
The AI Sovereignty Trilemma: When a Frontier Model Vanishes and Reality Bites

Llantwit Major | Published in AI | 10 minute read
A human hand pressed flat against a dark glass barrier at night, reaching toward an illuminated toggle switch mounted in a glass housing on the far side of the glass, out of reach, with a warm-lit city skyline glowing across water beyond, a visual reframe of a control that is visible but held elsewhere, behind a barrier the hand cannot cross (Image generated by ChatGPT 5.4)

On 12 June 2026, Anthropic received, without prior warning, a national-security directive from the US government ordering it to suspend all access to two deployed frontier models, Fable 5 and Mythos 5, for every foreign national, including its own foreign-national staff. Because Anthropic could not separate those users from the rest of its base, the only compliant response was to switch both models off for every customer on the same day. Anthropic disputed the basis and has said it is working to restore access, but it could not overrule the order while it stood.

For any organisation that had built a process on those models, the capability did not degrade. It disappeared. There was no service-level conversation, no notice period, and nobody to negotiate with. Those organisations were not the target of the directive: they lost the capability as collateral of Anthropic’s compliance with an order that was never aimed at them.

This is not a novel risk. It is one I named last year. The AI Sovereignty Trilemma held that an organisation choosing frontier capability and economical compute surrenders sovereign control, and that export controls are one of the forms that surrender can take. That was a structural claim. It is now a documented event, and the Trilemma carries a cost that is visible and one that is not, of which most Boards have only ever been shown the first.

The Trilemma, restated at the model layer

The Trilemma sets three poles against one another: sovereign control, frontier capability, and economical compute. It holds that an organisation can secure two of them together, never all three at once. Most select frontier capability and economical compute: the best available models, bought at hyperscale prices, hosted and governed elsewhere.

This is convenient, and the great majority of those organisations arrived here by default, through a sequence of reasonable procurement choices that were each defensible on their own and never assembled into a position the Board examined. Not choosing is itself a choice, and it is the most common one. The pole they surrender is sovereign control.

Sovereign control has always meant more than data residency. It means the ability to keep a capability running on terms the organisation sets, rather than terms a distant provider, or a government, can revise without consultation.

What the Anthropic situation adds is the height at which the dependency now sits. Sovereignty has been argued for years at the level of chips, accelerators, data centres, energy, and cloud infrastructure, on the assumption that securing those layers secures the capability. This event shows the dependency reaching higher, to the model itself as a strategic dependency: an organisation can hold sovereign hosting, sovereign data, and sovereign infrastructure, and still lose a capability controlled elsewhere, because the pole it never secured was sovereign control over the model itself. The Trilemma has moved up the stack, and the model layer is now where the surrender of sovereign control is felt first.

This is what separates the event from a generic outage. An outage is a failure the provider is working to reverse and is contractually answerable for. This was a withdrawal the provider was compelled to perform and was arguing against. A model recall on national-security grounds is not an outage; it is the removal of a capability by a party the Board has no standing to appeal to or negotiate with.

What matters is not that it happened to these particular models, but that it happened at all. For the first time, a frontier capability has been withdrawn from production environments by a sovereign authority, which is the first observable proof of a risk the Trilemma had until now only described. The specific directive may prove temporary; the proof it supplied is not.

That claim invites an objection worth meeting: software under export control is not new. In the 1990s the United States treated strong cryptography as a munition under the Arms Export Control Act and ITAR, and the international spread of Pretty Good Privacy brought a three-year federal investigation of its author from 1993 to its closure in early 1996, with the controls on strong cryptography themselves collapsing by 2000. That control sought to stop the outbound distribution of copyable source code, and it failed in part because supporters published the code as a printed book protected as speech and exported it that way. This event is the opposite shape of problem: the capability was not being distributed; it was withdrawn from a running service, and there is no book to print. So the precedent does not weaken the claim; it locates it. Software has long been subject to export control, but the compelled removal of a deployed frontier capability from a running service has not happened before.

The cost you can see, and the one you cannot

Sovereign capability costs more, and that is easy to see. UK industrial electricity prices run to roughly four times those faced by US competitors, on the energy that sovereign compute depends on. That is the figure executives see, and the point at which the sovereignty conversation usually stops. I have observed the pattern repeatedly: interest in sovereignty runs broad until the cost lands, at which point organisations quietly stop talking about sovereignty. The expense is visible, so it deters, and the retreat is rarely recorded as a decision.

The cost of this decision is harder to see, because it is not paid in money. It is paid in sovereign control. An organisation that buys its capability cheaply and runs it on someone else’s terms is exposed to losing it by a decision it has no part in, and that exposure had never been tested.

On 12 June it was tested: the capability withdrawn overnight, by an order the organisation could not see coming, influence, or reverse. The convenient choice is not the cheap option; it is the one whose price had not yet been presented.

Both choices cost something. One cost is money, countable in advance; the other is control, unnoticed until the day it is taken. The discipline is to know which an organisation is paying, and to have chosen it rather than backed into it.

What the Board actually carries

Model availability is a third-party continuity risk. It belongs on the risk register, with a named owner, and should not be delegated below the Board as an operational matter. Treating it as an IT setting is the error the event has exposed.

Most continuity planning assumes outages, degradation, cyber incidents, or supplier failure, because those are the categories existing governance structures were built to hold. This event sits outside all of them. The provider remained operational, the infrastructure remained operational, and the capability was withdrawn regardless. The difference matters, because a fallback designed for an outage assumes the provider will recover and the contract will hold, and neither assumption applies when the capability is removed by an authority the provider cannot answer to.

Single-model and single-jurisdiction dependence is a single point of failure for any process that relies on it. Where a withdrawn capability sits inside a customer-facing or regulated process, the continuity exposure is immediate and material rather than theoretical. The exposure is also wider than a Board tends to assume. It is not only an order aimed at the organisation that can strand it; the organisations cut off this time were not the target at all, and lost the capability because their provider’s only compliant response was to withdraw it wholesale. Any order whose compliance forces a provider to pull a capability can reach a customer who was never named in it.

There are questions a Board should be able to answer without commissioning a special exercise: which deployments depend on a single model; which of those touch a critical or regulated process; what the fallback is and whether it is truly switchable rather than nominal; how long the organisation can operate on that fallback before service or compliance degrades; and which critical or regulated processes depend on frontier models that could be subject to export controls or equivalent extraterritorial directives. One operational question makes the exposure concrete in a single line: if this model disappeared tomorrow morning, what would stop working by lunchtime? It is memorable, and it reveals immediately whether the dependency is actually understood or merely assumed.

Read against the Six Board Concerns, this is Risk Management at the level of continuity, Safeguarding Innovation where a withdrawn capability strands work already in flight, and Stakeholder Confidence where customers and regulators expect the organisation to have anticipated the dependency rather than discovered it. None of these is satisfied by a procurement note.

It is worth being precise that diversification is not the same as resilience. Two providers in the same jurisdiction, subject to the same directive, are one exposure wearing two names. Resilience here means a fallback that survives the specific event, which is jurisdictional as much as commercial. The Board’s task is not to choose the remedy from the chair, nor to prescribe an architecture or a vendor. It is to require that the exposure is known, owned, and priced.

The discipline, not the programme

None of this is an argument for sovereignty at any cost. The cost is real, and for most organisations full sovereign control is neither affordable nor necessary across the whole estate. A response sized to the fear rather than to the exposure is its own failure.

The proportionate response is Minimum Lovable Governance: the smallest set of disciplines that lets the Board sleep, not a sovereignty transformation. Knowing the exposure, naming the owner, and keeping a fallback that works in practice is most of the work, and it can be done without a new committee or a new approval queue.

The choice is made per deployment, not once for the organisation. A meeting summariser and a customer-eligibility model sit in different places on the Trilemma and warrant different answers, and the trade for each is either taken knowingly or taken by default. The cost of the discipline is modest set against the cost of discovering the dependency at the moment it fails. This event has supplied, at someone else’s expense, the demonstration that usually arrives only after harm.

There is an accountability point that turns this from commentary into a Board lesson. Many organisations believed they had outsourced the operational risk of frontier AI to a provider. What they had outsourced was control. The operational risk stayed with them, and it returned without warning. The doing of the work can move to a provider; the consequence of its withdrawal cannot.

The instruction that survives the incident

The Trilemma was never a prediction in the narrow sense. It was a statement that every position has a cost, and that the convenient one’s bill had simply not yet been presented. The bill has just been presented, dated, and itemised.

What a Board should take from this is the instruction, not the incident. The specific directive may be reversed within days, and the provider is contesting it; the lesson does not depend on the outcome either way. The question is not whether this particular model returns. It is whether the Board knows where else the same exposure sits, and whether it chose that exposure or merely defaulted into it.

The task was never to solve the Trilemma. The task was to decide which price to pay. Most organisations already have. The question is whether they know which one they chose.

Let's Continue the Conversation

Thank you for reading about the AI Sovereignty Trilemma resolving from argument into a dated event. I'd welcome hearing how your Board carries this exposure, whether you have already mapped which deployments depend on a single model and jurisdiction, whether you hold a fallback that would survive the specific event rather than a nominal one, or whether model availability still sits below the Board as an operational matter rather than on the risk register with a named owner.