bloomberg.com web signal

Trump signs AI cybersecurity order with 90-day model review

regulation safety cybersecurity ai-regulation cybersecurity government

Key insights

  • The 90-day pre-release review is voluntary, giving the government advance access but no formal veto power over frontier model launches.
  • AI companies are being formally integrated into federal cyber information-sharing programs previously limited to traditional critical infrastructure sectors.
  • The directive targets Pentagon hardening, cyber hiring expansion, and protection for hospitals and banks, broadening AI policy beyond tech industry scope.

Why this matters

Frontier labs now face a concrete, if voluntary, government touchpoint before major releases, which will reshape internal release timelines and create new compliance functions inside AI companies that didn't exist six months ago. The inclusion of AI firms in federal information-sharing programs sets a structural precedent that could harden into mandatory participation under a future order or statute. For founders building on top of frontier models, any government-driven delay or modification to a pre-release model ripples directly into product roadmaps and customer commitments.

Summary

Trump is signing an executive order Thursday that pulls AI companies into the federal cybersecurity apparatus for the first time, pairing an overhaul of government information-sharing programs with a voluntary 90-day pre-release review window for frontier models. The order asks frontier labs to give federal agencies at least 90 days of advance access before any major model goes public. That window isn't a veto or mandatory approval gate, but it gives agencies time to assess national security implications before public release. Separately, the directive modernizes existing cyber threat information-sharing channels to formally include AI developers as participants alongside traditional critical infrastructure sectors. Essentially: (OpenAI, Anthropic, Google DeepMind) are being brought into a government review loop that previously didn't include them. - Pentagon security hardening and expanded cyber workforce hiring are named targets of the directive. - Hospitals and banks are called out specifically for infrastructure protection requirements. - Tech executives were invited to the signing ceremony, signaling the administration is treating this as a cooperative framework rather than a regulatory crackdown. The order stops short of mandatory federal model approval, which means its real teeth depend entirely on whether labs treat the 90-day window as a genuine obligation or a soft suggestion.

Potential risks and opportunities

Risks

  • Frontier labs (Anthropic, OpenAI, Google DeepMind) that treat the 90-day window as optional could face retroactive mandatory requirements if a future Congress legislates the framework into law with teeth.
  • Hospital and bank infrastructure operators named in the directive face near-term audit pressure from regulators who may interpret the order as triggering existing sector-specific compliance obligations.
  • If a frontier model released without the voluntary review is later linked to a security incident, the lab faces significant reputational and potentially legal exposure from having bypassed a government-invited process.

Opportunities

  • Federal cybersecurity contractors (Booz Allen Hamilton, Leidos, SAIC) are positioned to capture new contracts as agencies build out the internal capacity needed to actually review frontier models during the 90-day window.
  • AI red-teaming and model evaluation firms (Scale AI, Conjecture, ARC Evals) gain direct leverage as the likely third-party evaluators agencies will rely on to assess pre-release models under time pressure.
  • Cyber workforce expansion mandated by the directive opens a near-term hiring and training market for AI-security upskilling platforms targeting federal employees and contractors.

What we don't know yet

  • Which agencies receive the 90-day pre-release access and what specific criteria or personnel conduct the review is not defined in current reporting.
  • Whether the voluntary 90-day window applies to fine-tuned variants and API-released capability updates, or only to full frontier model releases, remains unspecified.
  • No enforcement mechanism or consequence for labs that skip the voluntary review has been publicly detailed, leaving compliance incentives unclear.

Originally reported by bloomberg.com

Read the original article →

Original headline: Trump Set to Sign AI Cybersecurity Directive Thursday, Combining Info-Sharing Overhaul With Voluntary 90-Day Frontier Model Pre-Release Review