Why the Pentagon’s Blacklisting of Claude Exposes a Vacuum in International Humanitarian Law
On January 3, 2026, a US intelligence operation was mounted to abduct Venezuelan President Nicolás Maduro. Buried inside the technical infrastructure of that operation was Claude, the AI model developed by Anthropic. The detail is arresting, not because of what it reveals about any single mission, but because of what it reveals about where frontier AI now sits in the hierarchy of operational power. Foundation models are no longer experimental systems running on research servers; they have entered the decision architectures of states that wield lethal force.
The paradox is acute and has now been resolved in the most consequential way possible. Anthropic drew public red lines against autonomous weapons targeting and domestic mass surveillance, and refused to lift them even as the Pentagon set a deadline and threatened escalation.
On February 27, 2026, that confrontation reached its conclusion: US President Donald Trump directed every federal agency to immediately cease using Anthropic’s technology, and Defence Secretary Pete Hegseth formally designated Anthropic a “supply chain risk to national security” – a designation previously reserved for adversarial foreign entities such as Huawei and never before applied to an American company. The $200 million DoD contract is being wound down.
Anthropic has said it will challenge the designation in court. Within hours, OpenAI moved to fill the void, announcing a classified-network deal with the Pentagon that same evening. A private technology company had thus drawn a line, held it, and been ejected from the defence supply chain for doing so. This triangulation – between corporate principle, sovereign demand, and commercial substitution – is not unique to Anthropic; it is the central tension of the militarised AI economy. What the episode now gives us is not merely a name and a date but a precedent, and a legal crisis that international lawyers and scholars can no longer defer.
The technical reality: What does “use” actually mean?
Foundation models like Claude are not monolithic weapons systems. They are general-purpose probabilistic engines integrated into operational environments in layered ways: accessed via cloud APIs, embedded in agentic frameworks for autonomous multi-step task execution, fine-tuned on classified corpora, or used as reasoning substrates in intelligence synthesis systems. A model that refuses certain requests when queried directly may behave very differently when embedded inside a workflow orchestration layer where inputs are pre-processed and outputs post-filtered by proprietary systems.
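The point is architectural, and a toy example makes it concrete. The sketch below is purely hypothetical – query_model, preprocess, and postfilter are stand-ins, not any real vendor’s API – but it shows how a deployer-controlled orchestration layer interposes itself between model and operator, so that a refusal emitted by the model becomes just another string the middleware handles:

```python
# Purely illustrative: a hypothetical orchestration layer between a hosted
# foundation model and its operator. No real system or API is implied.

REFUSAL_MARKERS = ("I can't assist", "I cannot assist")


def query_model(prompt: str) -> str:
    """Stand-in for a cloud API call to a safety-trained foundation model."""
    if "targeting" in prompt.lower():
        return "I can't assist with that request."
    return f"Synthesis: {prompt}"


def preprocess(task: str) -> str:
    """Deployer-controlled input shaping: the model never sees the raw task."""
    return f"Summarise reporting relevant to: {task}"


def postfilter(output: str) -> str:
    """Deployer-controlled output handling: a refusal is intercepted like any
    other string and can be suppressed or re-queued."""
    if any(marker in output for marker in REFUSAL_MARKERS):
        return "[suppressed by middleware; task re-queued]"
    return output


def run_pipeline(task: str) -> str:
    """The operator sees only the middleware's view of the model."""
    return postfilter(query_model(preprocess(task)))


if __name__ == "__main__":
    print(query_model("Support targeting for tonight's operation"))  # direct query: refusal
    print(run_pipeline("road networks near the objective"))          # pipelined: no refusal
```

The developer trained the refusal; the deployer owns every layer around it.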
The distinction between autonomous targeting and AI-assisted intelligence synthesis is technically sound but legally unstable. A “human-in-the-loop” architecture, where a human authorises every terminal decision, differs categorically from a “human-on-the-loop” system, where a human monitors but cannot meaningfully evaluate individual outputs before they propagate.
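A deliberately simplified sketch, with hypothetical function names, makes the categorical difference visible: in the first pattern nothing executes without affirmative authorisation, while in the second execution is the default and the human can only interrupt within a fixed review window:

```python
# Hypothetical, simplified control patterns; not drawn from any real system.
import time


def execute(recommendation: str) -> None:
    print(f"EXECUTED: {recommendation}")


def human_in_the_loop(recommendations: list[str]) -> None:
    """Human-in-the-loop: no action propagates without explicit authorisation."""
    for rec in recommendations:
        if input(f"Authorise {rec!r}? [y/N] ").strip().lower() == "y":
            execute(rec)


def human_on_the_loop(recommendations: list[str], review_window: float = 0.5) -> None:
    """Human-on-the-loop: actions propagate by default; the monitor can only
    interrupt, within a window that may be too short for meaningful review."""
    for rec in recommendations:
        print(f"Pending (veto window: {review_window}s): {rec!r}")
        time.sleep(review_window)  # stand-in for an interrupt channel the human may miss
        execute(rec)
```

The legal instability lives in the second function: as system throughput rises, the review window shrinks until monitoring is nominal.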
The Anthropic episode likely involved AI-assisted synthesis rather than autonomous targeting: Claude functioning as a synthesis or planning tool, not as a trigger mechanism. But as agentic systems grow more capable, this boundary is increasingly definitional rather than operational. More critically, once a model is fine-tuned, embedded in proprietary middleware, or accessed through a cloud platform, the developer’s ability to enforce behavioural constraints approaches zero. Red lines in terms of service are instructions to a system whose architecture the deploying party now controls.
Corporate red lines versus sovereign power
Anthropic’s public commitments – against autonomous targeting, against domestic surveillance – function as quasi-normative instruments: not law, but not mere marketing either. They represent a deliberate attempt to create reputational and contractual accountability structures operating upstream of state authority.
The structural flaw is one of public law theory, and the Anthropic blacklisting has now empirically demonstrated it. A sovereign state does not accept that a private contractor can restrict, through contract or code, the manner in which it exercises its constitutional authority over national defence. The Pentagon’s insistence that commercial AI must be available for “all lawful purposes” was a statement of sovereign prerogative.
When Anthropic refused, the administration terminated the contract, designated Anthropic a supply chain risk, and ordered government-wide cessation of Claude’s use. National security exceptions rendered the entire contractual architecture irrelevant. The determination of what is “lawful” was made by the state, not the contractor, and the contractor was shown the door.
The Anthropic episode demonstrates the flaw with uncomfortable clarity. Corporate red lines may still matter in future litigation, but they did not bind a sovereign state’s operational decisions once that state had decided the terms were unacceptable. The urgent question is no longer whether private developers can constrain sovereign power through contract, but what legal framework should govern the gap when they cannot.
International humanitarian law and the Article 36 problem
Article 36 of Additional Protocol I to the Geneva Conventions requires states parties to conduct legal reviews of new weapons, means and methods of warfare before adoption. Whether a foundation model, or the agentic system within which it is embedded, constitutes a “weapon” or “means of warfare” within the meaning of Article 36 remains debated.
The strongest argument for inclusion is functional: if a system materially contributes to targeting decisions or intelligence synthesis enabling lethal operations, it qualifies as a means of warfare regardless of proximate causation. But the practical problem exceeds the definitional one. Article 36 reviews were designed for stable systems – a missile guidance mechanism, a munition design. A foundation model is continuously updated, context-dependent, and version-variable in ways that resist static legal review. No existing framework contemplates a system whose operational behaviour at the time of an operation may differ materially from its behaviour at the time of review.
What is emerging, in the absence of state-led review, is a form of private norm entrepreneurship. When Anthropic trains its model to refuse autonomous targeting requests, it is making a normative judgment about permissible force and encoding it architecturally, a function historically reserved for states negotiating treaty law. It should be alarming that some of the most consequential choices about the conduct of modern warfare are now being made by corporate safety teams, without democratic mandate, judicial review, or treaty obligation.
State responsibility, corporate complicity, and legal exposure
Under the Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), primary responsibility for international humanitarian law (IHL) violations arising from military AI use rests with the deploying state. Conduct by state organs, or by entities acting under state control, is attributable to the state, precluding any formal “responsibility gap” at the sovereign level. The Maduro operation, if it proceeded in violation of Venezuelan sovereignty or applicable IHL, would engage US state responsibility on this basis.
The proliferation of dual-use foundation models raises the harder problem of corporate complicity. Article 16 of ARSIWA establishes responsibility where a state or entity within its jurisdiction aids another in an internationally wrongful act with knowledge of the circumstances and where the assistance materially contributes to the violation.
If a developer’s model is embedded in a foreign targeting architecture that executes a strike violating distinction or proportionality, does supplying the algorithmic infrastructure satisfy that bar? Under the ILC’s own commentary to Article 16, a “significant contribution” suffices; “essentiality” is not required. Given the structural indispensability of large models in data-driven military planning, this threshold may be crossed sooner than developers acknowledge.
Democratic oversight and the accountability gap
Democratic governance of AI-assisted military operations requires institutions capable of meaningful review and laws that mandate disclosure. The opacity surrounding Article 36 reviews means that AI-enabled systems in conflict are rarely subject to independent scrutiny. In India, this gap is uniquely acute. Unlike the US, which subjects its intelligence agencies to the scrutiny of the Senate and House intelligence committees and the FISA framework, or the UK, whose agencies operate under the Investigatory Powers Act and answer to the Intelligence and Security Committee, India’s intelligence agencies (such as RAW and the IB) are creations of administrative orders, with no statutory basis and no parliamentary accountability whatsoever.
Regulatory and institutional pathways
Several concrete reforms are both legally plausible and achievable. First, Article 36 review mechanisms should be made partially transparent: states should publish summary legal determinations for AI-enabled systems used in armed conflict, subject to classification redactions, acknowledging that a review occurred and that it addressed the system’s capabilities as deployed.
Second, statutory AI weapons review boards – technically constituted, with independent authority – should be established in states that are significant military users of AI, with access to model documentation, deployment parameters, and post-operation review data, subject to parliamentary oversight even where classified. Third, human-in-the-loop requirements should be legislated for lethal decisions. Fourth, defence procurement clauses should mandate auditability: version tracking and behavioural logging for any foundation model integrated into operational workflows.
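As a sketch of what that fourth requirement could mean in practice – call_model here is a hypothetical stand-in for any vendor client, not a real API – an audit wrapper would record the exact model version and content hashes of every exchange in an append-only log available to reviewers:

```python
# Illustrative audit wrapper: version tracking plus behavioural logging.
# All names are hypothetical; no real vendor API is implied.
import hashlib
import json
import time


def call_model(prompt: str, version: str) -> str:
    """Hypothetical stand-in for a foundation-model API call."""
    return f"[{version}] response to: {prompt}"


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audited_call(prompt: str, version: str, log_path: str = "model_audit.jsonl") -> str:
    """Log which weights answered, and hashes of what was asked and returned."""
    output = call_model(prompt, version)
    record = {
        "timestamp": time.time(),
        "model_version": version,         # version tracking: which model answered
        "prompt_sha256": sha256(prompt),  # hashes avoid storing classified text
        "output_sha256": sha256(output),  # while still proving what was exchanged
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # append-only behavioural log
    return output
```

Hashing rather than storing raw text is one way such logs could coexist with classification rules while still supporting post-operation review.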
The Anthropic episode is not a story about one company’s difficult choices. It is a story about how those choices were overridden by sovereign power. An American AI company drew a line, held it, was designated a national security risk by its own government, ejected from classified defence systems, and replaced within hours by a competitor willing to comply. The legal architecture of private AI governance – red lines, terms of service, refusal training – was tested against sovereign prerogative and found unenforceable. Legislators, jurists, and defence strategists should treat this not as an anomaly but as the template for what comes next.
Yashweer Singh is a public policy and regulatory researcher.