When Deft Hands Are Needed: DoD’s Conflicted Strategies for Acquiring IP Rights in AI Systems

By: Roland Trope

In Brief

  • AI systems have become essential to the accelerated tempo of military operations. The U.S. Department of Defense (“DoD”) needs to obtain military AI systems that not only have the requisite current capabilities, but can be modified and upgraded, when needed, to address new threats with future capabilities.
  • To modify and upgrade military AI systems, DoD needs its defense contractors to grant it the requisite IP rights to make those changes, with or without their participation.
  • To achieve those objectives in contract award and negotiation, DoD crafted a detailed strategy guide for its contracting officers (“COs”) to use in planning and executing acquisitions of military AI systems and to help its COs avoid problems that had impeded earlier acquisition of military AI systems.
  • In August 2025, DoD published its AI strategy guide for acquiring IP rights in military AI systems. Within five months of the guide’s publication, DoD was embroiled in disagreements with a key contractor for military AI systems, Anthropic.
  • As that disagreement turned into a contract dispute, it became apparent that DoD had a conflicted strategy for acquiring IP rights in military AI systems.
  • The first installment of this article offers an analysis of what turned a coherent strategy for acquiring IP rights in military AI systems into a conflicted strategy and considers how the community of defense contractors for AI military systems may react to it.

I. Introduction[1]

Artificial Intelligence (“AI”) systems[2] have become essential to the accelerated tempo of military operations.[3] The U.S. Department of Defense (“DoD”)[4] needs to obtain military AI systems that not only have the requisite current capabilities, but can be modified and upgraded, when needed, (i) to ensure new data used to train the AI model “are not negatively affecting performance”[5] and (ii) to address new threats with future capabilities.

To modify and upgrade military AI systems, DoD needs its defense contractors to grant it the requisite intellectual property (“IP”) rights to make those changes, which, depending on negotiations, may be with or without the original contractor’s participation.

Counsel for AI companies should pay attention to and draw lessons from DoD acquisitions of AI systems and DoD-published guidance on its strategies for achieving its objectives in those acquisitions—in particular, its strategies for ensuring it obtains the IP rights it needs to use, maintain, repair, and upgrade AI systems throughout their life cycle. To that end, this article will focus on five topics:

  1. DoD’s published articulation of its IP strategies (“IPS”) in AI systems acquisitions, and in particular its Intellectual Property Strategies for Artificial Intelligence Programs: A Supplement to the Intellectual Property Guidebook for DoD Acquisition, issued in August 2025 (“Strategies Supplement”)
  2. Issues those strategies may raise with companies considering seeking DoD award of prime contracts for AI systems or nontraditional contractors seeking award by the prime contractor of a first-tier AI system subcontract thereunder
  3. Emerging tensions between DoD and the community of AI developers over IP rights and determination of the scope of use of AI systems in the last quarter of 2025
  4. Disagreements that surfaced between DoD and one of its key military system contractors, Anthropic, over agreed-upon terms of an AI acquisition contract, and DoD’s handling of those disagreements in January/February 2026 through threats and punitive measures that a U.S. District Court, in late March 2026, declared unlawful and enjoined with a preliminary injunction
  5. Lessons that military AI contractors may draw, at this stage, from the DoD/Anthropic controversy, especially regarding how DoD turned its published coherent strategy for acquiring IP rights in military AI systems into a conflicted strategy pursued by threats and punitive measures.

The first section of this article gives context to DoD–AI company tensions by detailing the problems that impeded an earlier DoD acquisition of a military AI system—Project Maven. The second section focuses on the Strategies Supplement, see infra, and what it reveals about issues that may need to be the subject of discussions between counsel and a nontraditional defense contractor client (“Nontraditional Defense Contractor”) when the client is considering seeking DoD award of a prime contract or first-tier subcontract for design and development of an AI system. The third section considers the DoD/Anthropic controversy, which seems to be a return to the tensions that arose between DoD and an AI developer in Project Maven and which adds to the issues counsel may need to discuss with its Nontraditional Defense Contractor client. The fourth section reviews the reasoning of the District Court’s Order Granting [Anthropic’s] Motion for Preliminary Injunction that determined DoD’s punitive measures against Anthropic to be unlawful and issued a preliminary injunction to enjoin them. The fifth section considers the lessons that counsel and its Nontraditional Defense Contractor clients might draw from this stage of the DoD/Anthropic controversy, including advice counsel to military AI contractors gave their clients in the weeks preceding the District Court’s decision and that the Court cited in support of its decision.

II. Context: Project Maven

Several successive administrations have sought to coax developers of emerging technologies (such as AI, robotics, and quantum computing) (“ETs”) to bid on DoD contracts for acquisition of ETs. DoD established the Defense Innovation Unit—Experimental to invest in Silicon Valley companies and encourage them to bid for prime contracts and subcontracts from DoD for ETs and particularly AI systems.

Unfortunately, the results were mixed, and even when a major Silicon Valley company bid on and obtained award of a DoD acquisition contract for an AI system, tensions sometimes arose between the company’s personnel and its management over performance of the DoD contract. Example: Project Maven.

Project Maven involved award of a contract to Google to use machine learning (“ML”)[6] to identify and classify objects from moving or still imagery captured by aerial, often drone, reconnaissance (“Recon”) platforms. According to PBS reportage:

Google’s role in this project has been to create artificial intelligence to do image classification on the footage collected by drones and so they were trying to help the Department of Defense mark objects in this footage to say this car is a car, this building is a building, this is a person.[7]

Among the potential uses of object recognition in Recon is assisting human operators to identify, verify, and select targets for drone strikes.

In 2019, Google employees expressed objections to Google’s work on Project Maven in a letter to Google’s Chief Executive Officer (“CEO”), signed by over 3,000 Google employees and published in the New York Times.[8] The letter highlights the internal challenges that a developer of AI systems might face, especially if its workforce joined the company to be part of developing AI and not to participate in defense procurement projects—notwithstanding the clear need for such projects in order to protect U.S. national security.

The Google employees’ letter stated, in relevant part:

We believe that Google should not be in the business of war. Therefore we ask that Project Maven be cancelled, and that Google draft, publicize and enforce a clear policy stating that neither Google nor its contractors will ever build warfare technology.

Google is implementing Project Maven, a customized AI surveillance engine that uses “Wide Area Motion Imagery” data captured by US Government drones to detect vehicles and other objects, track their motions, and provide results to the Department of Defense.

Recently, Googlers voiced concerns about Maven internally. Diane Greene responded, assuring them that the technology will not “operate or fly drones” and “will not be used to launch weapons.” While this eliminates a narrow set of direct applications, the technology is being built for the military, and once it’s delivered it could easily be used to assist in these tasks.

This plan will irreparably damage Google’s brand and its ability to compete for talent. . . . Google’s unique history, its motto Don’t Be Evil, and its direct reach into the lives of billions of users set it apart.

We cannot outsource the moral responsibility of our technologies to third parties. . . . This contract puts Google’s reputation at risk and stands in direct opposition to our core values. Building this technology to assist the US Government in military surveillance—and potentially lethal outcomes—is not acceptable.

Recognizing Google’s moral and ethical responsibility, and the threat to Google’s reputation, we request that you:

    1. Cancel this project immediately
    2. Draft, publicize, and enforce a clear policy stating that neither Google nor its contractors will ever build warfare technology[9]

Google management declined to cancel the project; and under the procurement contract (which is not publicly available), Google probably did not have the right to cancel—let alone cancel because its employees protested doing the work to fulfill Google’s contractual obligations.

Two other considerations may have factored into Google’s decision to continue work: one concerned a government contractor’s obligations to continue work pending a final resolution of the dispute, and one concerned the impact that a Google breach would have on Google’s “past performance” record and its adverse effect on Google’s future opportunities to win award of a U.S. government (“USG”) contract.

Consideration 1: Contractor Obligations to Continue Work

If Google had found a basis to claim a breach of the procurement contract by DoD and wanted to use the claim as a basis for stopping work, it would have found significant impediments to that strategy. If the contract was subject to the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”), the FAR and DFARS mandate inclusion of disputes clauses that give the USG or DoD cognizant contracting officer (“CO”) the authority to require the contractor to diligently continue performing the contract. That authority is provided by federal statute. The federal statute, 41 U.S.C. § 7103(g), addresses the issue in its provision concerning the finality of review of a contractor’s claim by the cognizant contracting office:

(g) Finality of Decision Unless Appealed.—The contracting officer’s decision on a claim is final and conclusive and is not subject to review by any forum, tribunal, or Federal Government agency, unless an appeal or action is timely commenced as authorized by this chapter. This chapter does not prohibit an executive agency from including a clause in a Federal Government contract requiring that, pending the final decision of an appeal, action, or final settlement, a contractor shall proceed diligently with performance of the contract in accordance with the contracting officer’s decision.[10]

In contracts subject to the DFARS, it is mandatory that the disputes clause at FAR 52.233-1 be included in those contracts.[11] The disputes clause states, in relevant part: “(i) The Contractor shall proceed diligently with performance of this contract, pending final resolution of any request for relief, claim, appeal, or action arising under the contract, and comply with any decision of the Contracting Officer.”[12] If the DoD/Google contract for Project Maven was subject to the DFARS, Google would not have had the right to stop work pending resolution of a claim. Halting work, or failing to perform work diligently, would probably have put Google in material breach of the contract.

This consideration is unique to contracting with the federal government. Commercial contracts seldom require a vendor to continue work pending final disposition of a claim against its customer. It’s an issue of probable interest to nontraditional contractors considering bidding on, and accepting award of, a prime contract or first-tier subcontract[13] for a DoD AI system acquisition.[14]

Consideration 2: Impact of a Work Stoppage on a Contractor’s “Past Performance” Record

Among the important criteria applied to DoD’s selection of a contractor for award of a prime contract for acquisition of defense articles is the contractor’s record, if any, of past performance. As explained by the General Services Administration on its website, “[i]nformation regarding a contractor’s actions under previous contracts and orders, also known as past performance, is an indicator of future performance and is one of the most relevant factors that a selection official should consider in awarding a contract.”[15]

Past performance data is collected by the CO and the CO’s representative or technical representative (“COTR”), who use the data to prepare the contractor performance assessment report (“CPAR”) and enter that report into the contractor performance assessment reporting system (“CPARS”) at least annually.[16] The contents of a CPAR are granular, empirical, comprehensive, and highly sensitive and, as such, are not releasable under a Freedom of Information Act request:

The CPAR captures current, complete, and accurate Information on contractor performance that is then made available for use in source selections. This information supports best value source selection decisions to reward proven performers and to motivate contractors to perform. Additionally, the CPAR provides up-to-date documentation of a contractor’s ability to provide quality, on-time products and services that conform to contractual requirements and supports responsibility determinations of prospective contractors. When preparing the CPAR, it’s important to remember the information is pre-decisional in nature; treat contractor performance information as privileged source selection information including any working papers and electronic files. This information is not releasable under the Freedom of Information Act (FOIA).[17]

This consideration also is unique to contracting with the federal government. It serves as both an incentive to perform DoD contracts well and as a disincentive to perform them poorly. Google would likely have known that its performance of the Project Maven prime contract was being entered at least annually into the CPARS and that its past performance record would have been adversely affected if it had stopped work or purported to cancel the contract.

Google eventually declined to seek award of follow-on contracts for Project Maven.[18] But Google did not withdraw from supporting U.S. national security and made clear it would continue to seek award of and perform DoD contracts. As its CEO Sundar Pichai wrote, “While we are not developing AI for use in weapons, we will continue our work with governments and the military in many other areas.”[19]

In the three years following Google’s withdrawal from (not seeking follow-on contracts for) Project Maven, Google obtained awards of contracts with defense and intelligence agencies. The contracts included work on

detecting corrosion on Navy vessels by applying machine learning to drone imagery and . . . supporting aircraft maintenance for the Air Force. . . . [And supplying] cloud security technology to the Pentagon’s Defense Innovation Unit, set up to help the agency work more closely with tech companies. . . . [And a portion] of a large CIA cloud contract.[20]

There would appear to be lessons worth learning from the Project Maven controversy: an AI developer does not have to have an “all-in” relationship with DoD to be of considerable support to DoD. When DoD has at times determined to terminate a traditional big defense contractor for default on a major procurement contract (e.g., termination for default of General Dynamics Corp. and McDonnell Douglas Corp. as prime contractors on the A-12 project for the first carrier-based stealth aircraft back in 1991),[21] DoD usually continues to consider favorably bids for procurement contracts by those companies. Similarly, as Google demonstrates, when there is a parting of the ways between an AI developer and DoD, that does not require that the parties cease finding ways and projects on which they can work together in support of U.S. national security.

A more immediate lesson following Google’s decision prompted considerable discussion among Silicon Valley developers of AI. As noted in December 2019 by Peter Thiel, cofounder of PayPal and Palantir, there was a “silver lining” to Google’s decision and the subsequent discussions about it in Silicon Valley:

I think sort of the silver lining of the Maven controversy is that it tells us that AI is a military technology, or at least it’s a dual-use technology. . . . And it’s not something that Silicon Valley had acknowledged for a long time.

. . .

Even though I disagree with Google on Project Maven, I think it has forced a debate, and that sort of debate about AI is going to happen in many other areas of technology. . . . They are dual-use [technologies] and we better make sure we get the cutting-edge ones on our side.

. . .

[Silicon Valley] is very disconnected from the history of the 1950s and 1960s where it was heavily created by military R&D. And people are just not aware of that history in any way.

. . .

[Regarding the ethics debate of developing AI for military purposes], when it’s a choice between the U.S. and China, it is always the ethical decision to work with the U.S. government. . . . It’s really odd that we’re even having any sort of debate where that’s even framed as a question.[22]

Contemporaneous with Thiel’s expression of his views (and in the same forum), the then head of the Pentagon’s Defense Innovation Unit (“DIU”) also saw a “silver lining” in the Google decision, namely, that it did not reflect the views or positions of many AI developers in Silicon Valley:

[W]e’re seeing no shortage of companies that want to work with us. The last solicitation we did for an AI project had 60 companies applying. . . . [W]hile very regrettable, the Project Maven-Google story . . . is significant for what that represents and how we need to change that, I don’t think that’s representative of how Silicon Valley or the other innovation hubs feel about defense.[23]

Just as Thiel noted a disconnect between Silicon Valley company personnel and the DoD-funded research and development (“R&D”) projects that provided those companies with considerable work and opportunities in Silicon Valley’s formative years, it is important not to lose sight of, or allow a disconnect between, the Project Maven experience of DoD and a major developer of AI, Google, and the efforts of DoD and major developers of AI systems to work together with a later generation of employees and a new generation of developers, such as OpenAI and Anthropic.

The DoD/Google experience with Project Maven should also not overshadow a major tension that tends to arise whenever DoD seeks contractors (traditional or nontraditional) to perform design and development work for AI systems: the allocation of IP rights that arise from performance of the work. Within the past year, DoD has formally expressed its views on that subject in the 2025 publication of Intellectual Property Guidebook for DoD Acquisition (“Guidebook”)[24] and addressed the IP issues in acquisition of AI systems in its August 2025 publication of Intellectual Property Strategies for Artificial Intelligence Programs: A Supplement to the Intellectual Property Guidebook for DoD Acquisition (“Strategies Supplement”).[25]

III. Strategies Supplement

The Strategies Supplement asserts early on that AI procurement programs have “unique” objectives—and, accordingly, titles section 2.1.2 “Unique AI Program Objectives.” It’s an interesting nontrivial assertion, especially for a federal agency that has such diverse acquisitions. Section 2.1.2 does not explain the assertion, but, as discussed below, Nontraditional Defense Contractors should take it seriously.

Accepting that AI system procurements have “unique” objectives should alert such clients that DoD’s program objectives will be unlike those of other programs; may involve accordingly “unique” strategies; and probably derive from DoD’s recognition that there are features in AI systems that are so unlike other systems DoD procures that DoD needs to make sure it gets what it needs throughout the life cycle of an AI system in performance, maintenance, repairs, and upgrades (“PMR&U”). DoD’s PMR&U objectives, moreover, require DoD to obtain, via license granted by the AI developer, the IP rights needed to use, maintain, repair, and upgrade an AI system designed and developed for DoD. DoD usually seeks those IP rights by focusing on rights to data needed to operate, maintain, install, and train (“OMIT”) users to operate equipment and systems that DoD procures. These rights are usually referred to as “OMIT data rights.”

OMIT data rights do not usually extend to rights to upgrade (correct, retrofit, or otherwise improve equipment or systems). DoD used to procure such work from the original equipment manufacturer (“OEM”), but that tended to give OEMs a lock on that work and created what DoD found to be unfavorable “vendor lock” in situations in which DoD wanted to seek competitive bids for follow-on work in maintenance, repair, and upgrades of equipment or systems.

Historical Context

The Strategies Supplement speaks in the present tense and regrettably omits historical context that would explain why DoD would be so concerned about OMIT or PMR&U (which, to be fair, can be easily inferred from the military end-users’ need to achieve mission objectives), and why DoD would be so concerned about the IP rights it needs to control and utilize the PMR&U features of an AI system (which may be obscure and hard for a Nontraditional Defense Contractor to know, or to infer or guess accurately). Here, a bit of historical context is needed because DoD acquisition professionals know it, but the Nontraditional Defense Contractor needs to be read into it—if necessary, with the help of its counsel.

Our sources for this historical background are reports prepared by the U.S. Government Accountability Office (“GAO”) in the early 2000s reflecting on DoD’s experiences in fielding and maintaining complex weapon systems downrange, far from the United States. A July 2006 GAO report summarized the challenges DoD encountered without sufficient rights to technical data needed to operate and sustain those systems and to have them available and capable of achieving military mission objectives.

A critical element in the life cycle of a weapon system is the availability of the item’s technical data—recorded information used to define a design and to produce, support, maintain, or operate the item. Because a weapon system may remain in the defense inventory for decades following initial acquisition, technical data decisions made during acquisition can have far-reaching implications over its life cycle. . . .

The Army and the Air Force have encountered limitations in their sustainment plans for some fielded weapon systems because they lacked needed technical data rights. The lack of technical data rights has limited the services’ flexibility to make changes to sustainment plans that are aimed at achieving cost savings and meeting legislative requirements regarding depot maintenance capabilities. GAO identified . . . weapon system programs that encountered such limitations—C-17, F-22, and C-130J aircraft, Up-armored High-Mobility Multipurpose Wheeled Vehicle, . . . [and] Airborne Warning and Control System aircraft. . . . Although the circumstances surrounding each case were unique, earlier decisions made on technical data rights during system acquisition were cited as a primary reason for the limitations subsequently encountered. As a result of the limitations encountered, the services had to alter their plans for developing maintenance capability at public depots, developing new sources of supply to increase production, or soliciting competitive offers for the acquisition of spare parts and components to reduce sustainment costs. For example, the Air Force identified a need to develop a core maintenance capability for the C-17 at government depots to ensure it had the ability to support national defense emergencies, but it lacked the requisite technical data rights. . . . [A]ccording to Air Force officials, some sub-vendors have declined to provide the needed technical data needed to develop core capability.[26]

GAO’s report took DoD to task for failing to obtain, in initial contract negotiations, the tech data rights it needed for life-cycle PMR&U:

Current DOD acquisition policies do not specifically address long-term technical data rights for weapon system sustainment. For example, DOD’s policies do not require program managers to assess long-term needs for technical data rights to support weapon systems and, correspondingly, to develop acquisition strategies that address those needs. DOD, as part of the department’s acquisition reforms and performance-based strategies, has deemphasized the acquisition of technical data rights. Although GAO has recommended that DOD emphasize the need for technical data rights, DOD has not implemented these recommendations. . . . Unless DOD assesses and secures its rights for the use of technical data early in the weapon system acquisition process when it has the greatest leverage to negotiate, DOD may face later challenges in sustaining weapon systems over their life cycle.[27]

Since publication of that report in 2006, DoD has made extensive efforts to develop long-term strategies for acquisition of IP rights needed throughout the life cycle of procured equipment and systems. Knowledge of the problem discussed by GAO in the quoted report (and others it issued back then) and knowledge of the efforts to change its IP rights acquisition strategies are assumed by the text of the August 2025 Strategies Supplement. It’s important, for example, to know that the April 2025 Guidance replaced guidance issued back in October 2001 (that took an approach to only acquire IP rights absolutely needed). DoD’s strategies change slowly and reflect long swings in the pendulum between seeking less and seeking more IP rights from the developers of complex systems. With that background, we can make an informative reading and analysis of the Strategies Supplement.

Unique Objectives

The Strategies Supplement sets out the AI procurement objectives without making clear which of the objectives are the “unique” ones. However, the Strategies Supplement, when read and reread as carefully as it deserves, allows counsel and clients to infer (with text support) what makes certain PMR&U and OMIT objectives part of DoD’s ongoing change in IP rights acquisition strategies and what seems to be unique about those needs in the procurement of AI systems.

Not surprisingly, what makes AI systems different from earlier software-intensive and data-centric systems turns out also to be what makes certain IP rights acquisition strategies for AI systems “unique.” Perhaps the most important and salient differences are the following:

  • AI systems rely upon, and have at their center, an AI “model.”
  • The “model” performs as a prediction machine.
  • The “model” is developed or “trained” by exposing it to massive amounts of data.
  • Training data quality is paramount.
  • An AI “model” can degrade in performance over time, or fail to be accurate enough to perform upscaled or changed missions involving new sets, or pools, of intel-collected data, and may need to be “retrained.”
  • Retraining a “model” can also enable it to be adapted for new missions or objectives, which can include using it for purposes that it may previously have been “trained” not to perform.

As a result, although AI systems include algorithms and software, those are not what make an AI system “unique.” DoD needs strategies to acquire IP rights to algorithms and software in non-AI and AI system procurements. But for the acquisition of AI systems, DoD has “unique” needs for strategies to acquire IP rights to “models” and training data—and something unobvious but apparently salient to DoD’s missions, IP rights to retrain “models.”

The Strategies Supplement, in section 2.1.2 (“Unique AI Program Objectives”), provides a bullet-point list of what short-term and long-term program objectives may include. In quoting that list below, the objectives in italics are those that appear to an outside observer to be the “unique” or most unique—and thus AI-driven—objectives. (Notice also how several of them invoke DoD’s historical experience with challenges in obtaining the necessary PMR&U and OMIT data rights.)

  • Sustainment without contractor dependence or vendor lock.
  • Retraining or tuning models using new or domain-specific data.
  • System modification by the Government or non-Government partners.
  • Integration of AI components into broader mission systems.
  • Transfer of systems or capabilities to other Government platforms, non-Government partners, or coalition partners.
  • Use of system telemetry data or sharing of such data with other Government platforms, non-Government partners, or coalition partners.
  • Use of commercially available technology to promote acquisition efficiency.
  • Promotion of innovation or fostering an environment that encourages innovation while safeguarding IP for privately developed technology.
  • Protection of national security interests or ensuring that the IPS [(“IP strategy”)] aligns with national security priorities.
  • Compliance with cybersecurity or RAI [(“responsible artificial intelligence”)] requirements.
  • Cost-effectiveness or balancing rights to IP with cost considerations to optimize value or return on investment for the DoD.
  • Scalability from accomplishing initially discrete mission objectives to broader mission objectives over program life cycle.[28]

There thus seem to be four “unique” objectives: “retraining” of models; integrating AI components into other systems; transferring AI capabilities to other platforms; and scaling from initial mission objectives to other, broader mission objectives.

Retraining Models

Of the four “unique” objectives, there is one that is mentioned repeatedly in the Strategies Supplement—and its repetition is so frequent that it seems to be a particular priority for DoD’s strategic planning: “retraining or tuning” of models. To accomplish the other three “unique” objectives, “retraining” of AI models may be a prerequisite, as integrating, transferring, or scaling an AI system will at some point probably require “retraining” of the AI system’s model.

Significantly, the Strategies Supplement refers to retraining models nine times over its fifteen pages: the term retraining models appears in five passages,[29] and the abridged term retraining appears in four passages[30] (each an implicit reference to the only feature of an AI system that’s retrained—its model).

The terms retraining models and retraining are doing several kinds of work in the Strategies Supplement. Each instance shows that DoD anticipates that AI systems are “unique” and certainly unlike its usual equipment or system acquisitions. DoD typically purchases equipment or systems that are complete upon delivery; they usually do not undergo fundamental changes in their capabilities: an aircraft, an aircraft carrier, and a drone are each relatively stable in design and features over their life cycle (yes, submarines undergo so-called midlife overhauls, but those aim at extending and ensuring the safe performance of the vessel when submerged, and may alter the generation of onboard weapons, but seldom reconfigure the boat to launch a different kind of weapon system than it was designed to operate).[31]

By contrast, the Strategies Supplement, via its iterative references to retraining models, appears to be anticipating and reminding its immediate audience of DoD COs and COTRs to anticipate that AI systems will not be static or stable—and to understand why.

AI systems, though they include algorithms and software, are not intended to be as static as software is (when it’s stable, which it should be unless it’s poorly designed). When a customer buys a license to use a word processor software package, the customer wants it to be the same each time the customer sits down to use it: features like formatting, spell checking, font control, entry of letters, and punctuation must perform uniformly and consistently so that the user can concentrate on composing or writing and not on verifying and reverifying the text as it appears on the screen (editing and proofreading should be to correct user typing errors, not word processor typing errors).

AI systems, by contrast, do not give the same output to the same prompt (if they are large language model–based generative AI (“GenAI”) apps). Conventional AI systems (as distinguished from GenAI) may change in performance as datasets are fed into them. To put it differently, an AI model may be trained to a certain point, but it may be capable of modifying its performance based on the data the user enters and the uses to which it is put. AI models can degrade in predictive accuracy. AI models can develop “emergent behavior,” namely, perform in ways that they were not designed to perform, which may result in capabilities desired or not desired by its users.

But those are reasons why AI systems, by design, will not be static after delivery to DoD. There are also reasons why AI systems will not be static that derive from the work users will do with them. DoD’s missions change continuously, as do the threats to U.S. national security. AI systems appear to be highly adaptable, but adaptation may often require “retraining models” to fit the mission.

The emphasis on the need for “retraining models” is unlike any of the issues that typically arise in DoD investments in software design and development contracts or in acquisition of software-intensive systems.

Rather than attempt a summary or highlights of the Strategies Supplement, the discussion will now focus on what issues appear to be important in the appearance of the words retraining models or retraining in certain parts of the document. Tracing these issues, by looking at some of the nine uses of those terms, should give Nontraditional Defense Contractors and their counsel insights on what appears to be one of the most salient themes in the Strategies Supplement—and one that they should be prepared to address and negotiate with DoD to ensure the successful completion of a prospective acquisition of AI systems.

First Appearance

On page 4, in the discussion of unique AI program objectives, the Strategies Supplement provides an example of how clarifying the program’s short- and long-term objectives can help frame IP requirements, data deliverables, and associated license rights:

For example, if the program will retrain models or transfer them across platforms, the IPS should address how rights to training data, model weights, and supporting documentation will be secured. Also, AI programs may be contracted on a service-based model and not a typical product delivery model, which may add complexity. . . .[32]

The agent-less statement, “if the program will retrain models,” creates an unhelpful ambiguity: it leaves unclear who will retrain the model—the AI developer or DoD or a combined effort by AI developer and DoD or a third-party contractor and potential competitor of the AI developer. That should be recognized as the threshold issue: if DoD wants to retrain the model, it will need a license that the AI developer may not be willing to grant, or may charge a significant premium to grant; and the license may come with potentially controversial restrictions and limitations that will also raise issues of the AI developer’s right (and capability) to enforce those restrictions and limitations without creating a project-impeding disagreement, or project-disrupting dispute.

The issue of who will retrain the model, and even whether its retraining will be contemplated by the contract (as a requirement, as an option, or as a prohibition) goes to the core of what the AI developer and DoD need to reach a clear understanding on before attempting to pursue their respective strategies for negotiating allocation of IP rights under the prospective AI development contract. The salient issue is this: Who will control the retraining and retraining objective(s) for the model?

Silicon Valley companies depend on protecting their IP rights and most of all protecting the IP of, access to, and control of their “crown jewel” technologies. The most secure control is to maintain the “crown jewel” as a “black box”—not only as a trade secret, but also granting no customer access to it. AI developers in particular tend to keep their AI model as a “black box.” As one commentator explained:

Any of the three components of a machine-learning system can be hidden, or in a black box. As is often the case, the algorithm is publicly known, which makes putting it in a black box less effective. So to protect their intellectual property, AI developers often put the model in a black box. Another approach software developers take is to obscure the data used to train the model—in other words, put the training data in a black box.[33]

The Strategies Supplement omits or jumps over this threshold issue. As a result, the AI developer and DoD may overlook the issue, or decide to “kick the can down the road” and address it when and if it arises. That, however, risks a disruptive disagreement if DoD insists on using the AI system and model for purposes the AI developer assumed it would not be used for, or that the procurement agreement, in a specially negotiated license, expressly prohibited.

A second challenge arises from the retraining issue: Who will control what data the AI system model receives (and, relatedly, will the model be designed to “learn” or be self-modified by the data)? The obvious answer would seem to be the customer, but that raises the risk for the AI developer that DoD will provide the AI system model data that will change its performance parameters or cause it to develop “emergent behavior” not anticipated or desired by the AI developer.

The Strategies Supplement expresses a guidance that should help DoD anticipate and preferably avert the risk of misunderstanding and disagreement. It notes that DoD’s documentation of its IPS should

explain not only what the Government wants, but why. Clear justifications—tied to operational goals, risks and sustainment plans—improve credibility with vendors and reviewers. . . .

It must provide enough detail to guide acquisition personnel in implementing the strategy—such as describing required data categories, intended use cases, and desired license outcomes—while avoiding overly prescriptive requirements that limit tailoring at the contract level.[34]

Coming several pages after the first reference to “retraining models,” the DoD reader and AI developer reader might not link the “intended use cases” back to the omitted issue of who will control the model’s use, its retraining, and the extent to which the data it works with will be allowed to modify or cause the model to evolve in its performance—and possibly might not be prepared for use cases that DoD did not disclose to, or discuss with, the AI developer.

The seriousness of the control issue surfaces in the sentence that immediately follows the first mention by the Strategies Supplement of “retrain the models.” It states, “Also, AI programs may be contracted on a service-based model and not a typical product delivery model, which may add complexity and require additional understanding of short- and long-term Government needs.”[35]

This quotation may be interpreted to address procuring AI system models on an as-a-service basis, which may mean the federal government will have no ability to do anything to the AI developer’s model directly; or, if it wants that ability, it will need provisions giving it a right to access the model, either by remote connection or by entry to the premises where the AI developer has the model situated (which may be at a premises controlled by the AI developer or at one controlled by a third party with whom it has the requisite contractual relationship).

If DoD and the AI developer plan to enter into a contract for a service-based provision of the operation of the AI system, and if that contract will contemplate DoD access to the model directly, that makes it all the more important to know who will control its operation, the data it receives once in operation, and whether the AI developer will agree to “retraining the model” by DoD or by the developer itself, as well as whether a change in the aims or the mission uses of the AI system will be subject to review and approval by the AI developer. Otherwise, an AI system designed exclusively to assist in aerial reconnaissance, for example, could be adapted and “retrained” for use on an autonomous unmanned aerial vehicle (“UAV”), providing it not only recon data but also targeting identification, verification, and justification for launching an onboard missile or other munition. In short, DoD’s interest in “retraining” a model appears to open an ambiguous door to shift the mission and, to perform that mission, the training of the model—and such changes might depart from or contravene understandings reached with the AI developer and memorialized in the contract stating, for example, a prohibition against using the AI model to conduct autonomous targeting and launching of weapons against humans.

DoD, of course, could take the position that it needs that flexibility and that it cannot disclose such plans as they would involve access to classified information, and few Nontraditional Defense Contractors have the requisite security clearance to access such information. What DoD can disclose and discuss with the developer will almost certainly turn on whether the AI developer has obtained a security clearance, not only to have access to classified information, but to have a sufficiently high level of clearance to have access to the information needed for a frank and long-range discussion at the outset of what DoD wants to be the AI system model’s use cases. Obtaining a clearance takes many months (and sometimes more than a year) and often requires support from a traditional defense contractor. Such processes and time frames would preclude most Nontraditional Defense Contractors from participating in a bidding process that might be much shorter.

The DoD/Google controversy over Project Maven makes these issues important and should make them a priority for threshold discussions between DoD and a prospective AI developer. Without agreement on the “use cases” and who will have “control” over the model and “access to it,” the negotiation of licensing and of allocation of IP rights to the AI system and its model will lack the fundamental understandings between the parties—especially in the context of what is increasingly the contractual vehicle: Other Transaction Authority (“OTA”) procurement agreements that are not governed by the FAR or DFARS and thus are not required to contain any clauses mandated by the FAR and DFARS.

Second Appearance

The second appearance in the Strategies Supplement of the term retrain models occurs on the same page as the first, but in a subsequent section—section 2.1.3, “AI-Specific Data Types and Categories.” This time, we will quote the sentence that uses the term and the following sentence to see where it leads. Note that this time, instead of leading into a brief mention of AI-as-a-service procurement, the text leads into a discussion of data quality and utility needed for the AI system model:

For example, if the program will retrain models or transfer them across platforms, the IPS should address how rights to training data, model weights, and supporting documentation will be secured. The quality and utility of any AI solution relies heavily on the quality of the data type being used for model training, evaluation, input, and output. Understanding the types of data associated with the AI at different points in its development and use will directly influence which AI solution and the license rights that should be secured.[36]

The quoted discussion of data, like the one that preceded it on contract type (AI-as-a-service), again omits the key issue: Who will control the model? AI developers know that to train a model well requires copious quantities of data and that the higher the data quality, the better the model’s performance. But AI developers may find unsettling the subtle nuance expressed with the words types of data associated with the AI at different points in its development and use. Those words do not make clear whether different points in its development refers to pre-delivery of an AI system or pre-start of the delivery of AI-as-a-service. If different points in its development includes the post-delivery or post-start of the use of the AI system, we are back to the issues of the rights to “retrain the model” discussed above.

The fact that the sentence ends with will directly influence which AI solution . . . should be secured suggests that DoD will use as a contractor-selection criterion whether a prospective AI developer is willing to give DoD a free hand in deciding when, why, how, and by whom the AI system model will be “retrained.” Many AI developers may find that a bridge too far and be unwilling to cross it or even step onto it and will respond to a solicitation with “no bid.” If the AI developer does not grasp the issues that may not surface in the negotiations but will eventually focus on the rights to retrain the model, they may balk if during contract performance the DoD directs them to retrain the model (or claims it has the right to retrain it); in that event, the AI developer may seek to enforce a restriction in the license that they understood to prohibit such retraining and its mission objectives (the kind of mission and use on that mission), and, one way or another, signal that, like Google before them, they will not agree to perform any follow-on work or seek a follow-on contract.

Third Appearance

The third appearance in the Strategies Supplement of the term retrain models finally begins to make more explicit DoD’s reiteration of and focus on rights to retrain the model. It occurs in the same “AI-Specific Data Types and Categories” section and appears in a list of bullet points about data types, one of which reads in full:

  • Model Data: Includes weights, biases, available features, selected features performance optimization, and parameters of trained models. These determine the:
    • Ability to maintain and retrain models.
    • Ability to modify the model’s behavior.[37]

The two sub–bullet points are revealing. They make clear that a retraining of the model is not foreseen as primarily needed to correct degradation(s) in the model’s performance, nor to upgrade the model’s performance of its initially defined mission(s). Instead, they aim to “modify the model’s behavior,” which may suggest to an AI developer DoD’s need to have that control over the model, which then may well remove the use of the model from restrictions the AI developer may have negotiated to have expressed in the procurement agreement.

Rather than attempting a review of other key passages in the Strategies Supplement, it will be more useful for Nontraditional Defense Contractors and their counsel to see how the control over the model (its missions, use to achieve the missions, and any retraining to enable it to achieve the desired performance) may surface when these issues become points of contention between DoD and an advanced AI developer. The following section discusses what has been reported to date about the disagreement that has emerged in 2026 between DoD and AI developer Anthropic, which echoes back to the DoD/Google controversy over Project Maven.

IV. DoD/Anthropic Controversy[38]

Award of DoD AI Acquisition Contract to Anthropic (July 2025)

Anthropic, Public Benefit Corporation (“PBC”) is a relative “start-up” and AI developer “focused on AI research safety, and policy work.”[39] Anthropic is now valued at $380 billion.[40] Anthropic started deploying large language models (“LLMs”) in 2023.[41] Anthropic’s signature model is an LLM named “Claude.”[42] Claude has been used by U.S. intelligence and defense agencies since November 2024 “through a partnership with Palantir Technologies.”[43] DoD’s Defense Counterintelligence and Security Agency “granted Anthropic a Top Secret facility security clearance” to support classified projects.[44]

According to Anthropic, it has “never offered any customer a [AI] model without a Usage Policy,” including the DoD.[45] Moreover, when DoD started using Claude in March 2025, DoD did so “subject to a Usage Policy and government-specific addendum that restricted deployment to ensure safe, reliable use.”[46]

On July 14, 2025, DoD awarded four AI developers—Anthropic, OpenAI, xAI, and Google—$200 million contracts, each to develop AI capabilities to advance U.S. national security.[47]

According to an announcement by Anthropic posted on its website, the contract was a “two-year prototype other transaction agreement[48] with a $200 million ceiling.[49] As part of the agreement, Anthropic will prototype frontier AI capabilities that advance U.S. national security.”[50] More specifically, DoD’s Chief Digital and Artificial Intelligence Office award of contract to Anthropic was “to integrate and optimize AI capabilities across” the DoD.[51]

Anthropic’s contract differed significantly from the contracts awarded to the other three AI developers: “Anthropic is currently the only AI company to have its model deployed on the Pentagon’s classified networks, through a partnership with data analytics giant Palantir.”[52]

The contract was reportedly to “integrate Anthropic’s Claude models into defense operations as part of the government’s deployment of AI.”[53] Significantly, Anthropic’s July 14, 2025, press release suggests that the contract included DoD compliance with Anthropic’s “strict usage policies” for Claude: “At the heart of this work lies our conviction that the most powerful technologies carry the greatest responsibility. . . . Our commitment to responsible AI deployment, including rigorous safety testing, collaborative governance development and strict usage policies, makes Claude uniquely suited for sensitive national security applications.”[54]

Another significant difference in Anthropic’s contract: usage restrictions. Since March 2025, DoD has used “Claude Gov,” dedicated models for national security users through the Palantir platform and with special usage restrictions:

Claude Gov has different safeguards than the civilian models and can, for example, analyze documents marked “Top Secret.” Claude Gov also has a government-specific addendum to its Usage Policy that eliminates some of the restrictions applicable to the civilian version. Since DoW began using Claude Gov in March 2025, this government-specific usage policy has “imposed broad restrictions that would have prohibited mass surveillance of Americans and lethal autonomous warfare.”[55]

Start of DoD and Anthropic Disagreement over Usage Terms

Shortly after the contract award, DoD and Anthropic started to disagree “over the contractual terms of how Anthropic’s technology can be used. . . .”[56] Until then, “DoW appeared to have no objection to the usage policy and did not appear to view Anthropic as a national security risk in any way.”[57]

As reported by the Wall Street Journal:

Tensions with the administration began almost immediately after [the Anthropic contract] was awarded, in part because Anthropic’s terms and conditions dictate that Claude can’t be used for any actions related to domestic surveillance. That limits how many law-enforcement agencies such as Immigration and Customs Enforcement and the Federal Bureau of Investigation could deploy it. . . .

Anthropic’s focus on safe applications of AI—and its objection to having its technology used in autonomous lethal operations—have continued to cause problems. . . .[58]

The tensions increased in September 2025, when DoD began negotiating with Anthropic “a new deployment of Claude” on DoD’s “GenAI.mil” platform.[59] According to Anthropic, DoD:

insisted for the first time that Claude be permitted for “all lawful uses.” . . . Anthropic ultimately agreed, subject to two narrow but important exceptions: Claude could not be used for lethal autonomous warfare or mass surveillance of Americans.[60]

In a slightly different account, the U.S. District Court for the Northern District of California (in the 3/26 Order granting Anthropic’s motion for a preliminary injunction), determined that the tensions grew out of DoD’s insistence that its July 2025 contract with Anthropic be modified to relax the contract provision that expressed Anthropic’s restrictions against certain uses of Claude. DoD wanted those contractual restrictions removed and replaced by an expansive and vague authorization for Claude to be operated for “all lawful uses” (with apparently no definition of “lawful,” of who would decide on the scope and meaning of “lawful,” or of whether “lawful” could be determined after conduct of an operation or mission when any objections would be too late, making “lawful” a potentially hollow restriction):

During these conversations, DoW[61] took the position that Anthropic should permit DoW, its contractors, and its subcontractors to use all versions of Claude for ‘all lawful uses,’ without any usage restrictions. As DoW put it, ‘We will not let ANY company dictate the terms regarding how we make operational decisions.’ Anthropic ultimately agreed to do so with ‘two critical exceptions: mass surveillance of Americans and lethal autonomous warfare.’ Anthropic did not believe Claude currently to be safe for those uses based on its training and testing. . . . [I]f Claude were used to conduct mass surveillance, Anthropic believed Claude might retrieve a much broader set of information than intended, thus inadvertently violating laws protecting civil liberties. Anthropic further believed that lethal autonomous warfare was beyond Claude’s current ability to carry out reliably, in light of the potentially grave consequences of a mistake.[62]

DoD and Anthropic Disagreements in Public Statements (January 2026)

In January 2026, Anthropic’s CEO, Dario Amodei, authored and published a lengthy (eighty-four-page) essay entitled The Adolescence of Technology: Confronting and Overcoming the Risks of Powerful AI (“Amodei Essay”).[63] The Amodei Essay articulates concerns that Anthropic’s CEO has about the pace, direction, and loss of control of AI systems. He notes the accelerating pace of AI development:

Because AI is now writing much of the code at Anthropic, it is already substantially accelerating the rate of our progress in building the next generation of AI systems. This feedback loop is gathering steam month by month, and may be only 1–2 years away from a point where the current generation of AI autonomously builds the next. . . . I can feel the pace of progress, and the clock ticking down.[64]

The Amodei Essay expresses concerns about fully autonomous weapons “because they are so powerful, with so little accountability, and there is a greatly increased risk of democratic government turning them against their own people to seize power.”[65] Furthermore, the Amodei Essay expresses concerns about AI systems used for domestic surveillance:

Sufficiently powerful AI could likely be used to compromise any computer system in the world . . . . It might be frighteningly plausible to simply generate a complete list of anyone who disagrees with the government on any number of issues, even if such disagreement isn’t explicit in anything they say or do. A powerful AI looking across billions of conversations from millions of people could gauge public sentiment, detect pockets of disloyalty forming, and stamp them out before they grow. This could lead to the imposition of a true panopticon. . . .[66]

Those expressed concerns apparently were reflected in restrictions that Anthropic had negotiated to include in the DoD July 2026 contract for its AI system model Claude.

The fact that almost immediately after the contract start the parties were in disagreement about the terms and conditions they had just concluded negotiating (and discussing the meaning of) suggests that at least one of the parties may have decided to torque the meaning of some of the contract’s key provisions in order to release it from, or to start relaxing, the obligations or restrictions it was obligated to honor.

After the U.S. raid in February 2026 on Venezuela, the Wall Street Journal revealed that Anthropic’s AI tool Claude was “used in the U.S. military’s operation to capture former Venezuelan President Nicolás Maduro, highlighting how AI models are gaining traction in the Pentagon. . . .”[67]

Soon after the raid, an Anthropic employee questioned a counterpart at Palantir about DoD’s use of Claude in the military operation.[68] The implication of the report of this exchange was that Anthropic objected to certain ways and purposes for which DoD used Claude. If the objections were based on belatedly recognizing that the AI procurement contract gave DoD the rights to use Claude in ways and on missions that did not contravene the contract, then it would be a replay of sorts of Google’s expression of reservations during performance of the Project Maven contract.

But if the objections were based on apparent violations by DoD of user restrictions set forth in the AI system procurement contract, then it raises issues about whether restrictions agreed to with the federal government will, indeed, be honored by the government. That would be disconcerting for Silicon Valley developers of AI systems as it would put at risk the very IP rights they were trusting the government customer to respect: violating terms of use could be perceived as a willingness to ignore terms and conditions when they prove inconvenient. And doing so within the first few months of a procurement contract could be perceived by AI developers as a “past performance” record about the federal government and make them even more cautious and hesitant than before to bid on federal government, and particularly DoD-awarded, AI system procurement contracts.

One of the indicia of a party’s performance of a contract is what remedies it invokes when it disagrees with the other party’s interpretation of the terms and conditions. DoD has a full panoply of remedies it can invoke when a contractor fails to fulfill its contractual obligations (e.g., termination for default and the past performance record that creates)—or even when the contractor is fulfilling its obligations and the government finds it no longer in its interests to continue the contract (e.g., the government can terminate the contract for convenience and pay a settlement amount; if it follows the regulatory procedures, the government will not be in breach for taking such action). The government can also seek to negotiate an amendment to the contract, removing a scope of the work that the contractor was supposed to perform or removing a restriction that the government no longer finds suitable for its pursuit of U.S. national security objectives. DoD has not publicly declared an intention to invoke any such remedies.

Moreover, during the amicable but apparently tense conversations, Anthropic’s CEO Amodei told DoD:

[I]f Anthropic and DoW failed to come to an agreement [on the guardrails against use of Claude for domestic surveillance of Americans and lethal autonomous warfare], Anthropic stood ready to assist in an orderly offboarding from DoW’s systems.[69]

It would appear that the parties were disagreeing about whether DoD is contractually obligated to honor and abide by a version of Anthropic’s “Usage Policy.” There is a public version of the Usage Policy, posted by Anthropic on its website.[70] Its effective date, September 15, 2025, appears to be later than the DoD/Anthropic contract and may, in any event, contain different terms, since the Usage Policy for public consumers might differ significantly from one crafted for, and negotiated with, DoD. But the public version of Anthropic’s Usage Policy contains what seems to be the crux of the disagreement: restrictions on military-operation and surveillance uses of Anthropic’s products. The restrictions appear under a heading that gives its application expansive scope: “Universal Usage Standards.”

The relevant restriction, expressed as a prohibition, reads thus:

Do Not Develop or Design Weapons

This includes using our products or services to:

  • Produce, modify, design, or illegally acquire weapons, explosives, dangerous materials or other systems designed to cause harm to or loss of human life
  • Design or develop weaponization and delivery processes for the deployment of weapons[71]

In January and February 2026, the disagreement between DoD and Anthropic intensified as a result of the following developments:

  • On January 9, 2026, U.S. Secretary of Defense (“SECDEF”) Pete Hegseth issued a Memorandum for Senior Pentagon Leadership, Commanders of the Combatant Commands, and Defense Agency and DOW Field Activity Directors on “Artificial Intelligence Strategy for the Department of War” (“SECDEF Memo”).[72] The SECDEF Memo stated, in pertinent part:

    • “I direct the Department of War to accelerate America’s Military AI Dominance by becoming an ‘AI-first’ warfighting force across all components, from front to back.”[73]
    • “[W]e will leverage the hundreds of billions in private sector capital investment being made in America’s AI sector through our growing array of creative partnerships with America’s world-leading companies.”[74]
    • “Consistent with the refocusing of the Department onto a wartime footing, I expect the following approaches to become internalized as essential elements of our execution in this race to maintain Military AI Dominance:

      AI Model Parity. . . . I direct [the Chief Digital and AI Office] to establish a delivery and integration cadence with AI vendors that enables the latest models to be deployed within 30 days of public release. This shall be a primary procurement criterion for future model acquisition.

      Wartime Approach to Blockers. We must eliminate blockers to data sharing . . . and other policies that inhibit rapid experimentation and fielding. We must approach risk tradeoffs, . . . and other subjective questions as if we were at war.

      . . .

      AI-Native Warfighting. . . . We must put aside legacy approaches to combat and ensure we use this disruptive technology to compound the lethality of our military. Exercises and experiments that do not meaningfully incorporate AI and autonomous capabilities will be reviewed by the Director of Cost Assessment and Program Evaluation for resourcing adjustment.

      . . .

      Clarifying ‘Responsible AI’ at the DoW—Out with Utopian Idealism, In with Hard-Nosed Realism. Diversity, Equity, and Inclusion and social ideology have no place in the DoW, so we must not employ AI models which incorporate ideological “tuning” that interferes with their ability to provide objectively truthful responses to user prompts. The Department must also utilize models free from usage policy constraints that may limit lawful military applications. . . . [A]nd I direct the Under Secretary of War for Acquisition and Sustainment to incorporate standard ‘any lawful use’ language into any DoW contract through which AI services are procured within 180 days.”[75]

  • In January 2026, SECDEF Hegseth stated at an event that DoD would not “employ AI models that won’t allow you to fight wars.”[76] Administration officials explained he was referring to “discussions administration officials have had with Anthropic . . . .”[77]
  • An Anthropic spokesman released a statement stating that Claude was “used ‘extensively’ for U.S. national security missions and that it is ‘in productive discussions with the Department of War about ways to continue that work.’”[78]
  • In mid-February, DoD confirmed it was “reviewing its relationship with Anthropic amid a long-brewing dispute over the AI firm’s usage policy, which bars the use of Claude to conduct mass surveillance or weapons development.”[79]

Meeting Between DoD and Anthropic (February 2026)

On February 24, 2026, in a meeting between Anthropic’s CEO Dario Amodei and SECDEF Hegseth:

  • Anthropic’s CEO Amodei reportedly refused “to allow its products to be used for mass domestic surveillance of U.S. citizens or in physical attacks where AI makes targeting decisions without human input—two red lines that Amodei reiterated to Hegseth [in the meeting] . . . .”[80]
  • SECDEF Hegseth, however, “warned the company to set aside concerns over how its technology may be used by the Defense Department”[81] and stated that while “Claude had ‘exquisite capabilities’ . . . DoW had many other vendors to choose from that have never raised’ the concerns Anthropic was raising and who ‘would never hold any veto power over DoW.’”[82]
  • During the meeting SECDEF Hegseth “did not say anything about Anthropic’s AI models being unsafe, insecure, or subject to compromise,”[83] something the DoD would later claim without substantiation.
  • At the meeting’s conclusion, SECDEF Hegseth told Anthropic’s representatives:

    if Anthropic did not agree to “all lawful uses”[84] of its products by 5:00 p.m. on February 27, 2026, DoW would immediately designate Anthropic a supply-chain risk and would prevent Anthropic from partnering with DoW, anyone affiliated with DoW, or any other agency.[85]

  • SECDEF Hegseth also stated:

    DoW might invoke the Defense Production Act [of 1950] to designate Anthropic as essential to national security and thus compel Anthropic to provide its services without the restrictions.[86]

The SECDEF’s warning warrants several observations:

  • DoD was not invoking any of its customary remedies to resolve a disagreement or dispute over a procurement contract with a defense contractor.
  • DoD was not alleging that Anthropic had breached the procurement contract that it was awarded on July 14, 2025, nor was there any suggestion of a contract clause or obligation that Anthropic had threatened, by communication or action, that it would not fulfill.
  • DoD’s threat to designate Anthropic a “supply chain risk” was grounded on a federal statutory authority in 10 U.S.C. § 3252 that DoD had never invoked or applied against any U.S. defense contractor—and needs some explanation.
  • DoD’s threat to use the Defense Production Act of 1950 (“DPA”) against Anthropic also needs some explanation, especially as it paradoxically contradicted the threat to designate Anthropic a “supply chain risk.”

    If one claims a company is a “supply chain risk,” it is contradictory in the same breath to claim that under the DPA the company must perform its government contract; each claim undercuts the other.

Authority to Designate a Company a “Supply Chain Risk”

By its terms, the federal statute 10 U.S.C. § 3252 is expressly focused on U.S. adversaries, not on traditional or nontraditional defense contractors or any AI system developer. The clause defines the risk at issue as follows:

“[S]upply chain risk” means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.[87]

To invoke the authority, a “covered system” must be at such risk, and the statute defines covered system to mean “a national security system, as that term is defined in section 3552(b)(6) of title 44.”[88]

The cross-reference to 44 U.S.C. § 3552(b)(6) provides a detailed definition of a “national security system” (and, thus, a “covered system”):

The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—(i) the function, operation, or use of which—(I) involves intelligence activities; (II) involves cryptologic activities related to national security; (III) involves command and control of military forces; (IV) involves equipment that is an integral part of a weapon or weapons system; or (V) subject to subparagraph (B), is critical to the direct fulfillment of military or intelligence missions; or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.[89]

Without delving further into the intricate and complex definitions of the “supply chain risk” statute, the statute authorizes the SECDEF to take “covered procurement action,” namely, to identify a contractor as a “supply chain risk” and to determine which of the following consequences to impose on such contractor:

  • Excluding the contractor from bidding on or being awarded any DoD contract
  • Withholding consent for a contractor to subcontract with the “supply chain risk” contractor and directing DoD contractors to exclude such contractor from consideration for a subcontract[90]

The net effect of SECDEF Hegseth’s threat to Anthropic would be to preclude it from award of contracts by DoD and, far broader, to preclude it from any subcontract by any DoD prime contractor or any of their subcontractors at any tier.

To invoke “supply chain risk” authority, SECDEF Hegseth was required by statute to meet certain conditions, including:

  1. consulting with procurement or other relevant officials of DoD;
  2. making a determination in writing that
    1. use of the authority is necessary to protect national security by reducing supply chain risk, and
    2. less intrusive measures are not reasonably available to reduce such supply chain risk.[91]

Prior to the DoD/Anthropic controversy, DoD had used the “supply chain risk” designation authority solely against “foreign companies located in countries such as China and Russia. Groups that have previously been deemed a supply-chain risk include China’s Huawei and ZTE Corporation and Russia’s Kaspersky Lab.”[92]

Anthropic might find it difficult to challenge and cause DoD to rescind the designation for several reasons. First, there do not appear to be any cases in which a contractor challenged the designation in court, and thus there is no judicial interpretation of the meaning of “less intrusive measures are not reasonably available to reduce such supply chain risk.”

Second, the statute gives the SECDEF the authority to limit disclosure of information by requiring that the SECDEF only explain the basis of the designation to the extent “necessary to effectuate” the designation and its consequences (an explanation that would need to be given to DoD prime contractors and subcontractors that may be subject to the designated “supply chain risk”).[93]

And third, the SECDEF’s designation of a “supply chain risk” contractor is not “subject to review in a bid protest before the Government Accountability Office or in any Federal court.”[94]

However, Anthropic retained the right to pursue a remedy in a U.S. District Court, which Anthropic ultimately found necessary.

Authority Under the DPA

The DPA confers on the president of the United States the authority to take a variety of actions to compel a contractor to perform work needed for the national defense. The DPA gives the president the authority to, among other things:

  • require that a contractor’s performance of contracts “take priority over performance under any other contract or order” to promote the national defense[95] and
  • require “acceptance and performance of such contracts . . . by any person he finds to be capable of their performance.”[96]

Thus, if delegated that authority by the president, the SECDEF could require Anthropic to perform the AI system contract (even if DoD is breaching it by violating a contract that included Anthropic’s Usage Policy for Claude) and to ensure that Anthropic’s performance of such contract “take priority” over its performance of any other contract.

V. Pre-Litigation “Endgame” Between DoD and Anthropic

DoD had threatened to designate Anthropic a “supply chain risk” and thus to preclude it from award of any DoD contract and from being awarded any subcontract by any DoD contractor. That would effectively freeze Anthropic out of any business related to DoD contracts at any tier.

DoD also threatened to invoke DPA authority to require Anthropic to perform the AI systems contract awarded in July 2025 and to ensure its performance took priority over performance of any other Anthropic contract with any other customer.

Initial reactions suggested some bewilderment by commentators and observers:

Dean Ball, a former AI adviser in the Trump administration, said the Pentagon is contradicting itself by forcing Anthropic to cooperate with the government even as it moves to label the company a security risk.

“You’re telling everyone else who supplies to the DOD you cannot use Anthropic’s models, while also saying that the DOD must use Anthropic’s models.” . . . He called it “incoherent” to even float the two policy ideas together, and “a whole different level of insane to move up and say we’re going to do both of those things.”[97]

Katie Sweeten, a tech lawyer who formerly served as the Department of Justice’s point of contact with DoD, characterized DoD’s threats as “contradictory,” adding:

“I don’t know how you can both use the DPA to take over this product and also at the same time say this product is a massive national security risk.” . . . She warned that Hegseth’s “very aggressive” negotiating posture could have a chilling effect on partnerships between the Pentagon and Silicon Valley.[98]

On February 26, 2026, two days after the meeting in which SECDEF Hegseth threatened to designate Anthropic a “supply chain risk” and to compel it, under the DPA, to perform without its AI usage restrictions, Anthropic’s CEO Amodei issued a public statement on behalf of Anthropic, stating in relevant part:

Anthropic understands that the Department of War, not private companies, makes military decisions. We have never raised objections to particular military operations nor attempted to limit use of our technology in an ad hoc manner.

However, in a narrow set of cases, we believe AI can undermine, rather than defend, democratic values. Some uses are also simply outside the bounds of what today’s technology can safely and reliably do. Two such use cases have never been included in our contracts with the Department of War, and we believe they should not be included now:

  • Mass domestic surveillance. We support the use of AI for lawful foreign intelligence and counterintelligence missions. But using these systems for mass domestic surveillance is incompatible with democratic values. AI-driven mass surveillance presents serious, novel risks to our fundamental liberties. To the extent that such surveillance is currently legal, this is only because the law has not yet caught up with the rapidly growing capabilities of AI. . . .
  • Fully autonomous weapons. Partially autonomous weapons, like those used today in Ukraine, are vital to the defense of democracy. Even fully autonomous weapons (those that take humans out of the loop entirely and automate selecting and engaging targets) may prove critical for our national defense. But today, frontier AI systems are simply not reliable enough to power fully autonomous weapons. We will not knowingly provide a product that puts America’s warfighters and civilians at risk. We have offered to work directly with the Department of War on R&D to improve the reliability of these systems, but they have not accepted this offer. In addition, without proper oversight, fully autonomous weapons cannot be relied upon to exercise the critical judgment that our highly trained, professional troops exhibit every day. They need to be deployed with proper guardrails, which don’t exist today.

To our knowledge, these two exceptions have not been a barrier to accelerating the adoption and use of our models within our armed forces to date.

. . .

Regardless, these threats [by DoD to designate Anthropic a “supply chain risk” and, under the DPA, to compel it to perform with Claude’s safeguards removed] do not change our position: we cannot in good conscience accede to their request.

. . .

[W]e hope they reconsider. . . . Should the Department choose to offboard Anthropic, we will work to enable a smooth transition to another provider, avoiding any disruption to ongoing military planning, operations, or other critical missions. Our models will be available on the expansive terms we have proposed for as long as required.[99]

In short, Anthropic would not waive or agree to an amendment to remove from the DoD/Anthropic military AI acquisition contract the domestic surveillance and autonomous warfare restrictions on the use of Claude.

There is no reported evidence, in the media or court filings to date, that the DoD reconsidered its threats. Instead, an hour and a quarter before expiration of the DoD’s 5:00 p.m. deadline to Anthropic, President Trump, at 3:47 p.m. on February 27, 2026, issued a directive via Truth Social that “EVERY Federal Agency” in the U.S. government “IMMEDIATELY CEASE all use of Anthropic’s technology” (“Presidential Directive”). The president added:

There will be a Six Month phase out period for Agencies like the Department of War who are using Anthropic’s products, at various levels. Anthropic better get their act together, and be helpful during this phase out period, or I will use the Full Power of the Presidency to make them comply, with major civil and criminal consequences to follow.[100]

The Presidential Directive appears to be a de facto debarment, not only of award of any DoD prime contract, or a subcontract thereunder at any tier, but a debarment that extends to “EVERY Federal Agency.” That action is beyond the scope of designating Anthropic a “supply chain risk,” and in itself did not impose that designation on Anthropic.

Moreover, there is no suggestion in the president’s Truth Social post that Anthropic posed any supply chain risk of the kind the statute targets involving a U.S. “adversary,” i.e., “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”[101]

Nonetheless, at approximately 6:00 p.m. the same afternoon, SECDEF Hegseth announced his own directive on X (“Hegseth Directive”):

In conjunction with the President’s directive for the Federal Government to cease all use of Anthropic’s technology, I am directing the Department of War to designate Anthropic a Supply-Chain Risk to National Security.

Effective immediately, no contractor, supplier, or partner that does business with the United States military may conduct any commercial activity with Anthropic. Anthropic will continue to provide the Department of War its services for a period of no more than six months to allow for a seamless transition to a better and more patriotic service.

. . . This decision is final.[102]

The phrasing of the Hegseth Directive unfortunately risked creating misunderstandings, confusion, and misdirection. The Hegseth Directive, as phrased, exceeded the scope of the authority conferred by the “supply chain risk” statute, which limits the exclusion authority to DoD contracts, i.e.,

  • excluding the contractor from bidding on or being awarded any DoD contract; and/or
  • withholding consent for a contractor to subcontract with the “supply chain risk” contractor and directing DoD contractors to exclude such contractor from consideration for a subcontract.[103]

There is no authority within the statute (10 U.S.C. § 3252(d)(2)) for the SECDEF to prohibit every contractor, supplier, or partner that does business with the U.S. military from conducting “any commercial activity with Anthropic.” To the extent the phrasing of the “supply chain risk” designation purports to apply beyond prime contracts and subcontracts for the DoD, the Hegseth Directive would appear to have been ultra vires.

The immediate impact of the Presidential and Hegseth Directives precluded Anthropic from doing business with any agency of the federal government—and any companies doing business with federal agencies. As Judge Rita F. Lin of the U.S. District Court for the Northern District of California would later observe in her 3/26 Order:

Taken together, the Presidential Directive and the Hegseth Directive create an immediate, permanent, federal government-wide bar on using any Anthropic technology (except during a six-month transition period), and also prohibit private companies from doing business with both the military and Anthropic. Neither the President nor Secretary Hegseth cited any statutory authority for the Directives.[104]

On the same day as the Hegseth Directive was issued, the Financial Times reported that Anthropic “intended to challenge” the SECDEF’s decision in court, quoting the company as stating:

No amount of intimidation or punishment from the Department of War will change our position on mass domestic surveillance or fully autonomous weapons. We will challenge any supply chain risk designation in court. . . . [Hegseth lacks] the statutory authority to back up this statement. Legally, a supply chain risk designation . . . can only extend to the use of Claude as part of Department of War contracts—it cannot affect how contractors use Claude to serve other customers.[105]

On March 4, 2026, before Anthropic took any legal action, it received two letters “on DoW letterhead, signed by Secretary Hegseth and dated one day prior [March 3, 2026],”[106] each a DoD notice to Anthropic: one cited 41 U.S.C. § 4713 (the Federal Acquisition Supply Chain Security Act of 2018 (“FASCSA”)) (“FASCSA Letter”); and the other cited 10 U.S.C. § 3252 (“Section 3252”) (“Section 3252 Letter”).

The FASCSA Letter. The FASCSA Letter stated that DoD had

determined that (i) the use of [Anthropic’s] products or services in [Department of War] covered procurements presents a supply chain risk and that the use of the Section 4713 authority to carry out covered procurement actions is necessary to protect national security by reducing supply chain risk, and (ii) less intrusive measures are not reasonably available to reduce such supply chain risk.[107]

The FASCSA Letter stated its determination was “effective immediately” and that the DoD would take “‘all [covered procurement] actions’ under 41 U.S.C. § 4713(k)(4),” including “withholding consent for and directing the exclusion of Anthropic’s current and future ‘covered products and services’ from government supply chains, including subcontracts.”[108]

The Section 3252 Letter. The Section 3252 Letter stated, rather similarly to the FASCSA Letter, that DoD:

has determined that (i) the use of the Covered Entity’s [i.e., Anthropic’s and its subsidiaries’ and affiliates’] products or services in DoW covered systems presents a supply chain risk and that the use of the Section 3252 authority to carry out covered procurement actions is necessary to protect national security by reducing supply chain risk, and (ii) less intrusive measures are not reasonably available to reduce such supply chain risk.[109]

The Section 3252 Letter explained that the “supply chain risk” designation was immediate and permanent, and applies to “Anthropic’s existing or future ‘covered item[s] of supply,’ or any product or service procured by DoW as part of a ‘covered system.’”[110]

Different Scopes of the FASCSA and Section 3252 Letters. The two letters, despite their similarities, have quite different scopes of application, as revealed in a comparison of their respective definitions of “supply chain risk.”

The FASCSA defines a “supply chain risk” to mean:

The risk that any person may sabotage, maliciously introduce unwanted function, extract data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, maintenance, disposition, or retirement of covered articles so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the covered articles or information stored or transmitted on the covered articles.

By contrast, Section 3252 defines a “supply chain risk” to mean:

the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.[111]

The FASCSA definition of “supply chain risk” differs significantly from the Section 3252 definition of “supply chain risk.” Salient differences include the following:

  • The FASCSA applies “supply chain risk” to actions by “any person,” whereas Section 3252 applies more narrowly to actions by “an adversary”;
  • the FASCSA includes among the threats that any person may “extract data” from the product or service—a threat not specifically mentioned in Section 3252;
  • the FASCSA concerns a broad category of any person’s efforts to “otherwise manipulate the design, integrity, manufacturing, production, . . .” of a covered system, whereas Section 3252 applies more narrowly to an adversary’s efforts to “subvert the design, integrity, manufacturing, production, . . .” of a covered system; and
  • the FASCSA focuses on any person ultimately being able to “manipulate the function, use, or operation of the covered articles or information stored or transmitted on the covered articles,” whereas Section 3252 applies more narrowly to an adversary being able to “degrade the function, use, or operation of such system.”[112]

Those differences in scope and application of the “supply chain risk” may be part of the reason why, when Anthropic took legal action to challenge them, it did so in separate federal courts: challenging the FASCSA Letter’s “supply chain risk” designation in the United States Court of Appeals for the District of Columbia Circuit; and challenging the Section 3252 “supply chain risk” designation in the U.S. District Court for the Northern District of California.

VI. Initiation of Anthropic/DoD Lawsuits

On March 9, 2026, Anthropic filed two federal lawsuits. One lawsuit was a petition in the U.S. Court of Appeals for the District of Columbia Circuit for judicial review of the DoD’s 41 U.S.C. § 4713 notice (i.e., the FASCSA Letter). Anthropic could seek its remedy in that court, instead of the U.S. District Court for the District of Columbia, because the FASCSA provides:

[n]ot later than 60 days after a party is notified of an exclusion or removal . . . , the party may file a petition for judicial review in the United States Court of Appeals for the District of Columbia Circuit claiming that the issuance of the exclusion or removal order or covered procurement action is unlawful.[113]

The other lawsuit, brought in the U.S. District Court for the Northern District of California, sought a temporary restraining order (and preliminary injunction) to halt the effects of the Section 3252 Letter’s actions.

Anthropic’s Suit in the U.S. Court of Appeals for the District of Columbia

On April 8, 2026, Anthropic’s action seeking a judicial review of the FASCSA Letter designation and an emergency motion for a stay pending review resulted in an order by the U.S. Court of Appeals for the District of Columbia Circuit (“D.C. Circuit”), denying the motion for a stay pending a review on the merits.[114] In its four-page Per Curiam Order, the D.C. Circuit noted that the financial losses Anthropic would experience, absent any mechanism to recover them, “qualify as irreparable,”[115] but found (without reaching the merits) that the “equitable balance here cuts in favor of the government” because:

On one side is a relatively contained risk of financial harm to a single private company. On the other side is judicial management of how, and through whom, the Department of War secures vital AI technology during an active military conflict. For that reason, we deny Anthropic’s motion for a stay pending review on the merits. Nonetheless, because Anthropic raises substantial challenges to the determination and will likely suffer some irreparable harm during the pendency of this litigation, we agree with Anthropic that substantial expedition is warranted.[116]

The D.C. Circuit set briefing dates in April and May, identified issues to be briefed, and scheduled oral argument for May 19, 2026.[117]

The D.C. Circuit’s Per Curiam Order is crafted with terms that understate and omit salient features and creates a kind of M.C. Escher–esque rendering that distorts the facts. Examples include:

  • To state in one sentence that Anthropic faces “a relatively contained risk of financial harm” and three sentences later state Anthropic “will likely suffer some irreparable harm” is inconsistent; but separating those inconsistent statements with two intervening sentences makes it hard for the reader’s mind to compare them and see that each undercuts the other. Irreparable harm exceeds quantification; it’s not a contained risk, though saying so in solemn simple prose may make it seem so.
  • To state that there is the problem of “judicial management of how, and through whom, the Department of War secures vital AI technology during an active military conflict” omits what government contract counsel (in and outside the government) know—and so do the judges on the D.C. Circuit:
    • The government had announced it would phase out the use of Anthropic’s Claude models over a six-month period, which the government could extend if it wished; meanwhile the government did not need to “secure vital AI technology during a military conflict”—it had and was reportedly continuing to use Anthropic’s Claude model for military operations in the Iran conflict.
    • If the government did not want or trust Anthropic’s Claude models, it would not be continuing to use them, but in any event, it could at any moment cease using them and/or terminate Anthropic’s contracts for convenience in the customary way. In short, contrary to the D.C. Circuit’s characterization, there was no need for “judicial management” of how and through whom the DoW would procure vital AI models; DoW had all the authority it required to terminate the contract with Anthropic and manage a reprocurement of vital AI models.
    • DoD had threatened to use the authority of the DPA to compel Anthropic to perform its contracts without usage restrictions. That further diminished the plausibility that “judicial management” was needed to help the DoD continue to prosecute a military conflict with the vital AI it needed for those operations. The Per Curiam Order omits that publicly documented fact.

Thus, the DoD’s reprocurement, if it wished, could proceed without any “judicial management.” The depiction of the DoD facing a procurement plight was a verbal illusion, but a useful one when combined with the suggestion that it outweighed the other illusion—that of a “contained risk” that the D.C. Circuit acknowledged to be “irreparable harm.” It will be interesting to see what happens as this case proceeds to a review on the merits.

Meanwhile, Anthropic’s action in the District Court of the Northern District of California challenging DoD’s Section 3252 “supply chain risk” designation has resulted in the District Court’s issuance of the 3/26 Order, a preliminary injunction that enjoins the Section 3252 Letter’s action.

For that reason, the balance of this article focuses on Anthropic’s suit in the District Court challenging the Section 3252 Letter and the Presidential and Hegseth Directives (collectively the “Challenged Actions”), and on the District Court’s reasoning for issuing the 3/26 Order.

Anthropic’s Suit in the U.S. District Court for the Northern District of California

On March 9, 2026, Anthropic filed a complaint for declaratory and injunctive relief (“Complaint”) in the U.S. District Court for the Northern District of California (the “District Court”).[118] The Complaint alleged that the Challenged Actions were harming Anthropic “irreparably,” and identified those harms as including:

In Secretary Hegseth’s own words, Anthropic’s status in the eyes of the federal government has been “permanently altered.” Official designation as a “Supply-Chain Risk to National Security” carries profound weight, particularly under a President who has threatened both “criminal consequences” and “the Full Power of the Presidency” to enforce compliance. Anthropic’s contracts with the federal government are already being canceled. Current and future contracts with private parties are also in doubt, jeopardizing hundreds of millions of dollars in the near-term. . . . Absent judicial relief, those harms will only compound in the weeks and months ahead.[119]

The Complaint alleged that the Challenged Actions were unlawful on five grounds:

  • The Section 3252 designation failed to observe the statutory procedures that govern it;
  • the Challenged Actions constituted retaliation against Anthropic for its public comments that the government disfavored and such retaliation violated Anthropic’s speech and other protected activities under the First Amendment;
  • the Presidential Directive that required all federal agencies to cease use immediately of Anthropic’s technology was “outside any authority that Congress has granted the Executive”;
  • the Challenged Actions arbitrarily deprived Anthropic of property interests in its business relationships without “any process, much less due process,” in violation of the Fifth Amendment’s Due Process Clause; and
  • the Challenged Actions violated the Administrative Procedure Act’s prohibition against imposing any sanction, penalty, revocation, suspension, or other compulsory or restrictive action against a person “except within jurisdiction delegated to the agency and as authorized by law.”[120]

After briefing and oral argument, the District Court issued the 3/26 Order, in which it made the following determinations:

  • DoD “may permissibly stop using Claude and look for a new AI vendor who will allow ‘all lawful uses’ of its technology,” but “[t]hat is not what this case is about.”[121]
  • The lawsuit is about whether the government’s three significant measures (the aforementioned Challenged Actions) in response to Anthropic’s public expressions of disagreement with the DoD’s demands to waive Claude’s usage restrictions were unlawful.[122]
  • The District Court characterized the Challenged Actions by reference to their disproportionate impact—and described them in terms that would in all likelihood raise concerns among Nontraditional Defense Contractors as to whether they would want to be in a contract with DoD, since it might respond similarly to a disagreement with them about the contract’s existing terms and conditions:
    • The Presidential Directive “that every federal agency (not just the Department of War) would immediately ban Anthropic from ever having another government contract”—would include “the National Endowment for the Arts using Claude to design its website.”[123]
    • The Hegseth Directive that “anyone who wants to do business with the U.S. military must sever any commercial relationship with Anthropic” would mean that an enterprise “that used Claude to power its customer service chatbot could not serve as a defense contractor.”[124]
    • The DoD designation of Anthropic as a “supply chain risk” was a label that applied to “adversaries of the U.S. government who may sabotage its technology systems”—a designation that had “never been applied to a domestic company and is directed principally at foreign intelligence agencies, terrorists, and other hostile actors.”[125]

The District Court determined that the Challenged Actions did not appear directed at the “government’s stated national security interests.”[126] Had that been the government’s real aim—the integrity of its operational chain of command—the DoD “could just stop using Claude.”[127] Instead, the District Court found:

  • DoD designated Anthropic a “supply chain risk” because of its “hostile manner through the press” and because DoD sought to punish Anthropic “for bringing public scrutiny to the government’s contracting position” and thus constituted “illegal First Amendment retaliation.”[128]
  • DoD’s “supply chain risk” designation was “likely both contrary to law and arbitrary and capricious,” chiefly because DoD provided “no legitimate basis to infer from Anthropic’s forthright insistence on usage restrictions that it might become a saboteur.”[129]
  • “Nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government.”[130]
  • And, “these broad punitive measures were likely unlawful” and Anthropic was “suffering irreparable harm from them.”[131]

In the course of its reasoning, the District Court highlighted the several ways in which the Challenged Actions exceeded the lawful limits of authority Section 3252 granted to the SECDEF, including the following:

  • Section 3252 did not authorize the SECDEF to exclude a company from providing services to government agencies other than DoD.[132]
  • Section 3252 did not authorize the SECDEF to require all DoD contractors to cease working with the “supply chain risk” company, only those whose work involves “covered systems.”[133]
  • Section 3252 required the SECDEF to consider whether less intrusive measures were reasonably available to reduce the supply chain risk, and the evidence presented by DoD to the District Court contained no explanation of any “less intrusive measures” the SECDEF had in fact considered.[134]

At oral argument, the District Court questioned the government’s counsel about the legal authority for the Hegseth Directive’s expansive reach: “Effective immediately, no contractor, supplier, or partner that does business with the United States military may conduct any commercial activity with Anthropic . . . This decision is final.”[135]

Government counsel conceded he was not aware of any statute that gave the SECDEF authority to issue that prohibition—and further conceded the SECDEF’s statement had “absolutely no legal effect at all.”[136] Government counsel also disclosed that the SECDEF’s statement did not reflect DoD’s “immediate intended course of action” and that DoD “does not intend to terminate any contractors on the basis that they have a commercial relationship with Anthropic that [i]s separate from their work” for DoD.[137] On this point, however, oral argument did not yield the clarity the District Court appeared to be seeking, as shown in the colloquy the District Court excerpted in the 3/26 Order:

When asked why Hegseth made a public statement that had no legal effect and that did not reflect the immediate intent of DoW, counsel stated, “I don’t know.” . . . Even so, [the government] Defendants declined to stipulate to enjoin this prohibition because DoW “is continuing to assess the situation” and “will take action as needed . . . to mitigate the risk from Anthropic.”[138]

That was one of several positions the government took during this stage of the litigation that not only keep Anthropic in a kind of “designation limbo,” but also extend that uncertainty to all DoD contractors that have, or may be negotiating to enter into, “any commercial activity” contract with Anthropic.

The number of DoD contractors with whom Anthropic has, or is in negotiations to have, commercial activity and the dollar value Anthropic might lose if the Presidential and Hegseth Directives remain in effect are not trivial—and according to Anthropic, some were lost immediately, starting the date of the Presidential and Hegseth Directives, with many more lost soon thereafter.

Some metrics may help illuminate the cascading loss of existing and prospective Anthropic contracts.

First, to cover the scope of the Challenged Actions that could impact its business, Anthropic found it necessary to name a cohort of federal agencies and officials as defendants in the Complaint, including:

  • The U.S. Departments of Defense, Treasury, State, Health and Human Services, Commerce, Veterans Affairs, Energy, and Homeland Security
  • The U.S. Nuclear Regulatory Commission and Social Security Administration
  • The Securities and Exchange Commission, Federal Reserve Board of Governors, National Endowment for the Arts, General Services Administration, and National Aeronautics and Space Administration (“NASA”)
  • The secretary, director, chairman, or administrator of those respective agencies

Second, Anthropic introduced evidence (not controverted by the government Defendants) that national security stakeholders in the military and intelligence community with whom Anthropic had developed relationships over several years of efforts to demonstrate its models could effectively serve their needs would need to consider severing their relationships with Anthropic. Anthropic detailed examples:

  • “[A] defense technology provider has indicated it intends to move all U.S. government work to other generative AI model providers as soon as possible.”[139]
  • “On the same day [the President and SECDEF] issued their directives, the General Services Administration (‘GSA’) announced that it was removing Anthropic from USAi.gov, the centralized platform for federal agencies to access and adopt AI tools. That decision cuts off Anthropic’s government procurement opportunities with numerous federal entities, including the U.S. Departments of Veterans Affairs, Health and Human Services (‘HHS’), State, Labor, Interior, as well as the federal judiciary.”[140]
  • “A few days later, on March 2, 2026, Secretary of Treasury Scott Bessent announced on X.com that the Department of Treasury would terminate all use of Anthropic’s AI models in compliance with President Trump’s directive.”[141]
  • “The Department of State and HHS subsequently issued internal statements announcing the same. The Lawrence Livermore National Laboratory, a nuclear weapons research and development center funded by the Department of Energy, likewise informed Anthropic that it was shutting down Claude . . . .”[142]
  • “Government contractors for other components of the federal government have been directed to cut ties with Anthropic and to stop using Claude. One partner, which has a multi-million-dollar annual contract, immediately switched from Claude to a competing generative AI model for a deployment by their end customer, the U.S. Food and Drug Administration. That switch instantly eliminated an anticipated revenue pipeline worth more than one hundred million dollars.”[143]

The District Court made the following determinations:

  • Anthropic had shown a likelihood of success on its First Amendment retaliation claim, because:
    • The government Defendants’ conduct appeared driven “not by a desire to maintain operational control when using AI in the military but by a desire to make an example of Anthropic for its public stance on the weighty issues at stake in the contracting dispute.”[144]
    • An internal DoD memo repeatedly referred to Anthropic’s public airing of its dispute with the DoD as the “reason that it is no longer trustworthy.”[145]
    • “If this were merely a contracting impasse, DoW would presumably have just stopped using Claude . . . [but the] Challenged Actions . . . far exceed the scope of what could reasonably address such a national security interest. The Presidential Directive ordered a permanent federal government-wide bar, and the Hegseth Directive blacklisted Anthropic. Nothing in the record supports a determination that the contracting impasse alone would have triggered such an extreme response.”[146]
  • Anthropic had shown a likelihood of success on its procedural Due Process claim under the Fifth Amendment, because:
    • Anthropic had a Fifth Amendment protected liberty interest that includes the right to “follow a chosen profession free from unreasonable governmental interference.”[147]
    • The debarment of Anthropic from government contract bidding constituted a deprivation of liberty that triggered Anthropic’s right to procedural guarantees of the Fifth Amendment’s Due Process Clause.[148]
    • Each of the Challenged Actions deprived Anthropic of protected liberty interests in that they threatened “to cripple Anthropic by not only stripping it of billions of dollars in federal contracts and subcontracts but also by labeling it as an adversary to the United States and ending its ability to have any commercial relationship with any company that might want to do business with DoW.”[149]
    • Given the sweeping aspects of the Challenged Actions, and a record that contained no evidence of any risk, much less an urgent one, that could have motivated those Actions, the government Defendants should have provided Anthropic pre-deprivation notice and process—which they failed to do.[150]
  • Anthropic had shown a likelihood of success on its APA claim, because of the following:
    • Under the APA, an agency’s action must be held unlawful and set aside if it is shown to be arbitrary, capricious, or an abuse of discretion.[151]
    • Congress intended Section 3252 to address the risk of an “adversary” sabotaging national security systems.[152]
    • Section 3252 does not authorize the DoD “to designate a domestic vendor a supply chain risk simply because a vendor publicly criticized DoW’s views about the safe uses of its system.”[153]
    • Anthropic’s conduct did not appear to be within Section 3252’s definition of “supply chain risk” and the government Defendants appear to take “the position that any vendor who ‘push[es] back’ on or ‘question[s]’” the DoD becomes its “adversary.”[154]
    • DoD failed to follow the process required by Section 3252 because, among other things, “it failed to make any reasoned determination about whether less intrusive measures were available.”[155]
    • There was no evidence that the determinations that Section 3252 requires the SECDEF to make before designating a company or entity a “supply chain risk” were made prior to the issuance of the Hegseth Directive; on the contrary, the government Defendants’ Section 3252 determinations “all occurred after the Hegseth Directive was issued.”[156]
    • The evidential record shows the reasons given by the government Defendants for designating Anthropic a supply chain risk were “pretextual and that Defendants’ real motive was unlawful retaliation.”[157]
    • The Hegseth Directive was therefore “likely in excess of statutory authority and contrary to law.”[158]

Based on its reasoning in the 3/26 Order, the District Court issued a Preliminary Injunction Order (“Preliminary Injunction”) on the same date, March 26, 2026, immediately restraining and enjoining “pending final resolution of this action or further order of this Court,” the government Defendants from:

  • implementing, applying, or enforcing the Presidential and Hegseth Directives;
  • issuing or maintaining “any guidance, directive, communication, or instruction to any officer, employee, contractor, or agent, in furtherance of or implementing” the Presidential and Hegseth Directives; and
  • taking any other action to implement, effectuate, or further the purposes of the Presidential and Hegseth Directives.[159]

The District Court added the following clarification purporting to demarcate what the Order did and did not do:

This Order restores the status quo. It does not bar any Defendant from taking any lawful action that would have been available to it on February 27, 2026, prior to the issuances of the Presidential Directive and the Hegseth Directive and entry of the Supply Chain Designation. For example, this Order does not require the Department of War to use Anthropic’s products or services and does not prevent the Department of War from transitioning to other artificial intelligence providers, so long as those actions are consistent with applicable regulations, statutes, and constitutional provisions.

This Order is stayed for seven days from its issuance.[160]

In an uncommon addition, the Order further required the government Defendants to file a status report (“Status Report”) in a very short time—by no later than April 6, 2026—“describing the steps taken to ensure compliance with this Order and certifying compliance with its requirements.”[161]

The District Court stayed its Order to give the government time to file an appeal. The government Defendants timely filed an appeal with the U.S. Court of Appeals for the Ninth Circuit (“Ninth Circuit”). The Ninth Circuit set April 30, 2026, as the due date for the government appellants to file their opening brief(s).[162]

On April 6, 2026, government counsel timely filed with the District Court the Status Report explaining efforts made by government officials to ensure compliance with the Preliminary Injunction (which went into effect on April 3, 2026) and describing other steps taken:

  • Rescinding or directing the rescission of prior guidance implementing the Presidential Directive, including prior notices to pause or cease work that involves the use of Anthropic’s products and services and prior notices to remove Anthropic from USAi . . . ;[163]
  • Restoring both internal and external access to Anthropic products and services where access had been disabled;
  • Authorizing relevant personnel to resume use of Anthropic’s products and services; . . .
  • Rescinding a request to a contractor to remove Anthropic products from a contract and requesting the contractor submit an offer to add Anthropic products and services back to the contract under the same terms and conditions effective on February 26, 2026.[164]

However, the Status Report also disclosed that DoD had issued a memorandum providing guidance on two “distinct directives or determinations unaffected by the Preliminary Injunction,”[165] namely the SECDEF’s January 2026 policy AI memorandum[166] and the FASCSA (Title 41) supply chain risk designation that Anthropic had challenged in the D.C. Circuit Court. Regarding the latter, DoD appeared intent on reinforcing the “supply chain risk” designation and its consequences, utilizing the FASCSA authority since the D.C. Circuit Court had not yet ruled on it. As the Status Report inconsistently disclosed:

The DoW memorandum advised that the Department will continue to transition from Anthropic to other AI providers . . . . The memorandum also specifically instructed that DoW may not refuse to award prime or subcontracts to Anthropic or direct vendors not to use Anthropic technology, whether for DoW or commercial work, or take any other action on the basis or in furtherance of the covered action.[167]

Where Things Stand as of April 13, 2026

Despite the Preliminary Injunction taking effect on April 3, 2026, and the representations contained in the April 6, 2026, Status Report, Nontraditional Defense Contractors and their counsel will be challenged to sort through the current legal significance of the FASCSA and Section 3252 designation of Anthropic as a “supply chain risk.”

The District Court stated in its Preliminary Injunction Order, “This Order restores the status quo.” The reality is quite different. The Preliminary Injunction does not cause all the government contractors that severed relationships with Anthropic to restore those relationships, or undo rescission or termination of contracts with Anthropic that existed prior to the Challenged Actions, or reverse the impact of guidance that counsel to traditional and Nontraditional Defense Contractors may have given their clients—either as a preemptive attempt to protect their clients from violating the Challenged Actions or in response to client requests for guidance. Much of the damage done cannot be undone by a court stating its Order “restores the status quo.”

Further undermining the Court’s declaration of restoration of the status quo, the Status Report highlights that beyond the jurisdictional reach of the Preliminary Injunction, DoD “will continue to transition from Anthropic to other AI providers.” It is curious, however, that the Status Report positioned that action as beyond the reach of the Preliminary Injunction on Section 3252 actions and within the ambit of the FASCSA designation: DoD does not need to brand, tarnish, and turn one of its trusted contractors into a target for abusive rhetoric in order to discontinue using that contractor’s products and services. As the District Court observed, “If this were merely a contracting impasse, DoW would presumably have just stopped using Claude.” DoD seems to intend to proceed with punitive actions beyond discontinued use of Anthropic’s Claude models, as evidenced by: (i) its continued litigation of the FASCSA designation of Anthropic as a “supply chain risk,” (ii) the representations in the Status Report that provide an incomplete picture of the damage done to Anthropic’s contractual relationships with other defense contractors, and (iii) the government Defendants’ appeal of the District Court’s Preliminary Injunction.

Rather than restoration of the status quo ante, where things now stand is that the defense contractor community faces considerable uncertainty about what the Ninth Circuit and the D.C. Circuit may do, and equally important, about what the DoD may decide to do if it seeks to turn an impasse with a defense contractor into a designation of the contractor as a “supply chain risk,” especially if next time the DoD exercises greater care to follow (or create the documented appearance of following) the procedural requirements of Section 3252 and FASCSA.

That picture of the status of the DoD/Anthropic controversy became further complicated by a significant development in early April 2026 that might give DoD reasons to reassess and reconsider whether it wants to cease using Anthropic’s AI models. On April 7, 2026, Anthropic announced a new general-purpose language model: Claude Mythos Preview (“Mythos”). As Anthropic explained in a blog post the same day, it found that Mythos performed “strongly across the board,” and its testing and assessment of the capabilities and safety of Mythos revealed

[i]t is strikingly capable at computer security tasks. . . .

[W]e’re limited in what we can report here. Over 99% of the vulnerabilities we’ve found have not yet been patched, so it would be irresponsible for us to disclose details about them (per our coordinated vulnerability disclosure process). Yet even the 1% of bugs we are able to discuss give a clear picture of a substantial leap in what we believe to be the next generation of models’ cybersecurity capabilities—one that warrants substantial coordinated defensive action across the industry. We conclude our post with advice for cyber defenders today, and a call for the industry to begin taking urgent action in response.[168]

Mythos reportedly has the capability to find and exploit vulnerabilities better than most humans can, and do so at a greater scale, and thus greater speed. The risk: Mythos can find and exploit zero-day vulnerabilities[169] in an enterprise’s (and possibly also a military system’s) digital systems. That represents a paradigm shift in cybersecurity, one that Anthropic apparently decided it could not stand back and watch by simply releasing Mythos generally to enterprises. Anthropic also does not appear to have offered use of Mythos to the DoD, not surprising in light of DoD having designated Anthropic a “supply chain risk.” And Anthropic does not appear to have acted as a “supply chain risk” actor by ignoring how a general release of Mythos would have run the risk that foreign adversaries might have used Mythos in attempts to compromise, degrade, and otherwise sabotage DoD digital military systems.

To make clear the paradigm shift posed by Mythos, Anthropic also released on April 7, 2026, the System Card: Claude Mythos Preview (“System Card”) that describes what Anthropic discovered when it tested and assessed Mythos (for capabilities and safety) and Anthropic’s responses to what it discovered:

This System Card assesses the model’s capabilities and reports many detailed safety evaluations. . . .

Claude Mythos Preview’s large increase in capabilities has led us to decide not to make it generally available. Instead, we are using it as part of a defensive cybersecurity program with a limited set of partners.[170]

As Anthropic’s blog post summarized,

[d]uring our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect . . . .

The exploits it constructs are not just run-of-the-mill stack-smashing exploits . . . . In one case, Mythos Preview wrote a web browser exploit that chained together four vulnerabilities . . . . It autonomously obtained local privilege escalation exploits . . . . And it autonomously wrote a remote code execution exploit . . . . that granted full root access to unauthenticated users . . . .[171]

Anthropic further disclosed that in the weeks leading up to Anthropic’s announcement of Mythos, Anthropic had used the model

to identify thousands of zero-day vulnerabilities . . . many of them critical, in every major operating system and every major web browser, along with a range of other important pieces of software.[172]

One might be tempted to suspect that Anthropic trained Mythos to achieve such exceptional cyber capabilities (detecting zero-day vulnerabilities and writing code to exploit them). Anthropic’s blog post makes it clear that’s not how it happened:

We did not explicitly train Mythos Preview to have these capabilities. Rather, they emerged as a downstream consequence of general improvements in code, reasoning, and autonomy. The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them.[173]

That apparently brought Anthropic to an ethical crossroad: as Anthropic explained, Mythos could give attackers or defenders a significant advantage:

The advantage will belong to the side that can get the most out of these tools. In the short term, this could be attackers, if frontier labs aren’t careful about how they release these models. In the long term, we expect it will be defenders who will more efficiently direct resources and use these models to fix bugs before new code ever ships. But the transitional period may be tumultuous regardless.[174]

Anthropic doesn’t mention it—not in its blog post on Mythos nor in the Mythos System Card—but imagine if Anthropic had developed Mythos, not using its own funds, but in the course of performing a DoD-funded R&D contract. Would DoD’s change in acquisition strategy and its insistence on being able to use an AI model for “all lawful uses” have allowed Anthropic to view Mythos’s unexpectedly powerful capabilities as an ethical crossroad—and to decide not to make it generally available, and only available to a limited set of users with usage restrictions attached?

Apparently, over the same period in which Anthropic was challenging in court the DoD’s “supply chain risk” designation because of Anthropic’s refusal to waive contractual provisions on usage restrictions, Anthropic arrived at a stage in its assessment of Mythos where Anthropic needed to decide how to prevent the malicious use of Mythos. Anthropic decided to invite a group of companies to concentrate on using Mythos to discover and remediate zero-day vulnerabilities—so that adversaries could not exploit them.

As explained by Anthropic, the company involved the participating companies in a project titled Project Glasswing[175] (and subtitled Securing critical software for the AI era):

We formed Project Glasswing because of capabilities we’ve observed in a new frontier model trained by Anthropic that we believe could reshape cybersecurity. Claude Mythos Preview is a general-purpose, unreleased frontier model that reveals a stark fact: AI models have reached a level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.

Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout—for economies, public safety, and national security—could be severe. Project Glasswing is an urgent attempt to put these capabilities to work for defensive purposes.[176]

According to the announcement, more than forty companies will participate, including “Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.”[177]

Within a few days of Anthropic’s announcement of Mythos and its release of the System Card detailing its cybersecurity capabilities, U.S. Secretary of the Treasury Scott Bessent convened a meeting in Washington attended by chief executives of major banks (e.g., Bank of America, Citi, and Wells Fargo) and the Federal Reserve chair, Jerome H. Powell.[178] The Treasury secretary reportedly warned the bank executives that Mythos “could lead to heightened risks of cyberattacks” and that the model was particularly “good at identifying security vulnerabilities in software that human developers could not find.”[179]

A couple of days later, the United Kingdom financial regulators reportedly held “urgent discussions with the government’s main cyber security watchdog and the country’s biggest banks to assess the risks posed”[180] by Mythos. In addition, within a fortnight of those discussions, “[l]eading British banks, insurers and exchanges will be warned about the cyber security risks exposed by the model at a meeting with the regulators . . . .”[181]

Interestingly, notwithstanding the Presidential Directive and the Hegseth Directive and the ensuing lawsuits in federal courts, Anthropic’s April 7, 2026, blog post announcing plans for Project Glasswing disclosed:

Anthropic has also been in ongoing discussions with US government officials about Claude Mythos Preview and its offensive and defensive cyber capabilities. . . . [T]he emergence of these cyber capabilities is another reason why the US and its allies must maintain a decisive lead in AI technology. . . . We are ready to work with local, state, and federal representatives to assist in these tasks.[182]

Nontraditional Defense Contractors and their counsel might well be discussing what to make of these developments and what actions, if any, they need to consider taking if, on one hand, a government CO sends them a notice directing that they cease doing business with Anthropic, and on the other hand, they have an opportunity to participate in Project Glasswing and to use Anthropic’s Mythos to identify and fix zero-day vulnerabilities in their digital networks (and possibly in military systems they are developing for the DoD).

VII. Lessons Nontraditional Defense Contractors and Their Counsel Might Draw

Actions of the magnitude of those taken by the president (through debarment from all federal contracts) and by the SECDEF (through the “supply chain risk” designation that purports to prohibit any U.S. military contractor from conducting “any commercial activity” with Anthropic) will be noticed by Nontraditional Defense Contractors and their counsel. They may perceive the actions as creating new risks for any company considering whether to become a U.S. defense contractor. The risks are new because they do not derive from the contractual relationship.

Neither the president’s nor the SECDEF’s actions cited a breach of contract by Anthropic. Their actions did not explain why the company should be subjected to measures expressly created and limited to use against the country’s “adversaries”—which means foreign adversaries, not political ones. Regrettably, the president’s Truth Social post of the Presidential Directive opens with words that would stigmatize Anthropic, not for its usage policies or reasons for them, but for not capitulating to DoD demands to relinquish them, notwithstanding that the usage terms were apparently in the contract awarded to Anthropic:

THE UNITED STATES OF AMERICA WILL NEVER ALLOW A RADICAL LEFT, WOKE COMPANY TO DICTATE HOW OUR GREAT MILITARY FIGHTS AND WINS WARS! That decision belongs to YOUR COMMANDER-IN-CHIEF, and the tremendous leaders I appoint to run our Military.

The Leftwing nut jobs at Anthropic have made a DISASTROUS MISTAKE trying to STRONG-ARM the Department of War, and force them to obey their Terms of Service instead of our Constitution.[183]

The president’s and the SECDEF’s actions against Anthropic may also be perceived by Nontraditional Defense Contractors as creating a new context within which to read and interpret the Strategies Supplement, a document that throughout shows considerable thoughtfulness, care, and judgment.

The text of the Strategies Supplement shows that its authors made a diligent effort to create coherent, balanced strategies that will enable DoD and AI developers (traditional and nontraditional defense contractors) to negotiate for DoD to obtain the IP rights it really needs and to ensure the AI developers retain the IP rights they need for their commercial success and to be in a position to create the cutting-edge technologies that DoD needs to protect U.S. national security.

The Presidential and Hegseth Directives and the positions taken by the government Defendants in the Court adjudicating the Section 3252 designation create a context in which the Strategies Supplement may well appear skillful and truly well-intentioned, but is now irrevocably turned into a conflicted strategy. How will contractors read the Strategies Supplement differently and how will government contracting officers be guided by it differently, when there are demonstrable new risks that DoD may proceed with a conflicted strategy? The risks of a conflicted strategy include the following:

  • conflicted in the pre-contract negotiations by accepting a contractor’s commercial license terms and usage restrictions, only to demand less than three months later that the contractor waive those usage restrictions;
  • conflicted in the pre-contract negotiations by requiring henceforth a clause that permits DoD “all lawful uses” of a military AI system (and to achieve that by seeking to use IP rights to “re-train” the model to perform in ways that might exceed “lawful uses” (especially if “lawful” includes the laws of armed conflict)); and
  • conflicted in the post-contract award or performance period by threatening to resolve any dispute with a defense contractor by invoking Section 3252 or FASCSA to designate the contractor a “supply chain risk.”

The noted emphasis in the Strategies Supplement on “retraining the model” appears to have been an effort by its experienced and expert lawyer-authors at foresight, accurate foresight, which is really hard to do—and with that foresight to anticipate needs for correcting, improving, and possibly repurposing the AI system models contracted to support DoD activities and operations. It is doubtful the authors of the Strategies Supplement contemplated the DoD’s addition of “supply chain risk” designations to its IP-focused contract management toolkit, and having not foreseen that, they could not have refined the Strategies Supplement to resist wary and cautious reinterpretation by defense contractors as they observe DoD’s use of those designations. It would seem appropriate to ask (as many defense contractors and their counsel might): how does it serve DoD’s efforts to achieve superiority in military AI systems to deprive itself of AI models by Anthropic when for years it regarded them as among the best models available for DoD’s military and classified operational uses? It would also seem appropriate to ask: how does it serve DoD’s efforts to achieve missions in the current conflict with Iran to be phasing out use of Anthropic’s models that it is at present reportedly relying upon to conduct those warfare missions?[184]

The president’s and SECDEF’s actions, by adding new and severe risks to contracting with DoD, create a context within which the Strategies Supplement may well be read and interpreted differently by Nontraditional Defense Contractors and their counsel than when first released in August 2025 and differently than its authors intended to express by their careful crafting of its text. The Strategies Supplement reads as an effort to give both DoD and its prospective AI system contractors a map to negotiating IP rights, with the implicit caution that failing to use the map well, or proceeding without a map, will lead to misunderstandings, disagreements, and disputes—which serve neither DoD nor its AI system contractors. One wonders what Nontraditional Defense Contractors will now make of the Strategies Supplement—and whether they will view it as representative of the positions that will be taken and honored by DoD’s ultimate decision-makers. What seems certain is that the DoD/Anthropic controversy will generate discussion among the Nontraditional Defense Contractors who are AI developers, and those discussions will lead to the AI developers asking their counsel some challenging questions. We consider what some of those questions might be in the final section of this article.

VIII. Concluding Observations

The DoD/Anthropic controversy provides several troubling issues that would cause many counsel for Nontraditional Defense Contractors to pause and consider what their clients might ask them to address as a result. The following questions would be reasonable for a Nontraditional Defense Contractor to ask counsel, regardless of how the DoD/Anthropic controversy is ultimately resolved:

  1. In light of the SECDEF’s January 9, 2026, memorandum and its direction to include the all lawful purposes language in future DoD contracts for procurement of AI systems, can DoD be relied upon to honor an AI developer’s usage policies and restrictions that are incorporated into a procurement contract for an AI system?
  2. Although the “supply chain risk” authority is expressly aimed at U.S. “adversaries,” can DoD be relied upon not to invoke that authority whenever a serious misunderstanding or disagreement arises in a procurement contract for an AI system between DoD and one of its AI developers?
  3. If an AI developer wants to attract the best talent in order to compete successfully in the commercial market, is it best now to avoid bidding on DoD contracts and being put in a position of being ordered under DPA authority to perform a contract that would dissuade young, talented AI engineers from continuing to work at the company or applying to be employed by it?
  4. In light of the SECDEF’s direction in his January 9, 2026, memorandum that “[t]he Department must also utilize models free from usage policy constraints that may limit lawful military applications,” how much can a Nontraditional Defense Contractor or a traditional defense contractor rely on the guidance contained in the Strategies Supplement as an accurate reflection of DoD’s current and future policy on IP rights in contracts for procurement of an AI system?
  5. For the same reasons given in question #4, what seem to be DoD’s real aims in the emphasis so often in the Strategies Supplement on obtaining the rights to “retrain the model” of the AI developer?
  6. In light of the Strategies Supplement’s early focus and emphasis on “if the program will retrain models or transfer them across platforms,” is there a serious risk that DoD will try to reinterpret license terms later in an AI system contract to justify its transferring of an AI developer’s AI models to its competitors and thereby to deprive the AI developer of its IP rights in those models, in both the government and commercial markets?

These questions suggest that DoD might be doing itself a disservice by trying to coax Silicon Valley start-up AI developers with the Strategies Supplement while at the same time taking the “supply chain risk” designation actions and positions it is taking in the current controversy with Anthropic.

In all fairness to the lawyer-authors of the Strategies Supplement, their efforts in drafting it undoubtedly aimed at avoiding disruptions in AI system procurement programs and at averting ruptures in AI system procurement contracts between DoD and highly talented AI developers. It is worth noting that the Strategies Supplement was published on August 25, 2025, more than two months after the DoD award of the AI procurement contract to Anthropic on July 14, 2025. But events can overtake and change the context of authors’ writings. So, in closing, it’s worth recalling Plato’s observations near the end of his dialogue Phaedrus, where Plato has Socrates comment on the risks that speeches, when written down, are exposed to once the words leave the hands of their author:

And when they have been once written down they are tumbled about anywhere among those who may or may not understand them, and know not to whom they should reply, to whom not: and, if they are maltreated or abused, they have no parent to protect them; and they cannot protect or defend themselves.[185]

R.L.T.[186]

Exhibit A

Exhibit B


  1. © Copyright Roland Trope 2026. All rights reserved.

    Disclaimers:

    • The views expressed in this essay are solely those of its author and have not been approved by, and should not be attributed to, the author’s firm or clients; or the U.S. Military Academy at West Point, where the author lectured from 1992–2025.
    • Questions raised and issues identified in this essay are intended to clarify issues that may be encountered by counsel for companies that are or may be seeking prime contracts or subcontracts for AI systems acquisition by DoD. The raising of questions and issues herein are not intended and should not be interpreted as suggesting any criticism of DoD or of its procurement aims, policies, or strategies.

  2. “While there are various definitions of AI, in general, AI refers to computer systems that are able to solve problems and perform tasks that have traditionally required human intelligence and that continually get better at their assigned tasks.” U.S. Gov’t Accountability Off. (“GAO”), GAO-23-105850, Artificial Intelligence: DOD Needs Department-Wide Guidance to Inform Acquisitions 3 (June 2023).

    It is open to question whether all AI systems, including military AI systems, “continually get better at their assigned tasks,” as their models can degrade in performance or “crash.” See, e.g., Ilia Shumailov, Zakhar Shumaylov, Yiren Zhao, Nicolas Papernot, Ross Anderson & Yarin Gal, AI Models Collapse When Trained on Recursively Generated Data, 631 Nature 755 (2024); Zachary Arnold & Helen Toner, AI Accidents: An Emerging Threat—What Could Happen and What to Do, Ctr. for Sec. & Emerging Tech. (July 2021) (“[E]ven the most advanced artificial intelligence tools can unpredictably fail, potentially crippling the systems in which they are embedded.”).

  3. Evidence for this view includes the following:

    “The Pentagon is reportedly using AI to generate hundreds of recommendations for targets in Iran, pinpoint their location, prioritize their importance, and even evaluate whether the targeting is legal. . . . In addition to surveillance and targeting, the military is investing heavily in the development of autonomous weapons, which can select targets and take lethal action with varying degrees of human involvement.” Amos Toh & Emile Ayoub, The Military’s Use of AI, Explained, Brennan Ctr. for Just. (Mar. 12, 2026).

    “AI is no longer a peripheral advantage but a cornerstone of military operations, influencing everything from strategic-level decision-making to tactical execution. It enhances operational efficiency, provides unparalleled analytical capability, and is fundamentally reshaping future geopolitical scenarios. . . . AI provides unmatched cognitive velocity, data processing and analysis of information at a speed and scale impossible for humans, turning vast datasets from the battlefield into actionable intelligence and productive decisions. As the conflict in Eastern Europe has demonstrated, the effective use of AI for target recognition, data analysis and drone operations can be a decisive factor, allowing a smaller, technologically adept force to challenge a larger adversary.” Lt. Col. Aditya S. Khurana, The Algorithmic Battlefield: Forging the U.S. Army’s Future Dominance with a New Breed of Acquisition Leader, U.S. Army Acquisition Support Ctr.: Behind the Frontlines (Mar. 2, 2026) (emphasis added).

    “AI-enabled tools accelerate sensor fusion, compress timelines, and extend the reach of tactical formations. . . . Yet technology continues to outpace the Army’s ability to prepare the humans responsible for interpreting and acting within these systems. Contemporary work on cognitive warfare argues that the modern battlefield extends into the human mind, where contests over identity and resolve begin long before physical first contact. . . . [H]uman performance remains the decisive variable. As AI expands sensing and increases operational tempo, identity alignment becomes the factor that enables soldiers to exercise judgment, interpret intent, and act with confidence in uncertain conditions. Identity alignment is the internal coherence between a soldier’s sense of self and the demands of his or her role. . . . AI can flood formations with information, but identity-aligned soldiers decide what matters and what to act on.” Jerae Perez, When Automation Accelerates War, Identity Determines Victory, Mod. War Inst. at West Point (Jan. 26, 2026) (emphasis added).

  4. The statutorily authorized legal name is the “Department of Defense,” established by the National Security Act Amendments (“NSAA”) of 1949, Pub. L. No. 81-216, 63 Stat. 578 (1949). On September 5, 2025, President Trump issued Executive Order (“EO”) 14347, entitled Restoring the United States Department of War. EO 14347, contrary to its title, did not replace the name “Department of Defense” with “Department of War,” nor did it purport to override the NSAA of 1949. Instead, EO 14347 “authorized” the use of “Department of War” as a secondary title:

    Sec. 2. Implementation. (a) The Secretary of Defense is authorized the use [sic] of this additional secondary title—the Secretary of War—and may be recognized by that title in official correspondence . . . and non-statutory documents within the executive branch.

    (b) The Department of Defense and the Office of the Secretary of Defense may be referred to as the Department of War and the Office of the Secretary of War, respectively, in the contexts described in subsection (a) of this section.

    . . .

    (d) All executive departments and agencies shall recognize and accommodate the use of such secondary titles in internal and external communications, provided that the use of such titles does not create confusion with respect to legal, statutory, or international obligations.

    EO 14347, 90 F.R. 43893 (Sep. 5, 2025), §§ 2(a), (b), (d) (emphasis added).

    In this essay, all references are to the DoD, its official statutory title and the title used in the key document under analysis, issued in August 2025 by the Office of the Under Secretary of Defense for Acquisition and Sustainment and entitled “Intellectual Property Strategies for Artificial Intelligence Programs: A Supplement to the Intellectual Property Guidebook for DoD Acquisition” (emphasis added). Where public announcements or court proceedings adopt the alternative title DoW, the essay will for clarity use such title, but otherwise, the term DoD is used in this essay’s text. Use of the statutory term DoD is not to be interpreted as any criticism or disrespect for EO 14347 nor for officials who, acting on its authority, use the term “DoW.”

  5. GAO, Artificial Intelligence, supra note 2, at 5.

  6. A brief primer on ML from Scientific American:

    Machine learning is the dominant subset of artificial intelligence. It underlies generative AI systems like ChatGPT and DALL-E 2. There are three components to machine learning: an algorithm or a set of algorithms, training data and a model. An algorithm is a set of procedures. In machine learning, an algorithm learns to identify patterns after being trained on a large set of examples—the training data. Once a machine-learning algorithm has been trained, the result is a machine-learning model. The model is what people use.

    For example, a machine-learning algorithm could be designed to identify patterns in images, and training data could be images of dogs. The resulting machine-learning model would be a dog spotter. You would feed it an image as input and get as output whether and where in the image a set of pixels represents a dog.

    Saurabh Bagchi, Why We Need to See Inside AI’s Black Box, Sci. Am. (May 26, 2023).

  7. Hari Sreenivasan & Kate Conger, Amid Pressure from Employees, Google Drops Pentagon’s Project Maven Account, PBS News (June 3, 2018) (transcript).

  8. Scott Shane & Daisuke Wakabayashi, “The Business of War”: Google Employees Protest Work for the Pentagon, N.Y. Times (Apr. 4, 2019).

  9. Letter from Google Employees to Google CEO, Sundar Pichai (published as an attachment to Shane & Wakabayashi, supra note 8) (emphasis in original).

  10. 41 U.S.C. 7103(g) (emphasis added).

  11. 48 C.F.R. § 33.215(a).

  12. Id. § 52.233-1(i) (May 2014) (emphasis added).

  13. Although the clause will initially appear in a prime contract subject to the DFARS, the prime contract will usually flow down that clause to the prime’s first-tier subcontractors; and they, in turn, will usually flow it down to their subcontractors.

  14. If the contractor’s claim is ultimately sustained, the disputes clause requires the USG to pay interest on the amount found due and unpaid “from (1) the date that the Contracting Officer receives the claim (certified, if required), or (2) the date that payment otherwise would be due, if that date is later, until the date of payment.” 48 C.F.R. § 52.233-1(h).

  15. Past Performance, FAI.gov (last visited Mar. 8, 2026) (emphasis added).

  16. Def. Acquisition Univ., Contractor Performance Assessment Report (CPAR) and the Contractor Performance Assessment Reporting System (CPARS) (APMT 019) (last visited Mar. 9, 2026).

  17. Id. (emphasis added).

  18. Billy Mitchell, The ‘Silver Lining’ in the Fallout Between Google and Project Maven, FedScoop (Dec. 10, 2019).

  19. Tom Simonite, 3 Years After the Project Maven Uproar, Google Cozies to the Pentagon, Wired (Nov. 18, 2021).

  20. Id.

  21. Ronald Fox, A-12 Termination Sets Harmful Precedent for Defense Programs, Nat’l Def. Mag. (Jan. 1, 2003).

  22. Mitchell, supra note 18.

  23. Id.

  24. Off. of the Under Sec’y of Def. for Acquisition & Sustainment, Intellectual Property Guidebook for DoD Acquisition (Apr. 30, 2025).

  25. Off. of the Under Sec’y of Def. for Acquisition & Sustainment, Dep’t of Def., Intellectual Property Strategies for Artificial Intelligence Programs: A Supplement to the Intellectual Property Guidebook for DoD Acquisition (Aug. 25, 2025) [hereinafter Strategies Supplement].

  26. U.S. Gov’t Accountability Off., GAO-06-839, Weapons Acquisition: DOD Should Strengthen Policies for Assessing Technical Data Needs to Support Weapon Systems (July 2006) (emphasis added).

  27. Id.

  28. Strategies Supplement, supra note 25, § 2.1.2, at 4 (emphasis added).

  29. Id. at 2, 4 (twice), 5, 8.

  30. Id. at 7 (twice), 11, 14.

  31. A notable exception was the major, multiyear overhaul of four of the oldest U.S. Ohio-class ballistic submarines during the period 2002–2008, to be converted into guided-missile submarines capable of firing and controlling Tomahawk cruise missiles and to be modified so that two of the submarines’ twenty-four large vertical payload tubes were converted to lockout chambers for Special Forces personnel, e.g., Navy SEALS. About the US Submarine Programs, Submarine Indus. Base Council (last visited Mar. 9, 2026).

  32. Strategies Supplement, supra note 25, at 4 (emphasis added). Note: The second appearance of “retrain models” appears later on the same page, in an identical statement to the first, but in a section entitled “AI-Specific Data Types and Categories.” This is addressed later in this article.

  33. Saurabh Bagchi, Why We Need to See Inside AI’s Black Box, Sci. Am. (May 26, 2023) (emphasis added).

  34. Strategies Supplement, supra note 25, § 2.3, at 9 (emphasis added).

  35. Id. § 2.1.2, at 4.

  36. Id. § 2.1.3, at 4–5 (emphasis added). Note: The second appearance of “retrain models” appears later on the same page, in an identical statement to the first, but in a section entitled “AI-Specific Data Types and Categories.” This is addressed later in this essay.

  37. Id. (emphasis added).

  38. NB: A number of facts about the DoD/Anthropic controversy came to light in the account provided in the U.S. District Court for the Northern District of California Order Granting [Anthropic’s] Motion for Preliminary Injunction issued March 26, 2026. Anthropic PBC v. U.S. Department of War, No. 3:26-cv-01996-RFL (N.D. Cal. Mar. 26, 2026) (order granting preliminary injunction) [hereinafter 3/26 Order]. This article cites the 3/26 Order as the source for facts drawn from it.

  39. Id. at 3.

  40. George Hammond & Steff Chávez, Pete Hegseth Threatens to Cut Anthropic from Pentagon Supply Chain in Showdown with CEO, Fin. Times (Feb. 24, 2026).

  41. 3/26 Order, supra note 38, at 3.

  42. Id. The District Court explained at page 3: “When given access to tools, Claude can act as an agent of the user (‘agentically’)—or even autonomously—executing tasks without requiring ongoing user direction.”

  43. Id. at 4.

  44. Id. at 5.

  45. Petitioner’s Emergency Motion for Stay Pending Review, Relief Requested by March 26, 2026, at 8, Anthropic PBC v. U.S. Department of War, No. 26-1049 (D.C. Cir. Mar. 11, 2026).

  46. Id.

  47. Jennifer Jacobs, Jo Ling Kent & Caitlin Yilek, What’s Behind the Anthropic-Pentagon Feud, CBS News (Feb. 25, 2026).

  48. Other Transaction Authority (“OTA”) agreements are increasingly used for DoD procurement of frontier or emerging technologies. Contract clauses that the FAR or DFARS mandate be included in DoD contracts are not required to be in OTA agreements because the FAR and DFARS do not apply to OTA agreements. OTAs were created to

    give DoD the flexibility necessary to adopt and incorporate business practices that reflect commercial industry standards and best practices into its award instruments. When leveraged appropriately, OTs provide the Government with access to state-of-the-art technology solutions from traditional and non-traditional defense contractors (NDCs), through a multitude of potential teaming arrangements tailored to the particular project and the needs of the participants.

    Off. of the Under Sec’y of Def. for Acquisition & Sustainment, Other Transactions Guide 4 (ver. 2.0, July 2023).

  49. 3/26 Order, supra note 38, at 5.

  50. Press Release, Anthropic, Anthropic and the Department of Defense to Advance Responsible AI in Defense Operations (July 14, 2025).

  51. 3/26 Order, supra note 38, at 5.

  52. Id. Anthropic, as of this writing, is no longer the only AI developer with its model in use on DoD classified systems. The last week of February 2026, DoD decided “to put xAI at the center of some of the nation’s most sensitive and secretive operations by agreeing to allow its chatbot Grok to be used in classified settings.” Shalini Ramachandran, Heather Somerville & Amrith Ramkumar, Government Agencies Raise Alarm About Use of Elon Musk’s Grok Chatbot, Wall St. J. (Feb. 27, 2026).

  53. Keach Hagey, Shalini Ramachandran & Amrith Ramkumar, Anthropic-Pentagon Clash over Limits on AI Puts $200 Million Contract at Risk, Wall St. J. (Jan. 29, 2026).

  54. Press Release, Anthropic, Anthropic and the Department of Defense to Advance Responsible AI in Defense Operations (July 14, 2025) (emphasis added).

  55. 3/26 Order, supra note 38, at 4 (citations omitted).

  56. Hagey, Ramachandran & Ramkumar, supra note 53.

  57. 3/26 Order, supra note 38, at 4.

  58. Hagey, Ramachandran & Ramkumar, supra note 53.

  59. 3/26 Order, supra note 38, at 5.

  60. Petitioner’s Emergency Motion for Stay Pending Review, Relief Requested by March 26, 2026, at 8, Anthropic PBC v. U.S. Department of War, No. 26-1049 (D.C. Cir. Mar. 11, 2026).

  61. The Court in its 3/26 Order, at page 4, footnote 2, explained its use of the term “DoW”: “In the complaint, motion papers, and evidence, the parties refer to the Department of Defense as the ‘Department of War’ or ‘DoW.’ . . . This Order adopts the parties’ phrasing for consistency and ease of reference.” Except when quoting the 3/26 Order, this article will adhere to referring to the Department by its statutory name, that is, the Department of Defense or DoD.

  62. 3/26 Order, supra note 38, at 5–6 (emphasis added) (citations omitted).

  63. Dario Amodei, The Adolescence of Technology: Confronting and Overcoming the Risks of Powerful AI (Jan. 2026).

  64. Id. (emphasis in original).

  65. Id.

  66. Id. (citation omitted).

  67. Amrith Ramkumar, Keach Hagey & Vera Bergengruen, Pentagon Used Anthropic’s Claude in Maduro Venezuela Raid, Wall St. J. (Feb. 15, 2026).

  68. Id.

  69. 3/26 Order, supra note 38, at 6.

  70. Usage Policy, Anthropic (effective Sept. 15, 2025).

  71. Id. (image on file with author).

  72. Memorandum from Pete Hegseth, SECDEF, Artificial Intelligence Strategy for the Department of War (Jan. 9, 2026).

  73. Id. at 1.

  74. Id. at 3 (emphasis added).

  75. Id. at 1–5 (emphasis added). Note: It would appear that this issuance, in January 2026, of a directive to “incorporate standard ‘any lawful use’ language” into DoD AI system and service procurement contracts suggests that language was not contained in the AI system or service contract awarded by DoD to Anthropic on July 14, 2025.

  76. Hagey, Ramachandran & Ramkumar, supra note 53.

  77. Id.

  78. Id.

  79. Filip Timotija & Julia Shapero, Anthropic on Shaky Ground with Pentagon Amid Feud After Maduro Raid, Hill (Feb. 19, 2026).

  80. Id. (emphasis added).

  81. Brendan Bordelon, Pentagon Sets Friday Deadline for Anthropic to Abandon Ethics Rules for AI—or Else, Politico (Feb. 24, 2026) (emphasis added).

  82. 3/26 Order, supra note 38, at 7.

  83. Id.

  84. The term “all lawful uses” was a new contractual phrase the SECDEF introduced in his January 9, 2026, memorandum (supra note 72). As a contractual term it has potentially ominous implications, especially in the context of development of military AI systems. As one commentator observed:

    [W]here a contract permits “all lawful uses,” companies should assume that government customers will interpret that language broadly as carte blanche to use the tools in whatever manner they wish and that the government will take action against contractors that take any steps to try to enforce that “lawful uses” limit to prohibit activity the contractor may believe to be unlawful.

    ‘All Lawful Uses’: Precautions AI Businesses Need to Take After Anthropic v. US DoW, Herbert Smith Freehills Kramer (Mar. 26, 2026).

  85. 3/26 Order, supra note 38, at 7 (emphasis added).

  86. Id. (emphasis added). See also Jennifer Jacobs & Joe Walsh, Pentagon Official Lashes Out at Anthropic as Talks Break Down: “You Have To Trust Your Military to Do the Right Thing,” CBS News (Feb. 26, 2026).

  87. 10 U.S.C. § 3252 (emphasis added). This authority was created by section 881 of the 2019 National Defense Authorization Act.

  88. 10 U.S.C. § 3252(d)(5).

  89. 44 U.S.C. § 3552(b)(6) (emphasis added).

  90. 10 U.S.C. § 3252(d)(2).

  91. 10 U.S.C. § 3252(b) (emphasis added).

  92. Steff Chávez & George Hammond, Anthropic to Sue Trump Administration After AI Lab Is Labelled Security Risk, Fin. Times (Feb. 27, 2026).

  93. 10 U.S.C. § 3252(c).

  94. Id. § 3252(c)(1).

  95. DPA § 101(a), 50 U.S.C. § 4511(a).

  96. Id.

  97. Brendan Bordelon, ‘Incoherent’: Hegseth’s Anthropic Ultimatum Confounds AI Policymakers, Politico (Feb. 26, 2026).

  98. Id.

  99. Dario Amodei, Statement from Dario Amodei on Our Discussions with the Department of War, Anthropic (Feb. 26, 2026) (emphasis in original).

  100. President Donald J. Trump (@realDonaldTrump), Truth Soc. (Feb. 27, 2026, at 3:47 PM) (emphasis added). A copy of President Trump’s complete posting, which provides the president’s explanation of his decision, is attached to this essay as Exhibit A and linked in this sentence.

  101. 10 U.S.C. § 3252 (emphasis added). This authority was created by section 881 of the 2019 National Defense Authorization Act.

  102. Secretary of War Pete Hegseth (@SecWar), X (Feb. 27, 2026, at 5:14 PM) (emphasis added). A copy of SECDEF Hegseth’s complete posting, which provides his explanation of his decision, is attached to this essay as Exhibit B and linked in this sentence.

  103. 10 U.S.C. § 3252(d)(2).

  104. 3/26 Order, supra note 38, at 9.

  105. Chávez & Hammond, supra note 92.

  106. 3/26 Order, supra note 38, at 9.

  107. Petition for Review at 1, Anthropic PBC v. U.S. Department of War, No. 26-1049 (D.C. Cir. Mar. 9, 2026) (citing the FASCSA Letter).

  108. Id. at 3.

  109. Section 3252 Letter, at 1 (citations omitted).

  110. 3/26 Order, supra note 38, at 10 (citing the Section 3252 Letter).

  111. 10 U.S.C. § 3252 (emphasis added). This authority was created by section 881 of the 2019 National Defense Authorization Act.

  112. 41 U.S.C. § 4713 (emphasis added); 10 U.S.C. § 3252 (emphasis added).

  113. FASCSA, 41 U.S.C. § 1327(b)(1).

  114. Per Curiam Order Filed (Special Panel) at 1, 4, Anthropic PBC v. United States Department of War, No. 26-1049 (D.C. Cir. Apr. 8, 2026), ECF No. 1208838678.

  115. Id. at 3.

  116. Id. at 4 (footnote omitted).

  117. Id. at 2.

  118. In a status conference held on March 10, 2026, the Court determined that Anthropic’s motion should be handled in the preliminary injunction posture rather than in the temporary restraining order posture. Reasons: to allow for development of a fuller record and afford time for the government Defendants to respond. 3/26 Order, supra note 38, at 18.

  119. Complaint for Declaratory and Injunctive Relief at 4, ¶ 11, Anthropic PBC v. U.S. Department of War, No. 3:26-cv-01996-RFL (N.D. Cal. Mar. 9, 2026) (emphasis added).

  120. Id. ¶¶ 12–16.

  121. 3/26 Order, supra note 38, at 1.

  122. Id.

  123. Id.

  124. Id. at 1–2.

  125. Id. at 2.

  126. Id.

  127. Id.

  128. Id.

  129. Id.

  130. Id.

  131. Id. at 3.

  132. Id. at 12.

  133. Id.

  134. Id. at 15.

  135. Id. at 16 (emphasis added).

  136. Id.

  137. Id.

  138. Id.

  139. Declaration of Paul Smith at ¶ 12, Anthropic PBC v. U.S. Department of War, No. 3:26-cv-01996-RFL (N.D. Cal. Mar. 9, 2026), Dkt. No. 6-4.

  140. Id. ¶ 13.

  141. Id.

  142. Id.

  143. Id. ¶ 14.

  144. 3/26 Order, supra note 38, at 19.

  145. Id. at 22.

  146. Id. at 24 (citation omitted).

  147. Id. at 25.

  148. Id.

  149. Id. at 27.

  150. Id. at 29.

  151. Id. at 30.

  152. Id.

  153. Id.

  154. Id.

  155. Id.

  156. Id. at 34.

  157. Id. at 30.

  158. Id. at 35.

  159. Preliminary Injunction Order at 1–2, Anthropic PBC v. U.S. Department of War, No. 3:26-cv-01996-RFL (N.D. Cal. Mar. 26, 2026).

  160. Id. at 3.

  161. Id. at 2.

  162. Preliminary Injunction Time Schedule Notice at 3, Anthropic PBC v. U.S. Department of War, No. 26-2011 (9th Cir. Apr. 2, 2026).

  163. It’s unclear from the Status Report what the government Defendants’ current position is regarding the use of Anthropic’s Claude AI models by NASA. As disclosed by NASA’s Jet Propulsion Laboratory (“JPL”),

    NASA’s Perseverance Mars rover has completed the first drives on another world that were planned by artificial intelligence. Executed on Dec. 8 and 10 . . . the demonstration used generative AI to create waypoints for Perseverance, a complex decision-making task typically performed manually by the mission’s human rover planners. . . . [NASA Administrator Jared Isaacman stated,] “Autonomous technologies like this can help missions to operate more efficiently, respond to challenging terrain, and increase science return as distance from Earth grows. It’s a strong example of teams applying new technology carefully and responsibly in real operations.”

    . . .

    The initiative was led out of JPL’s Rover Operations Center (ROC) in collaboration with Anthropic, using the company’s Claude AI models.

    NASA’s Perseverance Rover Completes First AI-Planned Drive on Mars, JPL (Jan. 30, 2026).

  164. Defendants’ Status Report at 2–3, Anthropic PBC v. U.S. Department of War, No. 3:26-cv-01996-RFL (N.D. Cal. Apr. 6, 2026), Dkt. No. 146.

  165. Id. at 2.

  166. This vague reference in the Status Report, without date or title, may refer to the SECDEF’s January 9, 2026, memorandum to senior Pentagon leadership, commanders of combatant commands, and defense agency and DoD field activity directors, entitled Artificial Intelligence Strategy for the Department of War, discussed supra note 72.

  167. Defendants’ Status Report at 2–3, Anthropic PBC v. U.S. Department of War, No. 3:26-cv-01996-RFL (N.D. Cal. Apr. 6, 2026), Dkt. No. 146.

  168. Nicholas Carlini et al., Assessing Claude Mythos Preview’s Cybersecurity Capabilities, Anthropic: Frontier Red Team Blog (Apr. 7, 2026).

  169. As GAO explains:

    A zero-day vulnerability can lead to a threat actor exploiting a previously unknown hardware, firmware, or software vulnerability, which has no existing official fix or patch. . . . By writing an exploit for the previously unknown vulnerability, an attacker creates a potent threat since the compressed time frame between public discoveries of both makes it difficult to defend against.

    U.S. Gov’t Accountability Off., GAO-22-104746, Cybersecurity: Federal Response to SolarWinds and Microsoft Exchange Incidents, 2 n.6, 5 (Jan. 2022).

  170. System Card: Claude Mythos Preview 3, Anthropic (Apr. 7, 2026) (emphasis added).

  171. Nicholas Carlini et al., Assessing Claude Mythos Preview’s Cybersecurity Capabilities, Anthropic: Frontier Red Team Blog (Apr. 7, 2026) (emphasis added).

  172. Project Glasswing: Securing Critical Software for the AI Era, Anthropic (last visited Apr. 14, 2026).

  173. Nicholas Carlini et al., Assessing Claude Mythos Preview’s Cybersecurity Capabilities, Anthropic: Frontier Red Team Blog (Apr. 7, 2026).

  174. Id.

  175. Anthropic explained that it named the project “Glasswing” for the glasswing butterfly, Greta oto, and added, “The metaphor can be applied in two ways: the butterfly’s transparent wings let it hide in plain sight, much like the vulnerabilities discussed in this post; they also allow it to evade harm—like the transparency we’re advocating for in our approach.” Project Glasswing: Securing Critical Software for the AI Era, Anthropic (last visited Apr. 14, 2026).

  176. Id. (emphasis at “Given the rate of AI progress . . .” and at “Project Glasswing is an urgent attempt . . .” added).

  177. Id.

  178. Rob Copeland & Colby Smith, Banks Are Warned About Anthropic’s New, Powerful A.I. Technology, N.Y. Times (Apr. 10, 2026).

  179. Id.

  180. Martin Arnold, UK Financial Regulators Rush to Assess Risks of Anthropic’s Latest AI Model, Fin. Times (Apr. 12, 2026).

  181. Id.

  182. Project Glasswing: Securing Critical Software for the AI Era, Anthropic (last visited Apr. 14, 2026).

  183. President Donald J. Trump (@realDonaldTrump), Truth Soc. (Feb. 27, 2026, at 3:47 PM).

  184. Tara Copp, Elizabeth Dwoskin & Ian Duncan, Anthropic’s AI Tool Claude Central to U.S. Campaign in Iran, amid a Bitter Feud, Wash. Post (Mar. 4, 2026).

  185. Plato, Phaedrus (B. Jowett trans.).

  186. The author wishes to thank Olivia Stovicek and Sheila V. Sybrant for their careful and thoughtful editing of this article, which improved it substantially.
