Defense Secretary Pete Hegseth denied Anthropic’s request to reconsider its designation as a national security supply-chain risk, writing in a June 3 decision that “pre-deployment risks with the Covered Entity’s products and services, the loss of trust, and other risk factors were and remain sufficient to support the prior Determination.” The denial exhausts Anthropic’s internal review options and sends the case to a three-judge panel at the D.C. Circuit Court of Appeals.

The same week, the Financial Times reported that Anthropic has placed roughly half a dozen forward-deployed engineers inside the National Security Agency to help integrate its Mythos cybersecurity model. Sources told the FT that Mythos could support offensive cyber operations, including efforts to penetrate networks in China and Iran.

The Designation

Hegseth’s decision clarified that the original supply-chain risk label rested on pre-deployment concerns about Claude’s potential for mass surveillance and autonomous warfare, according to Politico. This matters because Anthropic had previously argued the Pentagon misunderstood the technical architecture: Claude cannot be altered in real time after deployment, making post-deployment risk claims moot. Hegseth’s letter effectively conceded that point while maintaining the designation on different grounds.

The Pentagon urged the D.C. Circuit to move forward with deciding “the urgent questions raised in the case” now that internal review is complete, Benzinga reported.

Anthropic’s Response

In a public statement, Anthropic pushed back on two fronts. First, it called the designation “unprecedented,” noting it has historically been reserved for U.S. adversaries and “never before publicly applied to an American company.” Second, it challenged Hegseth’s implied threat that contractors doing business with the military would be barred from working with Anthropic, arguing the Secretary lacks statutory authority under 10 USC 3252 to extend the restriction beyond Department of War contract work.

“No amount of intimidation or punishment from the Department of War will change our position on mass domestic surveillance or fully autonomous weapons,” the statement read. Anthropic said commercial API access, claude.ai subscriptions, and all non-DoW contractor usage remain unaffected.

The NSA Contradiction

The juxtaposition is notable. Anthropic is simultaneously fighting the Pentagon’s designation while embedding staff inside another arm of the U.S. intelligence apparatus. The Mythos deployment at the NSA, reported by the Financial Times, involves forward-deployed engineers customizing the cybersecurity model for agency-specific missions. One person close to Anthropic told the FT: “The best way to build a good defence is to build a good attack. If [Mythos] is not used to build attack agents, adversaries will find a way to do it.”

Anthropic’s stated red lines are mass domestic surveillance and fully autonomous weapons. Offensive cyber operations against foreign adversaries apparently fall outside those boundaries. Whether the D.C. Circuit sees a meaningful distinction between “we refuse to enable surveillance of Americans” and “we actively support offensive cyber operations against foreign targets” will likely shape the legal arguments.

The Federal Appeals Question

The D.C. Circuit panel now faces a novel question: can the Pentagon designate a domestic AI company as a supply-chain risk for refusing to permit unrestricted use of its models? The April 8 ruling already denied Anthropic’s motion to pause the label during litigation. A full ruling on the merits will set precedent for how the federal government can leverage procurement power against AI companies that impose usage restrictions.

For agent builders deploying in government or defense contexts, the outcome creates a binary: either AI companies can set ethical guardrails on federal use of their models, or refusal to grant unrestricted access carries supply-chain risk consequences. No middle ground has emerged.