The White House might vet AI models before launch, and Europe's high-risk AI rules likely move to 2027
- Zsolt Tanko

AI Business Risk Weekly
This week, the White House is weighing mandatory pre-deployment review of AI models, reversing course after tossing out Biden’s AI oversight framework on day one. The EU reached a provisional agreement to move high-risk AI obligations to late 2027, and Oxford researchers found that making chatbots warmer increased factual errors by 60%. Finally, Anthropic launched Claude Security as a public beta, releasing a limited version of Opus 4.7 to help scan codebases for vulnerabilities.
White House considers executive order requiring pre-deployment AI model review
The Trump administration is considering an executive order to create a formal review process for frontier AI models before they are released to the public. National Economic Council Director Kevin Hassett compared the concept to FDA drug approval, saying he wants every new model to go through a safety review. This was likely triggered by Anthropic's Mythos model and its offensive cybersecurity capabilities. If the White House proceeds, it would be a huge reversal. Just last year, David Sacks publicly accused Anthropic of "fear-mongering" to pursue regulatory capture.
Regardless of any executive order, the AI industry seems to be moving in the same direction. NIST's Center for AI Standards and Innovation (CAISI) announced agreements with Google DeepMind, Microsoft, and xAI to conduct pre-deployment evaluations of their frontier models, joining OpenAI and Anthropic.
Business Risk Perspective: U.S. policy, and AI labs on their own, are moving toward pre-release oversight. The CAISI agreements mean government evaluation of frontier models is becoming a de facto industry norm regardless of any executive order. This is good news for AI safety, but if the comparison to FDA drug approval is a valid one, it likely means a much slower pace of frontier model deployment. Businesses should watch these developments closely.
EU Omnibus deal delays high-risk AI obligations to December 2027, but transparency deadlines hold
On May 7th, the Council presidency and European Parliament reached a provisional agreement to delay the EU AI Act's high-risk system obligations. Assuming the agreement is finalized this summer, obligations for Annex III systems including hiring, credit scoring, insurance, education, and law enforcement now apply from December 2nd, 2027 instead of August 2nd, 2026. Embedded systems move to August 2028.
The agreement also prohibits AI-generated non-consensual intimate content and CSAM, extends SME exemptions to small mid-caps, and clarifies the AI Office's supervisory scope. The deadline for watermarking of AI-generated content was moved to December 2nd, 2026.
Business Risk Perspective: The case for the delay is strong, and this gives organizations real breathing room. Harmonized standards and conformity assessment procedures still aren't ready, and their absence was the main justification for the extension.
That being said, December 2027 is twenty months away, which is an absolute eternity in AI. The risks in high-risk applications like hiring and insurance are already live. Most of the provisions of the EU AI Act are things companies should be doing regardless. Some requirements, like ensuring AI systems don’t show demographic bias, are already required under anti-discrimination laws, and shouldn’t wait on EU AI Act enforcement.
Oxford: training chatbots to be warmer increased factual errors by 60%
Oxford researchers found that fine-tuning LLMs to be warmer and more empathetic, even while explicitly instructing them to preserve accuracy, led to a 60% increase in incorrect answers across over 400,000 responses. The study tested five models on medical knowledge, disinformation, and conspiracy detection.
Warmer, more empathetic models were 40% more likely to agree with users' incorrect beliefs, and the effect was more pronounced the more vulnerable the prompts were. The researchers also trained models to be colder, as a control, and found that they were as accurate as the originals.
Business Risk Perspective: Every organization fine-tuning or prompt-engineering an LLM for customer interactions is making decisions about tone and personality, usually without measuring tradeoffs between traits like warmth vs. accuracy. This study demonstrates that persona tuning actively reshapes what models will and won't say, and the effect is largest when users are most vulnerable.
Anthropic launches Claude Security for enterprise codebase scanning
Anthropic released the public beta of Claude Security, giving Claude Enterprise customers access to a limited version of Opus 4.7 for automated vulnerability scanning and patch generation. This comes after its somewhat controversial choice to withhold Opus 4.7 from the public because of its powerful cyberattack capabilities.
Technology partners including CrowdStrike, Palo Alto Networks, and SentinelOne are embedding Opus 4.7 into their security products.
Business Risk Perspective: AI cybersecurity capabilities are ramping up quickly, both offensively and defensively. Attackers with current models can discover vulnerabilities faster than most organizations can currently patch them. Periodic manual audits are now mismatched to the speed at which exploitable flaws can be found, so partially automating cybersecurity is an important move.
AI Business Risk Weekly is a Conformance AI publication.



