Where AI Risk Lives Now

Two structural shifts in the last 48 hours pushed more AI risk onto the buyer side of the table. Thursday, Trump pulled the AI security executive order hours before signing, after the federal review window had already been negotiated from 90 days to 14. Wednesday, SpaceX's S-1 made the explicit case that AI economics gets decided at the infrastructure layer, not the model layer. Two different protagonists, one implication for the buyer: the backstops you assumed aren't where they used to be.

Fourteen Was the Compromise

Donald Trump pulled the AI security executive order he was scheduled to sign Thursday, hours before the event, after weeks of negotiation between the White House, the Office of the National Cyber Director, and frontier AI labs. The version that landed on his desk required companies to submit advanced models to a federal review for security vulnerabilities ahead of public release. The window had already been negotiated down from 90 days to as few as 14. Trump pulled the whole package because, in his own words, the language "could have been a blocker" to the United States staying ahead of China.

The headline isn't that the order died. The headline is what got killed: even the 14-day version.

The original draft called for up to 90 days of pre-release federal review. Industry pushed for 14. That 76-day compression was the entire bargaining outcome between the safety wing of the administration, led by the National Cyber Director, and the labs at the table. Anthropic's Mythos and OpenAI's GPT-5.5 Cyber were the specific frontier systems that reportedly triggered the security concern, both already in production. The 14-day version meant labs would have given the government two weeks to test for offensive cyber capabilities in a model before deployment. Even that was rejected.

What stays in place after yesterday is a status quo where the gap between a frontier model finishing training and that model entering production runs on lab self-attestation, not on third-party review. Until a successor order lands and goes into effect, there's no federal process that sits between a frontier model and a customer-facing deployment. That's a structural fact about where AI risk lives now, not a partisan one.

The standard read on this is exactly partisan: pro-regulation observers see a White House captured by industry, anti-regulation observers see a president defending American competitiveness, and both camps will write that take by Monday. The structural read is different. The administration negotiated down to 14 days of review, then declined even that. The revealed preference is zero days, and release pace becomes the policy by inference from the bargaining itself.

For buyers, the implication is concrete. Any procurement template, vendor due-diligence framework, or compliance posture that explicitly or implicitly referenced "federal pre-release AI review" as a backstop on frontier-model risk has nothing behind it. Financial services compliance teams who flagged Mythos or GPT-5.5 Cyber adoption as "pending federal review" need to retire that line. Healthcare AI procurement anchored to forthcoming government certification doesn't have anything to wait for. Critical-infrastructure firms that included federal vulnerability disclosure in their threat models have to source those disclosures somewhere else, because they aren't going to come from a federal process that doesn't exist.

The steelman holds. The Office of the National Cyber Director signaled it's working on additional AI security initiatives, and a revised order could land in a different form within weeks. The political coalition that produced the original (the safety wing of the White House plus labs willing to accept 14 days of review) is intact. The work product doesn't vanish. Those are real possibilities, not stretch scenarios.

But the precedent is set. A sitting US president was willing to pull a fully-negotiated security executive order, on the morning of its signing, on the argument that fourteen days of review "gets in the way" of leading. Any future order on AI safety has to clear that bar before it reaches a desk. The pace-over-review preference is now the default, not the exception, and every buyer's risk model needs to be rebuilt on that default.

What to Do With This

Audit every internal document that references "federal AI review" or "government safety certification" as a control. If your team built deployment criteria, vendor due-diligence templates, or compliance attestations on that assumption between 2024 and now, those controls need to be rewritten as internal processes by the end of June.

Two specific moves. First, for any frontier-model deployment, replace the "pending federal review" line with a documented internal red-team and a model-card review you can defend in a procurement audit. Second, write into your frontier-vendor contracts an explicit disclosure clause for any internal pre-release security review the lab performed. The labs won't volunteer that; it has to be in writing.