Something happened three days ago that most small organizations will scroll past entirely. It's worth not scrolling past.
Last Wednesday night, the White House was hours away from signing an executive order that would have created a voluntary framework for AI safety review. Not heavy regulation. No licensing regime. Explicitly not mandatory — the draft language said so directly. Just: AI companies could voluntarily submit their most powerful models to federal agencies for safety testing, up to 90 days before release, so the government could check for dangerous capabilities and flag security vulnerabilities before they hit the public.
That's the version that got killed.
By Thursday morning, Trump had pulled the signing. He told reporters he "didn't like certain aspects" and didn't want to do anything to jeopardize the US lead over China. What happened in between: Elon Musk (xAI), Mark Zuckerberg (Meta), and David Sacks — until recently Trump's AI policy czar — all called Trump directly. One after another, Wednesday night into Thursday morning.
The voluntary safety review was dead.
The Conflict of Interest Is the Story
Musk and Zuckerberg have both disputed the framing. Musk posted that he didn't know what was in the order and only spoke to Trump after the decision was made. The debate about who did what will probably run for weeks.
But here's the part that doesn't depend on who called who: both Musk and Zuckerberg have direct, significant financial interests in a US AI landscape with no meaningful safety oversight.
Musk's xAI competes with OpenAI and needs regulatory space to release models without a government review queue. Zuckerberg's Meta has built its competitive position largely around open-source AI — and a pre-release review process, even a voluntary one, creates friction that benefits incumbents with existing government relationships (the major labs already in the CAISI voluntary review program we covered earlier this month).
These aren't neutral voices on AI safety policy. They're stakeholders with billions at stake in the outcome. And they had the president's personal number.
That's not a conspiracy. It's just context that should change how small orgs think about who shapes the AI environment they're operating in.
What the US AI Landscape Looks Like Now
There is no federal AI safety framework in the United States. The administration has no formal plan for managing the risks of the most powerful AI systems, and no timeline for producing one. The CAISI voluntary agreements where the five major US AI labs agreed to pre-deployment reviews still exist, but they're informal, bilateral, and entirely at the discretion of those five companies to maintain.
The practical result: if you're a 20-person NGO, a public-sector contractor, or a mid-sized services firm trying to make responsible AI decisions, the signals you were hoping to get from Washington aren't coming. Not this year. Possibly not next year.
The political alignment that would be necessary for meaningful AI oversight — bipartisan agreement on scope, industry buy-in, executive willingness to push back on the loudest voices in tech — doesn't exist right now. Every time something gets close, it gets derailed.
Meanwhile, Europe is not having the same problem. The EU AI Act is still proceeding. The transparency obligations — AI-generated content labeling, watermarking, audit trails — have a hard compliance deadline of December 2026. If you work with any EU clients, EU funding, or EU-based data, those requirements are real and coming fast.
Why This Is Actually a Power Dynamics Story
Here's the structural thing worth naming directly: the people who benefit most from no AI oversight are the ones with the personal phone numbers of the people who make AI policy. That's not a conspiracy — it's just how access works.
Large AI companies have lobbyists, board relationships, and in some cases their founders have direct lines to heads of state. When an AI safety framework comes up that would slow their release cycles, they have options. They can call. They can push back. They can kill it before it's signed.
Small orgs don't have those options. You're operating in an environment shaped by decisions you're not part of — and in some cases, shaped specifically against your interests. A consistent, predictable regulatory environment would actually help small orgs more than it would help Big Tech. Big Tech can absorb compliance costs. You can't. And Big Tech knows that.
That's the asymmetry worth understanding. It doesn't mean you're powerless. It means you should stop waiting for the regulatory environment to stabilize before you make AI decisions. That environment is now officially settled in the worst possible way: it's owned by whoever has the best access.
What Actually Changes for Your Team
A few practical shifts that follow from all this:
Stop waiting for US regulatory clarity. It's not coming on any predictable timeline. If your AI strategy is "we'll get more serious once the rules are clearer," the rules are now officially unclear for the foreseeable future. The organizations building internal governance now — AI usage policies, vendor audits, data handling standards — are the ones who won't be caught flat-footed when your board or funders start asking questions.
Take the EU AI Act seriously even if you're Canadian. The EU compliance framework is the most developed AI governance signal available anywhere right now. Using it as your internal benchmark — especially if you have any international footprint or funding — is a smart hedge. Canada's own AI governance through ISED and Treasury Board draws on international standards, not US ones. The White House's current posture doesn't pull Ottawa in the same direction.
Build your own AI vendor accountability process. Nobody's going to require your vendors to disclose how their models changed, when they had a breach, or what your data is being used for. You have to ask — and make it stick. Build vendor AI accountability into your procurement checklist and annual reviews. The organizations that treated this as optional are the ones that end up in the news.
For AI agents specifically: build your own guardrails. The UK NCSC and Five Eyes released joint guidance on agentic AI last week (May 18) that's worth reading regardless of jurisdiction. Least-privilege access, human-in-the-loop checkpoints before consequential actions, spending caps where agents have financial authority. The government isn't going to mandate this. Which means the teams that do it anyway are the ones who avoid the expensive surprises.
Don't mistake "no federal framework" for "no rules." Privacy law, professional liability, and sector-specific regulation (health, legal, education) still applies to everything your AI tools touch. The absence of a dedicated AI safety framework doesn't create a blank slate — it just means you're responsible for navigating the existing rules with no AI-specific guidance.
The Bottom Line
The governance vacuum in US AI policy is now real and officially indefinite. The people filling it are the people with the most at stake in the outcome. That's the situation.
The question isn't whether this is fair. It isn't. The question is whether your organization is building the internal capacity to operate responsibly in this environment — or waiting for someone else to sort it out.
We spend a lot of time helping small teams build exactly that kind of capacity. Not the policy version — the actual working version: AI usage policies that people follow, vendor reviews that catch real risks, governance processes that don't require a compliance team to maintain. If this is where you are, let's talk.