Blog

Three June 2026 Executive Orders Just Reset Internal Audit's Tech Risk Agenda

Subscribe now to join the Risk Register community:

In June 2026 the White House issued three executive orders that together define the federal posture on advanced AI, quantum information science, and the cryptography that protects data from both. 

The AI order was signed June 2, 2026. The orders on quantum innovation and on cryptographic attacks were both signed June 22, 2026. They were not signed on a single day, but they function as one coordinated package, and they should be read that way.

The orders are framed for federal agencies. The obligations flow downstream. If you serve a federal agency, a federal contractor, a critical infrastructure operator, or any enterprise that handles long-lived sensitive data, the requirements reach you through procurement rules, sector guidance, and counterparty expectations. 

Treat the federal timeline as your earliest credible signal, not as someone else's problem. This briefing walks each order in plain terms and closes with a six-point audit response you can start on now, so you leave with the moves, not just the news.

The three orders at a glance

The AI order makes AI both an attack surface and a defensive control

The first order, Promoting Advanced Artificial Intelligence Innovation and Security, pairs an explicitly deregulatory innovation stance with a security mandate. It directs rapid hardening of government systems and a coordinated public-private cyber defense built around AI capability.

The operative pieces. The Committee on National Security Systems, the Department of War, and CISA are each directed to prioritize cyber defense of their respective systems within 30 days, including Binding Operational Directives for civilian federal systems. Treasury, NSA, and CISA are to stand up a voluntary AI cybersecurity clearinghouse that coordinates vulnerability scanning, validates findings, and prioritizes patch distribution across industry and critical infrastructure. 

The order specifically names rural hospitals, community banks, and local utilities as recipients of AI-enabled defensive tools and, where appropriate, access to covered frontier models. A classified benchmarking process will define the cyber-capability threshold at which a model becomes a covered frontier model, and a voluntary framework lets developers give the government up to 30 days of pre-release access. The order expressly prohibits any mandatory licensing or preclearance regime for releasing models. 

The Attorney General is directed to prioritize prosecution under existing computer-fraud, identity, and wire-fraud statutes against actors who weaponize AI for unauthorized access or other crimes.

For internal audit and risk management functions, the implication is the one many programs are still avoiding. AI is now both an attack surface and a defensive control. Your audit universe has to treat it as both. Testing AI governance in isolation from cyber defense is no longer adequate, and the inverse is also true.

The other piece is the third-party and frontier-model exposure. If your organization deploys frontier models, the pre-release access framework and the covered-model designation create new vendor due-diligence questions: the model's cyber-capability classification, what federal access arrangements exist, and how insider and IP risk is managed during access windows. 

Critical infrastructure operators named in the order (hospitals, community banks, utilities) should expect both new defensive resources and heightened expectations to use them. Auditable adoption matters. And the threat model itself has shifted: AI-accelerated attackers compress the window between vulnerability disclosure and exploitation, which means patch-cycle SLAs and vulnerability management programs designed for human-speed adversaries need re-evaluation.

The quantum order is the bridge to the cryptographic deadline

The second order, Ushering in the Next Frontier of Quantum Innovation (EO 14411), is an industrial-strategy order. It commits a whole-of-government effort to accelerate quantum information science and technology across computing, sensing, and networking, and to protect that ecosystem from adversaries.

Key directives. An updated National Quantum Strategy within 180 days, covering commercialization, the quantum-enabling supply chain, and industry partnerships. A QC-ADDS national effort to build a quantum computer at a scale meant to open the era of quantum-enabled scientific discovery, with delivery targeted to a Department of Energy facility. 

The Department of War must identify at least three next-generation quantum sensor projects to field by September 30, 2028, and multiple agencies must produce five-year plans. Plans to strengthen domestic quantum supply chains, a government-wide recruitment and retention strategy, and a network of QIST workforce institutes. And expansion of a Quantum Counterintelligence Protection Team to defend the ecosystem against adversarial and cyber threats. 

The DNI and Department of War are also directed to assess the national security implications of commercial quantum scale, explicitly including the implications for migration to post-quantum cryptography.

Read Orders 2 and 3 as a single risk thesis. The same scaling of quantum computers that drives commercial opportunity is the scaling that breaks current encryption. Quantum order 2 names the cryptographic threat in its own text, then cryptographic order 3 prescribes the response.

For organizations in or adjacent to quantum, semiconductors, advanced sensing, and research, the strategic and supply-chain risk picture changes. Federal investment is real, and so are the research-security, export-control, and counterintelligence obligations that come with it. Those become auditable program areas. Heavy federal recruitment into quantum tightens an already scarce talent market, which means key-person and IP-protection controls warrant attention for affected firms. For everyone else, the signal is timing. The order is the clearest federal statement yet that quantum scale is a planning-horizon reality, not a distant abstraction. That is the premise of the cryptographic order.

The cryptographic order is the one with teeth and dates

The third order, Securing the Nation Against Advanced Cryptographic Attacks, is the operational response to the threat the quantum order describes. It states the risk plainly. 

Large-scale quantum computers, especially in adversary hands, will break widely used cryptography. And adversaries are collecting encrypted U.S. data now to decrypt later once quantum machines exist. That second sentence is the harvest-now-decrypt-later problem. It is why a future capability creates a present-day exposure for any data with a long confidentiality life.

The order requires federal information systems to transition to NIST-approved Federal Information Processing Standards for Post-Quantum Cryptography (PQC), and to assist critical infrastructure owners and operators. 

Every agency names a PQC migration lead within 30 days, reporting to the CIO and owning cryptographic inventory and a prioritized migration plan. Agencies review their inventory of high-value assets and high-impact systems. CISA and NIST will publish minimum elements for a Cryptographic Bill of Materials (CBOM) within 270 days, enabling automated assessment of the cryptographic assets inside any hardware or software element. The FAR Council will propose rules requiring covered contractors to comply with NIST FIPS, including PQC algorithms, by December 31, 2030, and to run vulnerability disclosure programs that include cryptographic vulnerabilities such as missing encryption and non-FIPS algorithms.

The deadlines that matter:

For internal audit, four implications stack on top of each other. 

First, cryptographic inventory becomes an auditable control, because you cannot migrate what you cannot see. The first finding in most organizations will be that no complete inventory of where and how cryptography is used exists. 

That gap is the audit. Start there. 

Second, the CBOM is coming to your third-party program once minimum elements are published, the same way the software bill of materials propagated into vendor questionnaires and contracts. Build the question into vendor due diligence before it is demanded of you. 

Third, procurement is the transmission mechanism for private industry. Federal contractors face a 2030 compliance date through the FAR. If you sell to the government, the deadline is effectively yours. If you buy from firms that do, it reaches you through your supply chain. Fourth, harvest-now-decrypt-later reframes data classification. The audit question is no longer only whether this data is encrypted. It is how long the data must stay confidential, and whether today's encryption will still protect it across that life. Data with a 10-plus year confidentiality requirement is exposed today.

Underneath all four, the durable control objective is crypto-agility. The specific algorithms will keep changing. The architectural capability to swap cryptographic primitives without re-engineering systems is what audit should test for. Assess whether systems are crypto-agile, not merely whether they are compliant this quarter. Full stop.

Three mechanics drive everything above

Strip away the policy language and three things explain why all three orders exist, and why they coordinate.

The first is harvest-now-decrypt-later. An adversary does not need a quantum computer today to harm you today. Encrypted data captured now can be stored and decrypted the moment a capable machine exists. Exposure is a function of two variables: how long your data must remain secret, and how long until a cryptographically relevant quantum computer arrives. Where those two timelines overlap, you are already exposed. This single idea is the entire justification for acting on a 2030 deadline rather than waiting for the threat to be live.

The second is that AI compresses the attack timeline. AI-enabled tooling shortens the time from vulnerability discovery to working exploit, and it lowers the skill required to run a sophisticated attack. The AI order's clearinghouse and defensive-tooling provisions are a direct response. For audit, the implication is that controls calibrated to human-speed adversaries (patch windows, detection latency, response playbooks) are being outpaced. The same AI that defends can attack, and both sides are accelerating. We wrote about the same dynamic from a different angle in our SEC cybersecurity disclosure two-year review.

The third is that cryptography is infrastructure, and it is invisible. Encryption is embedded in nearly every system, protocol, device, and vendor relationship, and almost no organization has a clean map of where. Migration to post-quantum cryptography is not a single project. It is a multi-year program touching identity, data, networks, applications, and the entire supply chain. The CBOM exists because the first hard problem is simply seeing the cryptography you already depend on.

How fast this moves next

Assess the timeline in three bands. The mistake is treating a 2030 date as distant. For a program of this scope, it is aggressive.

In the next 12 months, federal machinery turns immediately. PQC migration leads named within 30 days. OMB inventory guidance within 90 days. CBOM minimum elements and the FAR vulnerability-disclosure rule within 270 days. The NIST pilot completes by end of 2027. Watch the proposed FAR rules. The moment they publish, the private-sector clock effectively starts for any government-facing business, well ahead of the 2030 date.

In the 18-month to 4-year band, the 2030 key-establishment deadline and the 2031 digital-signature deadline govern. Cryptographic inventory, prioritized migration, and crypto-agility re-architecture all have to happen inside that window. For large or complex environments, four years is short. Expect CBOM expectations to migrate into commercial vendor management during this band, independent of any single firm's federal status.

Past four years, quantum computing capability continues to scale on the trajectory the quantum order is built around. Estimates of a cryptographically relevant quantum computer vary widely and remain contested, which is exactly why the policy is anchored to fixed migration dates rather than to a predicted arrival date. The defensible planning posture is to assume the migration deadline, not the threat date, is the binding constraint. The threat date is uncertain. The migration deadline is fixed. Manage to the fixed date. Organizations that wait for the quantum threat to be demonstrably real will be migrating cryptography under time pressure they chose to inherit.

A six-point internal audit response, where relevant to your environment

Concrete, sequenced, and startable now. Not every point applies to every organization. Read each against your industry, regulatory posture, and data profile before adopting the ones that fit.

  1. Add cryptographic posture to the audit universe. Make post-quantum cryptography readiness and crypto-agility a named, recurring risk in the assessment, not a footnote under cyber.
  2. Audit for a cryptographic inventory. Test whether the organization can produce a complete map of where, how, and with what algorithms it uses cryptography. The likely answer is no. That finding is the starting point for everything else.
  3. Pressure-test data classification against confidentiality lifespan. Identify data that must stay secret for 10-plus years. That data is exposed to harvest-now-decrypt-later today and should be first in line for migration.
  4. Extend third-party risk to cryptography. Add post-quantum roadmap and cryptographic-bill-of-materials readiness questions to vendor due diligence now, ahead of the published standard.
  5. Re-examine vulnerability management against AI-speed threats. Reassess patch service-level agreements, detection latency, and response playbooks under the assumption that exploit timelines are compressing.
  6. Brief the audit committee on the deadlines. The 2030 and 2031 dates belong on the committee's forward agenda this year. Position internal audit as the function tracking readiness against them.

Where Cherry Hill Advisory fits

We help internal audit and risk functions translate directives like these into auditable programs: cryptographic posture assessments, AI governance reviews aligned to the NIST AI Risk Management Framework, third-party risk redesign, and audit committee briefings that frame the 2030 and 2031 PQC deadlines as a board-level planning matter. 

If your audit plan does not yet name post-quantum readiness as a risk, that is the conversation to have this quarter. The next disruption is already coming, and the audit functions that handle it well are the ones that put it on the universe before they had to. 

If your audit plan doesn't yet name post-quantum readiness, we can help you put it there.

Until next time.

Subscribe now to join the Risk Register community: