud)) against the use of AI to unlawfully access or damage computers, or to facilitate related criminal conduct. Notably, this section does not create new offenses but instead signals the Administration's prosecutorial priorities. The EO clarifies that this enforcement priority extends to breaches of public or private IT systems and the use of AI agents to unlawfully obtain data for criminal purposes.

Comparison to Biden Executive Order 14110

While both aimed at addressing AI cybersecurity and resilience, President Trump's EO diverges notably from President Biden's October 30, 2023 EO 14110, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence". The latter EO has since been rescinded; however, we believe following differences are noteworthy as they underscore a fundamental shift in regulatory approach. 

• Scope: Biden's EO sought to establish a comprehensive AI safety framework addressing risks across multiple domains (including AI safety and security, privacy, civil rights and algorithmic discrimination, worker protection, competition policy, and international AI governance). The Trump EO is considerably narrower, centered on cybersecurity and national security. For example, the AI cybersecurity clearinghouse under Sec. 2(d) is focused specifically on vulnerability scanning, validation, and patch coordination. This is a notable difference when compared to Biden's broad framework covering everything from healthcare and housing to civil rights enforcement and international standards development.
• AI Red-Teaming and Safety Testing: Biden's EO defined "AI red-teaming" as structured adversarial testing to find flaws and vulnerabilities in AI systems, directing NIST to issue guidelines for dual-use foundation model developers and requiring them to report red-team results to the federal government. The Trump EO contains no red-teaming or NIST testing mandate. Rather, its classified benchmarking process assesses cyber capability thresholds for model designation, a government-driven evaluation, not a developer testing obligation.
• Mandatory vs. Voluntary Developer Obligations: Biden's EO invoked the Defense Production Act to require developers of covered dual-use foundation models to provide ongoing information on training activities, model weights, security measures, and red-team results to the federal government. The Trump EO’s developer framework is expressly voluntary, with Section 3(c) explicitly foreclosing any reading of it as a mandatory preclearance regime.

Implications and Key Takeaways

For AI developers, this EO continues to impose no new affirmative obligations under the current framework. However, the implementation of this EO will be shaped by how the multi-agency group designs the framework under Section 3(b), and that process remains ongoing. We will continue to monitor implementation guidance and agency action as they develop. In the meantime, a few takeaways for our clients:

• No mandatory licensing or permitting. The EO forecloses any reading of Section 3 that would require preclearance or government approval before release. Participation in the covered frontier model framework, including the pre-release access window, is expressly voluntary, and developers are not required to engage with the government prior to releasing a model.
• Designation thresholds will not be publicly visible. The NSA will run a classified benchmarking process to determine thresholds, meaning developers will likely have no insight into where that line is drawn. Clients developing or deploying advanced AI models should monitor how the government communicates designation determinations and what engagement channels become available under the voluntary framework.
• Plan for the 30-day window now. Developers who opt into the voluntary framework under Section 3(b)(ii) need to build that window into their release timelines. The confidentiality, cybersecurity, insider-risk, and IP protections that attach to government access will need to be operationalized through the framework — and those details are not yet specified in the order itself.
• New government touchpoints for critical infrastructure operators. The AI cybersecurity clearinghouse (Sec. 2(d)) and CISA Binding Operational Directives (Sec. 2(c)) create fresh contact points between government and operators (specifically named: rural hospitals, community banks, and local utilities specifically named). Clearinghouse participation is voluntary, but the Binding Operational Directives carry compliance weight for civilian federal systems and may drive sector-specific guidance.