The White House's new executive order on AI and cybersecurity adds another layer to the debate over how advanced AI models should be developed, evaluated and deployed. The order establishes a voluntary framework for reviewing frontier AI models before public release, reflecting growing concern about the cybersecurity implications of increasingly capable systems.
While supporters see it as a practical step toward improving visibility into emerging risks, others question whether voluntary oversight can keep pace with the speed of AI development.
Industry leaders are also weighing what the move means for enterprise security, critical infrastructure and the future of AI governance.
Jay Bavisi, Founder and Group President, EC-Council, said:
"The White House is building a voluntary clearinghouse for American AI models, but nobody's asking the obvious question: who's vetting the Chinese or the international ones? DeepSeek, Qwen, and a dozen other open-source models are already running on American cloud platforms at a fraction of the cost, and Chinese-origin models went from 2% to 45% of global API traffic in a single year. China is producing nearly four times more STEM graduates than the U.S. annually and trained DeepSeek V3 for under $6 million on chips we tried to keep out of their hands. A domestic-only framework doesn't match the threat. But more regulation isn't the answer either.
Americans don't build great things because the government told them to. They build great things because they chose to. That's why we brought together AI leaders from Citi, SAP, KPMG, Microsoft, Salesforce, JPMorgan Chase, Deloitte, and IBM to build the Adopt. Defend. Govern. Framework, which was released for free on May 28: three pillars, twelve minimum controls, nine governance surfaces, aligned to the EU AI Act, ISO 42001, and NIST AI RMF. The real question isn't whether Washington can keep up with AI. It can't. The question is whether American enterprises will lead on AI governance voluntarily, or wait for a rule that's already obsolete by the time the ink dries."
Shayne Higdon, CEO, Wallarm, said:
"This executive order recognizes AI security as national infrastructure, which is a positive step. Standing up a vulnerability clearinghouse and pushing AI-enabled defensive tools to rural hospitals, community banks, and local utilities is the right thing to do because most simply do not have the budget for this kind of technology.
It is also significant that the order remains voluntary rather than creating a licensing regime. Section 3(c) explicitly bars mandatory government preclearance for new models, allowing the country to strengthen its security posture while preserving the ability of developers to innovate and compete with China. Getting both in one order is harder than it sounds.
That said, almost all of this depends on voluntary collaboration. Whether it works comes down to whether frontier labs and critical infrastructure operators actually show up. Good intentions, unproven mechanism. Naming AI-agent attacks as a criminal enforcement priority is overdue and puts the law where the threat actually is. At the same time, a government vulnerability clearinghouse that scans, validates, and stockpiles flaws before patching is a double-edged sword. Concentrating that knowledge creates a high-value target and raises legitimate questions about how those vulnerabilities are handled before they are fixed.
The same concern applies to classified benchmarking of model capabilities by the NSA. It is sensible from a security standpoint, but light on transparency, and reasonable people will question where that line should be drawn."
Craig Riddell, Global Field CISO, Wallarm, said:
"The most important signal in this executive order is that advanced AI systems are now being treated as a national security issue. We've spent years treating AI as a technology discussion, and governments are now treating it like critical infrastructure.
The challenge will be balancing innovation with security. Organisations need to avoid turning model reviews into a compliance exercise and instead focus on understanding what these systems are actually capable of doing, how they can be abused, and how they interact with the rest of the enterprise attack surface. The future of AI security won't just be about regulating models and more about securing the ecosystems, APIs, agents, and workflows built around them."
Javed Hasan, CEO and Co-Founder, Lineaje, said:
"AI innovation is moving faster than the security models built to govern it.
The new Executive Order reinforces a critical point: AI advancement and AI security have to move together, especially as federal systems and critical infrastructure rely more on advanced models, AI-generated software, and agentic capabilities.
Frontier AI models and AI-generated code have changed the AppSec problem. Vulnerability management has scaled, but so has the attack surface. Code is arriving faster than teams can verify its origin and embedded threats.
That makes software lineage and continuous remediation essential. Security teams need to trace where code comes from, understand what is inside it, and eliminate vulnerabilities before they become operational risk.
The standard sought should be to reach zero vulnerabilities, which requires continuous visibility, validation, and elimination of software risk across the full lifecycle. AI adoption only creates durable value when it is matched by integrity, governance, and proactive security."
Ron Reiter, Co-Founder & CTO, Sentra, said:
"Frontier AI models are changing the timeline for security teams. As they become more capable, they can help find weaknesses faster, including overshared data, stale permissions and poorly governed repositories that already exist inside enterprise environments.
Policy efforts around AI models are important, but organizations cannot wait for regulation to solve the data exposure problem. AI innovation will continue to move quickly, and new models will keep interacting with enterprise data through copilots, agents and connected workflows.
The first step for enterprises is to get their data ready for that reality. Security teams need to know what sensitive data exists, where it lives, who can access it and how it is being used. Accurate classification, continuous visibility and data-aware access governance give organizations a way to protect sensitive data even as AI capabilities continue to advance."
Jess Hammond, Senior Director, Product Management (AI), Protegrity, said:
"It's becoming more clear that regulation is necessary, but caution must still be used so as not to stifle progress. It's no surprise that the government is asking for advanced access to models. This is a protective measure. For example, how will their own systems be impacted by vulnerability discovery as new models become more powerful?"
Jay Martin, Chief Information Security Officer, Blue Mantis, said:
"Unlike the EU AI Regulation, which has been in place since 2024 and binds AI use globally, the US lacks any centralized AI federal regulations that protect US citizens from potential AI overreach, including real-time facial recognition in public areas. The Executive Order is a first step toward attempting to establish safeguards ahead of publicly releasing powerful frontier models like Anthropic's Mythos and OpenAI's Daybreak.
These models have been widely viewed as a potential 'day of reckoning' for cybersecurity with their ability to autonomously discover and exploit vulnerabilities at a speed and scale that vastly outpaces current defenses, while also exposing long-standing weaknesses faster than organizations can fix them. The EO calls for AI companies to voluntarily provide access to 'covered' frontier models 30 days prior to release to promote secure innovation and strengthen critical infrastructure prior to release. The risks of AI development without adequate guardrails have been well documented.
This Executive Order represents a step in the right direction, but it must go further to protect the privacy of U.S. citizens while avoiding unnecessary constraints on innovation and speed to market in an intensely competitive global environment. The global reality is clear. Countries that advance AI capabilities without comparable safeguards not only increase their own risk but may also introduce systemic risk worldwide. This needs to be addressed at a more global level."
Taken together, these perspectives reflect a broader shift in how advanced AI systems are being viewed across government and industry. The discussion is no longer limited to model performance or competitive advantage. Questions around software integrity, data security, critical infrastructure resilience and governance are becoming part of the conversation as organizations prepare for increasingly capable AI systems.
While opinions differ on the best path forward, experts agree that security considerations will need to evolve alongside the technology itself.