The Trump administration's designation of Anthropic as a supply chain risk and its subsequent ban from Pentagon systems is forcing CISOs into uncharted territory. Most enterprises lack the visibility to know where AI models like Claude are embedded across their environments — whether via direct APIs, developer tooling, or third-party software. The Pentagon's 180-day removal directive extends to contractors, creating compliance pressure before policy clarity exists. Experts debate whether existing SBOM frameworks are sufficient to track AI dependencies or whether a new AI-BOM standard is needed. Even identifying Anthropic usage is only the first hurdle; replacement can require reworking prompts, retraining systems, and revalidating outputs. The case signals a broader shift where AI models are treated as regulated supply chain components, with implications extending beyond government contractors to any organization that may face similar mandates from regulators or customers.

10m read time. From csoonline.com