Anthropic-Pentagon Crisis

What happens when an AI company says “no” to the world’s most powerful military?

We have been seeing the answer since the last week of February 2026. Anthropic, the developer of the Claude models, refused the requests of the U.S. Department of Defense.¹ Within a few days, the company was designated a “national security supply chain risk,” a process was initiated to suspend its use across federal agencies, and contracts worth hundreds of millions of dollars were put at risk. Anthropic then sued the Trump administration. Some employees at rival companies supported Anthropic, new restrictions on AI were proposed in the U.S. Congress, and the issue quickly grew beyond an ordinary dispute between a company and the state.

This crisis reminded us of something important: debates about AI safety are no longer only about lab tests, model cards, or abstract statements of principle. Part of safety is now being written into procurement notices, supply contracts, and terms of use. Sometimes a model’s future is determined not by a benchmark result, but by a single phrase in a contract: all lawful purposes.

That is exactly what we will discuss in this article. Why Anthropic did not back down, why the Pentagon responded so harshly, why OpenAI stepped in on the same day, and why all of this may be a turning point for AI safety.

Background: Anthropic was already working with the defense sector#

This was not a story in which “a peaceful company confronted the military.” Anthropic had been working with U.S. national security institutions since 2024. According to the company’s own statements, Claude models were being used in areas such as intelligence analysis, modeling and simulation, operational planning, and cyber operations. Press reports and legal filings also said the dispute revolved around a roughly 200 million dollar Pentagon contract and deployments in classified environments.

This distinction matters. There was no company here that “refused on principle to work with the state.” Rather, there was a company saying, “I will work with the state, but I will say no to certain uses.” Anthropic’s position was not that “the military should never be given AI.” In fact, in its official statement, the company specifically emphasized that it had turned down significant revenue from firms believed to be linked to the Chinese Communist Party, had blocked CCP-backed cyberattacks, and had lobbied for strong export controls on advanced chips. So the issue was not cooperation itself, but the limits of that cooperation.

That is precisely why the crisis was so striking. The question was not “Is the company against the state?” but “How far can a company go in setting limits while working with the state?”

Two red lines: why did this become such a big deal?#

Anthropic insisted on two exceptions, and the crisis largely revolved around these two lines.

The first: mass domestic surveillance. Anthropic said it would not allow Claude to be used for the large-scale surveillance of American citizens. The company’s logic was this: AI can combine fragmented data sources such as security cameras, location data, financial transactions, communication records, and social media into a single large surveillance system. Data streams that are currently separate can, with powerful models, be processed, classified, and made real-time in one place. The company saw this not only as a technical risk, but as a possibility contrary to democratic values.

The second: fully autonomous lethal weapons. Anthropic stated that it would not permit Claude to be used for systems that select targets and make the decision to fire on their own. Its technical argument here was also notable: today’s frontier model systems are not reliable enough for tasks with risks this high. A model can misclassify, miss context, produce overconfident conclusions from incomplete data, or create an excessive aura of confidence around human decision-makers. In domains like this, the cost of error is not the cost of an ordinary product failure. The issue is not a bad user experience; the issue is human life.

There is an important nuance here. Anthropic was not categorically rejecting the possibility that fully autonomous weapons might one day become critical for national defense. Its line was more like this: “Maybe one day, but not today. This technology is not ready yet.” Press reports even suggested that Anthropic had put a joint R&D option on the table to improve the reliability of such systems, while the Pentagon was focused primarily on expanding permission to use them.

The Pentagon’s position followed a different logic. According to press reports and court filings, the Defense Department wanted to standardize the phrase “all lawful purposes” in its contracts. The administration’s logic was roughly this: in national security missions, the final word should be determined not by companies’ usage policies, but by the law and the military chain of command. The White House spokesperson summarized this in crude but clear language: “Our military will obey the Constitution: not the terms of service of any ‘woke’ AI company.”

This argument is not entirely senseless. It is understandable that the state, especially in a domain as high-risk as war, would be uncomfortable with private companies holding unilateral veto power. But the crucial AI safety question appears exactly here: Which law? The law as it exists today? Law that may change tomorrow? Uncertain gray areas? International norms around autonomous weapons remain unsettled. The U.S.’s own policy, Department of Defense Directive 3000.09, requires an “appropriate level of human judgment,” but it does not impose an absolute and categorical ban. So although “lawful” sounds reasonable, in a legal order that cannot keep pace with technology, it does not by itself form a reassuring boundary.

And that is exactly where things blew up.

Timeline of the crisis: from ultimatum to blacklist#

Let us briefly recap the sequence of events.

January 9, 2026: Secretary of Defense Pete Hegseth issued an internal memorandum laying out the department’s AI strategy. The document aimed to turn the department into an “AI-first warfighting force” and to evaluate frontier models independently of the companies’ own usage restrictions.

Late February: According to press reports, one of the points at which negotiations hit an impasse was the Pentagon’s desire to remove restrictive language about large-scale data analysis from the contract. Anthropic saw this as one of the last remaining brakes, especially against the risk of mass domestic surveillance.

February 24-27: Press reports and legal analysis said that the Pentagon gave Anthropic a deadline and presented two pressure options: force cooperation via the Defense Production Act or designate the company a “supply chain risk.”

Here there was an interesting contradiction. If a company is indispensable enough for the Defense Production Act to be invoked, how can it simultaneously be branded an unacceptable risk to the national security supply chain? Some critics pointed precisely to this logical tension.

February 27: Anthropic did not back down. Dario Amodei said that while the department had the right to choose its contractors, he hoped the value Claude provided to the armed forces would be reconsidered. According to Anthropic’s complaint, President Trump called on federal agencies via social media that same day to stop using Anthropic technology, and Hegseth announced that the company would be designated a “supply chain risk.”

March 5: Anthropic said it had received the official letter confirming this classification. The company argued that the relevant authority had to be interpreted narrowly and that the principle of the “least restrictive means” had been ignored.

March 6: According to press reports, an internal memorandum signed by Pentagon CIO Kirsten Davies instructed military commanders and contractors to remove Anthropic products from their systems within 180 days. What stood out here was not only the schedule but also the scope. This removal process was reported to cover extremely sensitive areas such as nuclear weapons systems, ballistic missile defense, and cyberwarfare infrastructure. The political message was harsh. The technical reality, however, was not black and white: once a technology is embedded in a supply chain, it is not easy to rip it out overnight.

March 9: Anthropic filed suit both in the Northern District of California and along the Washington, D.C. track. The company’s legal case proceeded along three axes: retaliation against free expression, violation of due process rights, and overreach of authority.

Meanwhile on the battlefield: Claude was still being used#

One of the most striking aspects of the crisis was press reporting about Claude’s role in actual military operations. According to The Wall Street Journal and The Washington Post, Claude was used through Palantir’s systems in January to support intelligence analysis and targeting in the operation to capture Venezuelan President Nicolas Maduro and in military operations against Iran. According to reports based on sources close to Anthropic, Claude’s role in these operations was to analyze large volumes of intelligence reports, detect patterns, and present findings to human analysts, not to directly recommend “strike this target.”

But the most remarkable point was the timing. According to press reports, at the very time the Pentagon was labeling Claude a “supply chain risk,” the U.S. military was continuing to use Claude in active operations. The fact that a model could be treated simultaneously as a “national security risk” and yet continue to be used on the battlefield vividly illustrated the logical inconsistency at the heart of the crisis.

We need to be careful here. The details of these operations are difficult to verify independently through public records. By their nature, they rely on anonymous sources and press reports. Even so, these reports matter if we want to understand why the debate around the crisis became so intense.

OpenAI’s role: solution or safety theater?#

This was one of the most controversial aspects of the crisis: according to press reports, hours after Anthropic was punished, OpenAI announced its own agreement with the Pentagon.

Let us first state plainly what happened. OpenAI said it had reached an agreement to deploy its models in the Pentagon’s classified systems. CEO Sam Altman said this agreement contained even more safeguards than previous examples and remained committed to the substance of the red lines Anthropic had defended.

How did OpenAI frame this? According to the public framework the company described, the models could be used for “all lawful purposes,” but mass domestic surveillance and autonomous weapon guidance would be prohibited. Later updates also added surveillance of U.S. citizens and tracking based on commercially acquired personal data to the list of prohibited uses.

So why did Anthropic find this inadequate? Because the key difference lay in the structure of the contract. Anthropic wanted certain prohibitions to appear directly in the contractual text as binding limits. OpenAI’s approach, by contrast, was more like accepting the phrase “all lawful purposes” and then placing a layer of safety on top of it. According to what leaked publicly and was reported in the press, Amodei criticized this approach as “safety theater.” Altman also acknowledged that the timing of the agreement “looked opportunistic and careless,” but defended its substance.

From our perspective, the real question is: how should we read this development?

A charitable reading would be that OpenAI accepted the work but limited it with layered safeguards. A more pessimistic reading would be this: preserving the language of “all lawful purposes” and then adding a layer of safety rhetoric on top does not solve the governance problem; it only makes it look more acceptable on the surface.

Moreover, the basic problem remained in place: because the full contractual text was not public, the scope of the prohibitions, how they would be enforced, who would monitor them, and what would happen in the event of a violation could not be clearly seen from the outside. The fact that OpenAI’s own head of national security policy, Connie LaRossa, said the terms were still being negotiated did not reduce that uncertainty.

Despite all this, it was also important that OpenAI said it did not support the “supply chain risk” label being applied to Anthropic. In other words, you fill the space vacated by your rival on the one hand, while on the other you acknowledge that the sanction imposed on it sets a dangerous precedent. That clearly showed the tension between competition and norm-setting.

Anthropic was not alone#

Perhaps the most striking and hopeful aspect of the crisis was the wave of support from within the industry.

On the day Anthropic filed suit, more than 37 Google DeepMind and OpenAI employees, including Google’s chief scientist Jeff Dean, submitted an amicus brief supporting Anthropic. The employees said they were acting in their personal capacities. Their message was clear: Anthropic’s red lines were not marginal within the technology world; on the contrary, they reflected legitimate concerns that were taken seriously in the scientific community.

The support did not stop there. The open letter titled “We Will Not Be Divided” called on Google and OpenAI employees to take a common position around Anthropic’s two red lines. According to press reports, hundreds of employees backed the call, with more than 900 signatures on the Google side. Microsoft also filed a separate amicus brief in support of Anthropic. The IT Industry Council, a major technology trade association, sent a letter to the Pentagon reminding it that such extraordinary powers were normally designed for foreign adversaries.

There was also an echo in Congress. California Representative Sam Liccardo introduced an amendment aimed at limiting the use of the Defense Production Act as a tool of retaliation against technology companies that adopt safety precautions. Liccardo’s summary was blunt: “There is no law. The law is years behind the technology.” The proposal was rejected, but the diagnosis did not disappear.

All of this mattered because it turned the crisis from a story about “one company standing up to the Pentagon” into a broader debate about governance. The message was clear: if one lab is punished today for drawing red lines, no other lab may dare to draw them tomorrow.

Historical parallel: why is Project Maven back in the conversation?#

This crisis naturally brought to mind the Google-Project Maven episode of 2018. At that time, Google employees objected to the company’s participation in a Pentagon AI project for analyzing drone footage. Thousands of signatures were gathered, employees resigned, and the company ultimately decided not to renew the contract.

But the conditions of 2026 are different from those of 2018. Back then, withdrawing was a more realistic option, because the military integration of AI was still at a much earlier stage and the Pentagon’s options were limited. In 2026, by contrast, multiple frontier model labs, such as OpenAI, Google, xAI, and others, are actively competing for defense contracts. That weakens a similar withdrawal strategy from the outset; maximalist policies of that kind are much less effective than they were in 2018. If one company refuses, another can step in very quickly.

From an AI safety perspective, this creates a deeply troubling race to the bottom. If setting safety boundaries gets you punished in the market, and your competitor is more willing to relax those boundaries, market incentives start working against safety. It is too early to say the outcome is inevitable, but it would be madness to deny that the risk is real.

What does this crisis teach us?#

If we look at this crisis only by asking “Was Anthropic right or was the Pentagon right?”, we miss part of the picture. The Pentagon’s argument is simple: no state wants to live with the unilateral veto power of private companies in an area like war. Anthropic’s argument is also clear: current models are not reliable tools for domains like mass surveillance and autonomous lethal use. The problem is that these two positions collided for the first time this openly and this harshly, and no mature governance framework exists to resolve the conflict.

Several important lessons follow.

First: “legal” is not the same thing as “safe.” This is the real backbone of the crisis. Until the law becomes clear on autonomous weapons and mass surveillance, the logic that “anything lawful is allowed” does not create a safe boundary. At that point, boundaries start to be set not by safety engineering or democratic deliberation, but by existing power relations.

Second: regulation by contract is a fragile model. At the moment, the limits on the military use of AI are not being set primarily by comprehensive laws or international agreements, but de facto by supply contracts and company policies. This model may be fast, but it is democratically problematic and institutionally fragile. It is created behind closed doors, public oversight is limited, and it can be reversed overnight when the political climate changes.

Third: “human oversight” is not a magical solution. The mere presence of the phrase “human in the loop” in a contract is not enough. The real question is whether the human actually has an effective power to stop the system. If an operator is only pressing an “approve” button on the final screen, but cannot meaningfully audit the system’s recommendation, how much real human control do we have?

Fourth: the race-to-the-bottom risk is real. If one lab is punished for drawing red lines while another signs a contract the same day, the signal sent to the market is clear: be more flexible, win more business. That is why it is not enough to rely only on companies’ goodwill in AI safety. We need shared floor rules, institutions, and more durable standards that preserve safety.

Fifth: safety commitments only become meaningful when they are tested under pressure. Anthropic held the line, but the cost was very high. That reminds us of something important: a safety model that depends only on the courage of individual companies is not sustainable. A company may be brave today and not tomorrow. What has to endure is structural protection.

Where are we now?#

As of mid-March 2026, the lawsuits are still ongoing. According to press reports, new hearings are expected in the near term. The 180-day transition period creates an interesting picture: Claude will likely continue to be used in some military systems for a while longer, even as its removal is being ordered.

The public statements are also contradicting one another. The Pentagon side says the negotiations are effectively over. Anthropic, by contrast, suggests that the talks are not completely closed. That shows us that public narratives are no longer just communication; they are now also part of legal strategy.

Broadly speaking, there are three possibilities ahead. The courts may grant Anthropic preliminary relief and limit the effect of the label. The industry may seek agreement on a common safety framework. Or neither may happen, and we may enter a period in which more flexible companies gain an advantage in the defense market while safety boundaries are eroded by competitive pressure.

Closing#

This crisis showed us something important: for powerful AI models, the most important question is not only “What can be done?” Perhaps even more important is: “What should not be done, and who gets to say so?”

If the answer to that question is only “whatever the law allows,” then technological capacity starts dragging legal boundaries behind it. If the answer is only “whatever the company wants,” then we face a problem of democratic legitimacy instead.

What we need is a governance framework that is neither left entirely to the mercy of companies nor surrendered entirely to the logic of military procurement. In 2018, Project Maven showed that employee objection could stop a contract. The Anthropic crisis of 2026 put a harder question before us: in an age when very powerful AI systems are merging with war and surveillance, will we really be able to protect common red lines?

The answer to that question has not yet been written. But discussing how it will be written, and if possible helping it be written more safely, is exactly our job and a debt we owe to the generations that will come after us.