TRUMP AI REG PLAN CAN WORK NOW ON CYBER SECURITY

Last week the Washington Post reported on the Administration’s plans to use Artificial Intelligence (AI) tools to identify opportunities for broad-based deregulation. While that broader program is not slated to launch until next year, AI tools are already available that demonstrate that eliminating redundant cybersecurity regulations would generate billions of dollars in government savings and tens of billions of dollars in industry savings and, most importantly, free up enormous amounts of scarce resources to significantly enhance our security against dangerously elevated cyber-attacks, all at no additional cost.

ISA used artificial intelligence tools, specifically natural language processing and semantic clustering, to analyze 304 cybersecurity-related regulations across the federal government to quantify duplication and identify opportunities for streamlining. The analysis produced numerous results, all broadly consistent with the administration’s estimates of savings from its larger plan.

These results included:

• 76% (232 of 304 cybersecurity regulations) are functionally duplicative across two or more agencies.

• 220,000 federal contractors are subject to overlapping cybersecurity mandates.

• Broken down by category, the overlap included 47% of security planning rules, 22% of compliance rules, 7% of risk management rules and 5% of incident response rules.

• Only 3 of 22 agencies accept documentation from another agency, despite requiring similar content.

• Using AI tools to eliminate duplication could reduce the number of cyber regulations from 304 down to 75 core regulations.

• An estimated 40% of industry cyber budgets are directed toward compliance—not risk mitigation.

• Reducing regulations by eliminating duplications would save industry $30-50 billion annually (based on 200,000+ affected companies saving $150,000-250,000 each).

• Government would save between $3 billion and $5 billion just from a reduction in administrative overhead.

To validate earlier findings, a separate analysis was conducted by the Applied Intelligence Student Group (JHU). Their team reviewed more than a dozen major cybersecurity regulations from agencies including DHS, SEC, FTC, DoD, and HHS. Using a side-by-side comparison of regulatory text, government audits, industry case studies, and public cost estimates, they identified specific points of duplication—mirroring the results of our own AI-driven analysis.

The JHU analysis showed that while each regulation seeks to address genuine risks—protecting personal data, securing critical systems, or defending national security—lack of coordination has led to substantial overlap. “Organizations are often subject to multiple, slightly different mandates for the same types of activities (such as breach reporting or risk management). This not only increases compliance cost but also pulls attention away from substantive risk reduction efforts (GAO, 2024a). As digital threats and regulatory scrutiny both escalate, the cost of inefficiency is no longer sustainable.”

Moreover, JHU found that the opportunity cost is profound. When up to 70% of cyber staff time is spent on compliance in some sectors, resources are diverted from threat response. The threat landscape is dynamic, but compliance lags behind, making organizations “compliant but not secure.”

The time to act is now. We are suffering from literally hundreds of thousands of cyber-attacks daily which have already compromised much of our critical infrastructure. We are long past the time for additional research and “taskforces.”

The leadership of both the House Homeland Security and the Oversight and Government Reform Committees has found that OMB has the existing authority to eliminate cyber regulatory duplication and urged OMB to “act now” to do so. Their April 2025 letter to OMB specifically identifies eliminating these redundancies as “the most cost-effective way to strengthen our nation’s cybersecurity” at the ground level, and at no cost. Industry has also backed this proposal with a multi-association letter to OMB requesting that OMB set up a process to eliminate the cyber regulatory duplication.

Both the House Committee and industry requests are fully consistent with President Trump’s AI Action Plan. OMB should act to eliminate cyber regulatory redundancy now.

 

METHODOLOGY

ISA conducted a four-stage analytical process, using Claude Opus 4, that included Natural Language Processing Tokenization, Jaccard Similarity Analysis and Functional Clustering.

Stage 1: Natural Language Processing Tokenization

Claude Opus 4 breaks down each regulation into its component linguistic elements, creating a standardized format that enables systematic comparison across different regulatory texts, regardless of formatting or stylistic differences.

Stage 2: Jaccard Similarity Analysis

The system calculates similarity scores between regulations by comparing their tokenized content. This mathematical approach identifies regulations that share substantial textual overlap, indicating potential duplication or redundancy.

Stage 3: Functional Clustering

Regulations with high similarity scores are grouped into clusters, allowing analysts to examine families of potentially related or duplicative requirements. This clustering reveals patterns of regulatory overlap that might not be apparent through manual review.

Stage 4: Automated Text Verification

Claude Opus 4 performed over 45,000 automated verifications of clustered regulations to confirm actual duplication versus legitimate regulatory variation. This AI-powered verification process ensures accuracy and relevance of findings while maintaining complete automation throughout the analysis.
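Stages 1 to 3 can be sketched as follows. This is an added example, not ISA's code: a plain word tokenizer stands in for the Claude Opus 4 tokenization, and the 0.6 threshold, stopword list and sample requirement texts are assumptions constructed here. Stage 4 verification is not modeled.

```python
import re
from itertools import combinations

# Constructed sample requirement texts (not quoted from any real regulation).
REGS = {
    "A-1": "Contractors must report a cyber incident to the agency within 72 hours of discovery.",
    "B-7": "A contractor must report any cyber incident to the agency within 72 hours after discovery.",
    "C-3": "Covered entities shall maintain a written system security plan and review the plan annually.",
    "D-2": "Each covered entity shall maintain a written system security plan and review it annually.",
    "E-9": "Removable media must be encrypted before leaving the facility.",
}
STOP = {"a", "an", "the", "of", "to", "and", "any", "each", "it"}  # assumed list
THRESHOLD = 0.6  # assumed cut-off; the page does not state one

def tokenize(text):
    """Stage 1: normalize a requirement into a set of lowercase word tokens."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOP}

def jaccard(a, b):
    """Stage 2: |A ∩ B| / |A ∪ B| over two token sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster(regs, threshold=THRESHOLD):
    """Stage 3: union-find grouping of every pair scoring at or above threshold."""
    tokens = {k: tokenize(v) for k, v in regs.items()}
    parent = {k: k for k in regs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(regs, 2):
        if jaccard(tokens[a], tokens[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in regs:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values())

def duplicative_share(regs, threshold=THRESHOLD):
    """Fraction of requirements that land in a cluster with at least one other."""
    clusters = cluster(regs, threshold)
    return sum(len(c) for c in clusters if len(c) > 1) / len(regs)

if __name__ == "__main__":
    print(cluster(REGS), duplicative_share(REGS))
```

Because token-set overlap is purely lexical, the clusters are candidates only; the choice of threshold and stopword list moves the duplication percentage, which is why a verification pass follows.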

 

JHU METHODOLOGY

Rather than relying on a single technology or vendor, this validation relied on practical, side-by-side review—comparing official regulatory texts, agency guidance, GAO reports, and real-world enforcement practices. The goal was to document how and where cybersecurity rules overlap across agencies. The findings confirm what prior AI analysis showed: duplication is systemic, costly, and avoidable.