Jones Walker Logo
  • News & Insights
  • Professionals
  • Services
  • News & Insights
  • Professionals
  • Services

  • Firm
  • Offices
  • Careers
  • Events
  • Media Center
  • Blogs
  • Contact

  • text

AI Law and Policy Navigator

Your AI Vendor's Export License Just Became a National Security Liability...and Other AI Policy and Governance News

By Andrew R. Lee, Michelle Ramsden, Jason M. Loring
July 8, 2026

For nearly three weeks this summer, the US government pushed Anthropic to disable access to two of its most advanced frontier AI models, treating access to model capability (and not just the chips that power them) as a national security concern. That fight, resolved for now, sits at the center of a bigger story: AI is moving fast enough to reshape how criminals attack and how governments respond. 

What We're Reading This Week

US Lifts Export Controls on Anthropic's Frontier Cybersecurity AI Models
The Commerce Department lifted export control restrictions on Anthropic's Fable 5 and Mythos 5 models after Anthropic disabled access in response to a directive covering foreign nationals. Reporting indicates that Fable 5 was restored more broadly, while access to Mythos 5 remains tied to select or approved cybersecurity use cases.

AI Access Fight Divides Trump's Tech Allies
As reported by Axios, the episode split the administration's own allies: former AI czar David Sacks warned that slowing releases cedes ground to China, while others argued the controls reflect exactly the caution frontier AI now warrants. Investors told Axios the bigger problem is that nobody yet knows what rules will govern the next release.

It's Inevitable — You're Going to Get Hacked. But Here's One Solution.
In this New York Times opinion piece, PR executive Juleanna Glover uses AI-enabled extortion as a broader warning about how quickly cyber risk has become personal, including through voice cloning and account compromise. Her proposed fix is cultural as much as it is technical: she argues society should abandon “digital shame” so leaked private material loses its value as extortion leverage.

Claude Helped a Hacker Find a Way to Issue Tickets to Almost Every US Music Festival
Wired reports that researcher Ian Carroll, operating within Anthropic’s Cyber Verification Program for approved security researchers, used Claude Opus 4.7 to identify and validate a vulnerability in Front Gate Tickets, the company behind ticketing for most major US music festivals. According to the reporting, Carroll obtained admin-level access and identified a path that could have been abused to issue free tickets and expose customer records. Carroll reported the flaw rather than exploit it, and Front Gate said the issue was resolved within 24 hours with no evidence of exploitation, ticket impact or compromise of customer information. The episode still matters because Carroll says Claude built the firewall-bypassing technique largely on its own, faster than he could understand it himself.

Apple Reverses Age-Old Patch Policy to Keep Up With AI
Apple has abandoned bundling security fixes into major OS releases, instead pushing out-of-cycle patches in direct response to AI-accelerated attack development, Dark Reading reports. Researchers cited in the piece note that the average gap between a flaw's disclosure and its exploitation has gone negative: attackers are now weaponizing bugs before a patch exists.

xAI's Massive AI Data Center Sparks Fight Over Who Can Enforce Clean Air Laws
The Los Angeles Times reports that the Justice Department moved to intervene in a Clean Air Act citizen suit brought by the NAACP against xAI and its subsidiary MZX Tech over gas turbines powering xAI’s Memphis-area data center power infrastructure, arguing that national security considerations support allowing the turbines to continue operating without citizen-suit second-guessing. Environmental lawyers call the theory unprecedented, since it could let an administration invoke national security to block pollution enforcement against a favored company.

The Bigger Picture

“National security” did double duty this week: it helped justify restrictions on frontier AI model access, and it appeared again as part of DOJ’s argument in litigation over AI data-center power infrastructure. Same phrase, opposite direction, both aimed at AI infrastructure. Meanwhile, Wired and the Times approached the same shift from different angles: AI-enabled cyber capability is moving from specialized technical settings into ordinary commercial and personal risk.

For counsel and compliance teams, the throughline is procedural, not just technical. Export control exposure now attaches to AI capability, not just chips. “National security” is proving flexible enough to justify both restricting AI and shielding it from unrelated regulatory regimes. And responsible disclosure practices need to assume outside researchers now have AI tooling that finds your vendors' bugs before your vendors do.

What This Means for Counsel

Export control risk is moving up the stack: The Anthropic episode suggests that frontier AI capability itself (not just the chips, data centers, or cloud infrastructure) can become the object of national security controls.

“National security” is becoming a flexible AI regulatory argument: In one context, it supported restrictions on model access; in another, the DOJ invoked it in litigation involving AI data center infrastructure. Companies should expect the phrase to appear across regulatory domains that do not look like AI law at first glance.

AI-assisted vulnerability discovery is now part of the operating environment: The Front Gate incident shows how quickly outsider researchers using frontier tools can identify serious vendor flaws.  Responsible disclosure readiness now belongs with your incident response, vendor governance, and security engineering.

A larger shift is emerging: AI is rapidly lowering the expertise needed to identify vulnerabilities, conduct sophisticated attacks, and test security controls. As these capabilities become more widely available, organizations may face growing expectations from regulators, customers, and litigants to use AI to proactively identify and address security weaknesses. At the same time, government appears increasingly willing to regulate AI based on capability rather than hardware, signaling that legal and compliance obligations may evolve as quickly as the technology itself.

For questions about AI-driven cybersecurity risk and the expanding reach of national-security regulatory arguments, please contact the Jones Walker Privacy, Data Strategy and Artificial Intelligence team. Stay tuned and subscribe for continued insights from the AI Law and Policy Navigator.


Curated by the AI Law and Policy Navigator team.

Related Professionals
  • Andrew R. Lee
  • Jason M. Loring
  • Michelle Ramsden

Related Practices

  • Privacy, Data Strategy, and Artificial Intelligence
Sign Up For Alerts
© 2026 Jones Walker LLP. All Rights Reserved.
PrivacyDisclaimerAvident Advisors
A LexMundi Member