Trump Executive Order on Voluntary AI Safety Testing

Six weeks before the signing, Anthropic ran a closed preview of a system it calls Mythos for senior administration officials. The demo did not show a chatbot writing malware on request — it showed a model autonomously chaining its own exploits across every major operating system and browser, surfacing previously undocumented bugs including a 27-year-old flaw in OpenBSD ^[9]. According to reporting from CNBC and Axios, the audience that mattered most was Vice President Vance and Treasury Secretary Bessent, both of whom had until then treated AI safety regulation as a Biden-era political artifact ^[9][11]. Mythos collapsed that frame: a frontier lab had, in private, demonstrated that its system could function as an autonomous offensive cyber actor, and the labs themselves were openly worried about the implications.

That is the only context in which the rest of the order's strange shape makes sense. Trump had spent his first year in office tearing up Biden's mandatory red-teaming rules, scrapping the original signing of a heavier EO on May 21 because he feared regulation would 'get in the way' of the U.S. lead over China ^[3][12]. The June 2 order is the reconciliation: a voluntary framework that admits the cyber-offense problem Mythos surfaced is real, while still refusing to do anything that looks like the Biden regime. CFR's Matthew Ferren reads the EO as 'an attempt to engineer a cybersecurity window of opportunity' ^[2]— narrow, defensive, and built around the specific failure mode the April demo made undeniable rather than a general theory of AI risk.

The headline framing is that the order is voluntary, and the text goes out of its way to foreclose mandatory licensing: 'Nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement' ^[1]. White House officials underscored the point at signing — 'We are NOT conducting oversight of all new models, as that level of government overreach would have chilling effects on free speech and innovation' ^[3]. Industry got further concessions on the way: the 30-day pre-release window was negotiated down from a 90-day May draft, with OpenAI, Anthropic, and Google reportedly pushing for as little as 14 days ^[5][10].

But the architectural hinge of the order is not whether labs opt in. It is the classified threshold that decides which models qualify as 'covered frontier models' in the first place — a definition NSA, Treasury, and CISA must produce within 60 days, with the criteria themselves classified ^[1][13]. Once that threshold is set, NSA effectively picks the 'trusted partners' that sit inside the regime. Cato's Juan Londoño zeroes in on exactly this design choice, warning that the absence of public criteria 'gives the executive a great deal of discretion' ^[5]. In other words: opt-in is the public-facing layer, but the real lever — who gets classified in, who gets left out — never goes through Congress, never goes through notice-and-comment, and never even goes through an unclassified rule. That is the part of the EO doing the work.

The implementation question is uglier than the design question. The agency tapped to co-author the classified benchmark and help run Treasury's new clearinghouse is CISA — the same Cybersecurity and Infrastructure Security Agency that the administration cut by roughly a third over the course of 2025, with another $707 million reduction and up to 766 FTE eliminations on the table in the next budget ^[4][8]. DOGE-era separations across the federal workforce now exceed 270,000 ^[14]. Senator Mark Warner's framing is precise: the White House 'belatedly discovered the need to redo something it hastily dismantled in its first year' ^[4].

The Institute for Security and Technology's Nick Leiserson goes further, telling Cybersecurity Dive that 'neither AI nor cybersecurity are core competencies of the Treasury Department' and that 'the cuts the administration made to cybersecurity agencies are coming home to roost' ^[4]. The structural problem is not ideological but operational: a classified benchmarking process for frontier AI requires staff who can both read model weights and read CVEs, and that overlap is exactly the talent CISA has been bleeding. Treasury is being asked to spin up a clearinghouse in 30 days; agencies are supposed to deliver a working classified benchmark in 60. Unboxfuture's analysis warns the predictable failure mode is performative oversight — labs writing their own report cards because no one inside government has the bandwidth to grade them, with a 30-day window that is in any case 'too short for serious procurement/security review' ^[6].

The most telling thing about the opposition coalition is who is in it. Senate Democrats like Warner attack the order from the left for being toothless. The libertarian Cato Institute attacks it from the right because the classified threshold concentrates discretion in the executive. The Center for Democracy and Technology — civil-liberties posture — attacks it from the middle, with VP Policy Samir Jain warning that the EO 'should not become a mechanism for the Administration to punish companies for political or other arbitrary reasons' ^[5]. Former FTC Chief Technologist Neil Chilson, from a pro-market vantage point, lands in the same place: the framework 'could be used to pick winners and losers, or to give short-term national security concerns excessive weight' ^[5]. The convergence is not on whether frontier AI needs governance — it is on the specific risk that classified criteria plus NSA-chosen partners equals unaccountable executive discretion.

The community reaction maps onto the same fault line. On X, White House AI and Crypto Czar David Sacks framed the EO as a pro-innovation win while California Governor Gavin Newsom conceded the administration had pivoted on AI safety but argued the order falls short. The most analytically sharp Reddit conversation surfaced in r/LocalLLaMA, where the dominant frame was regulatory capture — the argument that voluntary frameworks co-designed with the three largest labs are how capture gets built. AI Business's analysis of the model-exclusivity angle reinforces the open-source community's worry: government early access to frontier cyber capabilities risks tipping the defender-vs-attacker balance if those benchmarks ever leak, while smaller labs and open-weights projects are simply outside the room where the threshold gets drawn ^[7]. That alignment — Cato, CDT, Senate Democrats, and the open-source AI community arriving at the same critique from different directions — is the strongest signal that the EO's design problem is not partisan but structural.