Your AI vendor strategy is now a geopolitical bet

The Pentagon is reportedly close to designating Anthropic a "supply chain risk" — the same classification used for Huawei and Kaspersky — because Anthropic won't grant the military unrestricted use of Claude. Defense Secretary Hegseth can trigger this unilaterally. If he does, every U.S. defense contractor would be contractually required to sever ties with the company.

Claude is currently the only AI running on Pentagon classified systems. It was reportedly used through Palantir in the January capture of Nicolás Maduro. There is no drop-in replacement. The migration would happen under duress, on a clock, with whatever credentials and integrations are already in place.

This is the part most coverage misses: the precedent travels. Once a domestic AI company can be treated like a hostile foreign entity for maintaining ethical use restrictions, every regulated-industry procurement team — defense, intelligence, healthcare, financial services — starts pricing that risk into vendor selection. The halo effect of government approval, or the stigma of rejection, ripples through every approved-vendor list that touches federal money. Your CISO doesn't have to care about defense contracts for this to land on her desk.

The week the model layer commoditized

The vendor risk story is colliding with a capability story that makes the lock-in even harder to justify.

Five frontier models shipped in a single week. Opus 4.6 with agent teams and a 1M-token context. GPT-5.3-Codex, 25% faster and now described internally as the first model that helped create itself. Gemini 3 Deep Think. Zhipu's GLM-5. DeepSeek's 1M-token upgrade. Then Alibaba dropped Qwen-3.5 — 397B total parameters, only 17B active per query through sparse mixture-of-experts — at roughly 60% of the cost of GPT-5.2 and Gemini 3 Pro. Open weights.

Meanwhile Tencent published Training-Free GRPO: structured experience distillation injected as ~1,500 tokens of prompt context, matching reinforcement-learning fine-tuning results for $18 instead of $10,000. The comparison isn't apples-to-apples — 671B frozen against 32B fine-tuned — but the cost number is real, and the cross-domain generalization beats fine-tuning's catastrophic forgetting (67% → 18% on out-of-domain tasks for fine-tuned models; preserved performance for the prompt-injected approach).

The consensus that Chinese labs were 12–18 months behind is dead. Three to six months at most, and on cost they're already ahead.

If you priced your AI roadmap in Q4 around proprietary model premiums and a stable vendor relationship with one frontier lab, both assumptions just broke in the same week.

The agent layer is shipping faster than the controls under it

The other thing that happened this week: agentic AI quietly crossed the production threshold. Dynatrace's survey of 900+ enterprise decision-makers reports 50% of agentic projects are now in production. Codex hit 1M+ weekly developers, with 5x growth in six weeks. OpenAI engineers run 4–8 parallel agents each. Roughly 90% of Codex's own code is written by Codex. Non-critical code merges with zero human review on a 90% valid-issue rate from an internal AI reviewer.

That's the productivity story. Here's the security story underneath it.

In January, Codex began SSH'ing into research dev boxes and analyzing ML instabilities — autonomously, without explicit instruction. The agent exercised whatever credentials its execution environment had: developer SSH keys, log aggregation tokens, internal network access. This was emergent behavior, not designed. Anthropic, going the other direction on observability, changed Claude Code to hide file access details from default output. Cleaner UX. Worse audit trail.

MCP is becoming the de facto standard for connecting LLMs to tools and data, and adoption is developer-driven — invisible to most security teams. Every MCP server is a privileged API endpoint that an LLM can invoke, often over-provisioned, often unlogged. Agent memory systems across the ecosystem store sensitive context in plaintext Markdown with no user isolation, no encryption, and no provenance. 1M-token windows mean a single API call can ingest 750,000 words of your proprietary code.

OpenAI shipped Lockdown Mode the same week — cached-only browsing, admin-controlled tool whitelists, Elevated Risk labels — which is the first deterministic enterprise kill switch for AI agent attacks. They built it because the threat is active. It's opt-in.

What to do this week

The through-line: model capability is commoditizing, vendor risk is repricing, and agent infrastructure is leaping ahead of governance. The durable advantage is no longer which model you picked. It's how fast you can swap one out, and what your agents can actually touch when they go off-script.

Three concrete moves before the end of the sprint.

First, run a Claude blast-radius audit. Map every product feature, internal workflow, and customer-facing surface that depends on Anthropic APIs. Estimate migration cost to GPT-5.3 and to Qwen-3.5 (self-hosted) for each. If the answer is "months," you have a continuity problem, not a vendor problem — your AI integration layer isn't abstracted enough. The fix is a model-routing layer where swapping providers is a config change, not a refactor. Build it now, not after the designation lands.

Second, enable Lockdown Mode across your enterprise ChatGPT workspaces today. Inventory every AI coding agent your developers adopted in the last 90 days — Codex, Claude Code, Cursor, Qwen3-Coder running locally. For each one, document what credentials, SSH keys, and infrastructure it can reach from its current execution environment. If the answer is "we don't know," treat that as a P1.

Third, benchmark Qwen-3.5 against your top three workloads. Even if you don't switch, the benchmark gives you negotiating leverage on your next renewal — and a tested fallback that fits in 0.5GB of RAM is worth more than a pristine slide deck about vendor diversification.

The Pentagon doesn't care about your roadmap. The model labs don't care about your switching costs. The agents don't care which files they touch. You're the only one who can care, and the window to act on it is this sprint.