Site Search Site Search

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Menu

Loading Results

The Next Move - Special Edition

What America’s AI plan means for cyber and risk leaders

  • August 14, 2025

The issue

The White House recently issued its roadmap for accelerating US leadership in artificial intelligence. While focused on government efforts to spur AI innovation and security, Winning the Race: America’s AI Action Plan sets the stage for private sector alignment by signaling where the government will reduce compliance burdens and drive self-regulation. As your company pursues its own AI acceleration plan, you’ll need to mount a parallel effort to strengthen your security and controls.

 The plan, which frames AI as a national security imperative, seeks to reduce regulatory hurdles, encourage private-sector innovation, promote open-source models, foster unbiased AI and pursue changes to export controls on advanced technology and semiconductors. These and other recommended actions are intended to support three core objectives — accelerate AI innovation and adoption, build secure AI infrastructure and counter technology advances by foreign rivals. 

Security, risk and compliance executives in the private sector have a key role to play. To help your company move quickly in this space, these leaders should strategically pursue controls that balance mitigation of AI-related risks with speed-to-market objectives.

The impact  

The AI roadmap, drafted pursuant to Executive Order 14179, identifies more than 90 federal policy measures the Trump administration will likely pursue in the coming weeks and months. Accompanying the plan are three related executive orders, which the White House issued in support of the plan’s three pillars. Taken together, these are policy recommendations to be implemented by federal agencies and institutes.

For security, risk and compliance leaders, here are some of the most salient recommendations.

Domain Policy actions PwC’s perspective
Security  Security-related actions include calls to develop secure-by-design standards for AI systems (models and their applications) across the federal government, to share AI-security threat intelligence across critical infrastructure sectors and to issue guidance on responding to AI-specific vulnerabilities and threats. The plan also recommends collaborating with leading US-based AI developers to help the private sector better secure AI innovations.

Most AI security frameworks today have been developed in silos, custom-built by private organizations trying to retrofit legacy cybersecurity standards onto a rapidly evolving technology landscape. 

 

While this approach has offered short-term solutions, it’s also resulted in inconsistent practices, unclear accountability and uneven levels of protection across industries. 

 

CISOs should closely track the evolution of federal standards governing both foundational model security and the applications built on top of them. Aligning with these standards can help organizations avoid the complexity and inconsistency of developing their own security frameworks, easing the burden on internal resources while promoting broader interoperability and assurance.

 

When supported by AI-specific threat intelligence and actionable remediation guidance, evolving standards can enable the private sector to build more consistent, resilient and proactive AI security practices. Organizations shouldn’t just rely on these standards; they should also prepare to consume and apply emerging AI threat intelligence. A critical first step is inventorying current AI use across the enterprise, both model development and adoption, so that new insights can be rapidly operationalized.

Risk and controls

 

 

 Actions impacting risk and controls include a call to revise the NIST AI Risk Management Framework (RMF) and to spur development and proliferation of open-source and open-weight AI models.

The scope of the RMF will be narrower but will continue to evolve. Companies will have to confirm that their models are fit-for-purpose.

 

Promotion of open-source models introduces variability in licensing, assurance and security. Risk leaders should strengthen third-party risk management programs to evaluate AI provider controls. They should also proactively develop internal policies governing open-source AI adoption, including usage guidelines, assurance expectations and IP considerations.

 

Collectively, these recommendations suggest companies should mature their AI governance and control infrastructure before further federal guidance is finalized. Those that operationalize controls now will be best positioned to meet emerging expectations without disruption.
Regulatory Deregulatory actions include recommendations to repeal rules that “unnecessarily hinder” AI development or deployment, expedite environmental permitting for AI infrastructure and review ongoing FTC investigations to confirm that they don’t unnecessarily burden AI innovation. Also, agencies should withhold funding in states with burdensome AI regulations, and the FCC should evaluate whether state AI regulations interfere with its statutory duties.

These actions signal a shift toward easing regulatory barriers to support AI innovation. But deregulation doesn’t mean a lack of oversight — it reflects a move toward rationalized regulation. 

 

Companies should proactively monitor changing requirements and watch for federal preemption signals in heavily regulated sectors like healthcare and banking.

 

Legal and compliance teams should build processes to monitor changing requirements, update internal policies and coordinate with technical teams in an agile way. As regulations shift, companies should assess the impact quickly and adapt their approaches accordingly.

 

Companies should recognize that while the US is prioritizing deregulatory policies, the EU, China and others are still using regulation across AI developers, service providers and companies employing AI in their operations.
Export controls Recommended actions include increased global semiconductor export control enforcement and a greater focus on all elements of the chip and AI supply chain — with tighter tracking of advanced AI compute through location verification methods and an emphasis on chip manufacturing subsystems. The plan also urges collaborative efforts such as plurilateral policies to curb unauthorized exports and a technology diplomacy plan to align AI protections. The accompanying EO on AI tech stack export controls builds on these recommendations. This outlook drives a narrower focus and higher anticipated level of control on industry awareness of their supply chains. Companies can expect continued scrutiny on maintaining and appropriately supporting traceability of their full product life cycle. This visibility includes awareness of hardware location and demands similar attention to supporting intangibles: like AI and semiconductor manufacturing software, data and models. Proposed global collaboration efforts to enhance AI protections also demand agility in supporting a shifting regulatory environment.

Your next move  

Prepare for the coming policy actions and consider developing your company’s own AI acceleration plan. To get there responsibly, rely on proactive measures and strategic inputs from your security, risk and compliance leaders.

Start by engaging in high-level scenario planning to understand how these changes may impact or disrupt your company’s business objectives, operating models and broader value chains. Translate these policy shifts into strategic business risk language for executive stakeholders. Advocate for proactive investment in AI security and risk management capabilities to help avoid costly catch-up as policies change and threats evolve.

Let’s look at some additional steps by leadership area. 

Federal AI security standards are reshaping how organizations should manage AI security. You should take this moment to align strategies, strengthen controls and prepare for a more unified, threat-informed security posture.

  • Approach AI security as a strategic extension of existing cybersecurity capabilities. While many traditional controls will remain relevant, emerging threats to AI systems will require new safeguards and tailored responses. Preparing now for anticipated federal guidelines and potential gap analyses can help confirm that your current security framework is ready to address the evolving risk terrain.
  • Expand secure-by-design capabilities to include enterprise and citizen-led development patterns for AI. Consider how AI security controls can be established as the default option throughout the software development life cycle. 
  • Begin differentiating between human and agentic identities as digital teammates start proliferating across your organization.
  • Treat AI systems — including models, agents and their identities, and training data — as distinct security assets. Inventory and classify them based on sensitivity, criticality and exposure, then integrate them into broader enterprise risk management efforts. This includes strengthening third-party due diligence to help uncover risks associated with external use of your data by AI systems.
  • Develop response procedures for AI-specific incidents, including unauthorized model access, compromised sources and generative content misuse. Train IR teams and run tabletop exercises focused on these new threat categories.
  • If you’re providing AI-enabled services to the government, put the onus on the model providers to certify that they’ll meet the requirement of unbiased service.

As AI capabilities scale and federal policy actions start taking shape, risk leaders face growing pressure to anticipate downstream impacts across the enterprise. Your priority isn’t just managing new categories of risk — it’s understanding how emerging AI use cases and regulatory changes may affect your organization’s overall risk posture, governance processes and ability to respond with speed and clarity.

  • Contribute to enterprise scenario planning by identifying AI-related risks — such as regulatory shifts, model restrictions and third-party exposure — that could materially impact business objectives or enterprise risk appetite. Coordinate with your strategy, operations, technology, compliance and legal teams to confirm that risk considerations are reflected in broader business planning.
  • Update enterprise risk taxonomies to reflect AI-specific risks such as model misuse, hallucination, drift, third-party model failures and generative content exposure. Collaborate with legal, compliance and audit teams to promote consistency across risk registers, policies and escalation protocols.
  • Enhance board- and executive-level risk reporting by incorporating metrics and qualitative assessments related to AI model deployment, usage scale and alignment with anticipated regulatory expectations. 
  • Integrate AI-related risk into integrated risk management (IRM) programs, including GRC tooling, internal audit plans and control-testing cycles. Align closely with CISOs and legal, compliance and audit leaders to coordinate risk ownership, control coverage and remediation pathways as AI is embedded deeper into operations.
  • For multinationals, confirm that international regulations are considered in addition to the US government positions.

Continue to anticipate risk, protect enterprise value and identify where current strategies may need recalibration. Balancing compliance with operational flexibility to respond to future changes, restrictions or market shifts — and evaluating how to embed agility across sourcing, product development, operations and workforce processes — will be critical.

  • Identify and maintain oversight of intangible content such as software, data, models and other technology. While this applies to all products, it’s now especially critical for semiconductor subsystems and full AI stacks. 
  • Champion embedded compliance, from concept to finished product. Work with cross-functional leaders — from engineering, supply chain, trade, operations, logistics, technology, finance and others — to integrate compliance controls into the entirety of your design and production process. From concept to final delivery or integration, awareness of the controls on hardware and subsystems, related software, models and other technology is imperative.
  • Launch and maintain organizational assessments of gaps, risks and maturity across your compliance risk areas, with specific focus on global development touchpoints.
  • Define or reinforce your approach to AI. Whether you’re developing models or leveraging them for efficiency, clearly stating and communicating your organization’s approach to managing AI helps to guide teams in their approaches.
  • Create or bolster a cross-functional monitoring team to identify, interpret and respond to rapidly evolving requirements domestically and abroad.

{{filterContent.facetedTitle}}

Follow us

© 2017 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.