TL;DR: Trump signed an AI executive order on June 2, 2026. Most mandatory requirements fall on federal agencies, not private companies. The order creates a voluntary 30-day pre-release model review and an AI cybersecurity clearinghouse. Federal contractors and frontier AI developers have the most to act on. For most compliance teams, the immediate task is reviewing your AI acceptable-use policy and confirming whether any of your contracts have AI-related federal nexus.
On June 2, 2026, President Trump signed an executive order titled "Promoting Advanced Artificial Intelligence Innovation and Security." The order was expected earlier but was delayed after an earlier draft - which gave the government up to 90 days to review frontier models before release - raised objections over innovation constraints. The final order cut that timeline to 30 days and made the review voluntary.
This piece covers what the order actually says, what is mandatory versus voluntary, who is affected, and what compliance teams should do in response.
What the order says
Three provisions make up the operational core of the June 2026 AI executive order.
Provision 1: Voluntary 30-day pre-release model review
Companies that develop frontier AI models - broadly, the most capable AI systems - are asked to submit those models to the federal government for review up to 30 days before public release. The government will test the models, primarily for cybersecurity and national security risks. The program is voluntary. The order explicitly rules out licensing requirements or mandatory permits for AI models.
The government plans to establish "trusted partners" from the AI industry who will gain early access to new models through this program. The framing is collaborative rather than regulatory: companies participate to stay ahead of security risks, not to satisfy a compliance gate.
Provision 2: AI cybersecurity clearinghouse
Within 30 days of the order, the Secretary of the Treasury (in consultation with other relevant agencies) must establish an AI cybersecurity clearinghouse. The clearinghouse will collect and share threat intelligence about AI-enabled attacks and vulnerabilities in AI systems across federal agencies and voluntary private-sector participants.
The clearinghouse is modeled on existing financial sector threat-sharing mechanisms. Participation for federal agencies is mandatory. Private companies can participate voluntarily.
Provision 3: AI cybersecurity benchmarks
Federal agencies must develop benchmarks to assess the cyber capabilities of AI models - both offensive (could this model assist attackers?) and defensive (how well can this model support security operations?). The benchmarks are meant to inform procurement decisions and the voluntary review program.
What is mandatory versus voluntary
The single most important thing to understand about this order is the mandatory/voluntary split.
| Requirement | Applies to | Mandatory or voluntary |
|---|---|---|
| 30-day pre-release model review | Frontier AI developers | Voluntary |
| AI cybersecurity clearinghouse participation | Federal agencies | Mandatory |
| AI cybersecurity clearinghouse participation | Private companies | Voluntary |
| AI cybersecurity benchmarks | Federal agencies | Mandatory |
| Trusted partner designation | AI companies that opt in | Voluntary |
| CFAA enforcement against AI-enabled attacks | All - this is existing law | Statutory (not new) |
Most of the order's mandatory provisions apply to the federal government itself, not to private companies. This is a deliberate choice that distinguishes it from the Biden 2023 order, which imposed mandatory reporting and testing requirements on AI developers above certain compute thresholds.
For a typical compliance team at a mid-size company, the order creates no new mandatory obligations - unless that company develops frontier AI models or holds federal contracts that involve AI.
Who is actually affected
Federal agencies: Facing the most immediate obligations. The 30-day clock on the cybersecurity clearinghouse started June 2. Agency CISOs and AI leads should already be coordinating with Treasury on clearinghouse participation requirements.
Frontier AI developers (OpenAI, Anthropic, Google, xAI, Meta AI): Facing voluntary asks with real incentives. Companies that participate in the trusted partner program gain early intelligence on how the government views their models' security risk profile - useful both commercially and for positioning in future procurement. Companies that decline to participate risk being outside the conversation when the government does start buying.
Federal contractors working on AI projects: Indirect but real exposure. Agency contracting officers will incorporate the new benchmarks and clearinghouse requirements into AI-related contract requirements. If your company provides AI tools, services, or AI-assisted work products to a federal agency, expect updated contract language around cybersecurity benchmarks within the next 6-12 months.
All other private companies: No direct obligations. The order does not impose reporting requirements, registration, or compliance gates on companies that are not federal contractors and do not develop frontier AI.
How this compares to Biden's 2023 AI executive order
Biden's October 2023 order required developers of frontier AI above certain compute thresholds to report safety test results to the government before public release, share red-team results with the government, and adhere to civil rights guidance across specific use cases including employment and housing.
The June 2026 order replaces the mandatory pre-release reporting with a voluntary 30-day review. It removes the compute-threshold trigger. It does not include civil rights guardrails or sector-specific provisions on employment or housing AI. The safety-first framing is gone; the innovation-first framing is explicit.
What both orders share: a belief that the federal government should have early visibility into the most capable AI systems, and that national security is the primary lens for federal AI oversight.
The net change for compliance teams: fewer federal requirements to track, but the remaining ones - especially around cybersecurity - are more operationally specific than the broad principles in the 2023 order.
The CFAA provision: what it does and does not mean
The order references the Computer Fraud and Abuse Act (CFAA) and directs enforcement against AI-enabled cyberattacks. This is worth noting carefully: the CFAA is existing federal law, not a new requirement created by the order. The EO directs the Department of Justice to prioritize AI-assisted attack prosecutions under the CFAA, but it does not change what the CFAA prohibits or who it covers.
For most compliance teams, this means: if your organization was already managing CFAA-relevant risk (protecting computer systems from unauthorized access), the order changes enforcement priority, not legal exposure. Companies that build or deploy AI tools used in offensive security testing should review their authorized-use guardrails.
What compliance teams should do
If you are a frontier AI developer: The 30-day voluntary review is a real decision. Participating builds a relationship with government security teams and positions you as a trusted partner. Not participating is also a choice - the order does not penalize non-participation - but it keeps you outside the intelligence-sharing loop. Your legal and policy team should assess the tradeoffs now, before the clearinghouse mechanisms are fully operational and participation terms harden.
If you hold federal contracts involving AI: Request updated AI security requirements from your contracting officer or anticipate them in your next contract renewal. Start documenting your AI tool inventory, the cybersecurity benchmarks you apply internally, and any existing threat-sharing practices. Contracts awarded after the clearinghouse is operational (by July 2, 2026) are more likely to include new AI security language.
If you are a compliance team at a non-government company: The immediate action is narrow: confirm you do not develop frontier AI and do not have federal contracts with AI components. If both are true, your direct exposure to this order is zero today. The second-order effect to watch: if the clearinghouse surfaces new AI vulnerability categories, that intelligence may eventually flow into NIST guidance and voluntary frameworks that indirectly shape industry standards.
For all companies: review your AI acceptable-use policy for language around AI-assisted cyberattacks. Most policies do not explicitly prohibit using AI tools to probe systems without authorization. Given the DOJ's new enforcement priority, making that prohibition explicit is low-cost and directly relevant.
Six-item compliance checklist
- Determine frontier AI status: Do you develop models at the compute scale that would qualify for the voluntary review program? If unclear, review NIST AI RMF definitions of "frontier AI."
- Audit federal contract exposure: List all active and pending federal contracts. Flag any with AI components or AI-adjacent scopes of work.
- Update AI acceptable-use policy: Add explicit prohibition on using company AI tools for unauthorized system access or AI-assisted cyberattacks.
- Review CFAA authorization documentation: If you run internal red-team or penetration testing using AI tools, confirm all authorization is documented in writing.
- Monitor clearinghouse participation terms: Treasury must publish clearinghouse requirements by July 2, 2026. Assign someone to track and evaluate voluntary participation.
- Brief leadership on mandatory vs. voluntary split: The most common misread of this order will be treating the voluntary model review as a compliance requirement. Make sure your leadership team understands what is actually required of your company.
