The Pentagon's Anthropic ultimatum is a vendor-risk earthquake, not a news story
A Friday DPA deadline, a self-propagating npm worm chewing through CI/CD, and a $350B safety-brand quietly evaporating — all on the same day. Your AI vendor contracts now carry sovereign override risk, and most weren't written for that.
Defense Secretary Hegseth gave Anthropic until Friday to allow Claude for "any lawful use" — including mass surveillance and autonomous weapons — or face contract termination, supply-chain risk designation, or invocation of the Defense Production Act. Anthropic has refused so far. In the same news cycle, Anthropic also abandoned its policy of pausing development on dangerous capabilities when a competitor ships something comparable, and is pricing a $5–6B secondary at $350B.
Read those three facts together. The company that sold enterprise buyers AI on the basis of safety just told them safety is conditional on what competitors do, while the U.S. government threatens to compel cooperation by force. The premium that justified the valuation is being eroded from both sides on the same day.
This is the first time a U.S. administration has openly threatened to commandeer a commercial frontier model as a strategic national asset. The precedent matters more than the outcome. If the DPA threat works, expect the same playbook against OpenAI, Google, and anyone else with a useful model inside twelve months. If Anthropic gets designated a supply-chain risk, every defense contractor and government-adjacent enterprise has to certify non-use of Claude across its workflows — a compliance contagion that will land in your procurement inbox before you've finished reading the news article.
Most AI vendor contracts I've seen weren't written for this. They have data residency clauses, SOC 2 attestations, sometimes a model-update notification window. They do not have language for "the U.S. government compelled the vendor to remove a safety control you were relying on." That gap is the actionable item.
The new vendor-risk category
The practical work this week is unglamorous and urgent. Inventory every place Claude touches your stack — direct API, Bedrock, embedded inside Slack/Intuit/DocuSign integrations, surfacing through a consulting firm's deliverable. The Claude Cowork integration push is wide and OAuth-mediated, which means the surface is bigger than your central procurement record shows. Then write the 72-hour switchover plan. Not the polished BCP document. The actual list of which features break, which prompts need rewriting, which evals you'd run before flipping the traffic.
The Intuit pattern is the one to copy. They shipped multi-model orchestration — Claude and ChatGPT, branded as their own intelligence layer — and the market gave them five percent on the day. That is not a hedge against vendor outages. It is a hedge against a vendor's safety posture, terms of service, or government relationship changing under you on a Tuesday afternoon. Single-vendor AI dependency was always a bet. This week it became a knowable, priceable bet, and the price went up.
Meanwhile, your CI/CD is on fire
While the policy story dominates, three independent supply-chain attacks landed against AI-augmented development workflows: a self-propagating npm worm ("Shai-Hulud") harvesting CI secrets and carrying a dormant wipe payload, the Cline CLI compromise that pushed a malicious version to five million installs for eight hours, and RoguePilot — prompt injection in GitHub issues that exfiltrates GITHUB_TOKEN via Copilot in Codespaces.
All three exploit the same architectural mistake: an LLM operating in a privileged context while ingesting untrusted input. Cline's AI-automated issue triage was the entry point that eventually cost them their npm publish token. RoguePilot weaponizes the exact "helpful AI reads your issues" workflow that every Copilot deployment defaults to. The npm worm targets AI coding tools specifically because compromised packages laundered through trusted assistant suggestions reach more developers, faster, than any conventional supply-chain attack.
The defense is layered and known. Use npm ci, not npm install, in CI. Migrate package publishing to OIDC provenance via GitHub Actions and retire static publish tokens — Cline's post-incident fix should have been pre-incident hygiene. Restrict Copilot's access to issue content on repositories that accept external contributions. Rotate every secret that has touched a CI environment running npm in the last ninety days, on the assumption that some of them are already in someone's collection.
And — this is where it touches the Anthropic story — audit any LLM-in-the-loop workflow that has both untrusted input and credential access. That is now a confirmed, named, repeatable attack class.
What ties it together
The through-line across both stories is the same: AI providers and AI-augmented tooling are being treated like infrastructure but governed like SaaS. Infrastructure assumptions — sovereign override, weaponized supply chain, dependency on a single foreign-policy posture — have arrived. The contracts, the architectures, and the on-call playbooks haven't caught up.
This week, do two things. First, compile the actual list of AI vendors in your stack, including the ones reaching you through SaaS integrations and consulting deliverables, and rank each by switchover difficulty. The number of companies that cannot answer "how long to migrate off Claude" in concrete hours is going to embarrass a lot of CIOs by Monday. Second, run npm audit and diff your lockfiles against last known-good across every repo that touches production secrets, then rotate. The worm doesn't care about your roadmap.
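The lockfile comparison in the second step, as an added example rather than code from the original piece: it diffs two parsed package-lock.json objects (lockfileVersion 2 or 3) and reports what changed since the known-good copy. The sample lockfiles, package names, hashes and the single-registry assumption are constructed for illustration.

```javascript
// Added example. Inputs are parsed package-lock.json objects (lockfileVersion 2 or 3).
const REGISTRY = "https://registry.npmjs.org/"; // assumption: the only expected source

function diffLockfiles(knownGood, current) {
  const before = knownGood.packages || {};
  const after = current.packages || {};
  const findings = [];
  const flag = (path, kind, detail) => findings.push({ path, kind, detail });
  for (const [path, pkg] of Object.entries(after)) {
    if (path === "" || pkg.link) continue; // root project entry or workspace symlink
    const old = before[path];
    if (pkg.resolved && !pkg.resolved.startsWith(REGISTRY)) flag(path, "unexpected-source", pkg.resolved);
    if (!old) {
      flag(path, "added", pkg.version);
    } else if (old.version !== pkg.version) {
      flag(path, "version-changed", `${old.version} -> ${pkg.version}`);
    } else if (old.integrity !== pkg.integrity) {
      // Same version but a different tarball hash: the published artifact changed.
      flag(path, "integrity-changed", pkg.version);
    }
    // Install scripts execute code during install, so a newly appearing one needs review.
    if (pkg.hasInstallScript && !(old && old.hasInstallScript)) flag(path, "new-install-script", pkg.version);
  }
  for (const path of Object.keys(before)) {
    if (path !== "" && !(path in after)) flag(path, "removed", before[path].version);
  }
  return findings;
}

// Constructed sample data; package names, hashes and URLs are made up.
const tgz = (n, v) => `${REGISTRY}${n}/-/${n}-${v}.tgz`;
const KNOWN_GOOD = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/pad-example": { version: "1.2.0", resolved: tgz("pad-example", "1.2.0"), integrity: "sha512-AAAA" },
  "node_modules/color-example": { version: "2.0.1", resolved: tgz("color-example", "2.0.1"), integrity: "sha512-BBBB" },
} };
const CURRENT = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/pad-example": { version: "1.2.0", resolved: tgz("pad-example", "1.2.0"), integrity: "sha512-CCCC" },
  "node_modules/color-example": { version: "2.0.2", resolved: tgz("color-example", "2.0.2"), integrity: "sha512-DDDD", hasInstallScript: true },
  "node_modules/helper-example": { version: "0.0.1", resolved: "https://example.invalid/helper-example-0.0.1.tgz", integrity: "sha512-EEEE" },
} };

for (const f of diffLockfiles(KNOWN_GOOD, CURRENT)) console.log(`${f.kind}\t${f.path}\t${f.detail}`);
```

On a real repository, pass it the parsed lockfile from the last known-good commit and the one in the working tree. An integrity-changed finding means the same version number now points at different bytes, which a routine dependency bump does not explain.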
If Friday passes quietly, you've spent a week building muscle you were going to need anyway. If it doesn't, you'll be one of the few teams not improvising.