The June 2026 AI Executive Order: What federal agencies need to know and how Tenable can help
2026-6-4 23:33:0 Author: www.tenable.com

On June 2, 2026, the White House signed an Executive Order directing federal agencies to harden their systems with AI-enabled cyber defenses and to stand up a new AI cybersecurity clearinghouse — most of it on a 30-day clock. Here’s what the EO requires and how Tenable can help.

Key takeaways:

  • The new AI Security Executive Order will require national security and civilian federal agencies to prioritize cyber defenses to account for new frontier AI model capabilities.
     
  • Tenable is well positioned to help federal agencies gain visibility across their environments, including AI assets, and to prioritize the vulnerabilities and other exposures that pose the highest risk; Tenable AI-enabled exposure management capabilities can help support vulnerability remediation and automate multi-step remediation workflows.
     
  • The vulnerability and patching clearinghouse that will be developed under the Executive Order will require strong engagement from private sector partners, including Tenable, to drive actionable insights on AI-associated vulnerabilities and mitigation prioritization.

On June 2, 2026, the President signed an Executive Order (EO) titled “Promoting Advanced Artificial Intelligence Innovation and Security.” The direction is clear and the calls to action are fast-moving. Within 30 days: 

  • Federal agencies must begin hardening their information systems with AI-enabled cyber defenses.
  • CISA must issue new directives or guidance for civilian agencies.
  • The Department of the Treasury (Treasury), with the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), must stand up a new AI cybersecurity clearinghouse focused on finding and fixing software vulnerabilities. 

Within 60 days, Treasury, with the Department of War (DoW), NSA and CISA, in consultation with the White House and other agencies, must establish a classified benchmarking process to assess the capabilities of frontier AI models through voluntary collaboration with AI developers.

While the Executive Order applies to U.S. federal agencies, the need to prepare for changes in the threat landscape brought about by the advanced cyber capabilities of frontier AI models applies to any organization that needs to manage cyber risk. Here’s a breakdown of what the AI EO requires, the deadlines that matter, and where Tenable fits.

What the AI Executive Order requires

The EO’s operative provisions sit in Section 2 (“Upgrading American systems for advanced AI”) and Section 3 (“Secure frontier model deployment”). The cybersecurity core is in Section 2.

Within 30 days: 

National security and defense systems. The Committee on National Security Systems must prioritize the cyber defense of National Security Systems (NSS) and the Secretary of War must do the same for DoW information systems (Section 2(a) and 2(b)).

Civilian federal systems and critical infrastructure. CISA, in consultation with the Office of Management and Budget (OMB), the Assistant to the President for National Security Affairs, and the National Cyber Director, must release Binding Operational Directives (BODs) “and other guidance as appropriate” to:

  • Expedite and prioritize the cyber defense of civilian federal information systems.
  • Establish or expand federal programs and services that enhance AI-enabled defensive tools.
  • Facilitate access to cybersecurity tools and services, including where appropriate, covered frontier models, for agencies, state and local authorities, and critical infrastructure operators such as rural hospitals, community banks, and local utilities.

It is worth noting that while the EO directs CISA to release BODs or other guidance for federal civilian agencies, the specific implementation directives are not yet known (Section 2(c)).

The AI cybersecurity clearinghouse. The Secretary of the Treasury, with the National Cyber Director, NSA, and CISA, must form an AI cybersecurity clearinghouse, in voluntary collaboration with the AI industry and critical infrastructure operators. The EO tasks the clearinghouse with three concrete functions, per Section 2(d): 

  • Coordinate and deconflict scanning for software vulnerabilities
  • Discover and validate those vulnerabilities
  • Coordinate and prioritize the remediation and distribution of vulnerability patches

Grant funding for AI vulnerability detection. OMB, with the National Cyber Director and CISA, must determine whether existing federal grant programs have funding that can be directed toward applicants developing advanced AI vulnerability detection (Section 2(e)).

Within 60 days: 

Cybersecurity workforce. The Office of Personnel Management must expand hiring and placement pathways for cybersecurity specialists through the United States Tech Force (Section 2(f)). 

Secure frontier model deployment. Treasury, NSA, and CISA, in consultation with NIST and others, must develop a classified benchmarking process to assess the advanced cyber capabilities of AI models. They must also set the threshold for designating a “covered frontier model,” and design a voluntary framework through which developers can give the government up to 30 days of pre-release access to those models. The Executive Order is explicit that it does not create any mandatory licensing, preclearance, or permitting requirement for AI models (Section 3).

No fixed deadline:

Criminal enforcement. The EO directs the Attorney General to prioritize enforcement against those who use AI to illegally access or damage computer systems (Section 4).

For federal cybersecurity leaders, this is less a future-state policy document than a near-term planning trigger. Watch for CISA’s issuance of BODs and other guidance, and for readouts on the clearinghouse, during June and July.

How Tenable can help

The EO’s center of gravity — finding software vulnerabilities, validating them, prioritizing them, and driving remediation — is the work Tenable's platform is built to do. While the AI Executive Order focuses on vulnerability discovery, validation, prioritization, and remediation, the benefit of the Tenable One Exposure Management Platform is that it addresses vulnerabilities alongside other security weaknesses, including misconfigurations of AI systems and overpermissioned AI agents, to serve as the system of action for mitigating cyber exposure and reducing cyber risk across organizations’ expanding attack surfaces. Below, learn how specific Tenable capabilities map to the EO’s requirements.

Continuous vulnerability detection across the attack surface

Sections 2(a) through 2(d) turn on the ability to find vulnerabilities across a wide range of systems continuously. Tenable One Vulnerability Management and Tenable Security Center provide network-based and agent-based assessment across IT assets, with credentialed scanning for greater depth. Tenable One Cloud Exposure extends that visibility to cloud workloads and configurations, and Tenable One Attack Surface Management maps internet-facing assets that agencies may not know they have. 

For agencies operating classified or air-gapped environments — relevant to the National Security Systems named in Section 2(a) — Tenable Enclave Security is built to run vulnerability and configuration assessment inside those boundaries.

Risk-based prioritization, not “patch everything”

Section 2(d) doesn’t only call for discovering vulnerabilities — it calls for prioritizing them for remediation. That distinction matters because no agency can patch everything at once.

Tenable’s Vulnerability Priority Rating (VPR) uses machine learning, trained on the company’s corpus of more than 1.7 trillion security findings accumulated over more than 25 years of continuous scanning, to forecast which vulnerabilities are most likely to be exploited, so defenders can focus on the smaller set that represents real, immediate risk. By leveraging AI-generated features and expert intelligence from Tenable's Research Special Operations team, VPR helps organizations pinpoint the critical 1.6% of vulnerabilities that represent actual business risk. Tenable also ingests CISA’s Known Exploited Vulnerabilities (KEV) catalog — the continuously updated, authoritative list of Common Vulnerabilities and Exposures (CVEs) under active exploitation — directly into prioritization, aligning remediation guidance to the same source CISA uses to track risk across the federal enterprise. 

AI-enabled defensive tooling

Section 2(c) directs CISA to establish or expand programs that enhance AI-enabled defensive tools. As frontier AI models accelerate the rate at which vulnerabilities can be discovered and exploited, the traditional window for manual remediation is rapidly closing. The June 2026 AI Executive Order recognizes this shift, directing federal agencies to counter machine-speed threats with AI-enabled cyber defenses within 30 days.

Tenable Hexa AI, the agentic engine of the Tenable One Exposure Management Platform, is designed to help counter machine-speed threats, supercharge productivity, and accelerate risk reduction by automating multi-step remediation workflows. Security teams can leverage pre-built agents directly in the user interface or build custom agents via the Model Context Protocol (MCP), turning exposure intelligence into decisive action at machine speed. 

At the same time, as agencies build custom models or adopt third-party tools like ChatGPT and Copilot, they fundamentally expand their attack surface. It is now critical to protect enterprise AI, shadow AI, training data, and underlying infrastructure from emerging threats like adversarial attacks, data poisoning, and model theft. Tenable secures this expanding attack surface with Tenable One AI Exposure, which is designed to help agencies see, manage, and control the risks introduced by generative AI. Tenable One AI Exposure allows agencies to discover and inventory AI tools and libraries, and apply AI usage policies across the environment — a growing requirement as agencies adopt AI and need to account for it as part of their attack surface. By addressing critical supply chain vulnerabilities and a lack of identity controls, Tenable actively closes the growing AI exposure gap to ensure agencies can adopt new technologies without introducing unmanaged business risk. 

Recognized by Gartner as the company to beat for AI-powered exposure assessment, Tenable has cemented its role as the go-to platform for organizations looking to stay ahead of risk in an increasingly AI-driven threat environment. 

Discovering and validating vulnerabilities at scale

The vulnerability and patching clearinghouse provision is arguably the most operationally consequential requirement in the AI Executive Order because it describes a capability, not a policy: the need to coordinate vulnerability scanning, discover and validate vulnerabilities, and prioritize remediation. That is the work the Tenable One platform and research organization are built to do, and the AI-enabled dimension of that work is already in production.

For scanning at scale, the Tenable platform (including Tenable One Vulnerability Management, Tenable Security Center, Tenable Nessus, Tenable One Cloud Exposure, and Tenable One OT Exposure) handles millions of daily scans across critical infrastructure using non-intrusive methods, which is essential for avoiding disruption in government environments.

In vulnerability discovery and validation, Tenable Research has publicly disclosed over 450 zero-day vulnerabilities and tracks 1,000 zero-days tagged all-time. Additionally, the Tenable Research team tracks more than 2,000 vulnerabilities that have been verified to be exploited in the wild. The team uses a hybrid intelligence model that combines expert analysis with large language models, resulting in a curated library of over 11,000 CVEs that is enriched with exploitation evidence and threat actor links and operates independently of the National Vulnerability Database (NVD).

For vulnerability prioritization and remediation, Tenable's Vulnerability Priority Rating (VPR) provides an advantage by not relying on NVD severity scores, a key consideration given recent changes limiting NVD enrichment. Tenable Research consistently identifies actively exploited vulnerabilities a median of seven days before they appear on CISA’s Known Exploited Vulnerabilities catalog. In addition, Tenable Hexa AI automates remediation workflows, and Tenable One AI Exposure helps agencies inventory AI tools and libraries, addressing the expanding attack surface.

Protecting critical infrastructure: hospitals, banks, and utilities

Section 2(c)(iii) directs CISA to facilitate access to cybersecurity tools for rural hospitals, community banks, and local utilities. Note the verb facilitate: this is an access-and-incentive provision, not a mandate imposed on those operators. Many of these organizations have historically lacked the budget and staff for enterprise-grade vulnerability management.

Tenable One OT Exposure is built for the operational technology environments common in utilities and healthcare delivery, including industrial control systems and SCADA networks. It has been listed on CISA’s Continuous Diagnostics and Mitigation (CDM) Approved Products List since October 2021. Tenable's research into threat activity targeting operational technology at water and energy utilities gives these operators current, actionable context for the risks this provision is meant to address.

Funding the work: grant programs under Section 2(e)

Section 2(e) directs OMB to identify federal grant funding that can be steered toward advanced AI vulnerability detection. Several existing programs already fund this kind of work, including the State and Local Cybersecurity Grant Program (SLCGP) and the Department of Energy's Rural and Municipal Utility Advanced Cybersecurity Grant (RMUC) program. Tenable solutions help fulfill SLCGP requirements, and Tenable works with public sector customers and channel partners to align purchases to available grant funding. 

Security for AI and AI for cybersecurity

The June 2026 Executive Order moves AI policy toward operational cybersecurity, and it does so on a short clock. The provisions that matter most — continuous detection, validation, risk-based prioritization, and remediation — describe the discipline of exposure management. Agencies that already have those practices and tools in place will be best positioned to meet the EO’s requirements as CISA, Treasury, and OMB translate it into specific directives, programs, and funding over the coming weeks.

Source: https://www.tenable.com/blog/summary-june-2026-ai-executive-order-requirements