Three Government Switches in Three Weeks
The people who make the rules keep changing them — and the pattern is showing up in places that have nothing to do with each other.
Start with the Pentagon. Federal News Network reports the Department of Defense has suspended the rollout of phase two of the Cybersecurity Maturity Model Certification — CMMC — the program that was set to require defense contractors to pass third-party security assessments before winning contracts. New assessment requirements are halted, and the department has launched a sixty-day, top-to-bottom review of the entire program. Roughly eighty thousand companies were on track for those assessments. Contractors and the providers who serve them spent years and real money preparing for a deadline that just stopped existing.
But read the fine print, because here’s the detail that matters. The department suspended the assessments. It did not suspend the security requirements underneath them. Every data-protection obligation contractors carried before the announcement, they still carry. The deadline moved. The duty didn’t.
Now watch the same hand move in an entirely different arena. Reuters reports the Commerce Department has lifted export controls on Anthropic’s most advanced AI models — Fable 5 and Mythos 5 — restoring global access after the company implemented new safeguards. Remember, this is the same government that switched those models off in the first place. The most capable AI on the market went dark by directive, and now it comes back the same way.
And OpenAI’s newest model shipped through a gate you may not have noticed. Engadget reports that GPT-5.6 launched to the public on July ninth — after a government review that was, officially, voluntary. OpenAI held the release until the review concluded, and the White House insists no permission was ever required. Read that carefully: nobody needed anybody’s approval — and the launch date of a flagship American AI product still wasn’t set in a boardroom. It was set when the government’s review ended.
So line up what’s observable. A compliance deadline years in the making, un-set by memo — while the obligations underneath it stand. The most advanced AI models, switched off and switched back on by directive. A flagship model launch, gated on a government review. Three switches, three flips, one after another. That’s what happened. Why it’s happening — and why it won’t stop — is where this gets uncomfortable.
Why AI Is Governed by Leverage, Not Law
The reason the switches keep flipping is that the normal machinery for governing technology — legislation, rulemaking, published standards — takes years, and this technology became strategically important in months. When something matters to a state faster than policy can form around it, the state doesn’t wait. It governs with whatever leverage it already has. And leverage doesn’t look like law. It looks like switches.
Watch how far that’s already gone. The Financial Times reports OpenAI has floated giving the United States government a five percent ownership stake in the company — early conversations, as part of a plan that would have every leading American AI lab do the same. Sit with that for a second. Not a regulation the company would comply with. Not a standard it would certify against. An equity conversation — the kind of arrangement you negotiate, not the kind you legislate. And put a number on it: at OpenAI’s latest valuation, five percent is roughly forty-two billion dollars — more than the government paid for its entire stake in Intel, and where Intel traded shares for funding, this would be a gift. In plain terms: the rules governing the most important technology of the moment are being worked out as deals between a government and individual companies, one at a time.
And here’s why neither side walks away from the table. Reuters reports that CISA — the government’s own cybersecurity agency — is using Anthropic’s Mythos model to audit federal code repositories for vulnerabilities, and it’s finding real bugs. The government isn’t just standing at the gate deciding what these companies can ship. It’s a customer, operationally dependent on the very models it’s switching on and off. The leverage runs in both directions — which is exactly why this settles into a standing arrangement instead of resolving into law.
Now, the fair objection: maybe this is one administration’s style, and it passes. Except Reuters also reports Beijing has convened Alibaba, ByteDance, and the startup Z.ai to discuss curbing overseas access to China’s top AI models. The other superpower, with an entirely different political system, is reaching for the identical move. When both sides independently arrive at the same behavior, that’s a structure, not a personality.
Strip away the specifics and the mechanism is this: AI became state infrastructure before it became a regulated industry, so it’s governed by leverage instead of law — and leverage gets exercised as often as circumstances change. And notice that CMMC fits the same shape: the obligations live in regulation and contract, and those don’t move — but the assessment deadline was an administrative gate, and gates flip on a memo. That’s not an emergency measure. That’s the operating environment now.
CMMC Paused — Your Obligations Didn’t
For the MSP, this lands in one specific place: the gap between what your revenue is pegged to and what your client’s obligations are pegged to.
Look at what’s happening inside the channel right now. CRN talked to the MSP executives closest to the CMMC market, and their message was blunt: CMMC is not dead. The data-security requirements underneath the program didn’t move an inch. But that’s not what clients heard. Clients heard “paused,” and the calls started — can we stop the assessment prep, can we defer the spend, can we wait and see. And here’s the trap: if the compliance work was sold as get-ready-for-the-deadline, the client is right to pause it. The deadline is gone. The thing they bought no longer has a date attached. The provider who priced the deadline just watched the government reprice their pipeline with a memo.
Now flip it, because there’s a version of this MSP who’s in a very different position. The provider who sold the same client the same work as standing security posture — meet the obligations you already carry, stay ready for whatever shape the requirement takes next — has nothing to walk back. When the review lands in sixty days and the program comes back rewritten, and history says pause-and-review is how programs get rewritten, not retired, that provider’s clients are already positioned while everyone else’s are restarting from a dead stop. Same work. Same client. Opposite outcomes — decided entirely by what the engagement was anchored to.
And that’s the choice this moment puts in front of you, because it’s bigger than CMMC. Every commitment in your stack is anchored to something — a deadline, a default, a model that ships, a rule that holds. You can anchor your commitments to the current rule-state and reprice every time a switch flips — reactive, unpaid, explaining to clients why the thing they bought changed. Or you can anchor them to the obligations and outcomes that survive the flip, and let the switch-flipping become the reason clients need you instead of the reason they pause you.
Because the obvious pushback is that this is Washington noise, and your defense-adjacent clients are maybe a tenth of your book. But the anchoring problem isn’t a CMMC problem: passkey defaults, crawler defaults, model availability — every client’s environment sits on rules someone else can flip, and CMMC is just the flip that came with a press release. The question isn’t whether you have contractors as clients. It’s how many of your commitments quietly assume the current rule-state holds — and the honest answer is: count them before a switch does it for you.
What to Consider
- Run the anchor audit on your own book, and make it a list, not a feeling. Go contract by contract and flag every commitment whose value dies if a date moves, a default flips, or a model goes dark — deadline-pegged compliance projects, integrations that assume a specific model stays available, configurations built on a platform default someone else controls. Most shops have never seen this exposure in one place, and CMMC providers discovering it in real time are finding it on a client call rather than on a worksheet.
- Rewrite the flagged commitments against the obligation, not the date. For each deadline-pegged engagement, name the standing duty underneath it — the data-protection requirement, the security outcome, the contractual obligation the client carries regardless of the assessment calendar — and re-anchor the scope language to that. The work barely changes; the justification becomes something a memo can’t erase, which is the difference between a pause request and a renewal.
- Pre-write the switch-flip response before the next one lands. Decide now what happens to scope, pricing, and client communication when a rule your commitments depend on changes — who calls the client, what the reframe is, what stays billable. The providers improvising that answer on CMMC are proving what improvisation costs; the sixty-day review gives you a known date to rehearse against.
If this trend continues: Within the next twelve months, at least one more rule your clients’ environments depend on gets flipped by directive rather than legislation — and the MSPs who inventoried their rule-state exposure will absorb it as a scoped, billable adjustment while everyone else runs another round of unpaid emergency calls.

