Trump Executive Order on AI and Cybersecurity: A Voluntary Framework for Frontier Models

Key Takeaways

On June 2, 2026, President Trump signed an Executive Order titled “Promoting Advanced Artificial Intelligence Innovation and Security,” integrating AI into federal cybersecurity while keeping the federal regulatory touch deliberately light.
The Order sets 30- and 60-day deadlines for CISA, the Treasury Department, and the NSA to harden federal and critical-infrastructure systems and to stand up an AI cybersecurity clearinghouse.
It establishes a voluntary framework under which developers of “covered frontier models” may give the government early access before release—expressly creating no mandatory licensing, pre-clearance, or permitting requirement.
It directs the Attorney General to prioritize prosecution of AI-enabled crimes under existing federal statutes.
The Order imposes no direct obligations on private companies, but AI developers, critical-infrastructure operators, and businesses deploying AI agents should track the agency guidance due within 30 to 60 days.

On June 2, 2026, President Donald J. Trump signed an Executive Order directing federal agencies to integrate artificial intelligence into the nation’s cybersecurity infrastructure. The Order instructs CISA, the NSA, and the Treasury Department to harden federal systems with AI-enabled tools, establishes a voluntary framework for engaging with the most advanced AI models before their release, and directs the Attorney General to prioritize prosecution of crimes committed using AI. It applies directly to the federal government, but its design — minimally burdensome and built on voluntary collaboration with industry — signals how the administration intends to balance AI innovation against emerging cyber risk.

Modernizing federal and critical-infrastructure systems. Within 30 days, CISA must issue Binding Operational Directives to strengthen the cyber defense of civilian federal systems and expand AI-enabled defensive tools, and must facilitate access to those tools for state and local authorities and critical-infrastructure operators such as rural hospitals, community banks, and local utilities. Also within 30 days, the Treasury Department must establish an AI Cybersecurity Clearinghouse — a voluntary, industry-collaborative hub for scanning, validating, and remediating software vulnerabilities. The Order further directs the Office of Management and Budget to assess whether federal grant funds are available for advanced AI vulnerability detection and expands federal hiring pathways for cybersecurity specialists.

A voluntary framework for frontier models. Within 60 days, the Treasury Department, the NSA, and CISA must develop a classified benchmarking process to assess the advanced cyber capabilities of AI models and set the threshold at which a model is designated a “covered frontier model.” Under the resulting voluntary framework, developers may give the government access to a covered model for up to 30 days before releasing it to trusted partners. The Order is explicit that it creates no mandatory licensing, pre-clearance, or permitting requirement for developing or releasing AI models, including frontier models.

Notably, the Order leaves “covered frontier model” undefined, deferring the threshold to the classified benchmarking process. Recent state legislation offers a reference point for where that line may fall: California’s Transparency in Frontier Artificial Intelligence Act, New York’s RAISE Act, and Illinois’s SB 315 each define a frontier model by training compute above 10^26 operations, and the EU AI Act treats general-purpose models trained above 10^25 FLOPs as posing systemic risk. The federal threshold will turn on cyber capability rather than raw compute, but these benchmarks frame the universe of models likely to be implicated.

Criminal enforcement priority. The Order directs the Attorney General to prioritize prosecution of anyone who uses AI to illegally access or damage computer systems, or who employs AI agents to unlawfully access data for a criminal purpose, under existing federal statutes — specifically 18 U.S.C. § 1028 (identity fraud), 18 U.S.C. § 1030 (the Computer Fraud and Abuse Act), and 18 U.S.C. § 1343 (wire fraud), among others. It creates no new causes of action and no new penalties; it directs prosecutorial priority toward conduct that is already unlawful.

The Order imposes no direct obligations on private companies, and it leaves most of the terms that will determine its practical impact to be defined in the coming weeks. For now, the near-term posture for most organizations is to monitor the agency guidance expected within 30 to 60 days. Several considerations warrant attention as the framework takes shape:

The Order reflects the administration’s stated preference for a lean framework: it leans on voluntary collaboration rather than mandates, and it prioritizes enforcement of existing law over new regulation. The substance, however, will be written in the guidance and benchmarking that agencies produce over the next two months. Companies developing, deploying, or relying on advanced AI should follow those developments closely as the framework moves from directive to detail.

Across the Bridge

‍
The Executive Order explicitly includes rural hospitals, community banks, and local utilities among the entities that CISA must support with AI-enabled cybersecurity tools. Puerto Rico has all three in abundance, and they operate under the same federal regulatory frameworks as their mainland counterparts. Puerto Rico-based organizations advising or operating in these sectors should begin assessing their AI readiness now, both as potential beneficiaries of federal cybersecurity resources and as entities that will increasingly be expected to demonstrate AI governance maturity in regulatory and procurement contexts.