AI Policy Weekly — Issue #3: Trump's AI oversight order drafted and killed, first Take It Down Act arrests, and BIS's non-enforcement stance called into question

This week's AI policy action centered on three distinct pressure points: a White House frontier AI oversight order that got written, leaked, and then killed in 24 hours; the first criminal prosecutions under the Take It Down Act just six days after enforcement began; and a GAO ruling that quietly knocked out BIS's non-enforcement stance on the AI chip export rules. In the states, Illinois advanced the most ambitious frontier AI transparency bill yet.

The Trump White House spent most of the week circulating a draft executive order that would have asked frontier AI developers to share their most capable models with federal agencies up to 90 days before public release — then killed it hours before signing. 1

The draft, described to industry on Tuesday evening, was structured as a voluntary review rather than a mandate. Treasury, CISA, NIST, the Office of the National Cyber Director, and NSA would jointly receive pre-release model access. Within 30 days of signing, Treasury and CISA would have been required to establish a voluntary information-sharing body between AI labs and critical infrastructure operators. Within 60 days, the same agencies plus the White House chief of staff and OSTP director would have defined what qualifies as a "regulated frontier model."

The order's stated trigger was Anthropic's Mythos model, which the company declined to release publicly after its internal evaluations found it could provide meaningful assistance in constructing biological weapons. 2

Trump pulled the order the same day it was reported. "We're leading China, we're leading everybody," he told reporters. "I don't want to do anything that's going to get in the way of that lead." 3

What to watch: The internal disagreement — some White House officials favoring pre-release review, others resisting any oversight framing — hasn't resolved. The same dynamics that produced this order in draft form are still present. A version of it could resurface, potentially reframed around national security rather than safety.

Six days after FTC enforcement of the Take It Down Act officially began on May 19, the Justice Department filed the first criminal cases under the law.

On May 20, the U.S. Attorney's Office for the Eastern District of New York unsealed criminal complaints against Cornelius Shannon, 51, of New Jersey, and Arturo Hernandez, 20, of East Texas. Shannon allegedly published AI-generated nonconsensual intimate images of women, including celebrities. Hernandez allegedly created deepfake pornography of female classmates. Both face a maximum of two years in prison. 4

The arrests came the same week that all major platforms were required to activate removal request mechanisms under the law. The FTC launched a victim reporting portal at takeitdown.ftc.gov. Platforms that fail to remove valid requests within 48 hours face penalties of $53,088 per violation.

Advocates have flagged a transparency gap: platforms have stood up intake systems, but are not disclosing how takedown decisions are made or what error rates look like. Omny Miranda Martone, CEO of the Sexual Violence Prevention Association, said lawsuits — rather than FTC administrative action — are likely to be what finally forces that transparency. 2

What to watch: Neither Shannon nor Hernandez has yet been convicted, and maximum penalties are rarely applied in first cases. The FTC's own enforcement posture — administrative letters versus civil suits — remains unclear. The transatlantic dimension: the EU's AI Act Omnibus bans AI systems used to generate nonconsensual intimate imagery, with a compliance deadline of December 2, 2026. 5

The Government Accountability Office ruled this month that BIS's May 2025 press release — in which the agency announced it would not enforce the Biden-era AI Diffusion Rule and intended to replace it — constitutes a "rule" under the Congressional Review Act, and therefore never legally took effect because BIS did not submit it to Congress first. 6

GAO Managing Associate General Counsel Shirley Jones confirmed May 19 that GAO reached out to the Commerce Department about submitting the document under the CRA. Commerce "has not done so to date," Jones said.

The practical consequence is that the AI Diffusion Rule — which imposes tiered export license requirements on advanced AI chips by country destination — remains on the books and, per GAO's logic, should be enforceable. BIS has told the semiconductor industry for a year that it would not enforce the rule, and companies have been operating under that assumption. The GAO ruling creates direct legal exposure: the rule the industry was told to ignore may never have been suspended at all.

Commerce argued to GAO that the press release was not a final agency action but "an initial step before the regulatory framework is finalized." GAO rejected that framing, noting that BIS never identified any procedural mechanism — notice-and-comment, draft guidance, or otherwise — within which the non-enforcement directive was embedded.

What to watch: BIS has not indicated whether it will submit the press release to Congress under the CRA, issue a formal interim rule, or simply acknowledge the exposure and move on. Companies exporting advanced chips to countries in the diffusion rule's restricted tiers should get legal review of their current compliance posture.

The pace of state AI legislation continued to accelerate this week, with Illinois the most significant development.

The Illinois Senate voted 52-5 on May 20 to pass SB 315, a bill targeting the largest frontier AI developers — those with revenues over $500 million — with mandatory transparency frameworks, third-party auditing, and catastrophic risk reporting requirements. 7

The bill, sponsored by Sen. Mary Edly-Allen, requires covered developers to:

The effective date was extended from 2027 to 2028 during amendments. OpenAI and Anthropic both testified in support of the bill. Industry groups — particularly those representing startups — raised concern that third-party audit costs would strain companies with no legal staff.

OpenAI's position — that state laws converging on a common framework targeting only the "most capable" models is preferable to fragmented state mandates — has been consistent across California, New York, and now Illinois.

The bill goes to the Illinois House. Gov. JB Pritzker has not yet taken a public position.

Other state-level activity this week: 8

What to watch: Connecticut SB 5, once signed, will cover frontier AI developers, AI companions, synthetic content labeling, and automated employment decisions — one of the broadest state AI laws yet enacted. The Illinois bill's third-party audit requirement is the live variable that could differentiate it from California's and New York's frameworks in ways that fragment the national standard both OpenAI and smaller companies say they want.