Model Dependency Is a Supply Chain Decision

On the evening of Friday 13 June 2026, the US Department of Commerce directed Anthropic to restrict access to its two newest models, Fable 5 and Mythos 5, to US nationals only. Anthropic faced a technical constraint: selectively restricting access by nationality inside shared cloud infrastructure is not straightforward to enforce. Rather than risk non-compliance, they took both models offline for all users globally, including their own non-US employees, while they work to resolve the matter with the government.

Most organisations felt nothing. Fable 5 and Mythos 5 had only just been released, and few had built any operational reliance on them. But the episode made a practical question visible that most leaders have not yet formally asked: if the tools your people use every day were no longer available tomorrow, what would break?

I use AI daily. Claude for thinking, drafting, and expanding what I can deliver. NotebookLM for compressing learning time. Wispr Flow for voice capture to speed up my work over typing. Gemini for images and short video. These tools extend my capability and my reach across a small practice. They are not infrastructure.

If any one of them disappeared tomorrow, it would be an annoying inconvenience. It would not hurt my practice functionally, because the data and the skills that inform my use of AI live outside the platforms in the first place. The safest position with consumer AI tools is to point them at your information rather than letting your information live inside them. The platforms are where that information is accessed, not where it is held.

This week I received a High Distinction in the Cybersecurity and Privacy subject of my Master of Artificial Intelligence, the result of a full trimester of work. When I sat my exam, a couple of weeks ago in a hotel room, I was in the middle of two days of conference presentations, unwell, supporting several active maritime clients, and parenting two children under ten. I went into my Master's with a deliberate attitude. P's get degrees. I gave myself permission to be exposed to the material and to learn from it, without the pressure to overachieve. What AI gives me is the ability to learn in a compacted way, inside the hours I have. The High Distinction was, in the best sense, accidental. I used AI to teach myself the material faster than I could have done alone.

That is the position of a small operator who has built personal AI competency rather than organisational dependency. The tools change what I can do. They do not underpin what I must do.

The IAPP's Navigate: Digital Risk Index 2026 was published before the Anthropic directive. It drew on responses from nearly 600 global professionals working across governance, privacy, AI, and cybersecurity, each asked to identify their top risks from a list of 22.

Political and policy focus on deprioritising governance and compliance ranked first overall at 24%. Legacy or insufficient data governance architecture came in at 21%. Dependency on third-party vendors at 18%. Business deprioritisation of governance at 18%. Risks to cross-border data flows at 17%.

Top 10 digital risks from the IAPP Navigate: Digital Risk Index 2026

Source: IAPP, Navigate: Digital Risk Index 2026.

Every one of those risks was present in the Anthropic event. A government policy decision, delivered without notice, affected cross-border access to a third-party platform, exposing organisations whose data governance had not accounted for that possibility. The directive did not create these risks. It gave them a concrete shape.

The IAPP's broader analysis of digital sovereignty, published in May 2026, framed the practical position of most organisations as a hybrid one: choosing which layers of the technology stack to rely on others for, and on what terms (Simpson, 2026). The question is not whether to have dependencies. Every organisation does. The question is whether those dependencies have been assessed, and whether a plan exists when the terms change. The ISO/IEC 42001 management standard for maritime is becoming the reference for how that assessment is structured, and the wider regulatory picture is kept current across the governance reports.

Maritime organisations already carry this thinking into operations. Flag state requirements, class society approvals, single-source equipment suppliers, and fuel availability during geopolitical disruption all sit inside a dependency map that informs contingency planning. AI tools belong on that same assessment, with the same questions attached.

The break point between a personal tool and an organisational dependency sits at function, not at the size of the team using it.

Consumer tools are the right place to start, and for many small operations, they remain the right long-term answer. A sole operator or small team using Claude or ChatGPT to expand individual capability carries low switching risk. The person with genuine AI literacy adapts when access changes. They carry their competency to a different interface and keep going. The safest version of this is to keep the data, the prompts, the frameworks, and the institutional knowledge outside the platform entirely. The tool is a lens, not a filing cabinet. The companion question — which work belongs to AI in the first place, and which does not — is taken up in Which Problems Don't Belong to AI.

The question changes when AI moves from personal capability to organisational infrastructure. When a workflow breaks without a specific model. When client-facing outputs are generated at scale through a platform you do not control. When your team cannot function if access is restricted. At that point, the governance conversation shifts from literacy to architecture. The same architecture conversation is what makes prompt injection and other agent-era risks manageable rather than abstract.

At enterprise scale, the answer is usually a platform layer rather than a direct model relationship. Microsoft Copilot and comparable enterprise platforms sit above the model layer, which means the underlying model can be updated or replaced without the organisation noticing — a shift I unpacked in The Door That Just Opened Inside Microsoft and in The Model Wars. The dependency shifts from a specific AI model to an enterprise vendor with contractual, regulatory, and commercial obligations that a consumer API does not carry. That shift does not eliminate dependency. It makes it legible and manageable.

The goal of any structured AI adoption programme is to develop people and systems that remain adaptable as tools change. Personal competency is where that starts. Governance is what keeps it from becoming an unexamined liability as the organisation grows.

The Anthropic event will not be the last time a government directive, a commercial decision, or a technical failure makes an AI tool suddenly unavailable. Organisations that have thought carefully about the line between tools and infrastructure will navigate that without disruption. If your organisation has not yet had that conversation, now is the time to have it. The Compass AI Blueprint was built for exactly this kind of assessment — begin the conversation here. Senior leaders working through this at the individual level can take the same questions into a For Executives engagement, and teams who want to build the underlying skills can start with the Academy.

Kristina Agustin is the Founder and Principal Digital Navigator of Southern Sky AI, a governance-led AI adoption practice for maritime leaders. She holds a Bachelor of Laws (admitted, Supreme Court of NSW), AWS Certified AI Practitioner, IWAI Certified AI Consultant, CPD Certified AI Trainer, ISM/ISPS Internal Auditor, and Designated Person Ashore credentials, and is completing a Master of Artificial Intelligence.

Simpson, W. (2026, 12 May). Digital sovereignty through the prism of global law. IAPP. iapp.org

IAPP. (2026, June). Navigate: Digital Risk Index 2026. Download PDF

Fortune. (2026, 13 June). Anthropic disables Fable and Mythos AI models following U.S. government export ban. fortune.com

Al Jazeera. (2026, 19 June). US export ban on Anthropic's AI models further strains alliances. aljazeera.com