News · June 3, 2026 · 2 min read

Trump asks US AI firms to voluntarily test models for hacks

The Trump administration is requesting that major US artificial intelligence companies submit their models for cybersecurity testing. Details on timeline, scope, and which firms are targeted remain unclear.

Our Take

A voluntary request from a new administration is a political signal, not a binding requirement—watch whether firms actually participate and what 'cybersecurity tests' means in practice.

Why it matters

AI model security has become a national-security concern, and voluntary compliance programs set precedent for how (or whether) the industry self-regulates before formal regulation arrives. The outcome will show whether industry cooperation on security is genuine or performative.

Do this week

Security leads: document your current model evaluation processes and red-teaming scope before any formal request arrives, so you can respond quickly if your company is selected.

The Trump administration makes a security request

The Trump administration is asking major US artificial intelligence companies to voluntarily submit their models for cybersecurity testing, according to Reuters. The request focuses on evaluating model robustness against hacking and adversarial attack. No additional details on timing, specific companies targeted, scope of testing, or what "passing" would mean are available from the report.

The move follows years of debate over AI safety and security in Congress and among national security officials. Prior administrations signaled interest in safety oversight; this request appears to be the first concrete action from the new administration on the topic.

Voluntary compliance is a test of industry cooperation

A voluntary request is weaker than a mandate, but it carries weight. Refusal to participate would be politically costly for major firms already under scrutiny over AI safety, while participation sets a precedent for what security evaluation looks like and who gets to define it.

The critical unknown is scope: are these tests for vulnerabilities in model weights, API endpoints, inference pipelines, or some combination? Are they standardized or firm-specific? Who runs them—the government, third parties, or the companies themselves? Those details will determine whether this becomes meaningful security infrastructure or a compliance checkbox.

For the industry, voluntary participation is preferable to statutory requirements, but it also means firms will likely negotiate on what gets tested and how results are reported. How firms respond will signal whether the AI industry sees security as a genuine operational requirement or a regulatory relations problem.

Start inventorying your security posture now

If your company builds or deploys large language models, your security team should document what red-teaming, adversarial testing, and vulnerability assessment you already conduct. Having a clear inventory of existing controls means you can respond quickly if your company receives a formal request, and you can identify gaps before external scrutiny arrives.

Pay special attention to the difference between safety testing (does the model refuse harmful requests?) and security testing (can an attacker manipulate the model or access its parameters?). The administration's request appears focused on the latter, which is less mature across the industry and likely to surface surprises.
