Sovereign AI Dependency: The Pentagon-Anthropic Concentration Trap

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-04-13

Categories: AI Governance and Risk, Supply Chain Security, AI Policy

Key Takeaways

  • The U.S. Department of Defense (DoD) applied its “supply chain risk” designation to Anthropic in March 2026 — the first time in history an American company received this classification, historically reserved for foreign adversaries — creating immediate operational disruption for defense contractors using Claude.
  • When Anthropic was excluded from DoD contracts following a breakdown in negotiations over permitted uses of its models — Anthropic sought written prohibitions on autonomous lethal systems and mass domestic surveillance; the Pentagon insisted on unrestricted use for all lawful purposes — OpenAI stepped in within hours with a competing agreement containing comparatively weaker restrictions, demonstrating how vendor substitution can erode safety floors rather than maintain them.
  • Organizations that rely exclusively on a single foundation model provider for mission-critical AI workflows face a new category of operational risk: a provider can be rendered inaccessible by geopolitical action, procurement dispute, or regulatory designation with little notice and no graceful migration path.
  • The conflict reveals that AI safety guardrails embedded in vendor usage policies are fragile governance mechanisms — they depend on individual CEO ethics and contract negotiation outcomes rather than enforceable legal protections, creating systemic risk for any organization whose security posture relies on vendor-provided constraints.
  • CSA frameworks including the AI Controls Matrix (AICM), MAESTRO, and STAR for AI provide structured means for organizations to assess provider resilience, mandate portability requirements, and avoid the concentration traps this case illustrates.

Background

The relationship between AI vendors and government customers has always entailed a tension between capability access and usage governance, but the dispute between Anthropic and the U.S. Department of Defense in early 2026 elevated that tension into a formal legal confrontation with broad precedent-setting consequences for enterprise AI risk management.

In July 2025, Anthropic entered into a reported $200 million contract with the Pentagon to supply Claude models to government operations [1]. The partnership appeared straightforward: a capable foundation model provider serving a customer with significant AI ambitions. The fracture appeared months later, when the DoD sought to expand Claude’s deployment across its GenAI.mil platform — an AI services hub used by defense personnel and contractors alike — and negotiations stalled over usage terms. The Pentagon demanded what it described as “unrestricted use” of Claude for “all lawful purposes.” Anthropic, in turn, sought written assurance that its models would not be used for two specific applications: fully autonomous weapons systems capable of independent lethal decision-making, and mass domestic surveillance programs targeting American citizens [1][2].

These were not unprecedented requests from an AI developer. Anthropic’s Responsible Scaling Policy, its Acceptable Use Policy, and public commitments made to regulators and investors all reflected these same limits. The company’s position was, in the words of CEO Dario Amodei, that “Anthropic has much more in common with the Department of War than we have differences” and that the exceptions sought were narrow in scope, relating to high-level usage categories rather than day-to-day operational decision-making [1].

The DoD did not accept those limits. In late February 2026, the Trump administration designated Anthropic a “supply chain risk” under executive authority — the first time this classification, typically applied to foreign adversaries such as Huawei and state-linked telecommunications firms, was used against a domestic American company [2][3]. The practical consequences were immediate: the designation barred Anthropic from Pentagon contracts and required defense contractors actively using Claude in military work to cease those deployments [10].

Within hours of the Anthropic ban becoming known, OpenAI announced a separate deal with the Pentagon to deploy its models on classified DoD networks [6][7]. The speed of the substitution was notable; OpenAI CEO Sam Altman later acknowledged publicly that the agreement was “definitely rushed” and that “the optics don’t look good” [8]. The OpenAI arrangement drew scrutiny because its safeguards, while including limits on mass domestic surveillance and autonomous weapons, were structured differently from Anthropic’s proposed terms — critics noted that the published agreement did not give OpenAI a freestanding right to prohibit otherwise-lawful government use of its technology, meaning the restrictions were contingent on existing law and policy rather than independently enforceable by the vendor [17].

The subsequent legal proceedings produced conflicting outcomes. Anthropic filed suit against the Defense Department in March 2026, challenging the designation as unlawful government retaliation [5]. A federal district court in San Francisco granted Anthropic a preliminary injunction in late March 2026, with Judge Rita Lin finding that the supply chain designation constituted “classic illegal First Amendment retaliation” against a company that had publicly criticized the government’s contracting position [3]. Days later, however, a federal appeals court in Washington, D.C., denied Anthropic’s request to halt the blacklisting while litigation continued. The appeals panel found that the equitable balance favored the government, reasoning that “judicial management of how, and through whom, the Department of War [the Trump administration’s designation for the renamed Department of Defense] secures vital AI technology during an active military conflict” outweighed Anthropic’s financial harm [4][18]. As of this writing, Anthropic remains excluded from DoD contracts while able to continue serving other federal agencies, leaving the matter in legal limbo.


Security Analysis

The Supply Chain Designation as an Operational Risk Amplifier

The designation of Anthropic under supply chain risk authorities — the same statutory tools used to expel Huawei from American telecommunications infrastructure — signals a meaningful expansion of how government procurement power can reshape AI market access. Defense contractors using Claude were not given a lengthy remediation window; they were required to cease using Claude in military work as a direct consequence of the designation [10]. For any contractor whose workflows, automation pipelines, or decision-support tools had been built around Claude’s API, this created an unplanned and urgent migration problem.

This incident illustrates a category of third-party AI risk that standard vendor risk management frameworks have historically not been structured to detect or quantify: the risk that a vendor becomes inaccessible not because of a technical failure, financial collapse, or security incident, but because of a governmental or regulatory action applied to the vendor itself. Traditional vendor assessments evaluate financial stability, data security posture, and service reliability. They rarely model scenarios in which a vendor is administratively barred from serving a class of customer with little notice. The Anthropic case suggests this scenario must now be added to enterprise risk registers for any organization operating in or adjacent to regulated and government-adjacent environments.

The Vendor Substitution Problem and the Safety Floor

The manner in which OpenAI replaced Anthropic within the government AI supply chain reveals a structural vulnerability that goes beyond service continuity. When an organization changes AI vendors in response to a supply disruption, it does not simply swap equivalent capabilities — it also inherits the new vendor’s usage policies, safety constraints, and governance commitments. If the replacement vendor accepted the same terms that led to the original vendor’s exclusion, the net result is a reduction in the effective safety floor governing AI use in that context.

The MIT Technology Review characterized OpenAI’s arrangement as “the compromise that Anthropic feared” [17]. The phrase is instructive. Anthropic’s position was not that it refused to serve the government, but that it sought to preserve specific constraints as a non-negotiable condition of service. Its removal from the procurement picture — and OpenAI’s entry on terms the government found more acceptable — illustrates how, in the absence of minimum statutory guardrails, competitive vendor markets may reward vendors whose terms are more permissive, effectively lowering the aggregate safety floor.

For enterprise security leaders, the lesson is that relying on vendor-imposed usage restrictions as a primary control against AI misuse is a governance posture with inherent fragility. Vendor terms can change through contract renegotiation, acquisition, regulatory pressure, or competitive displacement. Controls that an organization relies on must be enforceable independently of the vendor relationship’s continuity.

Concentration Risk at the Foundational Model Layer

The Anthropic-Pentagon conflict exposed the consequences of centralizing critical AI capability around a single foundational model provider at scale. When that provider was removed from the procurement ecosystem, defense operations relying on Claude deployments through the DoD’s GenAI.mil platform required rapid architectural reorientation. The speed of the OpenAI substitution suggests the government prioritized service restoration over careful due diligence, creating new dependencies before the risks of the previous arrangement had been fully assessed [8].

This dynamic is not unique to defense procurement. Across the enterprise landscape, Gartner has identified vendor concentration as an emergent strategic risk and recommended that AI environments be designed with exit options and reduced concentration risk, with the ability to pivot between globalization and localization treated as a strategic necessity [15]. Analyst findings suggest that third-party AI dependencies — where critical workflows rely on an external vendor’s model or infrastructure — introduce supply chain risk that traditional vendor risk management programs were not designed to assess [11]. A single-provider AI architecture, regardless of the provider’s current stability, creates a concentration of capability that amplifies the impact of any disruption, whether technical, political, or legal.

The Anthropic case further demonstrates that this concentration risk carries a geopolitical dimension. The supply chain risk designation was applied through executive action, without a lengthy administrative process, and took effect immediately for contracting purposes [4][10]. Organizations with AI architectures dependent on a single domestic provider remain exposed to similarly abrupt service disruptions if political or regulatory conditions change. Gartner reportedly projects that by 2028, 65% of governments worldwide will introduce new technology sovereignty requirements specifically aimed at reducing external AI dependency, though this figure derives from secondary reporting of the underlying research [15] — signaling that the regulatory environment around AI vendor concentration is likely to grow more restrictive rather than less.

When Vendor Ethics Cannot Substitute for Law

The Electronic Frontier Foundation offered a pointed diagnosis of the deeper governance failure the Anthropic conflict surfaces: “the state of your privacy is being decided by contract negotiations between giant tech companies and the U.S. government — two entities with spotty track records for caring about your civil liberties” [9]. The concern is well-founded in a systems sense. Anthropic’s refusal to permit its models to be used for autonomous weapons or mass domestic surveillance was a voluntary policy commitment, enforceable only through contract negotiation. When the government found that commitment unacceptable, the mechanism for maintaining the restriction — vendor willingness — failed. The DoD retained its surveillance and weapons programs; only the vendor changed.

This governance gap is structurally significant for enterprise AI risk management. Organizations that have adopted AI usage policies frequently treat vendor acceptable use restrictions as a meaningful governance control and, in practice, as a first line of defense against prohibited use cases — though this reliance has not been systematically validated at scale across enterprise risk programs. A vendor’s stated commitment to not enabling certain categories of harm may appear as a meaningful control in risk assessments, creating an implicit dependency on the vendor relationship’s continuity. The Anthropic case demonstrates that this control can be neutralized through vendor substitution, that the pace of substitution can be very fast, and that the substitute vendor’s commitments may be materially weaker. The EFF’s call for statutory law and judicial oversight as the appropriate mechanism for durable restrictions is an argument that organizations — and the sector as a whole — should take seriously when designing AI governance frameworks [9].


Recommendations

Immediate Actions

Organizations operating in government-adjacent sectors or with AI workloads subject to regulatory oversight should immediately audit the extent of their concentration risk. This means inventorying all AI deployments by provider, identifying workflows where a single vendor’s model constitutes a critical dependency, and documenting the contractual terms — including usage restrictions and exit provisions — governing each relationship. The Anthropic case illustrates that reliance on a single provider without tested migration paths is an operational risk exposure, not merely a theoretical concern.

Security teams should review existing AI procurement contracts for portability provisions and transition rights. Contracts that lock an organization to a single provider’s APIs, fine-tuned models, or proprietary embedding infrastructure without clear data export rights and provider-agnostic interface options are points of concentration risk that warrant renegotiation or architectural redesign.

Any AI vendor whose models are used in regulated, national security-adjacent, or compliance-sensitive contexts should be assessed not only for technical and security posture, but for the robustness of its usage policy enforcement mechanisms. Specifically, teams should document which restrictions a vendor imposes contractually, which are enforced through technical means, and which are stated as policy only — and model what happens to each if the vendor relationship is disrupted.
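One way to carry out the audit described in the three paragraphs above, as an added example that is not CSA code: it computes each provider's share of critical workflows and models which workflows are stranded and which restrictions lapse if a provider is lost. The inventory, vendor names and the "internal" enforcement class are constructed assumptions, as is the modelling choice that every vendor-dependent restriction lapses with the relationship.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Enforcement classes from the text above, plus "internal" for controls the
# organization runs itself (an assumption added for this example).
VENDOR_DEPENDENT = {"contractual", "technical", "policy_only"}
KNOWN = VENDOR_DEPENDENT | {"internal"}

@dataclass(frozen=True)
class Restriction:
    name: str
    enforcement: str  # one of KNOWN

    def __post_init__(self):
        # Reject typos so a mislabelled control is never silently miscounted.
        if self.enforcement not in KNOWN:
            raise ValueError(f"unknown enforcement class: {self.enforcement}")

@dataclass(frozen=True)
class Deployment:
    workflow: str
    provider: str
    critical: bool
    tested_fallback: Optional[str]  # provider with a rehearsed migration path
    restrictions: tuple = ()

def critical_share(inventory):
    """Fraction of critical workflows that depend on each provider."""
    counts = Counter(d.provider for d in inventory if d.critical)
    total = sum(counts.values())
    return {p: round(n / total, 2) for p, n in counts.items()} if total else {}

def exposure_if_lost(inventory, provider):
    """Model the loss of one provider: stranded workflows, lapsing restrictions."""
    findings = []
    for d in inventory:
        if d.provider != provider:
            continue
        findings.append({
            "workflow": d.workflow,
            "stranded": d.critical and d.tested_fallback is None,
            "lapsing": [r.name for r in d.restrictions
                        if r.enforcement in VENDOR_DEPENDENT],
            "surviving": [r.name for r in d.restrictions
                          if r.enforcement == "internal"],
        })
    return findings

# Constructed sample inventory; vendor and workflow names are placeholders.
INVENTORY = [
    Deployment("document-triage", "vendor_a", True, None, (
        Restriction("no autonomous decisions", "contractual"),
        Restriction("pii redaction", "internal"))),
    Deployment("code-review", "vendor_a", True, "vendor_b", (
        Restriction("no training on inputs", "policy_only"),)),
    Deployment("helpdesk-chat", "vendor_b", False, None),
    Deployment("demand-forecast", "vendor_b", True, "self_hosted"),
]

if __name__ == "__main__":
    print(critical_share(INVENTORY))
    for finding in exposure_if_lost(INVENTORY, "vendor_a"):
        print(finding)
```

Any workflow reported as stranded, and any restriction reported as lapsing, is a candidate for a tested fallback or an organization-owned control.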

Short-Term Mitigations

Where feasible, organizations should implement multi-provider AI architectures for critical workloads. This means designing systems that can route inference requests across multiple providers — including open-weight models that can be hosted internally — reducing the operational impact of any single provider’s inaccessibility. The cost of maintaining parallel capabilities is real, but the Anthropic case demonstrates that the cost of single-provider dependency can be higher, particularly when disruption arrives without warning.

For usage restrictions that are operationally important — limits on data categories processed, constraints on autonomous decision authorities, prohibitions on specific applications — organizations should implement controls at the infrastructure and integration layer rather than relying solely on vendor policy. This may include output filtering, workflow-level access controls, audit logging, and integration guardrails that function regardless of which underlying model is in use.
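The two mitigations above (multi-provider routing and integration-layer controls) combined in one provider-agnostic gateway, as an added example that is not CSA code: purpose and data-category checks, output redaction and audit logging run in the organization's own layer, and requests fail over when a provider is unavailable. The provider adapters, workflow names, data labels and redaction pattern are constructed assumptions.

```python
import re
import time
from dataclasses import dataclass, field

class ProviderUnavailable(Exception):
    """Adapter signal: provider cannot be used (outage, contract bar, designation)."""

@dataclass
class Request:
    workflow: str          # calling system, used for workflow-level access control
    purpose: str           # declared use category
    data_categories: set   # labels for the data carried in the prompt
    prompt: str

@dataclass
class Gateway:
    providers: list        # ordered (name, callable) pairs; first usable one wins
    allowed_purposes: dict # workflow -> set of permitted purposes
    blocked_data: set      # data categories that never leave the organization
    output_deny: list      # compiled regexes redacted from every response
    audit: list = field(default_factory=list)

    def _log(self, req, **fields):
        self.audit.append({"ts": time.time(), "workflow": req.workflow,
                           "purpose": req.purpose, **fields})

    def complete(self, req):
        # Organization-owned checks run before any provider is contacted.
        if req.purpose not in self.allowed_purposes.get(req.workflow, set()):
            self._log(req, decision="deny", reason="purpose_not_permitted")
            raise PermissionError(f"{req.workflow} may not be used for {req.purpose}")
        blocked = sorted(req.data_categories & self.blocked_data)
        if blocked:
            self._log(req, decision="deny", reason="blocked_data", categories=blocked)
            raise PermissionError(f"blocked data categories: {blocked}")
        for name, call in self.providers:
            try:
                text = call(req.prompt)
            except ProviderUnavailable as exc:
                self._log(req, decision="failover", provider=name, reason=str(exc))
                continue
            # The same output filter applies whichever model answered.
            for pattern in self.output_deny:
                text = pattern.sub("[REDACTED]", text)
            self._log(req, decision="allow", provider=name)
            return name, text
        self._log(req, decision="error", reason="no_provider_available")
        raise ProviderUnavailable("all configured providers are unavailable")

# Constructed stand-ins for real provider adapters.
def hosted_primary(prompt):
    raise ProviderUnavailable("provider barred for this customer class")

def internal_open_weight(prompt):
    return "Summary ready for badge 123-45-6789."

def build_demo_gateway():
    return Gateway(
        providers=[("hosted_primary", hosted_primary),
                   ("internal_open_weight", internal_open_weight)],
        allowed_purposes={"logistics": {"summarization"}},
        blocked_data={"biometric"},
        output_deny=[re.compile(r"\b\d{3}-\d{2}-\d{4}\b")],
    )

if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.complete(Request("logistics", "summarization", {"inventory"},
                              "Summarize stock levels")))
    for entry in gw.audit:
        print(entry["decision"], entry.get("provider"), entry.get("reason"))
```

Because the deny rules and the audit trail live in the gateway, swapping or losing a provider changes only the `providers` list, not the restrictions in force.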

Organizations that deploy AI within classified, defense, or critical infrastructure contexts should develop and periodically test transition runbooks for their primary AI providers. These runbooks should document the steps required to migrate to an alternative provider, including timeline estimates, data migration requirements, API compatibility gaps, and performance validation procedures.

Strategic Considerations

The Anthropic-Pentagon conflict is an early case study in a category of risk that is likely to grow more common as AI becomes more deeply embedded in critical workflows and as governments increasingly assert regulatory authority over AI providers — a trajectory already visible in the EU AI Act enforcement timeline and emerging national AI strategies.

Procurement teams negotiating AI contracts should anticipate that vendor usage policies — including safety guardrails, data use restrictions, and acceptable use terms — may change materially over the contract term, either through vendor choice or regulatory pressure. Contracts should specify which usage restrictions are contractually binding on both parties, include change notification requirements for material policy updates, and define conditions under which the customer may exit the contract without penalty if core restrictions are removed.

At the industry level, in the absence of comprehensive statutory protections specifically addressing AI use in national security and surveillance contexts, vendor-imposed guardrails have become a critical — but fragile — supplement to existing constitutional and regulatory constraints such as the Fourth Amendment, FISA, and DoD policy directives on autonomous weapons. When vendor commitment fails, the remaining protections depend on the adequacy of those baseline legal frameworks, which critics argue are insufficient for the current AI deployment environment [9][16]. Security and technology practitioners should support advocacy for legislative frameworks that establish baseline AI use restrictions independent of vendor ethics, ensuring that the protections organizations and civil society depend on cannot be effectively removed simply by switching AI providers.


CSA Resource Alignment

The Anthropic-Pentagon conflict maps to several active areas of CSA guidance and framework development.

CSA’s AI Controls Matrix (AICM) provides a directly applicable framework for assessing vendor concentration and supply chain risk in AI deployments [12]. With 243 control objectives spanning 18 security domains — including supply chain management, transparency, and accountability — the AICM enables organizations to evaluate potential AI providers against consistent criteria, supporting structured comparison across vendors and reducing the analytical blind spots that accelerate concentration risk.

STAR for AI, launched by CSA in October 2025, establishes a certification and attestation framework for AI providers [13]. STAR for AI Level 1 self-assessments provide structured transparency into how a provider manages safety, governance, and risk controls. Level 2 combines ISO/IEC 42001 certification with CSA’s registry infrastructure. Requiring STAR for AI participation as a condition of AI procurement — or at minimum using STAR Registry disclosures as a baseline due diligence input — gives organizations a structured means to assess provider governance maturity before dependency deepens.

CSA’s MAESTRO agentic AI threat modeling framework addresses vendor supply chain risk explicitly within its architecture [14]. MAESTRO identifies compromised pre-trained models, vulnerabilities in ML libraries, and lack of provenance tracking as distinct threat vectors that legacy frameworks like STRIDE were not designed to capture. As organizations build agentic AI systems on top of foundation model providers, the supply chain attack surface extends beyond the vendor relationship itself to the models, datasets, and components the vendor uses. MAESTRO’s layered architecture provides a vocabulary for mapping these dependencies and identifying concentration points throughout the AI supply chain.

CSA’s AI Organizational Responsibilities guidance addresses the governance and oversight obligations of organizations deploying AI systems, including third-party AI services. The principle that organizations retain responsibility for the AI systems they deploy — regardless of whether the underlying model is vendor-hosted — is directly relevant to the governance gap this case exposes. Ethical and safety constraints that an organization depends on cannot be fully delegated to vendor policy; they must be expressed as enforceable organizational controls.


References

[1] Anthropic. “Where things stand with the Department of War.” Anthropic, March 2026.

[2] CNBC. “Anthropic officially told by DOD that it’s a supply chain risk even as Claude used in Iran.” CNBC, March 5, 2026.

[3] CNBC. “Anthropic wins preliminary injunction in DOD fight as judge cites ‘First Amendment retaliation’.” CNBC, March 26, 2026.

[4] CNBC. “Anthropic loses appeals court bid to temporarily block Pentagon blacklisting.” CNBC, April 8, 2026.

[5] TechCrunch. “Anthropic sues Defense Department over supply-chain risk designation.” TechCrunch, March 9, 2026.

[6] CNN. “OpenAI strikes deal with Pentagon hours after Trump admin bans Anthropic.” CNN Business, February 27, 2026.

[7] OpenAI. “Our agreement with the Department of War.” OpenAI, February 2026.

[8] NPR. “OpenAI announces Pentagon deal after Trump bans Anthropic.” NPR, February 27, 2026.

[9] Electronic Frontier Foundation. “The Anthropic-DOD Conflict: Privacy Protections Shouldn’t Depend On the Decisions of a Few Powerful People.” EFF, March 2026.

[10] Mayer Brown. “Anthropic Supply Chain Risk Designation Takes Effect — Latest Developments and Next Steps for Government Contractors.” Mayer Brown, March 2026.

[11] Kai Waehner. “Enterprise Agentic AI Landscape 2026: Trust, Flexibility, and Vendor Lock-in.” kai-waehner.de, April 6, 2026.

[12] Cloud Security Alliance. “AI Controls Matrix.” CSA, 2025.

[13] Cloud Security Alliance. “Cloud Security Alliance Launches STAR for AI, Establishing the Global Framework for Responsible and Auditable Artificial Intelligence.” CSA Press Release, October 23, 2025.

[14] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 6, 2025.

[15] The AI Journal (citing Gartner). “The Sovereign AI Shockwave: Why Organisations Must Rethink their AI Strategy in 2026.” The AI Journal, 2026.

[16] Al Jazeera. “Anthropic’s case against the Pentagon could open space for AI regulation.” Al Jazeera, March 25, 2026.

[17] MIT Technology Review. “OpenAI’s ‘compromise’ with the Pentagon is what Anthropic feared.” MIT Technology Review, March 2, 2026.

[18] SiliconANGLE. “Appeals court rejects Anthropic’s bid to block Pentagon blacklisting.” SiliconANGLE, April 8, 2026.
