Before Google’s next frontier AI model reaches a single user, federal evaluators working in classified facilities will have already tried to break it. The same goes for upcoming systems from Microsoft and Elon Musk’s xAI. All three companies signed voluntary agreements in May 2026 with the Commerce Department’s Center for AI Standards and Innovation, known as CAISI, granting government testers pre-release access to their most powerful AI systems. The goal: probe those models for national security risks, including the potential to help someone build a bioweapon, launch a cyberattack, or synthesize dangerous chemicals, before the technology goes live.
What the agreements actually say
CAISI, which operates within the National Institute of Standards and Technology, publicly confirmed the new deals in May 2026, calling them “frontier AI national security testing” agreements. They are voluntary, not required by any law, and they follow a template the government first used in August 2024, when the predecessor office, then called the U.S. AI Safety Institute, signed similar arrangements with Anthropic and OpenAI.
Those earlier deals gave federal teams access to major new models both before and after public release. The expanded roster now covers five of the most prominent frontier AI developers on the planet.
The name change from “AI Safety Institute” to CAISI was not cosmetic. In a Commerce Department statement accompanying the rebrand, U.S. Secretary of Commerce Howard Lutnick described the shift using language that emphasized a “pro-innovation, pro-science” direction, signaling that the office would still screen for dangerous capabilities but would position itself as a partner to industry rather than a quasi-regulator. That framing matters: companies can present their participation as a sign of responsibility without conceding any formal regulatory authority over their release schedules.
Who actually runs the tests
CAISI acts as a hub, but it does not work alone. According to the center’s own program description, it coordinates evaluation methods with the Department of Defense, the Department of Energy, the Department of Homeland Security, and the intelligence community. In practice, that means some of the most sensitive test scenarios are likely designed by security agencies drawing on their own classified threat models.
Think of it as a relay: CAISI manages the relationship with each AI company, but the hardest questions about what a model could do in the wrong hands come from agencies whose day jobs involve tracking those exact threats.
To solve the thorny problem of testing proprietary model weights without exposing trade secrets, CAISI signed a Cooperative Research and Development Agreement with OpenMined, a privacy-technology nonprofit, earlier in 2026. According to NIST’s announcement, the CRADA is intended to enable secure AI evaluations, though the specific technical methods and infrastructure involved have not been detailed publicly. The broad aim is to let government evaluators inspect model behavior without exposing the company’s intellectual property or letting classified test data leak outside controlled networks.
Companies have long resisted sharing model weights with any outside party for fear of intellectual property theft or competitive exposure. A secure evaluation framework that keeps everything locked down lowers that barrier considerably, and it likely explains why three additional companies signed on within months of the OpenMined deal.
What the government may actually be seeing
Reporting from The Guardian indicated that companies are providing versions of their models with reduced or removed safety guardrails for these classified reviews. If accurate, that means government evaluators are stress-testing the rawest form of each system, probing capabilities that end users would never encounter in a commercial product.
Neither NIST nor the companies have confirmed the specific technical configuration of the models being submitted. It remains unclear whether the government is seeing fully unfiltered systems or some intermediate version. But the implication is significant: these tests are not about how a chatbot responds to a tricky prompt. They are about what the underlying model is capable of when every safety layer is stripped away.
The big unanswered questions
For all the institutional progress, critical details remain opaque.
Can the government block a launch? Neither CAISI nor the participating firms have stated whether a negative finding could delay or prevent a public release. The agreements are voluntary, which suggests companies keep the final call. But the involvement of DOD, DHS, and the intelligence community raises the possibility that a serious national security concern could generate enough informal pressure to hold back a model, even without a legal mechanism to enforce a delay.
Has any testing actually changed anything? The Commerce Department has not disclosed how many models have been evaluated under the earlier Anthropic and OpenAI deals, what risks those evaluations flagged, or whether any company modified a system in response. Without that data, outside observers cannot judge whether the testing has produced actionable findings or functions primarily as a trust-building exercise.
Will the public ever learn what evaluators find? CAISI has not committed to publishing regular summaries of its results, and there is no public reporting requirement built into the voluntary agreements. If the agency discovers that a model can, say, walk a user through synthesizing a dangerous pathogen, it is not clear whether that information would ever reach the public or even non-participating companies building similar systems.
How this fits into a broader global picture
The United States is not the only country building pre-release testing pipelines. The United Kingdom’s AI Safety Institute, now rebranded as the AI Security Institute, has its own agreements with several of the same companies and conducted evaluations that were referenced at the 2024 AI Seoul Summit. The European Union’s AI Act, which began phased enforcement in 2025, takes a more prescriptive approach, requiring conformity assessments for high-risk AI systems before they can enter the EU market.
What distinguishes the U.S. model is its reliance on voluntary cooperation rather than legal mandate, and its direct pipeline into classified defense and intelligence infrastructure. That gives CAISI access to threat scenarios that no civilian regulator could replicate, but it also means the entire system depends on companies continuing to opt in.
What to watch as CAISI’s testing pipeline expands
The clearest signal that this program is maturing beyond a handshake arrangement would be any move toward aggregate transparency: statistics on how many models have been tested, what categories of risk come up most often, and how frequently companies adjust their systems based on government feedback. Even redacted or summary-level reporting would mark a meaningful shift from the current setup, which operates almost entirely behind closed doors.
For now, the U.S. government is steadily building a pre-release review process for the most advanced AI systems on Earth, held together by voluntary cooperation, privacy-preserving technology, and the quiet involvement of agencies whose threat assessments remain classified. Whether that process ultimately shapes when and how powerful models reach the public, or simply becomes another procedural step on the path to launch, depends on decisions that have not yet been made and may never be made public.
*This article was researched with the help of AI, with human editors creating the final content.