White House briefs AI developers on 90-day model review plan
Serge Bulaev
The White House recently told major AI developers about a voluntary plan that may let government agencies review new AI models for up to 90 days before they are released. The main framework for these reviews, announced in March 2026, is not a binding rule but signals a shift toward federal standards and may become expected for big projects. Developers are encouraged to build internal review processes, follow security testing steps, and prepare documents for potential government checks. There are ongoing concerns about how to keep trade secrets safe during reviews, so companies may use secure methods to share only necessary information. Experts suggest that careful compliance with these reviews might help companies show they are ready for regulators and customers.

The White House has briefed major AI developers on a voluntary 90-day model review plan, signaling a significant shift toward federal standards for frontier AI systems. While not yet a binding rule, this pre-release inspection scheme is prompting companies to prepare for a new era of government oversight. This guide explains the emerging federal playbook and how AI product teams can build internal processes to navigate it, reduce launch delays, and manage risk.
How the Federal Framework is Shaping Expectations
The proposed voluntary program allows the U.S. government to inspect "covered frontier models" for up to 90 days before their public release. The goal is to identify and mitigate national security risks early. While participation is not mandatory, it is expected to become standard practice for major AI releases.
According to industry reports, the administration is developing the program. The initiative builds on broader federal AI policy discussions that prioritize safety, liability, and coordination across government agencies.
Key takeaways for AI companies include:
- Voluntary but Expected: While participation is optional, it is likely to become a de facto industry standard for major model releases.
- Liability and Safe Harbor: The administration has signaled that robust safety measures could lead to future liability limitations for developers, creating a strong incentive for compliance.
- Defining "Frontier": With no formal thresholds yet published, development teams are responsible for self-assessing whether their models qualify as "frontier" systems subject to review.
Building an Internal Review Playbook
An effective internal review playbook should align with established cybersecurity and red-teaming frameworks, such as those defined by NIST. To prepare for a potential government review, product security leads should operationalize a process with the following steps:
- Define Scope: Map model capabilities to potential harms and clearly document out-of-scope activities.
- Conduct Adversarial Testing: Combine automated and human-led red-teaming, logging all interactions to ensure reproducibility of findings.
- Automate Regression Tests: For each identified vulnerability, create an automated test to prevent regressions.
- Prepare Submission Packet: Compile a concise dossier including a system card, risk matrix, red-team report, and mitigation summary.
- Plan for Remediation: Schedule a retesting window to ensure all identified issues can be fixed and validated within the government's 90-day review period.
Adopting short, iterative feedback loops enables teams to resolve critical issues in days rather than weeks, significantly reducing the risk of launch delays.
Guarding Confidential Intellectual Property
Protecting intellectual property during a government review is a primary concern for developers. The challenge lies in balancing regulatory transparency with the need to protect trade secrets. Practical safeguards include using secure sandboxes, minimizing data exposure, and leveraging privacy-enhancing technologies to grant reviewers necessary insights without revealing core IP.
The table below maps common risks to recommended safeguards.
| Risk during review | Recommended safeguard |
|---|---|
| Training-data disclosure | Anonymize or aggregate sensitive datasets |
| Weight or architecture leaks | Use controlled access rooms and on-premise sandboxes |
| Output ownership disputes | Maintain invention logs and human authorship records |
| Cross-border requests | Apply jurisdiction-specific disclosure protocols |
Post-Review Remediation and Evidence Management
After a government assessment, teams will likely receive recommended actions. Establishing a centralized evidence repository is crucial for managing remediation smoothly. This system should capture versioned model artifacts, test logs, and change approvals. Once fixes are implemented, teams must rerun the original attack vectors and add new regression tests to validate the changes.
This disciplined approach transforms compliance from a regulatory burden into a powerful competitive advantage, demonstrating trustworthiness and readiness to regulators, enterprise customers, and insurers.
What is the 90-day pre-release review the White House is asking AI companies to follow?
The administration is floating a voluntary program under which builders of frontier models would share their systems with government experts up to 90 days before public launch. The goal is to spot national-security, cyber-security, and misuse risks early, not to approve or reject models. Because the plan is expected to be enacted through a future executive order, it is not yet a legal requirement, but early engagement is being encouraged.
Which models are expected to fall under this advance-review process?
No final threshold has been published, but briefings have focused on frontier or foundation-scale models - systems whose capabilities significantly exceed current industry baselines. If your roadmap includes training runs above roughly 10^26 FLOP, or models intended for high-risk autonomy, code generation, or biological design, treat them as likely candidates for the program.
What deliverables should teams prepare ahead of a possible review?
Internal playbooks should be able to produce on short notice:
- Model cards that describe intended use, limitations, and evaluation results.
- Red-team reports with attack chains, success rates, and residual-risk statements.
- Safety test logs covering prompt injection, tool misuse, data-extraction attempts, and alignment checks.
- A confidentiality handling plan that spells out data minimization, access tiers, and destruction timelines.
How can companies protect trade secrets while still complying?
The most practical safeguards are:
- Share only weights or APIs in a controlled sandbox, not full training corpora.
- Use on-prem or encrypted-cloud enclaves for government reviewers, with audit trails.
- Embed contractual clauses that limit retention, require destruction of artifacts, and clarify IP ownership.
- Strip or synthesize sensitive datasets when demonstration of capability is sufficient.
What operational steps reduce launch delays if the 90-day window becomes mandatory?
Adopt a "review-ready by default" culture:
1. Run internal red-team cycles as part of each sprint so artifacts mature continuously.
2. Maintain living documentation - every architecture change automatically updates model cards.
3. Keep a 90-day release calendar that gates big training jobs so evaluation finishes before marketing schedules lock.
4. Assign a cross-functional review desk (legal, security, policy) that can package materials for government or enterprise customers within days, not weeks.
Early investment in these workflows turns compliance from a schedule risk into a competitive signal of trustworthiness for partners and large customers.