In three weeks, the most consequential document in AI evaluation goes into effect, and nobody outside a cleared facility will ever read it.
On June 2, President Trump signed Executive Order 14409, “Promoting Advanced Artificial Intelligence Innovation and Security.” Its centerpiece carries a 60-day fuse: by August 1, 2026, the Treasury, the NSA, and CISA — coordinating with the National Cyber Director, the White House science office, and NIST — must stand up a classified benchmarking process that measures the advanced cyber capabilities of AI models and defines the threshold at which a system becomes a “covered frontier model.” The NSA Director makes the designation calls.
Alongside it, and on the same deadline, comes a voluntary framework inviting developers to hand the federal government access to covered models for up to 30 days before public release.
This piece explains what the order actually does, why “voluntary” is doing unusual work in that sentence, what it means depending on where you sit — and why the right European answer is the opposite instrument: benchmarks that anyone can read.
The August 1 Deadline:
Benchmarks Become a National-Security Instrument — a Classified One
EO 14409 · signed June 2, 2026 · what actually changes, who feels it, and the European counter-move
The fuse
Two blocs, opposite horns of the same dilemma
US: sophisticated & classified
Measures the right thing (offensive capability) but cannot be reviewed, replicated, or challenged. Steelman: a public cyber benchmark is also an instruction manual for adversaries.
EU: crude & public
Arguably measures the wrong thing (compute, not capability) — but it’s public, contestable, and identical for every party. Legitimacy over precision.
Three seats at the table
Opt-in calculus before Aug 1: 30 days of government access to weights and prompts vs. trusted-partner procurement upside. IP and NDA questions unresolved.
A pre-release window is meaningless for weights on a public hub — and no US framework binds Hangzhou. The asymmetry is the design’s quiet destabilizer.
Launch timing may stagger; US designation becomes de facto capability certification; and benchmark-gating becomes politically normal — precedent cuts both ways.
The European answer: not a classified benchmark with a circle of stars on it — public, replicable, defense-relevant evaluation anyone can inspect. Whoever writes the benchmark defines “capable” and “dangerous.” After Aug 1, one definition goes behind a vault door. Europe should answer in public — that’s the VigilSAR-Bench thesis.

Evals for AI Engineers: Systematically Measuring and Improving AI Applications
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What the order actually establishes
Strip the framing language and EO 14409 does four concrete things. It creates the classified cyber-capability benchmark and the covered-frontier-model designation process (due August 1). It builds the voluntary pre-release access framework — 30 days of government evaluation before deployment, with assessments shared back to developers and researchers “as appropriate” (also August 1). It establishes an AI cybersecurity clearinghouse under Treasury to pool vulnerability intelligence between the AI industry and critical-infrastructure operators. And it directs money and hiring toward AI vulnerability-detection tooling and federal cyber talent.
Two pieces of context matter for reading it honestly. First, this order is a second attempt — an earlier version was reportedly pulled over concerns it would hinder US competitiveness, and the surviving text leans hard on voluntary-collaboration language rather than mandates. Second, this is a notable posture shift for an administration that had championed a hands-off approach to AI governance; the order moves the NSA and Treasury into central oversight roles that simply didn’t exist for AI six months ago.

Cybersecurity & Networking Poster – The OSI Model Reference Guide, IT Classroom Decor and Tech Enthusiast Wall Art(Unframed,12X18inch(30X45cm))
- White Margin for Framing: 0.6in (1.5cm) white border
- Durable Canvas Material: Resistant to humidity and environmental damage
- Color Variations: Slight color differences due to monitor settings
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“Voluntary,” with an asterisk the size of a procurement budget
The order disclaims mandatory licensing, and participation in the pre-release framework is formally opt-in. Legal analysts reading it for government-contracts clients have already spotted the real mechanism: designation as a “trusted partner” — the status that flows from participating — is likely to become a meaningful differentiator in federal acquisitions once the framework hardens. If the largest buyer of technology on earth prefers vendors who opted in, the distinction between voluntary and mandatory becomes an accounting question.
There’s also precedent suggesting the government’s willingness to act when its benchmarks flash red. A Congressional Research Service brief on the order notes, as context for its policy discussion, the administration’s earlier move requiring Anthropic to suspend access to a frontier AI model that showed advanced cyber capabilities — reported here neutrally, as the CRS presents it. Whatever one thinks of that specific intervention, it establishes the operational reality: capability assessments already have teeth, and the EO now formalizes the measuring instrument. Congress, per the same brief, may yet debate whether voluntary engagement should give way to federal testing requirements before release — which would convert this framework’s skeleton into a true pre-release approval regime. Today’s Signal column takes that question up directly.

NanoPi R76S Mini Router, RK3576 Octa-Core SoC with AI Model, LPDDR4X 4GB RAM 64GB eMMC, 6TOPS NPU,Dual 2.5G Ethernet, Support M.2 Wi-Fi Module (None M.2 WiFi, LPDDR4X 4GB, Standard)
- Open-source IoT Gateway: Supports multiple OS and Ethernet ports
- Enhanced Bandwidth: 50% increased bandwidth for high performance
- Powerful Octa-Core CPU: RK3576 with Cortex-A72 and A53 cores
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The classified-goalposts problem
Here is the structural choice worth arguing about: the benchmark criteria will be classified. Developers “will not see the goalposts,” as one law-firm analysis put it — a company can be designated a covered frontier model by a process it cannot inspect, against thresholds it cannot know, with consequences for its market access.
Steelman the classification decision, because it isn’t stupid: a public cyber-capability benchmark is also an instruction manual. Publishing exactly which offensive capabilities the NSA tests for, and at what threshold, hands adversaries a target list and invites teaching-to-the-test in the worst possible domain. Classified evaluation of dual-use capability is how every other weapons-adjacent technology is assessed; from that angle, AI is finally being treated like what its cyber capabilities are.
And now the counter, which I find weightier: benchmarks are the closest thing AI governance has to an epistemic foundation, and this order establishes the most consequential benchmark in the field as one that cannot be reviewed, replicated, or challenged. A classified benchmark can quietly drift, encode vendor-favorable assumptions, or be simply wrong — and no researcher will ever falsify it. Contrast the European approach: the EU AI Act’s systemic-risk threshold for general-purpose models — 10²⁵ FLOPs of training compute — is crude, widely criticized, and arguably measures the wrong thing. But it is public, contestable, and identical for every party. Crude-and-public versus sophisticated-and-classified is a genuine dilemma, not a gotcha; the two blocs have now formally chosen opposite horns.

Digital Citizenship & AI Safety Workbook for Tweens: Privacy, AI, Scams, Cyberbullying, Screen Balance and Safer Online Choices for Kids Ages 9–12
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What it means, three seats at the table
For US frontier developers, the calculus lands before August 1: opting in means 30 days of government access to weights, system prompts, and possibly fine-tuning data, with unresolved questions about IP in derivative artifacts, NDA scope, and personnel vetting — against the upside of trusted-partner status and preferred federal placement. Counsel earns its fees this month.
For the open-weight world — including the Chinese release cadence this week’s dispatches have tracked — the framework mostly shrugs. A 30-day pre-release window is meaningless for a model whose weights appear on a public hub at announcement, and no US voluntary framework binds a lab in Hangzhou. If covered-model designation ever grows export-control consequences, the pressure lands asymmetrically on the American labs that can be regulated, while the open frontier keeps shipping. That asymmetry is the quiet destabilizer in the whole design, and it went essentially unaddressed in the order.
For European buyers and vendors, three spillovers. Model availability: pre-release federal evaluation windows may stagger global launch timing for US models — mild, but real for anyone building on frontier APIs. Signal value: covered-frontier-model designation will function internationally as a de facto capability certification, whether Washington intends it or not. And precedent: the EO makes benchmark-based gating politically normal. When Brussels next revises its own evaluation obligations, “the Americans already do this, classified, through the NSA” becomes an argument in the room — for better and worse.
The European answer: evaluation as public infrastructure
Which brings me to the project this piece has been circling. If the American instrument is classified benchmarking wired to national-security machinery, the European counter-instrument shouldn’t be a classified benchmark with a circle of stars on it. It should be the opposite: public, replicable, defense-relevant evaluation that any procurement officer, journalist, or parliament can inspect.
That’s the thesis behind VigilSAR-Bench, the open benchmark I’m building for defense-relevant AI tasks with an ISR signature track — of a piece with this week’s Corvus argument that openly demonstrated capability is what lets institutions evaluate vendors without security clearances. Europe’s structural advantage in AI governance was never speed; it’s legitimacy. Public benchmarks are how you spend that advantage. A continent that just spent this spring proving it will pay for sovereign infrastructure (Munich, the Gigafactory, the Palantir exits) should be equally deliberate about sovereign measurement — because whoever writes the benchmark defines what “capable” and “dangerous” mean, and as of August 1, one definition of both goes behind a vault door.
Bull, bear, verdict
Bull case for the EO: it’s the first serious institutional acknowledgment that frontier-model capability assessment is a national-security function, it builds real machinery (clearinghouse, talent, funding) rather than just rhetoric, and the voluntary structure avoids the innovation-chilling mandate its pulled predecessor risked.
Bear case: classified goalposts are unfalsifiable goalposts, voluntary-plus-procurement-pressure is regulation without regulation’s accountability, the open-weight asymmetry undermines the security logic, and concentrating designation power in the NSA makes the most consequential judgment in AI — “is this model dangerous?” — a classified executive determination with no appeal.
Both are true at once. What’s certain is the date: after August 1, the question “how capable is this model?” has, for the first time, an official answer some people are not allowed to hear. Europe should take note — and answer in public.
Sources: Executive Order 14409 analyses by Morrison Foerster, Wiley, Latham & Watkins, Holland & Knight, and Government Contracts Law (June 2026); Congressional Research Service brief IF13268 via EveryCRSReport (July 2026, incl. the reported Anthropic suspension as CRS context); IBM Think news summary (June 2026); EU AI Act systemic-risk threshold per Latham & Watkins comparison.