America's AI Regulation Has Collapsed — And the Mythos Crisis Proves It

The United States has no functioning federal framework for evaluating artificial intelligence systems. Not a reduced one, not a weakened one — none. The Biden-era executive order that established reporting thresholds for frontier models was repealed on Trump's first day in office. Its replacement was supposed to be signed on May 21. Then, at the last minute, the signing ceremony was cancelled.

The reason, according to people familiar with the internal deliberations, is what they describe as a "knife fight" between three factions inside the administration. The Commerce Department's National Institute of Standards and Technology had been quietly building a civilian testing program through its Center for AI Standards and Innovation, or CAISI. On May 5, CAISI announced pre-deployment testing agreements with Google DeepMind, Microsoft, and xAI. Days later, the announcement vanished from NIST's website. Staff were told to remove it. They were not told why.

National security officials, alarmed by Anthropic's Mythos model discovering more than 10,000 zero-day vulnerabilities across every major operating system and web browser, want intelligence agencies to evaluate frontier models before release. The Office of the National Cyber Director has proposed housing a large AI evaluation center within the Office of the Director of National Intelligence — effectively giving spy agencies gatekeeping authority over which AI systems reach the public.

And pro-industry aides, drawing on Silicon Valley's lobbying power, argue that any regulation risks slowing American AI leadership at exactly the moment China is racing to catch up. Trump himself echoed this concern when he scrapped the executive order, saying he worried it "could dull America's edge on AI technology."

All three factions have reasonable positions. The problem is that their disagreements have produced a complete policy vacuum at the worst possible moment.

The Mythos wake-up call Anthropic's Mythos is not a hypothetical risk. It is a demonstrated capability that has already been deployed. The model autonomously identified and exploited more than 10,000 vulnerabilities in critical software infrastructure — every major operating system, every major browser. In the hands of a malicious actor, the same capability could be turned offensive. The Pentagon recognized this by placing Anthropic on a supply-chain risk list after the company refused to grant the military unrestricted access to its models.

In any other advanced economy, a capability demonstration of this magnitude would have triggered immediate regulatory action. The European Union's AI Act, which enters full enforcement in August 2026, gives regulators statutory authority to require safety evaluations before deployment. China has a comprehensive AI regulatory framework. Even the UK, which favored a lighter-touch approach, has established the AI Safety Institute with a formal mandate.

The United States has CAISI — an organization whose own announcements get deleted from government websites.

The state-level patchwork problem In the absence of federal action, states are filling the vacuum with their own legislation. Colorado, Illinois, and Texas have all advanced AI regulation bills in 2026, each with different scopes and requirements. California's proposed AI safety bill, which would mandate pre-deployment testing for models above a certain compute threshold, is working its way through the legislature.

This patchwork is exactly what the pro-industry faction says it wants to avoid. Companies operating across state lines now face the prospect of complying with multiple, potentially contradictory regulatory regimes — a compliance burden that a single federal framework would eliminate. The irony is that the administration's hands-off approach, intended to reduce the burden on AI companies, is creating a more fragmented and uncertain regulatory environment than the Biden order it repealed.

The private-sector substitute In the absence of government action, Anthropic has launched Project Glasswing, which gives vetted organizations access to Mythos for cybersecurity testing. It is, in effect, a private-sector substitute for the government evaluation program that the White House cannot agree on.

This is not a sustainable solution. Anthropic is a single company with its own commercial interests. Project Glasswing operates at Anthropic's discretion, covers only one model family, and provides no mechanism for evaluating competitors' systems. A functioning regulatory framework would evaluate all frontier models through a transparent, accountable process — not depend on the goodwill of whichever company happens to have developed the most capable system.

What this means for you If you work in technology, the regulatory vacuum means your company operates in a gray zone where no clear federal rules govern AI development, deployment, or safety testing. State-level rules are proliferating, and compliance costs are rising. If you work in cybersecurity, Mythos proved that AI can find vulnerabilities faster than any human team — and the government has no structured way to ensure those capabilities are used responsibly. If you are an ordinary person using the internet, the software you rely on was just shown to contain thousands of vulnerabilities that only an AI system could find — and the government cannot currently require any evaluation before the next, more capable model is released.

The knife fight in the White House is not abstract. It has already left the country without the tools to respond to the most significant AI capability demonstration of the year. The models will keep getting more powerful regardless of whether regulators can agree on what to do about them.