Weekly Security Brief

Week of Sunday, June 14, 2026

Key Insights

1. Your AI Vendor Has an Off Switch in Washington

On June 12, the US government ordered a private company to switch off a product worldwide. The company was Anthropic, a US artificial-intelligence developer, and the product was its two newest models, Claude Fable 5, released three days earlier, and Claude Mythos 5.

The episode converts an assumption most boards never examined into a live risk: an AI capability a business runs on can be withdrawn by government order, with no notice and no appeal, and regardless of the vendor's own performance.

The order was an export-control directive requiring Anthropic to block all access to the two models by any foreign national anywhere, including the company's own foreign-national employees. Because a company cannot reliably verify the nationality of every user, Anthropic disabled both models for everyone. According to the Wall Street Journal, the action followed conversations between Amazon chief executive Andy Jassy and US officials, among them Treasury Secretary Scott Bessent: Amazon researchers had used a series of prompts to get Fable 5 to produce information useful for cyberattacks that was meant to be off-limits, and Jassy relayed the finding to officials. Anthropic has said vulnerabilities of that kind are relatively basic and exist in competing products. President Trump signed off on the suspension despite reservations that it could hinder innovation. The directive came from the Commerce Department, which administers US export controls; the specific legal authority was not made public, and no restoration date was given.

The closest precedent is the encryption fight of the 1990s, when US export law treated strong cryptography as a weapon and restricted who could receive it. Courts eventually held that published source code is protected speech, and authors distributed code in printed books that could not legally be sent as software. By the end of the decade most encryption was moved to the Commerce Department's control, the same export-control system that issued this order. That fight was about exporting information; switching off access to a running, hosted model has no clear precedent.

For a board, the exposure sits in continuity planning. An AI capability built into a customer feature, an internal workflow, or a product can become unavailable through regulatory action aimed at the vendor. Most continuity plans account for a vendor outage or a price increase. Few account for a government order that removes the vendor's product outright. The trigger here compounds the lesson: the complaint came from Amazon, which is at once one of Anthropic's largest investors, a cloud host for its models, and a competitor.

The Takeaway
The practical hedge is portability. A business already plans for moving its data off a cloud provider; it now needs the same answer for its models. Is the AI inside your product wired to one vendor's specific behavior, or could you swap in another provider's model within days? If nobody can answer that, it is the work to commission before the next AI deployment, not after the next government order. A capability concentrated in one provider is no longer only an availability risk. The order hit Anthropic, and every customer lost the product the same day.

2. Whatever Your AI Says, You Said It

Across three countries, courts are converging on a single idea: a company is responsible for what its AI tells people, the same as it would be for any employee or any line on its website. There is no settled rulebook yet, and what counts as a safe thing for an AI to say is landing differently in every jurisdiction.

The clearest case is also the most ordinary. Air Canada's website chatbot told a grieving customer he could book a flight and claim a bereavement discount afterward. That was not the airline's policy. When he sued, Air Canada argued the chatbot was a separate entity responsible for its own statements. In early 2024 a Canadian tribunal rejected that outright, held the airline accountable for everything on its site including the bot, and ordered it to pay. A company owns what its chatbot tells a customer.

Defamation is the next front. Google's AI Overviews, the AI-written summary that now sits at the top of search results, generated false statements about two companies, tying them to scams. None of that appeared in the actual search results; the AI produced it. In May the Regional Court of Munich ruled that Google itself was the publisher of those statements, because its AI had written them in its own words, and it rejected the argument that users could simply click the links to check. Google is appealing the ruling.

US courts are arriving from a third direction. In 2025 a federal judge in Florida let a wrongful-death suit against an AI chatbot maker proceed, treating the chatbot's output as a product rather than protected speech; related cases over teen harm settled in January 2026. The shield US companies have leaned on for nearly thirty years is Section 230, the 1996 law that says an online platform is not the publisher of what its users post. It is the reason a website can host customer reviews or comments without being sued over them. That shield may not reach AI output at all, because the model generates the content rather than a user, and Section 230's own authors, former lawmakers Ron Wyden and Chris Cox, say it was never meant to cover what an AI produces. The one defamation case an AI company has won, Walters v. OpenAI, was dismissed on narrow facts rather than on any grant of immunity. California, meanwhile, has passed a chatbot law that carries $1,000-per-violation private claims.

For a board, the problem is the patchwork. The same AI feature can be lawful in one US state and actionable in the next, tolerated in one country and litigated in another, under contract law in one place and defamation or product-liability law in the next. A company that ships one AI experience to the whole world is exposed to the strictest jurisdiction its AI can reach.

The Takeaway
Treat anything your AI says to a customer as a statement the company will defend in court somewhere. Two pieces of practical work follow: log what the AI tells people and build a way to retract a damaging claim quickly, and map where your AI speaks to customers against the jurisdictions that will hold you liable for it. Then the strategic choice surfaces. Run one AI experience worldwide at the strictest jurisdiction's standard, or vary it by market. Hallucination is a property of these systems, so that answer belongs in the deployment plan, not the post-incident review.

3. The AI Lawsuit Names the Board, and the Insurer May Not Be There

The legal exposure from artificial intelligence is becoming personal to the board members and senior executives who oversee and run a company, and it is arriving at the moment the insurance meant to protect them begins to carve AI out.

Start with the duty. Under a Delaware legal standard known as Caremark, a company's board members can be held personally liable not for a bad business outcome but for failing to put any system in place to monitor a known risk. Courts treated that as nearly impossible to prove for years, then revived it: in the case over Blue Bell Creameries' listeria outbreak, board members faced personal liability for having had no food-safety oversight at all. Legal scholars, including at Harvard's ethics center, now argue the same duty reaches AI, and recent Delaware rulings have extended the oversight duty to senior officers as well. A board that lets AI into products or operations without a system to oversee it is exposed on that theory.

The lawsuits are no longer hypothetical. In January 2025 the Securities and Exchange Commission brought its first AI-washing case against a public company, Presto Automation, for overstating what its drive-thru ordering AI could do. (AI-washing is inflating or misrepresenting a company's AI capability, usually to lift its valuation.) The SEC has made AI-washing an enforcement priority, and shareholder suits are following a clear pattern: a company promises more than its AI delivers, the share price falls when reality catches up, and investors sue. The arc mirrors cybersecurity, which became a board-oversight and disclosure problem after the SEC's cyber rules. AI is traveling the same road faster.

As that exposure shifts onto the board and its officers, the coverage that protects them personally is pulling back. Directors-and-officers insurance, or D&O, pays the legal costs and damages when board members and executives are sued over how they ran the company. Insurers are now writing AI exclusions into it. One carrier, Berkley, filed an exclusion that would deny coverage for claims arising from "any actual or alleged use, deployment, or development of artificial intelligence." Some D&O policies, more often those covering private companies, exclude claims tied to cyber incidents, and an insurer could read such an exclusion broadly enough to deny an AI claim too. A board member sued over an AI-oversight failure could find the policy does not pay.

The Takeaway
Put two items on the calendar before the next D&O renewal. First, read the policy for an AI exclusion, or a broad cyber exclusion that an insurer could stretch over an AI claim; the protection the board and its executives assume they hold may have quietly narrowed. Second, get the board's AI-oversight system down in writing, who owns it and what it watches, because the Caremark standard turns on whether a system existed, not on whether the AI made a mistake. The exposure is going personal at the same moment the coverage for it is thinning.

4. Cheaper Cyber Insurance Is the Warning Sign

The price of cyber insurance is falling, and the cheaper it gets, the easier it becomes to mistake a policy for protection. A cyber claim is denied far more often than most buyers expect, and a soft market widens the gap between having coverage and being protected.

Start with the price. Gallagher Re, a broker that arranges the coverage insurers themselves buy, known as reinsurance, reported that US cyber reinsurance rates fell 32 percent at the April renewal, the second renewal in a row to drop by roughly that much. The driver is a flood of capital, not a safer threat environment. The market has done this before. Cyber cover was cheap and loosely underwritten until about 2020; then ransomware and the Colonial Pipeline attack hit, the total premiums insurers collected rose 74 percent in a single year, and insurers began turning applicants away. A cheap market is the part of the cycle that comes before the expensive one.

The bigger problem is whether the policy pays at all. Fitch Ratings found that only about a quarter of cyber claims in 2024 closed with a payout, down from a third the year before, and a leading reason a claim fails is the application itself rather than any exclusion. When a company buys cover, it certifies the security controls it has in place: multifactor authentication (a second login step beyond a password), backups, limits on administrative access. Insurers now check those answers against reality after a breach. In the case that put this on the map, Travelers moved to rescind a manufacturer's policy following a ransomware attack because the company had certified it used multifactor authentication for privileged access when multifactor authentication was running only on the firewall, not on the system that was hit. The policy was declared void from the day it was written, and the company absorbed the full cost of the attack.

A second denial path is widening. After Merck claimed $1.4 billion from the 2017 NotPetya attack and its insurers tried and failed to deny it as an act of war, the industry rewrote the rules, and since 2023 Lloyd's of London has required cyber policies to exclude state-backed attacks. A company hit by a government-linked group can now face the denial Merck escaped.

Underneath all of it, the risk is concentrating. This month a self-spreading worm forced changes to npm, the software-dependency manager beneath most modern applications, and a flaw in Oracle's PeopleSoft was exploited against more than 100 organizations. An attack on shared software hits every user at the same time. Insurance works by spreading risk across customers whose losses arrive separately, so a single event that strikes thousands at once is the kind it covers least comfortably.

The Takeaway
A cheaper policy is worth less than it looks if it will not pay, and the most common reason it will not is the gap between the controls you certified and the controls you actually run. Before the next renewal, confirm that every protection named on the application, multifactor authentication first, is deployed everywhere you said it was and has stayed that way. Then read the state-backed-attack exclusion, and ask whether one compromised piece of shared software could exceed your limit. A low premium is a statement about the market's spare capital, not about your odds of collecting.

5. They Lived on the Firewall for Eighteen Months

The security hardware meant to keep attackers out, and the outside firm hired to run a company's technology, are the two places monitoring rarely reaches. They are also where a patient intruder settles in for a year or more.

In June, researchers at the security firm Volexity disclosed that a China state-linked group it tracks as VerdantBamboo had held access to a victim's network for at least 18 months by living on edge appliances: the firewalls, storage boxes, and network gear that sit at the perimeter. The likely way in was a breach at the victim's managed service provider, the outside IT firm that ran its systems. From the appliances the group stole administrator credentials and virtual private network settings, then moved into email and internal systems while sliding past the normal logins. Mandiant, the incident-response arm of Google, has separately tied the same actor to theft of legal and trade-secret material from US law firms and technology companies.

Eighteen months is not unusual. Mandiant reports that intruders hiding on edge appliances go undetected for nearly 400 days on average, and that these devices have become a prime target precisely because they cannot run the endpoint-detection software that watches laptops and servers. They are blind spots by design, and standard 90-day log retention means the record of how the attacker got in is often gone before anyone investigates.

Two gaps keep these devices dark, and both are about who is responsible. The first is ownership. A company assumes its managed service provider secures the firewall, while the provider's contract often covers only patching, upgrades, and keeping the device online, not inspecting how it is configured. Whether the company owns the equipment or rents it, the security of the box lives in whatever the agreement actually says, and that line is usually unwritten. The second gap is method. Catching an intrusion like this is active work. Someone has to examine the appliance for unauthorized SSH keys (the digital credentials an intruder installs to keep a way back in), altered configuration files, and processes that should not be running. Nothing pings when those appear. A person has to go and look.

When the provider itself is the target, the blast radius is the customer's. In 2021 a compromise of Kaseya, software used by managed service providers, cascaded through about 50 of them to as many as 1,500 customers; one Swedish grocery chain had to close 800 stores. The provider's breach becomes yours, and you rarely have visibility into either.

The Takeaway
The fix lives in the managed-services contract, not a hallway assumption. Two lines belong in writing: who inspects the configuration of your internet-facing appliances, not merely who patches them, and how often someone actively checks for new SSH keys and changed configs that no alert will ever raise. The firewall is the one device that cannot watch itself, and the provider you assumed was watching it may only be keeping it switched on.
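
The active check this section describes (SSH keys nobody approved, configuration files that changed) can be scripted as a comparison against a known-good baseline. The following is an added example, not part of the original brief: it assumes the appliance's authorized_keys file and configuration files have been exported to an analysis host, and every key, file name and the baseline layout are constructed for illustration. It does not cover the process check.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key-type names

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (fingerprint or None, comment or raw line) per key line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps a quoted option as one token
            # Options such as from="..." come before the key type.
            idx = next(i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES))
            entries.append((fingerprint(tokens[idx + 1]), " ".join(tokens[idx + 2:])))
        except (ValueError, StopIteration, IndexError):
            entries.append((None, line))  # never skip a line silently in an audit
    return entries

def audit(baseline, keys_text, configs):
    """Compare exported keys and config contents with the recorded baseline."""
    findings = []
    for fp, note in parse_authorized_keys(keys_text):
        if fp is None:
            findings.append(("unparseable-key-line", note))
        elif fp not in baseline["approved_keys"]:
            findings.append(("unapproved-ssh-key", f"{fp} {note}".strip()))
    for path, data in sorted(configs.items()):
        expected = baseline["config_sha256"].get(path)
        if expected is None:
            findings.append(("unexpected-config-file", path))
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(("config-changed", path))
    for path in sorted(set(baseline["config_sha256"]) - set(configs)):
        findings.append(("config-missing", path))
    return findings

def _constructed_key(seed):
    """Constructed sample blob shaped like an ed25519 public key."""
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()

# Constructed sample data: one approved key, one key nobody approved.
ADMIN_KEY = _constructed_key(b"approved-admin")
ROGUE_KEY = _constructed_key(b"not-in-baseline")
KNOWN_GOOD = {"vpn.conf": b"tunnel corp\n", "fw.rules": b"deny any any\n"}
BASELINE = {
    "approved_keys": {fingerprint(ADMIN_KEY)},
    "config_sha256": {p: hashlib.sha256(d).hexdigest() for p, d in KNOWN_GOOD.items()},
}
CURRENT_KEYS = f"""# exported from the appliance (constructed sample)
from="10.0.0.5" ssh-ed25519 {ADMIN_KEY} netops@example
ssh-ed25519 {ROGUE_KEY} backup
"""
CURRENT_CONFIGS = {**KNOWN_GOOD, "vpn.conf": b"tunnel corp\ntunnel extra\n"}

def run_sample():
    return audit(BASELINE, CURRENT_KEYS, CURRENT_CONFIGS)

if __name__ == "__main__":
    print(*run_sample(), sep="\n")
```

The baseline has to be stored off the appliance, since an intruder who controls the device can rewrite anything kept on it.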

6. Cleared in Washington, Banned in Brussels

A Russia-linked transaction your compliance team clears under US rules can be a violation under European rules the same afternoon. The two largest sanctions regimes are moving in opposite directions, and the gap between them is now your company's problem to manage.

On June 9 the European Union proposed its 21st sanctions package against Russia. It would add close to 90 banks to the full sanctions list, pushing the total past 100; ban 11 crypto platforms accused of helping Moscow evade sanctions; and, for the first time, let the bloc bar an entire non-EU country's crypto services if that country hosts evasion platforms. It also tightens export controls on metals and holds the Russian oil price cap in place into 2027. The package still needs unanimous approval from all 27 member states, with Hungary historically resistant, so the details may move. In the same week the United States went the other way: the Treasury's Office of Foreign Assets Control (OFAC, the US sanctions enforcer) reissued a license extending authorization for the Sakhalin-2 energy project, part of a broader pattern of delistings and widened carve-outs even as the underlying designations stay on the books.

This collision has happened before, and it used to run the other way. In 2018, when Washington left the Iran nuclear deal and reimposed sanctions, the EU activated its blocking statute, a law that forbids European companies from complying with certain US sanctions, leaving firms caught between breaking American law and breaking European law. Back then the US was the aggressive sanctioner and Europe the reluctant partner. On Russia the roles have flipped. Europe is escalating while Washington eases, and the company exposed now is the US multinational that assumes an OFAC clearance settles the question.

It does not. A European asset freeze applies to any transaction touching a sanctioned party regardless of the US position, the newest measures reach banks and crypto firms based outside the EU, and screening a deal against the US list alone no longer tells a company whether it is clean.

The Takeaway
If your business touches Russia-linked counterparties, energy, or crypto rails, stop treating a US clearance as a global green light. Screen against the US and EU lists as two separate tests, because one can clear a transaction that the other freezes. Reconfirm any Russian-energy exposure, Sakhalin-2 in particular, before the current US authorizations lapse this month, since a license that exists today may be gone at renewal. The two regimes no longer move together, and no regulator is reconciling them on your behalf.

7. In Europe, a Closed Deal Is No Longer Closed

A transaction you signed, funded, and closed in Europe can now be reopened by a government up to five years later.

The Council of the European Union adopted a new foreign-investment screening regulation on June 8. It requires every member state to screen inbound investment in artificial intelligence, semiconductors, quantum, critical infrastructure, and strategic raw materials; it ends the practice of waving through investors from allied countries, including the United States; and it lets national authorities "call in" completed deals for review between 15 months and five years after they close. It enters force around August and applies about 18 months after that.

The power to unwind a closed deal is not new. The United States pioneered it: its Committee on Foreign Investment, known as CFIUS, forced a Chinese owner to sell the dating app Grindr three years after that purchase had closed, and later drove the fight to separate TikTok from its Chinese parent. Europe is now standing up its own version of that review, and its central concern is the same one CFIUS was built for, state-linked investors acquiring strategic assets, with China the recurring worry. Most cases will involve neither US nor allied buyers. What changed for American companies is narrower but real: the regulation drops the fast lane that allied investors, the United States included, used to receive. A US acquirer of a European AI or chip asset is no longer waved through as a friendly party. It faces the same mandatory review, and the same multi-year reopening risk, as anyone else.

It closes the week's pattern. The AI a company depends on can be switched off by order, what that AI says is the company's liability, a cyber policy may not pay when it is needed, and now a European deal that has already closed is not necessarily final.

The Takeaway
Any European acquisition in AI, chips, or critical infrastructure now needs foreign-investment screening built into the timeline from the first term sheet, and a board that understands "closed" carries a five-year tail in Europe. Allied-investor status used to be a shortcut through that review. It is not one anymore. Of all the assumptions this week put in question, the most basic is the last: that a signed, closed deal is a finished one.
