The IT Nerd

In a policy shift, President Trump today signed an executive order asking technology companies to give the government access to frontier artificial intelligence models for 30 days before they’re released to the public. The EO also contained specific actions for the Department of War, Homeland Security, CISA, OMB, Director of Cybersecurity through the NSA.

Doc McConnell, Head of Policy and Compliance, Finite State (https://finitestate.io/)  

(former CISA Branch Chief; former Senior Advisor for Cybersecurity Policy, U.S. Office of Management and Budget, Executive Office of the President):

“This EO acknowledges the central role that frontier models will play in critical infrastructure cybersecurity, but it reinforces the approach that we’ve seen so far from AI labs: limiting access to the most capable tools to a small group of companies and government agencies, while excluding most cybersecurity practitioners. Meanwhile, malicious actors are finding new ways to leverage available AI tooling to accelerate and enhance their attacks.

“The cybersecurity community is strongest when it works together — transparently identifying, managing, and discussing the risks that affect all technology users. The path to stronger cybersecurity is more information sharing, not less. Classified benchmarking, nondisclosure requirements, and early access pilots will delay getting these models into the hands of the cyber defenders who can put them to use today.

“I encourage the federal government and the frontier labs to expand their outreach to the broader community. Better cybersecurity requires more transparency, more information-sharing, and more robust partnerships.”

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs (https://suzulabs.com/home-suzu-labs ):

“The tension here is hard to ignore. The administration is asking for greater federal oversight of frontier AI models because of cybersecurity and national security concerns, while also proposing significant reductions to CISA, the nation’s lead civilian cyber defense agency. That creates a capacity question. Expanding the government’s role in AI security oversight while reducing resources available for cyber defense and risk management sends mixed signals about how these risks should be addressed.

“That tension becomes even sharper when viewed through the Anthropic and Mythos lens. Mythos appears to be one of the core catalysts for this shift, given its reported ability to assist with vulnerability discovery and cyber operations at a level that has raised concern across government and industry. At the same time, the Department of War has separately designated Anthropic as a supply chain risk to national security. So the government is, in effect, responding to the risk demonstrated by Anthropic’s frontier AI capability while also treating Anthropic itself as part of the supply chain risk conversation.

“That is the policy contradiction enterprises should watch. If the U.S. wants more oversight of advanced AI because these systems can materially change the cyber threat landscape, that oversight needs to be matched with durable cyber capacity, clear governance, and trusted public-private coordination. Cutting CISA while expanding AI security review risks creating a framework that is ambitious on paper but thin operationally. The FY2027 proposal reportedly includes a $707 million reduction to CISA, roughly 30% of its FY2025 budget.

“The concern is not regulation itself. The concern is whether regulation is being paired with the operational capability needed to make it effective. If U.S. companies face additional review requirements while foreign and open-weight models continue to move quickly, organizations may increasingly look elsewhere to maintain speed, cost efficiency, and competitive advantage.

“DeepSeek demonstrated how quickly that shift can happen. In a matter of weeks, it became one of the most downloaded AI applications in the United States and challenged assumptions about the cost and resources required to build advanced AI systems. The lesson is that capable alternatives already exist, and users are willing to adopt them when they provide sufficient value.

“The challenge for policymakers will be finding the right balance between security, innovation, and competitiveness. Effective oversight can improve trust and resilience, but if domestic AI becomes meaningfully harder to develop or deploy than foreign alternatives, the result may be to push adoption toward less transparent and less governable platforms rather than reducing risk overall.”

The real test will be if the executive order holds up to real and sustained scrutiny. We will wait and see on that front.

UPDATE: We have additional commentary start with Justin Beals, CEO & Founder, Strike Graph

“The administration is right that overregulation can stifle American AI competitiveness—we’ve seen firsthand how fragmented, unpredictable compliance requirements slow innovation and create unnecessary burden for organizations trying to build responsibly. But removing guardrails without replacing them with clear, enforceable standards doesn’t reduce risk; it just redistributes it onto the companies and consumers that end up holding the bag when something goes wrong.

What the industry actually needs isn’t less governance—it’s smarter governance. Our own research found that 68% of compliance leaders say predictability in government policy is extremely important to them. Constant whiplash between administrations doesn’t give businesses the certainty they need to build AI programs that are both innovative and secure.

The real test of this executive order will be whether it accelerates a coherent federal framework or creates a vacuum that bad actors exploit. If the goal is American AI leadership, that leadership has to be built on trust—and trust requires proof, not just permission.”

Dale Hoak, CISO, RegScale

“This executive order acknowledges something the security community has been warning about for months: frontier AI models are no longer theoretical business tools — they are becoming operational cyber capabilities. Models capable of discovering vulnerabilities, automating reconnaissance, writing exploit code, and accelerating offensive operations fundamentally change the threat landscape.

The reality is that voluntary testing alone will not solve the problem. Most organizations are already deploying AI faster than they can govern it. Security teams are struggling to maintain visibility into where AI is being used, what models are connected to sensitive data, and whether those systems are introducing new attack paths into the enterprise. AI governance cannot become another annual compliance checklist or point-in-time certification exercise—organizations need continuous monitoring, continuous validation, and automated assurance the same way they manage cloud infrastructure, identity, or endpoint security today.”

John Skinner, CEO, iCOUNTER

“This executive order acknowledges that frontier AI models are now part of the national security landscape. The concern is not simply what a model can generate, but how those capabilities could be operationalized by adversaries at scale. The key challenge moving forward will be ensuring that intelligence gathered through these evaluations translates into actionable risk mitigation—enabling both government and industry to counter emerging threats before they are widely weaponized.”

UPDATE #2: More comments. First from Josh Picolet, VP of Detection and Analysis, Team Cymru:

     “The cybersecurity implications of frontier AI models extend beyond the models themselves and into the infrastructure, ecosystems, and actors that will leverage them. Whether these systems are used for defense, vulnerability research, or offensive operations, defenders need visibility into the infrastructure supporting their deployment and abuse, which may result in continued logging visibility gaps plaguing defenders. The value of any evaluation framework will ultimately depend on how effectively it connects model capabilities to real-world threat intelligence. Understanding who is operationalizing these technologies, and how they are being deployed in the wild, will be critical to staying ahead of emerging threats.”

Gidi Cohen, CEO, Bonfy:

     “The executive order signed today reflects something the security community has understood for a while: frontier AI models are no longer just productivity tools. They are infrastructure with national security implications.

The order’s focus on benchmarking “advanced cyber capabilities” before release is a meaningful signal. But benchmarking a model in a controlled pre-release window is very different from governing what that model does once it’s running inside enterprise workflows at scale. The hard problem isn’t what a model can do in isolation. It’s what it does with real data, in real organizational contexts, on behalf of real users — often without anyone watching.

Governments and enterprises are grappling with the same underlying challenge: AI systems that were evaluated as safe at the configuration level can still behave in ways that violate policy, expose sensitive data, or act outside of business intent once deployed. That gap (between what a system is approved to do and what it actually does in production) is where the real risk lives.

Early access and capability benchmarking are a start. But the governance conversation needs to extend past the release gate and into runtime. Because that’s where AI meets data, and where policy either holds or it doesn’t.”

UPDATE #3: Rohit Dhamankar, VP of M&A and AI Strategy at Fortra adds this:

“Trump’s AI executive order signed today is more significant than the headlines suggest — and more honest than most policy in this space.The voluntary framing is intentional. Companies aren’t forced to hand over their models. The government gets a look, not a veto. Smart. Mandatory pre-clearance would have killed the order before the ink dried.The real motivation? When a frontier AI model starts finding decades-old software vulnerabilities at scale, Washington stops theorising about risk and starts writing orders. That’s what happened here.

30 days is a start. It was 90 days in the original draft — walked back, presumably to keep industry at the table. But let’s be clear: 30 days to test a frontier model against the software running your banks, hospitals and power grids is not a security programme. It’s a gesture toward one.

What’s actually needed is a permanent government lab — running the latest models continuously against critical infrastructure, finding vulnerabilities, patching them before adversaries get there first. Not a one-time pre-release review. A living, breathing capability that keeps pace with the models.

The order nods in that direction with an AI cybersecurity clearinghouse. Whether that becomes the real thing or a well-named filing cabinet depends entirely on execution.

I hope the lab is already being built. Because the models are not waiting for the bureaucracy to catch up — and neither are the adversaries watching this from the outside.”

UPDATE #4: Yagub Rahimov,CEO, Polygraf AI adds this:

     “This is not a SaaS rally. We are seeing real utility, real empowerment and that cuts both ways. The very same model that is empowering American companies and our warfighters will also be empowering the adversaries who are exploiting American technology to attack American interests. This is not speculation. This is the operational reality we are living in today in the “early” AI age.

Think about nuclear power. We all can agree about it being a transformative technology with clean energy, life-changing impact, a genuine leap for humanity. But the world collectively understood it very early on that you could not let it proliferate without constraint. Not because the technology was evil. Because the stakes demanded governance and control equal to its capability. With AI we are at that same inflection point.

Any technical expert, any cyber-aware thought leader with genuine national interest should support mandatory testing of high-impact models before public release. It is not just tech, we have moral and ethical obligations not just for ourselves but for our children and future generations.

But here is where I get to live up to my nickname “Mr. Paranoid”, and I think you should too.

Imagine a model passes a 90-day federal review. Clean bill of health, cleared for everyone. Then that model lands inside an enterprise environment where behavioral guardrails were never built. Then these agents are given rights to run against sensitive systems with no audit trail. Operators neither have clear visibility nor have they properly defined what a secure AI interaction should even look like at the workflow level. What do you think will happen next?

We cannot govern AI only at its origin point. We must govern it where it operates and what it operates on. I believe, the next executive action, and there will need to be one, must move downstream from model testing to deployment enforcement: inline, real-time behavioral controls that follow the model into production the same way a firewall follows network traffic. I believe this will come through within 12 months.

I also expect a significant wave of enterprises moving to airgapped, on-premise operations, partially or completely, precisely because they understand this gap and cannot wait for policy to close it. Compliance and security isn’t a checkbox anymore, it is the beginning and the end of everything.

Here is the final thing that keeps me up at night. Every infrastructure has gaps. Human security teams, constrained by resources and bandwidth, have missed and will miss some of them, guaranteed. But a fully automated model with massive computational power under a nation-state on a mission will not miss them. It will find every gap, systematically, at machine speed. The question is not whether those gaps get found. The question is who will find them first, a good actor or a bad one? And right now, my honest assessment is that bad actors are running faster in that race than we are prepared to admit.”