On March 9, 2026, over 30 engineers from OpenAI and Google DeepMind — including Google DeepMind chief scientist Jeff Dean — signed a court brief supporting Anthropic’s lawsuit against the U.S. Defense Department.
That almost never happens. Engineers from competing companies do not publicly sign joint legal briefs.
The backstory: the Pentagon designated Anthropic a “supply chain risk” — a designation typically used for foreign adversaries — after Anthropic refused to allow its models to be used for mass surveillance of Americans or for autonomously firing weapons. OpenAI accepted a similar DoD contract. ChatGPT saw a 295% surge in uninstalls overnight. Claude jumped to #1 on the U.S. App Store for the first time.
This is not an abstract story about AI safety philosophy. This is a story about risk, and it has direct implications for how you architect your organization’s AI systems.
The Supply Chain Risk That Wasn’t on Your Radar
When I review architecture decisions with my team, we talk about vendor lock-in, API reliability, model performance degradation, and data residency. We almost never talk about political and legal events that could make an AI vendor undeployable overnight.
We need to add that to the checklist.
Consider what happened in one week:
- OpenAI signs DoD surveillance contract
- 2.5 million people join #QuitGPT movement
- Enterprise procurement teams at companies with government clients start flagging OpenAI as a reputational risk
- OpenAI amends the contract language (but critics remain unconvinced)
- Anthropic becomes the “safe choice” for enterprise — Claude hits #1 on App Store
If you had embedded GPT-4 deeply into your product six months ago and your clients start asking hard questions about your AI supply chain, you have a problem that is not quickly solvable.
What “AI Ethics” Actually Means in Practice
There is a lot of vague talk about AI ethics. Let me be concrete about what it means for a Technical Lead evaluating AI vendors.
Ethics as a product constraint: Different AI vendors will refuse different things. Claude will not help with certain use cases (weapons, mass surveillance, some security research). GPT-4 will try more things but with inconsistent guardrails. Open models like Llama or Mistral have minimal built-in refusals.
This is not a judgment — it is a fact about what your system will and will not do in production. A customer service AI that randomly refuses to answer certain questions (because the underlying model flagged it as sensitive) creates a terrible user experience. You need to know your model’s limits before you ship.
Ethics as regulatory signal: The Anthropic/DoD story is a preview of coming regulation. Governments are starting to require documentation of AI vendor relationships, use-case limitations, and model governance. The EU AI Act is already in force. NIST AI RMF is becoming the de facto standard for US federal contractors. If you are selling to government or regulated industries, your AI vendor’s legal posture is becoming your audit paperwork.
Ethics as brand risk: The #QuitGPT movement showed that consumers care about how AI companies behave politically. If your product is built on an AI vendor that does something your users find unacceptable, you carry that brand risk. This is especially true for B2C products.
The Anthropic Institute: Governance as Strategy
One piece of news that got less attention than it deserved: Anthropic announced the Anthropic Institute this month — a formal research body focused on the economic, societal, and security impacts of advanced AI.
This is a strategic move worth understanding.
For years, “AI safety” was a cost center at most labs — the thing you did because you had to, not because it helped the business. Anthropic is now making safety research a formal institutional function with its own mandate.
What this signals for enterprise buyers: Anthropic is betting that documented, predictable AI behavior is a competitive advantage for the enterprise market. A risk-averse CISO or General Counsel will prefer a vendor that publishes formal impact assessments over one that moves fast and fixes it later.
I think they are right about this. And I think the other labs will follow.
How to Do AI Vendor Due Diligence
Here is the framework I now use when evaluating AI vendors for production systems. This is new — I added these questions after March 2026.
1. Use-Case Audit
Map your intended AI use cases to each vendor’s acceptable use policy. Document any use cases that are explicitly prohibited or in a gray area.
Use-case audit template:
- [ ] Customer service automation → Check: prohibited topics?
- [ ] Content generation → Check: copyright policy?
- [ ] Internal decision support → Check: high-stakes use case restrictions?
- [ ] Security tooling → Check: dual-use / security research policies?
- [ ] Government/defense adjacent → Check: explicit restrictions?
2. Data Residency and Inference Location
Where does your data go when you make an API call? This matters for:
- GDPR compliance (EU data must stay in EU)
- HIPAA (PHI cannot leave certain boundaries)
- Government classified environments
Gemini on Vertex AI, Azure OpenAI, and AWS Bedrock all offer regional data residency. The standard Anthropic API and OpenAI API route through US infrastructure by default.
3. Model Change Risk
AI vendors update models regularly. GPT-3.5 behaved differently from GPT-4. Claude 3.5 behaved differently from Claude 4.6. Your production system can break when a vendor silently updates their model.
Check:
- Does the vendor offer pinned model versions? (Anthropic and OpenAI both do)
- What is the deprecation notice period for model versions?
- How long will the pinned version remain available?
4. Incident Response
What happens if the vendor has an outage or a security incident?
- Does the vendor have a status page with historical uptime?
- What is their SLA for enterprise customers?
- Do you have a fallback model if your primary vendor goes down?
5. Legal and Political Exposure
This is the new one.
- Has the vendor been involved in any government contracts that could affect its reputation with your clients?
- Does the vendor have a published policy on military, surveillance, or law enforcement use?
- Is the vendor incorporated in a jurisdiction that could be subject to export controls or political pressure affecting your use case?
The Multi-Vendor Strategy as Risk Management
The #QuitGPT story makes the case for multi-vendor AI architecture better than any benchmark comparison ever could.
If you are building on a single AI vendor, you are exposed to:
- Their pricing decisions
- Their model quality changes
- Their political and legal actions
- Their infrastructure reliability
A multi-vendor architecture — where different parts of your system use different models — costs more to engineer upfront but dramatically reduces this exposure.
The pattern I recommend:
Tier 1: Primary vendor (highest quality, best integration)
├── Used for: Core product features, user-facing interactions
├── Current choice: Claude 4.6 or GPT-5.4 depending on ecosystem
└── Commitment: Deep integration, monitored closely
Tier 2: Secondary vendor (fallback, specific use cases)
├── Used for: Batch processing, high-volume tasks, DR fallback
├── Current choice: Gemini 3.1 Flash-Lite for cost, regional option
└── Commitment: Lighter integration, maintained regularly
Tier 3: Self-hosted option (for sensitive data, cost optimization)
├── Used for: Internal tools, data with residency requirements
├── Current choice: DeepSeek V3 or Mistral Large on-prem
└── Commitment: Operational overhead accepted for risk reduction
This is not architecture astronautics. The engineering cost of a clean abstraction layer over multiple LLM providers is 2-4 weeks of work and pays for itself quickly in reduced risk.
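One way to structure that abstraction layer, as an added example rather than code from the original post: tiers are tried in order, a governance block list can disable a vendor without a redeploy, and residency-bound requests fail closed to self-hosted models. The provider names, model IDs, and stub adapters are constructed placeholders, not real SDK identifiers.

```python
from dataclasses import dataclass, field
from typing import Callable


class ProviderError(Exception):
    """Adapter-level failure: outage, timeout, or policy refusal."""


@dataclass(frozen=True)
class Provider:
    name: str                   # hypothetical label, not a real SDK identifier
    tier: int                   # 1 primary, 2 secondary, 3 self-hosted
    self_hosted: bool           # True if inference stays on your own infrastructure
    model_id: str               # pinned version string (constructed placeholder)
    call: Callable[[str], str]  # thin adapter around the vendor SDK


@dataclass
class Router:
    providers: list
    blocked: set = field(default_factory=set)  # vendors disabled by governance decision

    def candidates(self, residency_required):
        pool = [p for p in self.providers if p.name not in self.blocked]
        if residency_required:
            # Fail closed: residency-bound data may only reach self-hosted models.
            pool = [p for p in pool if p.self_hosted]
        return sorted(pool, key=lambda p: p.tier)

    def complete(self, prompt, residency_required=False):
        errors = []
        for p in self.candidates(residency_required):
            try:
                return p.name, p.model_id, p.call(prompt)
            except ProviderError as exc:
                errors.append(f"{p.name}: {exc}")  # keep for the audit trail
        raise ProviderError("no eligible provider: " + "; ".join(errors))


def _down(prompt):  # constructed stub simulating a primary-vendor outage
    raise ProviderError("outage")


def demo_router(blocked=()):
    """Constructed three-tier setup mirroring the tiers above."""
    return Router([
        Provider("primary", 1, False, "primary-PINNED-VERSION", _down),
        Provider("secondary", 2, False, "secondary-PINNED-VERSION", lambda s: "t2:" + s),
        Provider("onprem", 3, True, "onprem-PINNED-VERSION", lambda s: "t3:" + s),
    ], set(blocked))
```

Returning the provider name and pinned model ID with every response lets you log which vendor and version handled each request, which is the evidence an audit of your AI supply chain will ask for.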
What Anthropic’s Legal Fight Tells Us About the Industry
The Anthropic/Pentagon situation reveals something important about where this industry is going.
The dispute is fundamentally about whether an AI lab can control how its models are used after they are deployed. Anthropic says yes — they set hard limits on use cases as a product decision. The Pentagon says no — once licensed, use should not be restricted.
This tension will not resolve quickly. As AI becomes critical infrastructure, governments will push for more permissive military and law enforcement access. Labs will push back to protect their enterprise and consumer markets.
For Technical Leads: the contracts your AI vendors sign today determine what your AI supply chain looks like tomorrow. This is worth tracking the same way you track data center outages or major security vulnerabilities.
Practical Next Steps
Three things you can do this week:
- Read your AI vendor’s acceptable use policies end to end. Most teams have not done this. You will find surprises.
- Add “AI vendor governance” to your architecture review template. Questions about model change risk, data residency, and use-case restrictions should be on every design doc for any system that touches an LLM.
- Build your fallback plan. If your primary AI vendor had a major incident or reputational crisis next week, how quickly could you switch? If the answer is “weeks to months,” your architecture is fragile in a way that needs fixing.
The Anthropic/Pentagon story will not be the last time an AI vendor’s political and ethical decisions spill into your production systems. The companies that treat AI vendor governance as a serious engineering concern — not an abstract ethics debate — will be better positioned when the next incident happens.
And there will be a next incident. Count on it.