Reuters: Trump order could give U.S. 90 days’ access to new AI models

Reuters reports that U.S. President Donald Trump is expected to sign an executive order on AI and cybersecurity as soon as Thursday. The core is not a simple ban. It is a pre-release process for the most advanced AI models.

According to two sources cited by Reuters, the order would create a voluntary framework for AI developers to engage with the U.S. government before covered models are released publicly. Developers would be asked to provide models to the government 90 days before release. Critical infrastructure providers, including banks, could also receive pre-public access.

That sounds procedural. It is more than that. It signals a shift in how frontier models are treated. They are increasingly viewed as infrastructure with security consequences, not only as software products with launch dates.

Reuters links the planned order to pressure from parts of Trump’s political base seeking stricter oversight of new AI systems. On the other side are technology investors and industry allies who prefer voluntary cooperation over mandatory regulation. A White House spokesperson called any discussion of policy details “speculation”. That caveat matters. The final order has not been published.

Still, the direction is clear enough for business leaders to pay attention. If the U.S. builds a practice in which government and critical infrastructure actors see models before public release, it changes how large organisations should buy, test and govern AI.

From product launch to pre-release control

The context is the emergence of systems such as Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber. Reuters writes that companies have warned that newer models could amplify complex cyberattacks, while some cybersecurity executives say those fears are overstated.

The point is not whether one model changes the threat landscape overnight. The point is that governments, banks and security teams are now discussing AI launches as risk events. A model can gain new capabilities in code, vulnerability discovery, social engineering, automated reconnaissance or agentic workflows. Waiting for a vendor blog post is not enough when those systems touch operational infrastructure.

For banks, energy companies, telecoms, healthcare and public-sector organisations, vendor launch discipline becomes part of enterprise risk management. The question is no longer only which model performs best. The question is what the vendor knew before launch, who had access to evaluation data, how vulnerabilities are disclosed, and whether customers can slow, freeze or limit deployment if the model’s risk profile changes.

What leaders should ask vendors

Norwegian and European organisations do not need to copy U.S. policy. They should learn from why this discussion is happening now. AI models are moving closer to developer environments, SOC workflows, customer operations, payment flows, case handling and internal knowledge systems. Once they receive tool access, network access and agent roles, model-release risk becomes operational risk.

CIOs and CISOs should ask sharper questions in vendor conversations:

• Will the organisation receive advance notice when a model or agent platform gains materially new capabilities?
• Are there documented safety tests for cyber misuse, prompt injection, data leakage and autonomous tool use?
• Can the customer freeze a model version, limit rollout or require new approval after major changes?
• What logs, evaluation reports and incident data can the vendor share when something goes wrong?
• Who is accountable if a model used in a critical process changes behaviour after an update?

These are procurement and governance questions, not just technical questions. They belong in contracts, risk committees and board material.

The U.S. is moving faster on one operational question

Europe is working through the AI Act, high-risk classifications and provider obligations. That creates a broad legal framework. The U.S. discussion described by Reuters points to a more operational question: what happens before a new frontier model is released?

That matters in Europe because the main model providers are global. A Norwegian bank may use the same model that U.S. authorities consider security-sensitive. A Norwegian development team may get access to the same coding agent that U.S. security officials want reviewed before release.

If the U.S. establishes a norm for 90 days of pre-release access, it may become a reference point in contracts and enterprise customer demands outside the U.S. Large customers will ask why they do not receive similar warning, test data or control options.

Do not wait for final regulation

The wrong response is to treat this as a Washington policy story only. The operational lesson is simpler: AI launches need to enter change management.

When a vendor upgrades a model used in code, customer data, security analysis or decision support, that should be treated more like a production change than a feature announcement. It needs risk assessment, approval, logging, rollback planning and clear boundaries around which processes the model can affect.

The Reuters report shows that the line between AI product, cybersecurity and national infrastructure is narrowing. For leaders, the conclusion is practical: demand better advance warning, build internal test regimes and do not let a vendor’s release pace become your organisation’s risk pace.

Sources and media

• Primary source: Reuters, “Trump to sign order on AI oversight as security fears mount among supporters”, published May 20, 2026: https://www.reuters.com/legal/litigation/trump-sign-order-ai-oversight-security-fears-mount-among-supporters-2026-05-20/
• Reuters lists Karen Freifeld and Courtney Rozen as byline. The article is based on two sources familiar with the plan. The White House described discussion of policy details as speculation, which is reflected in the framing.
• Thumbnail: OpenAI Image 2 / hogby.ai.