Over the past year, the United States has moved toward an AI governance model that is flexible yet profoundly inadequate: regulation by contract.
On Feb. 27, the Pentagon designated Anthropic, the first frontier artificial intelligence (AI) company on U.S. government classified networks, as a supply chain risk to national security, even as the military reportedly continued using Claude in operations in Iran. President Trump then directed every federal agency immediately to cease all use of Anthropic’s technology, effectively resulting in a government-wide exclusion. Simultaneously, OpenAI reached a deal with the Pentagon and then publicly announced amendments to key terms on social media after facing backlash.
Although the public debate has framed this as a fight over whether the Pentagon or Silicon Valley controls military AI, the deeper problem is structural: a procurement framework carrying questions it was never designed to answer, and a policy posture that is dismantling the governance infrastructure that might have answered them. Though the problem is not new, the Anthropic-Pentagon-OpenAI standoff has added a new urgency.
The Governing Model: Regulation by Contract
Over the past year, the United States has moved toward an AI governance model that is flexible yet profoundly inadequate: regulation by contract. Increasingly, the rules governing the military’s use of AI are not derived from statutes or regulations, but from bilateral agreements between the government and individual vendors. These agreements were not designed to provide the democratic accountability, public deliberation, and institutional durability that statutes provide—and unlike statutes, they bind only the parties who signed them. In practice, enforcement depends not even on the contract terms themselves, but on the technical controls the vendor can maintain once the model is deployed within a government system or embedded in another company’s platform. That is structurally insufficient for governing domestic surveillance, autonomous weapons, and intelligence oversight.
What parties can memorialize and enforce depends on the deal structure. The federal government acquires AI through multiple contracting pathways and deployment channels, and the rights and remedies available depend on who holds the contract, what vehicle governs it, and how the model reaches the end user. An AI company contracting directly with the Department of Defense has different leverage than one whose model is embedded in a prime contractor’s platform. Much of the reporting suggests these deals are being executed as Other Transaction (OT) agreements. If that is correct, the parties are operating outside the government’s primary rulebook for federal contracts, the Federal Acquisition Regulation (FAR), which provides a default framework for contract clauses and dispute resolution. In an OT environment, the guardrails are whatever the parties negotiate, and the dispute framework is whatever the instrument provides, subject to the limits of federal law, which is why the vehicle becomes decisive once the relationship turns adversarial. Without knowing which structure applies, it is impossible to assess whether any of the “red lines” being discussed are enforceable in practice.
The Strategy That Caused the Crisis
The conflict between Anthropic and the Pentagon has a specific origin. In January, Secretary of Defense Pete Hegseth issued an AI strategy memo instructing that any Defense Department contract through which AI services are procured must, within 180 days, include standard “any lawful use” language—effectively requiring the removal of any vendor restrictions beyond what is required by law. The memo also directs the Defense Department to “utilize models free from usage policy constraints that may limit lawful military applications.” That language addresses not just contractual restrictions but technical ones—the architectural guardrails and safety systems that vendors build into their models. The directives reflect the memo’s “speed first” positioning, which frames governance requirements as barriers to rapid deployment and emphasizes that “the risks of not moving fast enough outweigh the risks of imperfect alignment.” Notably, the General Services Administration (GSA) has since proposed extending the “any lawful” government purpose requirement to civilian procurements, with a draft GSAR clause that would prohibit AI systems from refusing “data outputs or conduct analyses based on the Contractor’s or Service Provider’s discretionary policies.”
In July 2025, the Pentagon’s Chief Digital and Artificial Intelligence Office (CDAO) awarded Anthropic a two-year prototype OT agreement with a $200 million ceiling. Separately, Claude is deployed on classified networks through Palantir’s Maven Smart System and, according to the Washington Post, is generating proposed targets in the Iran campaign. According to Anthropic, mass domestic surveillance and fully autonomous weapons have never been included as use cases in its Pentagon contracts. The Hegseth AI strategy memo brought those existing arrangements into conflict with the department’s new “any lawful use” posture. When Anthropic refused to drop its red lines, Hegseth directed the Defense Department to designate the company as a supply chain risk. Anthropic has since filed suit in the Northern District of California challenging its designation under 10 U.S.C. § 3252 as well as President Trump’s directive, and intends to challenge their separate designation under 41 U.S.C. § 4713 (Federal Acquisition Supply Chain Security Act) in the U.S. Court of Appeals for the D.C. Circuit.
The OpenAI Agreement
Hours after Hegseth announced the Anthropic “supply chain risk” designation on social media, OpenAI announced a deal with the Pentagon. The agreement was negotiated over just a few days, and OpenAI CEO Sam Altman later acknowledged that the deal was “rushed” and that it “looked opportunistic and sloppy.”
Notably, OpenAI did not identify the contractual vehicle. It used “agreement,” “contract,” and “deal” interchangeably, without saying whether this was an OT, a FAR-based contract, a separate commercial agreement with a prime integrator, or something else. That omission is not merely semantic. Without knowing the vehicle and without the full text, analysis of “what this means” is necessarily incomplete. But the disclosed language matters less than the bargaining environment that produced it. When Pentagon leaders insist on an “any lawful use” baseline, oversight becomes something that must be justified, negotiated, and then defended operationally once the tool is in use. That posture shapes the negotiation of every term in the agreement before a word is drafted.
The disclosed language frames the agreement around “any lawful use,” then links the controversial use cases to external legal regimes: autonomous weapons policy, domestic surveillance authorities, intelligence oversight, and limits on military involvement in domestic law enforcement. It establishes limitations by reference but effectively shifts interpretation to the Pentagon, leaving enforceability dependent on authorities that the government controls. OpenAI says the contract ties these references to the laws and policies “as they exist today,” but without the full agreement, the public cannot assess how that freeze is operationalized, interpreted, or enforced over time.
By March 2, Altman posted an internal memo to X announcing amendments. The new language states: “Consistent with applicable laws, including the Fourth Amendment to the United States Constitution, National Security Act of 1947, FISA Act of 1978, the AI system shall not be intentionally used for domestic surveillance of U.S. persons and nationals.” OpenAI also states that the Pentagon affirmed that OpenAI’s services will not be used by Defense Department intelligence agencies, such as the National Security Agency (NSA), and that any such use would require a new agreement.
The amendment was driven not by any formal legal or governance review, but by public backlash, including hundreds of OpenAI and Google employees signing an open letter supporting Anthropic’s position and a user boycott that helped push Claude to No. 1 in the App Store. Key contractual terms governing military AI surveillance are now being publicly rewritten through a CEO’s social media posts and debated between administration officials and researchers on X.
With respect to the substance of the amendment, two features warrant close attention.
The first is the “consistent with applicable laws” preamble. On its face, the relationship between this preamble and the operative prohibition is unclear; it could either condition the prohibition or simply reinforce it. However, the structure of the disclosed language suggests an answer. The key distinction between the Anthropic and OpenAI approaches is largely a matter of framing, because framing determines who has interpretive authority. Anthropic reportedly sought explicit contractual prohibitions on mass domestic surveillance and fully autonomous weapons, with the vendor retaining the power to enforce those limits, whereas OpenAI’s agreement defines similar guardrails by reference to existing legal authorities and Defense Department policy, with interpretive discretion resting with the government. Read that way, “consistent with applicable laws” is not an independent prohibition. It refers to the authorities that the Pentagon interprets and applies, rather than the vendor.
The government accepted OpenAI’s structure because it eliminates the risk of mid-operation disablement and appears to be an agreement rather than a constraint. But in an “any lawful use” environment, the government is the first and often only interpreter in the moment, and the contractor’s remedies generally arrive too late to matter. Today, both parties may agree on what the Fourth Amendment requires and where the Foreign Intelligence Surveillance Act (FISA) applies. That agreement lasts exactly as long as the government’s interpretation does not shift, and the contractor’s recourse is not a real-time check, but an after-the-fact disputes process—one that will be resolved months or years after the contested use.
The second issue is the word “intentionally.” As a matter of contract drafting, that qualifier matters because it narrows the prohibition and allows room for interpretation. If “domestic surveillance” is not defined, the parties may end up debating whether the restriction applies only when the tool is used to purposefully monitor U.S. persons, or also when person-specific information is generated as an incidental collection output of a broader task. In other words, an “intentional” limitation can make compliance dependent on how the use case is characterized, not on the operational effect. Without either a definition of “domestic surveillance” that covers foreseeable incidental outputs or process controls that treat those outputs as regulated events, the “intentionally” qualifier may swallow the prohibition.
What the Contract Language Cannot Do
Even if the OpenAI language is read to prohibit domestic surveillance, and even if the “locks in current law” reading holds, the question remains: What happens when the government acts inconsistently with those terms?
In federal contracting, the government is not an ordinary counterparty. It possesses unique powers, including unilateral termination for convenience and the authority to direct changes. Traditionally, under FAR-based contracts, these extraordinary powers are subject to contractor protections, including those provided by the Contract Disputes Act (CDA). If a disagreement occurs between the government and a contractor, the contractor typically must continue performance and pursue relief later through the CDA process, where the remedy is usually monetary. Enforcement is primarily reactive, not preventive.
If these arrangements are OTs, the Defense Department’s Other Transactions Guide is clear: OTs are not subject to the CDA. The parties may incorporate CDA-like procedures or FAR-based dispute mechanisms, but nothing requires them to do so. Dispute resolution, termination rights, and remedies exist only to the extent that the parties negotiated them into the agreement. And where operational deployment runs through an integrator, the relevant rights and restrictions may be distributed across multiple contractual layers, so the developer’s direct agreement with the government may not fully determine how the model is used in the field. Those terms may instead be governed by a separate commercial agreement between the integrator and the developer, with different rights, remedies, and leverage.
With that said, termination is not a substitute for governance. Even assuming a vendor has robust termination rights, “termination” means withdrawing the technology entirely. It does not address the government using the system for a purpose the contractor considers impermissible while the contract is still in force. By the time termination is exercised, the conduct has already occurred. And the Anthropic situation now demonstrates a starker reality: According to the Washington Post, military commanders have become so dependent on Claude that if Anthropic directed the military to cease using it, the administration would use “government powers” to retain the technology until a replacement is available. In the national security context, termination may not be available.
OpenAI’s public defense is that the key constraint is its “safety stack,” and, on paper, it may be the most meaningful protection available. OpenAI says deployment is cloud-only, that it retains control of access, monitoring, and enforcement through the safety stack, and that cleared personnel are in the loop. It also says the architecture permits it to run and update classifiers and independently verify that its red lines are not crossed. Architectural enforcement may be able to achieve what contract terms cannot: prevent the conduct that matters in the moment. As I have noted previously, this creates an unresolved tension at the heart of these agreements: If the safety stack blocks a use that the “any lawful use” standard would permit, which provision controls?
The Hegseth memo suggests the department’s answer. The memo does not just require “any lawful use” in contract language; it instructs the department to “utilize models free from usage policy constraints that may limit lawful military applications.” This wording can be reasonably understood to address both the safety stack and the contract terms. It treats vendor-imposed constraints, including technical guardrails and refusal behavior, as potential barriers to lawful military use. Following that logic, a model that refuses a lawful military request because of a vendor’s safety policy is one that the department does not want to rely on.
Altman’s own statements confirm the limitations of this protection. In an all-hands meeting this week, he told employees: “You do not get to make operational decisions.” The Pentagon will listen to OpenAI’s technical expertise, but does not want the company to express opinions on whether certain military actions are good or bad ideas. As for the safety stack itself, Altman described it as something the government tolerates rather than something it is bound by: “I believe we will hopefully have the best models that will encourage the government to be willing to work with us, even if our safety stack annoys them.” And he identified the competitive pressure that limits even that tolerance: “There will be at least one other actor, which I assume will be xAI, which effectively will say, ‘We’ll do whatever you want.’”
Procurement Is Not a Substitute for Public Law
The administration is pursuing what it has described as the most significant reform to the FAR in its 41-year history: commercial-first mandates, faster and more flexible acquisition pathways, and a broader rollback of nonstatutory procurement requirements, while also shifting governance responsibility onto individual deals negotiated through those same accelerated pathways. The more the government removes the regulatory infrastructure that provides baseline procedural defaults, the more weight falls on whatever terms the parties negotiate. This week demonstrates what happens when those constraints become inconvenient.
Domestic surveillance, lethal targeting, and intelligence oversight are increasingly being addressed through contract carve-outs tied to legal authorities that the government itself interprets. Those carve-outs can be amended, narrowed, or reframed, and enforcement is largely post hoc. Existing legal authorities, including the Fourth Amendment, FISA, and executive orders governing intelligence activity, apply to government conduct independent of any contract. But when the application of those authorities to new AI capabilities is increasingly addressed through bilateral procurement negotiations rather than public legal and policymaking processes, the process itself fails the public interest.
“Any lawful use” is “any lawful use.” The government interprets what is lawful, acts on that interpretation, and has demonstrated what happens when a contractor disagrees. These questions deserve answers from Congress and the courts, not from a procurement framework that was never built to carry them.
– Jessica Tillipman is the Associate Dean for Government Procurement Law Studies at The George Washington University Law School. Published courtesy of Lawfare.
