Biden issues Executive Order on AI

President Biden’s Executive Order seeks not only to establish guardrails for managing AI risk but also to promote American innovation and leadership in the field.

The Executive Order focuses on eight main policy areas:

  • New standards for AI safety and security.
  • Promoting responsible innovation, competition, and collaboration.
  • Commitment to responsible development and use of AI in supporting workers.
  • Dedication to advancing equity and civil rights.
  • Protecting consumer interests in critical fields like health care, financial services, education, housing, law, and transportation.
  • Protecting Americans’ privacy and civil liberties.
  • Ensuring responsible and effective government use of AI.
  • Advancing American leadership in AI abroad.

Here are some of the most important highlights:

  • Guidelines, Standards, and Best Practices for AI Safety and Security. The Secretary of Commerce (through NIST), in coordination with the Secretaries of Energy and Homeland Security and the heads of other relevant agencies, must establish guidelines and best practices, including the following: (1) developing a companion resource to the NIST AI Risk Management Framework (NIST AI 100-1), for generative AI; (2) developing a companion resource to the Secure Software Development Framework to incorporate secure development practices for generative AI and for dual-use foundation models; and (3) launching an initiative to create guidance and benchmarks for evaluating and auditing AI capabilities, with a focus on capabilities through which AI could cause harm, such as in the areas of cybersecurity and biosecurity. The Secretary of Commerce must also establish appropriate guidelines, including appropriate procedures and processes, to enable AI developers to conduct red-teaming tests. (Red-teaming is the use of ethical hackers to test an entity’s system, allowing the entity to identify and resolve any vulnerabilities.)
  • AI Developer Cooperation with the Federal Government. Companies developing or demonstrating an intent to develop potential dual-use foundation models will be required, on an ongoing basis, to provide the federal government with information, reports, or records regarding the following: (1) any ongoing or planned activities related to training, developing, or producing dual-use foundation models, including the physical and cybersecurity protections taken to assure the integrity of that training process against sophisticated threats; (2) the ownership and possession of the model weights of any dual-use foundation models, and the physical and cybersecurity measures taken to protect those model weights; and (3) the results of any developed dual-use foundation model’s performance in relevant AI red-team testing based on guidance developed by NIST.
  • Large-Scale Computing Cluster Reporting. Companies, individuals, or other organizations or entities that acquire, develop, or possess a potential large-scale computing cluster will be required to report any such acquisition, development, or possession, including the existence and location of these clusters and the amount of total computing power available in each cluster. The relevant federal agencies will be responsible for defining the conditions for models and computing clusters that would be subject to this reporting requirement.
  • Regulations for U.S. Infrastructure-as-a-Service (IaaS) Providers regarding Foreign Transactions. The Executive Order directs the Secretary of Commerce to propose regulations that would require IaaS providers in the United States to submit reports to the federal government when foreign persons transact with the providers to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.
  • Reduction of Risks Posed by Synthetic Content. The Executive Order directs the Secretary of Commerce to submit a report identifying the existing standards, tools, methods, and practices, as well as the potential development of further science-backed standards and techniques for (1) authenticating content and tracking its provenance; (2) labeling synthetic content, such as using watermarking; (3) detecting synthetic content; (4) preventing generative AI from producing child sexual abuse material or producing non-consensual intimate imagery of real individuals; (5) testing software used for the above purposes; and (6) auditing and maintaining synthetic content.
  • Development of a National Security Memorandum. The Executive Order directs key national security offices to develop a National Security Memorandum on AI that addresses the governance of AI used as a component of a national security system or for military and intelligence purposes.
  • Promotion of AI Talent. The Secretaries of State and Homeland Security must take appropriate steps to streamline processing times of visa petitions and applications for noncitizens who seek to travel to the United States to work on, study, or conduct research in AI or other critical and emerging technologies.
  • Understanding AI Implications for Workers. The Executive Order calls for a report addressing AI-related workforce disruptions, potential legislative measures, and best practices for employers that could be used to mitigate the potential harm that AI might pose to employees’ well-being.
  • Civil Rights Offices Cooperation Concerning Issues Related to Algorithmic Discrimination. The Executive Order directs the Assistant Attorney General in charge of the Civil Rights Division and the heads of other civil rights offices within regulatory agencies to discuss AI and algorithmic discrimination, public awareness of potential discriminatory use of AI, use of AI in the criminal justice system, and other related topics.
  • Establishing a Strong International Framework for Managing AI Risks and Benefits. The Executive Order calls for increased efforts to expand engagements with international allies and partners in developing global technical standards for AI development and use outside of military and intelligence areas.
  • Creation of the White House AI Council. The function of the White House AI Council is to coordinate the activities of agencies across the federal government to ensure the effective formulation, development, communication, industry engagement related to, and timely implementation of AI-related policies.
  • Creation of the AI Safety and Security Board. The Secretary of Homeland Security will establish the AI Safety and Security Board as an advisory committee with AI experts from the private sector, academia, and government. The purpose of the AI Safety and Security Board is to provide advice and information for improving security, resilience, and incident response related to AI usage in critical infrastructure.

The Executive Order is extensive in its breadth and is expected to shape federal policy surrounding AI. Companies developing large AI models, IaaS providers lending their computing power for AI uses, government contractors, other entities in key industries (such as health care, financial services, housing, etc.), and companies already using or intending to use AI in business operations, should pay close attention to the requirements, programs, and reports that are issued under this Executive Order.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary and recommended updates to their privacy, information technology and security, and compliance programs to address these complex and evolving developments. If you would like additional information on how this Executive Order may affect your organization, please contact us at

  • Carolyn C. Ho

    Carolyn is a member of the Constangy Cyber Team and is based in New York. She assists clients with the development and implementation of comprehensive data security and privacy compliance programs in accordance with federal, state ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 


* indicates required
Back to Page