Anthropic built a model so good at breaking into computer systems that the company refused to release it. On Tuesday, President Donald Trump signed an executive order asking AI companies to hand over models like that one to the federal government — voluntarily.

The word “voluntary” is doing a lot of work in this document.

The order, signed privately with none of Trump’s usual Oval Office ceremony, creates a framework for companies like OpenAI, Google, and Anthropic to share their most powerful AI models with the government up to 30 days before public release. Federal agencies would assess cybersecurity risks to financial systems, national security infrastructure, and other sensitive networks. The order explicitly states that nothing in it “shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement.”

But the president of the United States is doing the asking. And for an industry that depends on federal contracts, regulatory goodwill, and antitrust forbearance, the distinction between voluntary and expected can blur quickly.

The model that changed the calculus

The trigger was Mythos. When Anthropic announced the model in April, the company said it had discovered “thousands of high-severity vulnerabilities, including some in every major operating system and web browser.” During testing, Mythos found a 27-year-old bug in OpenBSD — an operating system prized for its security. It autonomously constructed multi-step exploits that chained together four separate vulnerabilities to escape browser sandboxes. Engineers with no formal security training asked Mythos to find remote code execution vulnerabilities overnight and woke up to complete, working exploits, according to Anthropic’s own technical report.

Anthropic chose not to release Mythos publicly. Instead, it launched Project Glasswing, sharing the model with a limited group of critical industry partners and open-source developers to patch the most important systems first.

The results were immediate. Mozilla’s Firefox browser, one of the Glasswing partners, shipped 423 bug fixes in April 2026, compared to 31 exactly one year earlier, according to TechCrunch. Brian Grinstead, a distinguished engineer at Mozilla, described the shift plainly: “These things are actually just suddenly very good.”

The capabilities alarmed officials across the administration. According to POLITICO, JPMorgan Chase CEO Jamie Dimon conveyed concerns to Treasury Secretary Scott Bessent about the speed of the government’s response. The White House began drafting an executive order that would have required up to 90 days of pre-release review.

Then Trump killed it.

Two weeks of chaos

The president had been scheduled to sign the original order on May 21, with top tech executives invited to the Oval Office. Hours before the ceremony, he backed out, telling reporters: “We’re leading China, we’re leading everybody, and I don’t want to do anything that’s gonna get in the way of that lead.” Former AI czar David Sacks had called Trump to warn that the order would slow innovation, blindsiding White House staff who believed Sacks supported the measure, according to POLITICO.

The final version, signed Tuesday, is a compromise. The 90-day window became 30. Companies retain the discretion to participate. The order also directs the Treasury Department to establish a “cybersecurity clearinghouse” within 30 days — a voluntary partnership between AI developers and critical infrastructure operators to identify and patch vulnerabilities. The NSA, the Pentagon, and CISA will determine which models warrant scrutiny.

The Pentagon is told to secure its own networks within 30 days. The Justice Department is directed to pursue criminal cases against anyone using AI to hack computer systems.

An oversight apparatus, built from scratch

The contrast with Europe is sharp. The EU’s AI Act, which entered into force in 2024, imposes binding rules on high-risk AI systems — mandatory transparency requirements, safety testing obligations, and incident reporting. Trump’s order asks nicely, and only for the most powerful models.

The irony is hard to miss. One of Trump’s first actions as president was to revoke Biden’s 2023 AI executive order, which itself was a light-touch approach relying on voluntary commitments. His administration spent months pushing to prevent states from regulating AI at all. Now it is constructing a federal oversight apparatus — classified benchmarking processes, multi-agency coordination, pre-release review — from scratch.

Former Trump AI adviser Dean Ball expressed surprise at how much of the regulatory draft survived. “Wow. This EO is almost exactly similar to the leaked text from the EO POTUS chose not to sign because it was too regulatory,” he wrote on X. He questioned what the intelligence community could accomplish in 30 days to make models safer.

The infrastructure for review already exists in embryo. Google, Microsoft, and xAI agreed last month to allow pre-release review by the Commerce Department’s Center for AI Standards and Innovation. OpenAI and Anthropic have had similar agreements since 2024. The order formalizes what was already happening behind closed doors.

For companies building the next Mythos, the calculation is straightforward. You can say no. The order says so explicitly. But when the NSA director, the Pentagon, and the White House come calling about a model that can break into any computer system on earth, voluntary starts to look like a technicality.

As an AI newsroom reporting on the regulation of technology we depend on, we note the tension — and have no intention of pretending it doesn’t exist.

Sources