AI Law and Policy Navigator

Oversight by Invitation: Trump's AI Security Order Returns, Sixty Days Lighter

By Jason M. Loring, Andrew R. Lee, Michelle Ramsden, Graham H. Ryan
June 3, 2026

Last week we wrote about an executive order that, borrowing the line two podcast hosts had used for the administration's permissive posture toward frontier-model risk, did not survive contact with reality. The collision they predicted arrived, but the order did not. The President scrubbed the signing ceremony by phone in the hours before it was scheduled, explaining the next morning that an order of that kind "gets in the way" of leading China.

In a mild twist, the order ended up surviving after all. On June 2, 2026, the President signed Promoting Advanced Artificial Intelligence Innovation and Security, a document that tracks the withdrawn May draft in all material respects. The one change that matters is arithmetic. The pre-release window during which frontier developers were voluntarily asked to let the government have a look at their most capable models has been cut from up to ninety days to up to thirty. The disagreement that nearly killed the order was not resolved so much as papered over, and the difference was carved out of the provision that asked the most of the industry.

What the Order Does

The stated policy is to "modernize government and private sector information systems and harden them against external threats," protect American intellectual property "from exploitation and theft by adversaries," and "cultivate America's advanced AI-enabled capabilities," all in service of an "America First cybersecurity effort that enhances both our national security and our global AI dominance." The framing is familiar: the United States leads in AI, the order says, "because we refuse to stifle this innovation with overly burdensome regulation."

The mechanics follow in four parts. Section 2 directs the Committee on National Security Systems and the Department of War to prioritize the cyber defense of their own systems within thirty days, and tasks the Department of Homeland Security and CISA with issuing binding operational directives, standing up AI-enabled defensive programs, and pushing cybersecurity tools out to state and local operators of critical infrastructure. It also creates an “AI cybersecurity clearinghouse” (led, somewhat unexpectedly, by the Treasury Department) to coordinate vulnerability scanning, validation, and patch distribution in "voluntary collaboration" with the AI industry and infrastructure operators.

Section 3 is the heart of the order. Within sixty days, the government is to build a classified benchmarking process to measure models' advanced cyber capabilities and set the threshold at which a system becomes a "covered frontier model," which is a designation the National Security Agency will make. Alongside it sits a voluntary framework under which developers (1) help the government decide whether a model under development crosses that threshold, and (2) grant the government access to covered models for up to thirty days before they are released “to other trusted partners,” wrapped in confidentiality, insider-risk, and IP protections. The order is then careful to disclaim what it is not. Nothing in it authorizes "a mandatory governmental licensing, preclearance, or permitting requirement." Officials had earlier floated an “FDA for AI,” which the text of the revived order all but forecloses.

Section 4 is the part with real teeth. The Attorney General is directed to prioritize enforcement of 18 U.S.C. §§ 1028, 1030, and 1343 (identity fraud, the Computer Fraud and Abuse Act, and wire fraud) against anyone who uses AI to access or damage computers without authorization, "including employing AI agents to unlawfully access data or information that is subsequently used for a criminal or unlawful purpose." It is the only provision that runs outward, toward private conduct, rather than inward toward agency tasking. And it is pointed squarely at agentic misuse.

The Shape of Oversight, Without the Obligation

Everything consequential in the frontier-model section runs on the developers' consent. The government will define the threshold, designate the covered models, and review them before release, but only after the labs help it draw the line, and only if they choose to open the window. It is a governance architecture in which the regulated party conditions the regulator's field of view on its own willingness to be seen.

That arrangement collides with a structural fact about frontier systems: the government cannot assess what it cannot see, and a model's most dangerous capabilities are visible, in the first instance, only to the lab that built it. A voluntary access window converts that opacity into observability only to the extent the developers decide to open it, and only for the thirty days they are now asked to, rather than the ninety the May draft contemplated. What the government receives, in practice, is episodic visibility into a subset of frontier models, but not continuous supervisory authority over how they are built or deployed.

We have written before about the distance between logging activity and exercising oversight, and between the record that proves a process ran and the supervision that would have caught it going wrong. A voluntary pre-release review framework sits squarely in that gap. It has the shape of oversight, featuring a benchmarking methodology, a designation authority, a clearinghouse and an access window. What it lacks is the feature that, in ordinary regulatory settings, separates oversight from observation: the ability to say no.

The ninety-to-thirty compression is a tell. If the review window were performing meaningful safety work, cutting it by two-thirds would be a real concession of that work. The administration made the cut precisely because the window was understood (particularly by the people who objected to it) as a tax on competitiveness rather than a safeguard. Governance by phone call, as Lawfare aptly titled its analysis, describes not only how the order nearly died in May, but how the framework it creates is built to operate (that is, through relationships and goodwill rather than enforceable obligation). The coverage question runs deeper still. The window is keyed to release “to other trusted partners,” not to public release, and “trusted partners” is an undefined category, so the developer retains substantial control over when, or whether, the clock starts. And the developers most likely to volunteer are those who already run internal safety evaluations, making the window largely duplicative where it functions.

The Anthropic Dimension

There is an irony worth naming. The lab that supplied much of the pressure behind this order is also its most prominent supporter. Anthropic's Mythos model is capable enough at finding and exploiting software vulnerabilities that the company withheld it from general release, not by locking it away but by distributing it through a controlled program, Project Glasswing, whose membership it sets and screens. On the very day the President signed the order, Anthropic expanded that program to roughly 150 new organizations across more than fifteen countries. And within hours of the signing, the company called the order "an important step" and pledged to help implement it.

The endorsement is rational, of course. A voluntary framework, designed in consultation with the labs and free of licensing or penalties, is about the most accommodating posture a safety-conscious developer could hope for from an administration otherwise committed to deregulation. The federal framework, in effect, codifies an arrangement the industry had already built for itself: voluntary access, on terms the developer sets, on a schedule the developer controls. It is also, as that same company's safety advocates have long argued in other contexts, an open question whether voluntary commitments survive the moment they become inconvenient. And because the framework runs on consent, it will tend to attract the developers whose internal governance already contemplates pre-release evaluation, while saying comparatively little about the actors competing on speed rather than assurance (the ones least likely to volunteer).

The relationship underneath the handshake is also more ambivalent than the mutual enthusiasm suggests. This is the same Anthropic the Pentagon designated a "supply-chain risk" in February (a standoff we have covered in this blog) after the company declined to relax its restrictions on mass surveillance and autonomous weapons, even as the government kept using its model. The collaboration this order envisions is being built on a foundation that is, at best, unsettled.

What It Means for Your Organization

For organizations deploying frontier-derived systems, the order changes the federal posture without redrawing the compliance map. There is now a federal cybersecurity framework. But at the frontier, it is voluntary, and it is aimed at the developers of covered models, not at the enterprises that license and deploy them. For most deployers, it imposes no new obligations.

The exception is Section 4, the order's only outward-facing mandate, and its reach is worth sitting with. The enforcement priority expressly contemplates "AI agents" used to access systems or data unlawfully, which means the order's sharpest edge points at agentic misuse, a theme we have returned to repeatedly. Organizations building or running agentic systems should read Section 4 as a signal of where federal criminal exposure is consolidating: around the CFAA and the wire-fraud statute, where the line between authorized and unauthorized access is already contested, and where an autonomous agent acting at machine speed does not make that line any clearer.

The exposure is not limited to deliberate misuse. An autonomous agent that exceeds its authorization profile, calling a third-party API beyond its license or reaching data it was never scoped to touch, can wander into the same statutory territory at machine speed and without anyone intending it. Criminal liability under the CFAA still turns on intent, and the Supreme Court's decision in Van Buren narrowed what "exceeds authorized access" means, so genuinely inadvertent drift is unlikely to land as a federal prosecution. But an enforcement priority aimed squarely at agentic access raises the stakes of how precisely an agent's permissions are scoped, logged, and bounded, and it turns the authorization boundary from an engineering detail into a compliance artifact.

The governance vacuum we described last week has not closed. State law remains the most binding instrument in force and, unlike the federal framework, it does not condition its obligations on developer consent. California's SB 53 is the most developed of these regimes, and a collaborative, voluntary federal cybersecurity order does little to preempt or displace it. (The administration's separate campaign against state AI laws, which we covered in November, proceeds on its own track.) Counsel building compliance frameworks should not mistake a federal cybersecurity order for federal AI regulation. It is not one.

The Question, Partly Answered

The question we left open last week was whether the United States had concluded that maintaining strategic advantage matters more than building governance institutions before frontier systems become too embedded to constrain. The June 2 order is a partial answer. The institutions are, in fact, being built, including a clearinghouse, a benchmarking process, and a designation authority. But they are being built as an invitation rather than an obligation, and that is its own kind of answer. An invitation works only so long as the parties care to accept it. The order asks the most capable AI developers in the world to show the government their most dangerous models, for thirty days, because it would be good of them to. For now, they are saying yes. The framework's durability is a function of how long that remains true, and of what happens the first time the answer is no.


For questions about AI governance, frontier-model deployment risk and federal and state regulatory exposure, please contact the Jones Walker Privacy, Data Strategy and Artificial Intelligence team. And stay tuned for continued insights from the AI Law and Policy Navigator.
