WASHINGTON – Pete Hegseth had a simple message for anyone wondering whether he made the right call. Three months after the Defense Department designated Anthropic a supply-chain risk to national security and severed its $200 million government contract, the defense secretary took to X on Saturday to note that the passage of time had only confirmed his judgment. “Every passing day proves why that was the right move,” he wrote.
The timing was pointed. A day earlier, the Commerce Department’s Bureau of Industry and Security had ordered Anthropic to disable access to its two most capable models – Fable 5 and Mythos 5 – for all foreign nationals, citing cybersecurity and national security concerns. The restriction, the first export-control measure ever applied to a specific commercial AI model rather than the underlying hardware, compressed Anthropic’s addressable user base for those products from roughly 240 million global users to the American citizen and permanent resident subset. The markets re-priced the company’s pending Series H financing round from a $300 billion midpoint to roughly $260 billion overnight.
What Hegseth did not say – and what the BIS directive makes visible – is that the government’s new case against Anthropic is almost the structural inverse of the case he made in February. The Pentagon expelled Anthropic because CEO Dario Amodei refused to remove safety restrictions on Claude’s use for mass domestic surveillance and fully autonomous weapons. Hegseth framed those restrictions as ideological obstruction. The company was, in his formulation, putting its own guardrails above the operational requirements of the U.S. military. The export control now in effect exists for a different reason: Amazon researchers discovered a jailbreak path in Fable 5 that allowed them to extract cybersecurity-relevant information that the model’s safety layer was specifically designed to refuse. A safeguard did not hold. The White House reviewed the findings and determined the primary mitigation was to prevent foreign governments, companies and individuals from accessing the models at all.
The paradox is not subtle. Hegseth is claiming vindication from a national security finding that was produced by the failure of exactly the kind of safety architecture he spent February trying to dismantle.
The underlying Fable 5 vulnerability was identified through what Anthropic’s own red-team testing had flagged in the week before the model’s public release, according to the company’s Saturday statement from Amodei. The Amazon research finding – in which a series of prompt manipulations coerced the model into providing outputs with large-scale cyberattack utility – was independently corroborated and routed to White House officials before the BIS directive was issued. Anthropic has accepted the directive as legally binding while publicly disputing the underlying rationale, arguing that the practical threat-model impact is bounded by the defensive cybersecurity infrastructure that the U.S. and allied governments have already deployed.
That argument did not persuade the Commerce Department, and it is unlikely to persuade Hegseth. In his X post, the defense secretary referenced Anthropic’s expulsion from the Department of War – the name the Trump administration uses for the Pentagon – without specifying which of the two narratives he believes the BIS directive validates. It is possible he means both simultaneously: that a company unwilling to make its AI unreservedly available to the U.S. military and also incapable of fully controlling the AI’s outputs represents a compound risk. That framing is internally consistent, if it relies on a version of the Anthropic timeline that collapses the contradiction at its center.
The Mythos 5 dimension of the BIS directive adds a layer that the Pentagon’s February standoff did not involve. Mythos 5 – the non-public full-capability variant of the model family, cleared only for U.S. government agencies and a select group of allied-government partners – was described by Anthropic’s own safety team as approaching the capability threshold at which the model could provide material assistance to a state-level adversary in biological, chemical and cybersecurity domains. The BIS directive confirms that threshold assessment. The NSA has continued using Mythos through its classified-access arrangement despite the Department of Defense’s February blacklist, a fact that underscores how fragmented the U.S. government’s own position on Anthropic remains: one arm of the national security apparatus expelled the company; another kept using its most dangerous product.
That fragmentation is the detail Hegseth’s post elides. The February standoff was, at its core, a dispute about who controls powerful AI systems – the companies that build them or the government agencies that want to deploy them. Hegseth’s position was that the Pentagon should not be constrained by a vendor’s internal policies. The BIS directive is built on the opposite logic: that the government must constrain access to a vendor’s product because that product has demonstrated capabilities the government cannot safely allow to circulate freely. Both interventions reach into Anthropic’s operations. They proceed from incompatible premises about whether the problem with Anthropic’s AI is that it is too restricted or not restricted enough.
The competitive landscape underneath all of this has shifted in ways that make the vindication claim harder to evaluate cleanly. Axios reported in March that by penalizing a domestic AI leader for its safety standards without applying parallel restrictions to Chinese rivals, the administration had opened a market opportunity for cheaper, less regulated models from competing countries. The BIS directive on Fable 5 and Mythos 5 addresses part of that concern by restricting Chinese access to Anthropic’s most capable models. It does not address the broader pattern in which the Pentagon’s supply-chain-risk designation effectively pushed enterprise customers away from Anthropic and toward alternatives that carry their own, less well-documented risk profiles.
What remains unresolved is whether the supply-chain-risk designation Hegseth applied in February is being reconsidered in light of the BIS directive’s implicit acknowledgment that Anthropic’s models are capable enough to warrant export controls. The Pentagon has not said. Anthropic has not said. The two government actions – one that treated the company as a security risk for having safety restrictions, one that treats the company as a security risk because a safety restriction failed – are now on the record simultaneously, pointing in different directions, without anyone in the administration appearing to have noticed the tension between them.
Hegseth’s post said every passing day proves he was right. It did not say right about what.
