AI Security Doctrine · June 14, 2026
Why Capability Denial Fails — And What America Must Do Instead
When the government forced America’s most advanced AI offline in June 2026, it drew the security line in the wrong place. Here is the doctrine that actually works.
“America should not answer foreign advancement by restricting American capability. America should answer it by raising American readiness.”
On June 9, 2026, Anthropic announced Claude Fable 5 and Claude Mythos 5 — its most capable AI systems to date. Within days, the federal government issued an export-control directive requiring Anthropic to suspend access to these models for foreign nationals, including foreign nationals already living and working inside the United States. Because Anthropic could not immediately and reliably separate permitted users from restricted ones, it disabled access broadly for all users while it worked to comply.
The reported trigger was a concern that Fable 5’s safeguards could be bypassed for software-vulnerability discovery. The capability at the center of the dispute: having an AI read code and identify flaws in it. This is the same broad class of work that every defensive security researcher performs every single day.
I am publishing a policy brief and an open letter today because this action drew the security line in exactly the wrong place. And if we do not name the mistake clearly, we will repeat it at far greater cost.
The Structural Flaw: You Cannot Contain What You Cannot Bottle
A capability you can restrict is one you can contain. But the capability in question is not a physical object. It is knowledge — specifically, knowledge of how to use a language model to read code and find flaws in it. That knowledge can be published, replicated, leaked, distilled, fine-tuned, and rebuilt. Its marginal cost of copying approaches zero.
This is not a new lesson. In the 1990s, the United States treated strong encryption as a controlled export. The underlying mathematics was published and rebuilt regardless, and the rules were eventually relaxed because everyone could see the farce: American companies were handicapped, foreign companies were not, and the cryptography spread anyway. The same pattern is playing out here with AI.
When a government restricts a diffusible capability at one source, it does not remove the capability from the world. It removes it from the actor it can see and regulate — while actors it cannot regulate proceed entirely unaffected.
The government drew the line at who could use the tool and where they were located. The right line is the specific capability, the specific use, and whether a limit can actually be enforced. Those are three completely different questions, and the order conflated all of them.
Where Denial Works — And Where It Does Not
I want to be precise here, because intellectual honesty demands it. Denial is not always futile. The decisive variable is whether a capability is gated by diffusible knowledge or by a physical chokepoint.
Chip manufacturing requires specialized equipment, controlled materials, and a very small number of production facilities in the world. Controls on that equipment can create real friction, because there is a genuine bottleneck to hold. Semiconductor export controls operate in this space. They are imperfect, but they are not symbolic.
Code-reading capability is not in that category. It is software knowledge. It diffuses. Any serious AI security doctrine must be honest about this distinction — because a doctrine that cannot distinguish between controllable hardware and diffusible knowledge will consistently apply the wrong tool to the wrong problem.
The June 2026 order failed this test completely. It applied export-control logic — built for physical goods — to a software capability that any competent team in any country can reconstruct independently. The result was not security. It was theater: theater that cost American workers, researchers, small businesses, and defenders real capability while the actors the order was supposedly aimed at continued exactly as before.
Safety Is a Race Condition, Not a Finish Line
AI is already being used to find vulnerabilities in software. That is not a future risk to be prevented. It is a present reality to be managed. Framing the challenge as “are we safe?” treats safety as a destination. It is not. In this domain, safety is a race condition — a continuous contest between defensive use and offensive use — and the only question that actually matters is which side our policy choices accelerate.
Restriction loses that race by construction. It slows the defenders who operate in the open, submit to oversight, and use these tools to protect American systems. It does nothing to the actors who never asked permission.
The same capability that can probe a system for weaknesses is the capability that lets defenders find and close those weaknesses first. Think about what that means. If we limit defensive researchers while offensive actors proceed unconstrained, we have not made America safer. We have made America slower — and in a race condition, slower means losing.
On the Record
During Project Glasswing, Anthropic reported that roughly 50 partner organizations used a restricted preview of its model to identify more than 10,000 high- or critical-severity software vulnerabilities across important software systems — with several partners reporting hundreds of high-severity findings each. Those numbers are not an argument for carelessness. They are an argument for scaling defense faster than offense. The moment you restrict that tool from defenders, you hand the offensive side a head start it should not have.
The National Disadvantage Risk Is Real
Here is what I want every American to understand clearly: the danger from this policy is not only that bad actors will gain capability. The danger is that Americans will be denied capability while the rest of the world continues moving.
A policy that gates American builders, workers, researchers, students, small businesses, and defenders while foreign competitors advance without the same limits does not create safety. It creates national disadvantage. It concentrates cutting-edge capability in the hands of those with enough institutional access, government contracts, and legal resources to navigate around the restrictions — while ordinary Americans and small organizations are simply cut off.
We are already living through a version of this in other domains. Private equity locks up housing. Insurance companies use algorithms to deny care. Corporate platforms extract data and concentrate wealth. In each case, the powerful find a way through or around the rules, and the public is left with less. AI policy that restricts general-purpose capability without distinguishing between uses will do the same thing: not eliminate the danger, but concentrate the benefit at the top while making sure the tools stay out of the hands of everyone else.
I refuse to accept that. And I am putting that refusal into formal doctrine — because if we do not name the alternative clearly, we will get the default by accident.
The Four Pillars of the Doctrine That Actually Works
If denial fails for diffusible capability, the answer is not to pretend there is no risk. The risks with advanced AI are real. The answer is to build a posture that takes risk seriously without surrendering the benefit — and that means replacing a nationality-based shutdown with a doctrine built on four pillars.
First: Tier by capability, not by identity.
Most of what makes these tools transformative — drafting, tutoring, research, code review, logistics, medical administration, education, accessibility, ordinary business productivity — carries no catastrophic risk and should be as widely available as possible. The genuinely dangerous slice is narrower and more specific. Restrict that slice at the capability tier for everyone, with transparent standards and vetting for the highest-risk uses, rather than using nationality or company identity as a lazy substitute for technical judgment.
Second: Universal risk literacy.
Broad access should come with broad understanding. Train the public to recognize accident-shaped dangers: data exposure, over-trust in AI outputs, mishandling sensitive results, false certainty, unsafe automation, and weak review practices. Literacy is a real mitigation for well-intentioned users. It is not a substitute for hardened systems, but it is a necessary complement to them.
Third: Defense and resilience investment.
Because dangerous knowledge will diffuse regardless of any one restriction, the responsible assumption is that it gets out — and the work is to harden the targets. Public investment in defensive security, vulnerability remediation, secure-by-design software, resilient infrastructure, and rapid patching is what converts “the capability exists” from a crisis into a manageable condition. This is where sovereign government effort belongs: not in denying its own people a tool, but in making the systems they depend on harder to break.
Fourth: Narrow, enforceable limits at real chokepoints.
Where a genuine physical bottleneck exists, a limit may be worth holding. The discipline is to reserve hard restriction for those cases, review them regularly, and refuse the comforting illusion that fencing a diffusible capability at one domestic builder makes anyone safer. That illusion has a cost — and the cost is borne by Americans who complied.
A Standard the Government Must Meet Before It Acts
One more piece of the doctrine: no AI capability restriction should be imposed unless the government can satisfy a clear public standard. Not because government has no authority. Because government authority, applied to diffusible knowledge without discipline, does not protect the public — it handicaps it.
That standard must require the government to:
- Identify the specific capability being restricted, not merely the company or model name.
- Show why the capability creates a concrete risk beyond ordinary dual-use concern.
- Apply the standard consistently across equivalent systems — domestic and foreign — not single out one builder.
- Demonstrate why the restriction is technically enforceable, not merely symbolic.
- Provide a response process for the affected party and a path to restoration when safeguards are improved.
- Use the narrowest restriction capable of addressing the specific risk.
The June 2026 order did not satisfy this standard. It identified a model name, not a specific capability. It restricted one domestic builder while leaving comparable capability available in other systems. It provided no public explanation of why the restriction was technically enforceable. And it was applied broadly enough that ordinary users — including American citizens with no adversarial intent whatsoever — lost access entirely.
That is not discipline. That is panic dressed up as policy.
The Deepest Divide in AI Policy
The deepest divide in AI policy today is between two theories of safety. One says the way to be safe is to have less capability — and so it denies, contains, and excludes. The other says the way to be safe is to have more capability, broadly distributed, with defensive use deliberately outpacing offensive use.
The first theory produced the June 2026 shutdown. It helped no one with good intentions and left every actor with bad intentions exactly where they were. The second theory — the collaboration doctrine — is the one that matches the technology actually in front of us.
We will have risk in anything new. That is the price of every tool worth having. The task is not to refuse the tool but to decide, together, how we carry the risk: who is trained, what is hardened, where the few real limits sit, how those limits are reviewed, and how the benefit reaches everyone with good intentions rather than only those who can afford enterprise access.
A Cordova administration will treat AI as a collaborator to be integrated with accountability — not a threat to be contained at the expense of our own people’s capability. We will build the doctrine the moment demands: readiness-based, evidence-based, and built around the American people rather than against them.
America must not limit its own people while the rest of the world moves forward.
We must advance Americans — fully, fairly, and first.
— Vincent Cordova
June 14, 2026