The directive involves the White House, National Security Agency, Department of Homeland Security/CISA, Treasury Department, Commerce Department/NIST, and a newly created Center for AI Standards and Innovation. The Attorney General is separately directed to prioritize criminal enforcement against AI-enabled hacking and cybercrime. The policy targets only the most advanced systems capable of posing genuine security threats.
The final order represents a significant retreat from earlier drafts. An earlier version contemplated a 90-day review window, but industry pushback—including from former AI and crypto czar David Sacks—led to the voluntary, 30-day structure now in place. The administration faced competing pressures to establish federal oversight of frontier AI while avoiding regulation that could slow development.
The voluntary framework leaves the government with minimal enforcement leverage. Companies can decline participation entirely or ignore government concerns without consequence. This structure has drawn criticism as industry self-regulation masquerading as oversight, though administration officials characterize it as a balanced cybersecurity measure. Attorneys tracking AI regulation should monitor whether companies actually participate and whether the government attempts to formalize or strengthen the process.