Covered frontier models and the 30-day review window — when government access and partner access become the same access pattern

Two announcements landed within 48 hours that share a structural argument: capability above a threshold gets a controlled-access tier before the public sees it. The Trump executive order makes the federal government one of the tiered-access customers; Anthropic's Project Glasswing expansion makes 150 critical-infrastructure organizations the same. The frontier-model release pipeline has stopped being a single-event launch and become a stack of pre-release windows. The question is who else gets a window — and who decides.

The June 2 executive order and the June 1 Project Glasswing expansion are usually filed under different topics — one is AI policy, the other is enterprise security partnerships. Read together they describe the same architectural shift in how frontier models reach the world. Pre-release windows for designated partners are no longer the exception; they are becoming the default release pattern for any model that crosses a capability threshold the labs themselves call "frontier."

The executive order signed Tuesday is voluntary, narrow, and explicit about what it is not. It does not create a licensing regime. It does not preclear models. It invites developers to give the federal government up to 30 days of pre-release access to "covered frontier models" for national security and cybersecurity evaluation. The order is also explicit about who else gets the window: the government helps select "trusted partners" for early access alongside it. That second clause is the part that matters more than the headline 30-day number.

What that clause describes is the access pattern Anthropic has already been running for six weeks. Project Glasswing's expansion to 150 new organizations, with $100M in Claude Mythos Preview usage credits, is a fully operational version of the tiered-access model the EO sketches. Twelve launch partners (AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and Anthropic itself) ran the first cohort and surfaced more than 10,000 high- or critical-severity vulnerabilities in widely-deployed software. The Mythos-class capability that produced those results is not yet, and per Anthropic will not soon be, available to the public.

The reason Anthropic gives — and it is a defensible reason — is that the same coding capability that finds the bugs can exploit them. The Cloudflare write-up on the Glasswing partnership phrased it bluntly: a general-purpose frontier model has reached a level of coding capability where it can surpass all but the most skilled humans at finding and exploiting software vulnerabilities. Releasing that capability broadly before defenders have patched in a Mythos-aided sweep would hand the same tool to attackers. The pre-release window is the patch-window. That is a coherent safety argument; it is also a pricing argument, a partner-loyalty argument, and a regulatory-engagement argument all at once.

Stack the two announcements and the structure of the next-generation frontier release becomes legible. A model finishes training. The lab runs internal red-teaming. A government window of up to 30 days opens for national-security evaluation. A critical-infrastructure partner cohort gets parallel access for defense-side preparation. Distribution-layer partners (AWS, Microsoft, Google Cloud) get pre-integration access for inference rollout. Some weeks later — possibly months, in the Mythos case — broad availability begins. At every layer, capability flows to the parties most able to absorb the risk it creates, in the order of their ability to absorb it. The public is the last tier, not the first.

The honest critique is that this stack concentrates capability access in the hands of incumbents who already had it. The named Glasswing partners are the largest cloud, security, and finance firms in the world. The government's "trusted partner" selection authority under the EO will, in practice, route to the same names. Startups, academic security researchers, independent open-source maintainers, and non-US defenders are not on the list. That is partly defensible — concentrating cyber-offensive capability narrows the misuse surface — and partly a structural feature of how AI policy is being drafted by the parties with the most to lose from a different structure.

The throughline worth watching through Q3: whether the "covered frontier model" designation under the EO converges with Anthropic's internal Mythos-class threshold, with OpenAI's GPT-5-and-beyond threshold, with the AISI-style capability evaluations that have been running quietly in the UK. If those thresholds converge, frontier-model release becomes a regulated-distribution process with publicly known tiers, even if the order's text says "voluntary." If they diverge, the labs will run their tiered-access programs on their own terms and the government window becomes one customer among many — which, given the operational reality of Glasswing, is closer to what is already happening.

Anthropic — Expanding Project Glasswing → · CNBC — Trump signs AI executive order asking companies to give government early access to models → · The White House — Promoting Advanced Artificial Intelligence Innovation and Security →