Trump's voluntary AI review creates an illusion of government oversight

On June 2, 2026, Trump signed an executive order directing the NSA to develop a classified benchmarking process for identifying 'covered frontier models' with advanced cyber capabilities. Developers can voluntarily submit models for up to 30 days of government review before public release. The order explicitly prohibits mandatory licensing, preclearance, or permitting. This is not regulation. It is a request dressed up as policy, and it will not work.

The order's core mechanism is straightforward on paper. Within 60 days (deadline August 1), the NSA must define which models qualify as 'covered frontier models' based on cyber capabilities. Labs can then opt in to a 30-day pre-release review window with confidentiality protections. The Treasury Department must establish a voluntary cybersecurity clearinghouse within 30 days. CISA must issue Binding Operational Directives to modernize federal cyber defense and expand frontier model access to state and local governments, rural hospitals, and utilities. The framing is partnership, not enforcement.

The immediate trigger was Anthropic's Claude Mythos Preview, which discovered thousands of zero-day vulnerabilities autonomously in weeks. The initial 50 partners in Project Glasswing surfaced 10,000 high-severity flaws, including exploits in OpenBSD (undetected for 27 years), FFmpeg (16 years), and Linux kernel privilege escalation chains. Anthropic expanded Glasswing to 200 organizations across 15 countries on June 3, the day after the order. The government saw frontier AI models discovering vulnerabilities faster than humans could patch them and moved to create a preview mechanism.

But the order arrived after Trump had already postponed signing it once, on May 21, stating it would 'get in the way' of US competitiveness with China. The final version is narrower than the initial draft. There is no mandatory preclearance, no licensing requirement, no legal penalty for declining. Participation is voluntary. This is the critical flaw. In high-stakes domains where voluntary compliance has been tested, race-to-the-bottom dynamics dominate. Financial regulation, environmental compliance, nuclear security: all have learned that when non-compliance becomes a competitive advantage, actors choose advantage.

## The classified threshold problem

The benchmarking process is classified. Only the NSA knows which models meet the 'covered' threshold. This creates information asymmetry that makes the framework unverifiable. Congress cannot audit whether the threshold is being applied consistently. Industry cannot know whether it is being gamed. The public cannot assess whether the government is actually seeing what it claims to see. A framework that hides its own criteria is not a framework; it is a black box with a press release.

This opacity serves a purpose for the administration: it allows the government to claim oversight while avoiding the appearance of regulation. But it also means that labs can make strategic decisions about participation based on incomplete information. If Anthropic does not know exactly what triggers the 'covered' designation, it can calculate the probability of being caught declining review and price that against the competitive advantage of faster release. The order creates incentives for strategic non-participation.

## The 30-day window is inadequate

Anthropic's Glasswing partners took weeks to surface 10,000 vulnerabilities in Mythos. The government's 30-day window is not a security gate; it is a gesture. The NSA will not have the time, personnel, or infrastructure to conduct the kind of sustained red-teaming that Glasswing's 50 initial partners performed. The order assumes that 30 days of government review will catch threats that weeks of distributed partner testing barely scratched. This is not a realistic assumption.

The order's language about 'protections for confidentiality, cybersecurity, insider risk, IP, and nondisclosure' further constrains what government reviewers can actually do. They cannot share findings with the broader security community. They cannot publish advisories. They cannot coordinate with private researchers. The review window becomes a private audit that benefits the government's own cyber defense but does not improve the security posture of the internet as a whole. A 30-day private review of a model with 10,000+ zero-days is security theater.

## The two-tier fragmentation

Anthropic's simultaneous expansion of Glasswing and the Trump order's signing creates a de facto two-tier system. Mythos-class models get restricted access for government and critical infrastructure. Public models remain unrestricted. The field fragments into restricted and unrestricted tiers, with different security standards, different review processes, and different access controls. This is not consolidation; it is fragmentation masquerading as governance.

The clearinghouse mechanism compounds this. Treasury Department coordination with the National Vulnerability Database creates institutional overlap with an existing system that already faces backlog and funding pressure. The order does not allocate new resources; it creates new coordination layers. Duplicate effort without resolving resource constraints is not a solution.

## The incentive inversion

Labs will treat voluntary participation as a marketing signal. Anthropic filed for an IPO valued at 900 billion dollars on June 3, the day after the order. Government review becomes a trust-building mechanism that increases valuation, not a security gate that constrains release. The order's intent inverts: instead of the government preventing unsafe releases, the government's blessing becomes a competitive advantage in capital markets. Labs will participate when participation is profitable and decline when it is not.

Trump's postponement in May made the administration's priority explicit: competitiveness with China matters more than comprehensive oversight. The final order reflects this. A framework that is voluntary, unverifiable, and under-resourced is not designed to catch frontier AI models with dangerous capabilities. It is designed to allow them to be released while creating the appearance of government control. This is the opposite of safety. It is liability transfer with optics.

## What to watch

Track whether Anthropic, OpenAI, and other labs voluntarily participate in the 30-day review window or decline. If participation is selective, the framework has failed as a security mechanism. Watch whether the NSA's classified benchmarking process leaks or becomes subject to FOIA requests; if the threshold remains secret for more than six months, the framework is unaccountable. Monitor whether California's SB 53 state-level requirements conflict with federal voluntary participation, forcing labs to choose between state and federal compliance. Finally, track whether the Treasury clearinghouse actually reduces vulnerability patch time or becomes another bureaucratic layer. The order's success depends on whether soft governance can work at the frontier. The evidence suggests it cannot.