Before the Rules Exist: How Frontier Labs Are Governing National Security AI Access Themselves

Private Gatekeepers in a Public-Interest Domain

There’s a word for what OpenAI, Anthropic, and a small number of other frontier labs are doing with their national security AI programs. It’s not “partnership.” It’s governance, informal, proprietary, and entirely self-designed.

According to OpenAI’s announcement and initial press reporting, the company has launched a gated government AI access program for biodefense applications. A note on the record here: a T1 cross-reference to OpenAI’s site surfaced a separate cybersecurity program, GPT-5.4-Cyber, under the “Trusted Access for Cyber” banner. OpenAI may have announced both programs in the same reporting window. TJS will update as the program scope is confirmed. What’s not in dispute: OpenAI has built a vetting framework that decides which institutions access this capability.

Reportedly including partners such as Lawrence Livermore National Laboratory, Johns Hopkins Applied Physics Laboratory, and the Coalition for Epidemic Preparedness Innovations, per OpenAI’s announcement, though those names come from T3 sources and haven’t been confirmed at a primary source level. Per OpenAI’s program terms, as reported, access is bounded by wet-lab restrictions designed to limit use to defensive biological research. The model’s performance claims come from OpenAI’s internal evaluation only; Epoch AI review is listed as pending.

Those caveats matter for this story. But they don’t change the structural argument.

The Pattern Is Established

This isn’t the first time a frontier lab has built a national security access program before federal law caught up. It’s closer to the fourth or fifth.

Anthropic has built its own defense access architecture, with AI systems operating inside government environments under contract terms that the company helped design. OpenAI’s cybersecurity access program, the “Trusted Access for Cyber” program, which may be distinct from the biodefense program, already operates on a vetting model where eligibility criteria are vendor-defined. The vertical-specific model strategy, building specialized variants for defense, health, and legal applications, reflects a deliberate decision to expand into high-stakes domains before regulatory frameworks can define the terms of entry.

The registry entry on “The Compliance Moat” (May 29, 2026) named this pattern explicitly: frontier labs are using voluntary governance frameworks to shape what future regulation looks like, establishing the operating norms before legislators arrive to codify them. The biodefense program is that pattern in its most consequential application yet.

Where the Regulatory Framework Doesn’t Reach

No federal law currently governs which organizations can access dual-use biological reasoning AI. That’s not a gap in AI regulation specifically, it’s a gap that predates large language models.

The NIH has biosafety frameworks under 42 C.F.R. Part 73 governing select agents and toxins. DARPA runs its own rigorous program evaluation for defense research contracts. The Department of Health and Human Services operates the Federal Select Agent Program. Each of these frameworks was built for physical biological materials and the laboratories that work with them. None were designed for AI systems that can provide detailed biological reasoning without ever touching a physical specimen.

That’s the capability gap a biodefense AI program fills. It’s also where the regulatory gap is most exposed. An AI model that can assist with pathogen characterization, countermeasure development, or outbreak prediction doesn’t fit neatly into any existing biosafety category. The wet-lab restriction in OpenAI’s program, per initial reports, attempts to draw a line between in-silico assistance and wet-lab execution. But that line is difficult to enforce externally when the vendor is also the entity defining it.

No federal procurement regulation currently specifies how agencies must evaluate AI access terms set by vendors. That means the decision about whether to accept OpenAI’s vetting criteria and access conditions sits with individual contracting officers, agency counsels, and program managers, without a shared standard.

Who’s Affected and What They Need to Know

The institutions most immediately affected split into three groups.

Federal agencies and national labs, DARPA, USAMRIID, NIH’s National Institute of Allergy and Infectious Diseases, and defense-adjacent research institutions, are the target market for this kind of program. For them, the practical question is what documentation OpenAI requires for institutional vetting, how long the access approval process takes, and what happens to data generated through the API. None of those details have been confirmed publicly as of publication.

Federal contractors and commercial biotech firms working on government programs face a subtler problem. If the prime contractor on a federal biodefense program gains access to OpenAI’s capability and a subcontractor doesn’t, that creates an asymmetric information environment within the same contract. FAR clauses don’t currently address AI access parity in subcontracting chains.

AI governance and biosecurity policy researchers are watching this space for a different reason. The vetting criteria OpenAI applies, whatever they are, will become a de facto standard if the program scales. A standard set by one vendor, without public input or regulatory backstop, has no built-in mechanism for challenge or revision.

What Has to Happen Next

The catch is that regulatory catch-up on biodefense AI won’t follow a straightforward legislative timeline. Biosecurity AI sits at the intersection of at least three overlapping federal jurisdictions: HHS and the select agent framework, DoD and DARPA’s research contracting authority, and whatever AI-specific governance eventually emerges from Congress or an executive order. Coordinating across those jurisdictions is slow even when there’s political urgency.

Three developments are worth watching:

First, whether OpenAI makes its vetting criteria public. A proprietary access framework for national security AI that operates entirely behind closed doors is a harder political position to hold as these programs scale. Transparency about eligibility criteria would at least allow institutions to self-assess before applying.

Second, whether the Federal Select Agent Program or its equivalent issues guidance on AI-assisted biological research. That guidance doesn’t require new legislation, it can come through existing regulatory channels and would give contracting officers a framework for evaluating vendor access terms.

Third, whether any of the three congressional AI bills currently in committee specifically address dual-use biological AI. The competing actors shaping U.S. AI policy don’t share a common view on how to handle national security AI applications, and biodefense is politically complicated in ways that general AI governance isn’t.

TJS Synthesis

The biodefense AI access program, whatever its final confirmed shape, marks a structural moment in how frontier AI governance works in practice. Labs aren’t waiting for biosecurity AI regulation because no such regulation exists and none is imminent. They’re building the access architecture, the vetting relationships, and the capability portfolios now. The institutions that understand this first, and engage with vendor vetting processes on their own terms, with their own legal and policy analysis, will have more influence over how those access criteria evolve than the institutions that wait for federal guidance to arrive. That guidance is coming. It won’t arrive before the next generation of these programs does.