Weekly Security Brief

Week of Sunday, June 21, 2026

Key Insights

1. Europe Is Pulling the Plug on American Software

Last week we reported that the US government ordered Anthropic to switch off two AI models worldwide with no notice and no appeal. That was not the beginning of this story. It was the latest in a chain of events that had already convinced European governments to walk away from American software.

The chain started in May 2025 when Microsoft blocked the Outlook email account of Karim Khan, Chief Prosecutor of the International Criminal Court (ICC) in The Hague. The action complied with a US executive order sanctioning Khan after the ICC issued arrest warrants for Israeli officials. A US corporation disabled the email of an international court sitting on allied European soil, without any European legal process. Khan switched to Proton Mail. A month later, a Microsoft lawyer testified before the French Senate that he could not guarantee French data stored in European Microsoft data centers was safe from silent US government access.

European officials call the risk the "kill switch": a US company can disable a product a foreign government depends on because Washington said so. After the ICC email, governments stopped debating whether the risk was real and started replacing the software.

In May this year German intelligence and military agencies replaced Palantir with ChapsVision, a French company whose ArgonOS platform runs locally with no cloud connectivity. On June 16 France's DGSI, the external intelligence agency, ended a decade-long Palantir contract for the same product. Prime Minister Lecornu framed it plainly: "We cannot accept new strategic dependencies in the digital sphere."

The pattern extends well past intelligence agencies. France's Interministerial Digital Directorate ordered every government ministry to formalize a plan to eliminate extra-European digital dependencies by autumn. The scope is 2.5 million civil servant workstations migrating from Windows to Linux, the largest government OS migration in European history. Germany's Schleswig-Holstein state has been migrating its 30,000 workstations to Linux since 2024. Denmark started its own migration after the ICC email incident.

The policy spine arrived on June 3 when the European Commission published the European Technological Sovereignty Package. Its centerpiece, the Cloud and AI Development Act, creates an assurance framework for cloud services whose upper tiers require EU ownership, EU-based personnel, and independence from third-country legal orders. US hyperscalers do not qualify for those tiers as currently structured. The same week, the EU formally adopted a new foreign direct investment screening regulation that eliminates preferential treatment for allied-country investors and introduces a five-year post-closing call-in power. American money no longer gets a fast lane into European critical infrastructure.

Each incident built on the last: the ICC email, the French Senate testimony, the government migrations, the sovereignty legislation. The Anthropic cutoff in June was not the trigger. It was the confirmation that arrived after the decisions were already made.

The Takeaway
If your business sells into Europe or depends on European operations, the technology stack underneath it is about to face procurement restrictions that treat American software the way American procurement treats Chinese software. Two allied intelligence services already walked away from Palantir. France is migrating 2.5 million government workstations off Windows. The question is not whether Europe will follow through. It is whether your European customers, regulators, or partners will start asking if you run on sovereign infrastructure. Build the answer before the question arrives.

2. Somebody Else's Crime Is About to Raise Your Costs

Sanctions were designed to be precise. Target an individual, a company, or a government, freeze them out of the financial system, and leave everyone else's business alone. An investigation published June 17 by the Organized Crime and Corruption Reporting Project shows how thoroughly that precision has been defeated.

OCCRP reporters went undercover and found payment brokers advertising openly on Telegram, offering to move money around EU sanctions on Russia through shell companies in Hong Kong, Dubai, Indonesia, Canada, Germany, and Lithuania. A digital currency called A7A5, pegged to the ruble and linked to a Russian state bank and sanctioned Moldovan oligarch Ilan Shor, has processed more than $93 billion in transactions over ten months. The brokers rotate structures daily, use non-Russian front directors, and take new clients on the messaging app. One sanctions expert quoted by OCCRP said enforcement runs "one to two years" behind the evasion infrastructure.

None of that is your problem, until governments respond. When the precise tool stops working, governments reach for the blunt ones. That escalation is already underway. Tariffs are broadening. Export controls on technology are tightening. The EU has proposed new powers to restrict cryptocurrency services used for sanctions evasion. The UK sent Royal Marines to physically board a sanctions-evading oil tanker in the English Channel. Shipping insurers are repricing routes. Each of those instruments raises the cost of doing ordinary business for everyone, not just the people evading sanctions.

That is the pattern. Criminals build evasion infrastructure. Enforcement falls behind. Governments compensate with trade restrictions and physical interdiction that cannot be routed around as easily. The cost of that compensation lands on freight rates, tariff schedules, insurance premiums, and the price of goods that cross a border.

The Takeaway
Your company is not evading sanctions. But the people who are have made the targeted system unreliable enough that governments are switching to broader tools, and broader tools do not distinguish between the company that broke the rules and the one that didn't. If your import costs, shipping rates, or market access changed in the last twelve months, some of that increase traces back here. The trend has a direction, and it is not toward more precision.

3. Where Does Your Threat Intelligence Actually Come From?

The threat intelligence that feeds your security program has a supply chain, and three links in it just got thinner.

The first is local. The Multi-State Information Sharing and Analysis Center, known as MS-ISAC, was the threat intelligence backbone for state and local government in the United States. It provided threat feeds, around-the-clock monitoring, vulnerability scanning, and incident response support to nearly every public entity in the country, from state agencies down to county health departments, rural water districts, and 911 dispatch centers. When the Department of Homeland Security cut federal funding last year, the Center for Internet Security kept the organization alive by switching to a paid membership model. The result was a 70 percent membership collapse, from 18,574 organizations to roughly 5,600. Thirty-five states and territories no longer participate. The small towns and utility operators most likely to be targeted and least able to defend themselves are the ones that cannot afford dues.

The second is federal. Section 702 of the Foreign Intelligence Surveillance Act (FISA), the legal authority behind a significant share of the nation's foreign intelligence collection, lapsed on June 12 for the first time in the program's history. The House rejected a short-term extension and recessed until June 23. Collection continues under existing court orders through early 2027, but the providers executing those orders now operate on legal authority that is untested and contestable. The government advisories and threat alerts your security team receives downstream are built on that collection. The statute behind it is gone.

The third is commercial. In early June, Google cut more than 100 positions from Mandiant and its Threat Intelligence Group, the team that produces the M-Trends report and tracks the advanced campaigns that shape the industry's threat models. Google acquired Mandiant for $5.4 billion in 2022. The same week it announced the layoffs, it launched AI-powered security tools. The human researchers who investigate real intrusions are being replaced by automation that has not been tested against a real adversary campaign.

Each of those three sources, local, federal, and commercial, feeds the next. Government advisories cite commercial research. Commercial vendors rely on government attribution. Local organizations depend on both. When all three degrade at once, the quality of what reaches your security team is harder to verify.

The Takeaway
Your water district, your power cooperative, your county 911 center just lost the threat feed that told them what to watch for. Your federal threat advisories are built on a surveillance authority that no longer has a statute behind it. Your commercial threat intelligence vendor just replaced human investigators with AI tools that have never worked a real case. The security program your board approved last year was built on inputs that were stronger then than they are now. If nobody has checked whether those inputs still hold, the program is running on assumptions, not intelligence.

4. Every Vendor Is Rushing AI Out the Door. Nobody Is Checking What's Underneath.

In the time it takes to read this paragraph, a software company somewhere shipped an AI feature built on components nobody reviewed. The competitive pressure to add artificial intelligence to every product, every platform, and every internal tool has created a supply chain problem that most companies have not recognized yet, because it sits one layer below the product they actually bought.

On June 17, a North Korean state actor that Microsoft tracks as Sapphire Sleet compromised Mastra, an open-source framework used to build AI agent applications. Mastra packages are downloaded nearly one million times a week through npm, the software registry that supplies components to most modern applications. The attackers published 141 poisoned versions of the framework in roughly 81 minutes using a fake utility package as the delivery vehicle. Microsoft disclosed the compromise the following day. The payload was a credential stealer that harvested cloud access keys, login tokens, and cryptocurrency wallets from any developer environment that installed the update.

Mastra is not a product your company bought. It is a component inside a product your company bought. The AI chatbot a vendor added to its customer service platform, the document summarization a law firm plugged into its review workflow, the automated reporting an accounting tool shipped last quarter, all of these are built on layers of open-source dependencies pulled from npm, PyPI, and similar registries. The developer building the feature installs hundreds of these packages without reading the code. The company selling the finished product does not disclose which packages are inside. The company buying the product has no visibility into any of it.

Three package ecosystems were compromised in the same month. npm had the Mastra attack and the ongoing Miasma worm campaign. PyPI, the Python equivalent, had a variant called Hades that executes a credential stealer every time the Python interpreter starts, without the user importing anything. The Arch Linux user repository had more than 400 packages replaced with versions carrying a rootkit that hides at the operating system level. The common thread is not the technique. It is the target: developer environments where cloud credentials, API keys, and deployment pipelines live.

The Takeaway
The AI feature your vendor shipped last quarter was built on components neither you nor the vendor selected, reviewed, or can name. The rush to add AI to every product has widened the gap between what a company sells and what it can account for inside that product. Security teams audit the software the company runs. Almost none audit the tools and dependencies used to build it. That gap is where a North Korean intelligence service just set up shop.
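One way to close the gap the takeaway describes is to treat the lockfile as the bill of materials it already is: list every package that actually gets installed, direct or transitive, and flag the entries that deserve a look before a build pipeline trusts them. The script below is an added example written for this brief; it is not code from Microsoft, Mastra, npm, or any project named above. It assumes the npm lockfileVersion 2/3 layout (a "packages" map keyed by node_modules path, with "version", "resolved", "integrity" and "hasInstallScript" fields), and the package names in the sample lockfile are constructed placeholders.

```python
"""Inventory what is actually inside an npm lockfile and flag the entries that
deserve review before they reach a build pipeline.

Added example, not code from the brief or from any project named in it. It
assumes the lockfileVersion 2/3 layout ("packages" keyed by node_modules path,
with "version", "resolved", "integrity" and "hasInstallScript" fields). The
package names below are constructed placeholders.
"""
import json

# Constructed sample lockfile: one direct dependency that pulls in one
# transitive utility package with an install script and no integrity hash.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"agent-framework": "^1.2.0"}},
        "node_modules/agent-framework": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/agent-framework/-/agent-framework-1.2.3.tgz",
            "integrity": "sha512-EXAMPLEPLACEHOLDERHASH==",
            "dependencies": {"tiny-util": "*"},
        },
        "node_modules/tiny-util": {
            "version": "0.0.9",
            "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-0.0.9.tgz",
            "hasInstallScript": True,
        },
    },
})

# Registry the organisation expects every tarball to come from (assumption).
TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def inventory(lock_text):
    """Return one record per installed package, direct or transitive."""
    lock = json.loads(lock_text)
    packages = lock.get("packages", {})
    direct = set(packages.get("", {}).get("dependencies", {}))
    records = []
    for path, meta in packages.items():
        if path == "":
            continue  # the root project itself, not a dependency
        # "node_modules/a/node_modules/b" -> "b"; scoped names keep "@scope/"
        name = path.split("node_modules/")[-1]
        records.append({
            "name": name,
            "version": meta.get("version"),
            "direct": name in direct,
            "resolved": meta.get("resolved", ""),
            "has_integrity": bool(meta.get("integrity")),
            "install_script": bool(meta.get("hasInstallScript")),
        })
    return records


def findings(lock_text):
    """Flag lockfile entries a reviewer should examine before trusting a build."""
    out = []
    for rec in inventory(lock_text):
        tag = f"{rec['name']}@{rec['version']}"
        if not rec["has_integrity"]:
            out.append((tag, "no integrity hash: npm ci cannot verify the tarball"))
        if rec["install_script"]:
            out.append((tag, "runs an install script: code executes at install time"))
        if not rec["resolved"].startswith(TRUSTED_REGISTRY):
            out.append((tag, "resolved outside the expected registry"))
    return out


if __name__ == "__main__":
    for rec in inventory(SAMPLE_LOCK):
        kind = "direct" if rec["direct"] else "transitive"
        print(f"{rec['name']}@{rec['version']} ({kind})")
    for tag, reason in findings(SAMPLE_LOCK):
        print(f"FLAG {tag}: {reason}")
```

Run it against a real package-lock.json by reading the file instead of SAMPLE_LOCK. The inventory is the answer to "which packages are inside"; the findings are the short list worth a human look. Packages with install scripts are the ones that execute code the moment a developer runs an install, which is why many teams set `ignore-scripts=true` in .npmrc for CI and allow-list the few packages that genuinely need a build step.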

5. The Bubble Nobody Named Yet

In 2007 the question was whether your bank held mortgage-backed securities. Most companies had no idea, because the risk was bundled and resold under names that hid what was inside. The same structure is forming now, and it is concentrated in one sector.

Private credit is lending that happens outside the banking system. Funds raise money from pension plans, insurance companies, and endowments, and lend it directly to businesses. The market has grown to roughly $2 trillion. According to data from the Bank for International Settlements, loans to software and AI companies within that market grew from $8 billion in 2015 to more than $500 billion last year. A third of all private credit funds are exposed to that single sector.

The money comes from the institutions that hold yours. Pension funds investing retirees' savings. Insurance companies backing the policies that pay your claims. The fund manager decides where the capital goes, and right now it is going overwhelmingly to AI and software companies that have never been tested in a downturn.

The stress is showing. BlackRock's largest private credit fund received withdrawal requests for 13.3 percent of its assets this quarter but can only release 5 percent. Investors who asked for their money back will get roughly 38 cents on the dollar. Partners Group capped withdrawals on an $8.6 billion fund. Goldman Sachs came within one basis point of triggering its own cap. Blue Owl Capital is facing the first lawsuit from the gating wave, a derivative suit alleging inflated valuations and conflicted fees.

These loans are not traded on a public market. The fund manager decides what they are worth, reports that number, and collects fees on it. Nobody outside the fund can verify the math.

The Takeaway
The housing crisis caught people who never bought a mortgage. Their pension fund did, their insurer did, their bank did. Private credit is in the same position now, concentrated in a sector that has never been stress-tested, valued by the same people collecting fees on it, and funded by the institutions your company depends on for insurance, retirement, and credit. When this corrects, it will not announce itself as a private credit problem. It will show up as a premium increase, a tighter credit line, or a pension shortfall, and by then the decisions that caused it will be two years old. Plan accordingly for a few bumps.

6. North America's Trade Architecture Is Being Pulled Apart from Three Directions

The United States-Mexico-Canada Agreement, the trade deal signed in 2018 to replace NAFTA, faces its first mandatory review on July 1. The review is supposed to be procedural: all three countries agree to extend it for sixteen years, or it enters annual reviews and begins winding down. It will not be procedural. All three members are pulling in different directions, and any company that built supply chain assumptions on this deal's stability should revisit them before next month.

Start with Mexico. Companies have been routing Chinese-made components through Mexican factories to claim North American origin and avoid US tariffs. How aggressively the review addresses that practice determines what nearshoring actually costs going forward. The first US-Mexico negotiating round, concluded in late May, focused on automotive rules of origin, steel and aluminum, and what the US calls "economic security," which is its framing for the Chinese content problem.

Then Canada. Prime Minister Mark Carney said in April that Canada's economic ties to the United States were once a strength but are now "a weakness that must be corrected." In January he flew to Beijing and signed a deal with Xi Jinping that cut Chinese tariffs on Canadian canola from 85 percent to 15 percent and opened the door to 49,000 Chinese electric vehicles at a 6.1 percent duty. Ontario's provincial government pulled all American alcohol from its liquor stores, cancelled a $100 million Starlink contract, and banned US companies from bidding on public contracts. Canada is now leading discussions to link the EU trade agreement with the Indo-Pacific trade bloc into a combined market of 1.5 billion people. None of that is the posture of a country planning to quietly extend a US-led trade deal.

Then Washington. Trump has said publicly that he is not looking to renew it. No sixteen-year extension is expected on July 1. If the three countries cannot agree, the deal enters annual reviews, and any member can withdraw with six months' notice. The agreement stays in force during that period, but the certainty it was designed to provide disappears.

The Takeaway
USMCA was the foundation for every nearshoring decision made in the last several years. The July review is not a formality. One member is routing Chinese goods through it, another is openly building trade alternatives with Beijing, and the third says he does not want to renew it. If your supply chain runs through Mexico or Canada, the cost and access assumptions behind that decision are no longer stable. They are on the table next month.

7. Your Liability Insurance Quietly Stopped Covering AI

Last week we wrote about the cyber insurance market and the gap between having a policy and collecting on it. This is a different policy and a different gap.

Earlier this year, the Insurance Services Office (ISO), the organization whose standard policy forms are used by most commercial property and casualty insurers in the United States, issued new endorsements that give carriers the option to exclude claims arising from generative artificial intelligence on commercial general liability policies.

Commercial general liability, or CGL, is not the cyber policy. It is not the directors-and-officers policy. It is the foundational coverage that protects a business against claims of bodily injury, property damage, and personal injury, including defamation and advertising injury. It is the policy every company carries. If an AI-generated customer email contains a defamatory statement, or an AI pricing tool produces a discriminatory outcome, or an AI chatbot gives advice that causes someone financial harm, the general liability policy is where that claim would traditionally land. With these endorsements attached, it may not.

Most mid-market companies have no idea the endorsements exist. They arrive as attachments on renewal documents that few people read past the premium page.

The Takeaway
The cyber policy has its own exclusion problems. The D&O policy is carving out AI governance failures. Now the general liability policy, the most basic commercial coverage a company carries, is pulling back from AI too. Three different policies, three different exclusion trends, all moving in the same direction. If your company uses AI in any customer-facing capacity, the coverage you assumed existed may already have a hole in it. Renewal season is when it becomes permanent or gets patched. Not the time to skip the fine print.
