The framework involves major AI developers including OpenAI, Anthropic, and Google, who participate voluntarily in benchmarking to evaluate "advanced cyber capabilities" and determine model classification. The National Security Agency leads model assessment, while the Department of Defense receives prioritized cybersecurity protections. The Cybersecurity and Infrastructure Security Agency and Department of Treasury—tasked with establishing an "AI cybersecurity clearinghouse" for vulnerability scanning—round out the federal apparatus. The order explicitly preserves Congressional authority over licensing and permitting, deferring regulatory expansion to the legislative branch.
The order represents a policy reversal from the administration's previous deregulatory stance. It formalizes what were previously informal agreements between the government and AI firms, though the final version softened from an earlier draft that would have allowed 90 days for assessment. The White House postponed the signing last month over concerns that stricter timelines would undermine U.S. competitiveness against China. The policy follows a December 2025 executive order establishing a national AI framework designed to prevent conflicting state regulations.
For corporate legal teams, Section 4's criminal enforcement focus eliminates the traditional "wait and see" approach. General counsel must now proactively establish governance standards for AI agent deployment to avoid liability exposure. The voluntary structure provides some flexibility, but the federal baseline for AI agent regulation—combined with explicit enforcement priorities—signals that companies cannot rely on regulatory ambiguity to shield questionable practices.