Caleb Withers

✍️ NEW PAPER ✍️ The Pentagon’s AI Acceleration Strategy, released in January, targets an “AI-first” warfighting force, accepting that “the risks of not moving fast enough outweigh the risks of imperfect alignment.” The urgency is right. But I worry this elides how quickly alignment could become a central bottleneck on realizing AI’s potential in the national security enterprise. New paper from me (w/ Jay Kim and Ethan Chiu) on this challenge and what to do about it 🧵👇

Dutch Export Controls Don’t Go Far Enough on China The Netherlands can do more to prevent ASML technology from undermining its own national security, writes @michellesnie @CNASdc

A coalition to pause AI can only lose: succeed, and it passes a perilous second-best policy sure to backfire; fail, and it leaves AI politics polarised and in even worse shape. This week, I argue either outcome would lead us away from the narrow path toward getting AI right.

Devin Review caught the axios supply chain attack for multiple Cognition customers before the attack was publicly known. These attacks will be 10x more frequent in the age of AI; it is critical that repo maintainers start using AI for defense as well. (showing one example below where Devin Review caught the attack within an hour of its release - text minorly edited for anonymization)

A point my friend and sometimes co-author @anton_d_leicht makes is that many people in policy implicitly model the AI inference market as a buyer’s market but that really it will be a seller’s market—at least during the next few years when energy + compute are so constrained.

When vulnerability discovery is this fast, we'll likely see more cyberattacks as attackers find vuln's, but maybe also as they're incentivised to use them more recklessly. Any zero-day you're sitting on is more likely to be discovered and patched. For state actors, that might shifts the incentive from sitting on exploits for long-running espionage towards cashing in quickly.

Below is re: AI cyber capabilities. Carlini is an extremely well-regarded and level-headed AI and security researcher (he is not a safetyist who rebranded as “AI security”; he worked on things like neural net adversarial robustness for years at GDM before joining anthropic).

NVIDIA has restarted H200 production for China. But H200s share manufacturing inputs with more advanced US chips, and those inputs are severely supply-constrained. BIS's January rule could permit up to as many as ~1 million chip exports, but requires applicants to certify exports won't reduce chip availability for US customers. However, the rule doesn't say how to evaluate this. In a new report, @fiiiiiist and I lay out a methodology for assessing whether H200 exports could divert chips from US customers, and quantify what the US stands to lose: ifp.org/ai-chip-supply… We distinguish between two forms of diversion: inventory diversion and manufacturing capacity diversion. Based on public information, we judge that: 1. There is weak evidence that exports of existing H200 inventories at current prices would divert supply from US customers. Global Hopper sales have fallen sharply since Blackwells became available. But deployed H200s remain fully utilized in the cloud, and China is reportedly being offered chips at ~$27K/unit, below US market prices available to some customers. Technically, a diversion holds if even one US customer would purchase the chip at the price offered to China. BIS needs non-public pricing data to make this determination. 2. There is strong evidence that new H200 production would divert manufacturing capacity for US customers of comparable or more advanced AI chips. All leading US AI chips share at least one key input with the H200: advanced logic fab capacity, HBM, or CoWoS packaging. All three inputs are severely supply-constrained this year. US hyperscalers and AI labs face enormous backlogs for these chips, meaning freed capacity would very likely serve American customers. These conditions likely apply to the roughly 250,000 H200s reportedly manufactured for NVIDIA between early January and early March 2026, when severe supply constraints on advanced logic wafer fabrication, HBM, and CoWoS capacity were already in effect. 3. Under current inelastic supply conditions, the US loses disproportionately more computing power for every H200 export than China gains. This is because the same inputs and/or manufacturing capacity are being used to produce less powerful H200 chips than frontier AI chips for US customers. Each 100K H200s produced for China could delay ~75K Blackwell B200s — forfeiting 1.7x the processing power per chip. We also provide a comprehensive set of questions BIS can ask license applicants and chip suppliers to assess both inventory and capacity diversion during license reviews, using the private data needed to make these determinations accurately.

Anthropic has been testing a new model called "Mythos" with certain customers: - a "step change" in AI capabilities, including "dramatically higher scores" in coding, academic reasoning and cybersecurity - "currently far ahead of any other AI model in cyber capabilities” - part of a new "Capybara" series of models, which are larger and more intelligent than Opus - more expensive to run than Opus; not yet ready for general release

This is an important and currently overlooked point. The Pentagon declared Anthropic a supply chain risk under two different statutes, and Anthropic had to file two different parallel lawsuits challenging each designation separately. Anthropic now has a preliminary injunction stopping one designation, but the other designation is still legally in effect (although it's not clear whether DoW can enforce it, practically speaking). And two out of three judges on the D.C. Circuit panel that is currently considering that parallel case are Trump appointees who are considered to be front runners for a potential Supreme Court nomination if Thomas or Alito should retire. I think there's a very good chance that they will rule in favor of the Department of War. Legally, Anthropic is still a designated supply chain risk. After reading the N.D. Cal. preliminary injunction order, I am not entirely sure whether that designation has any practical effect, or whether the N.D. Cal. order is broad enough to prevent any enforcement of the parallel SCR designation. I'm still thinking through that question; if anyone has insights, please do share. But even if Judge Lin's order is broad enough to prohibit any enforcement of either SCR designation, I think it's entirely possible that the D.C. Circuit might issue an order limiting the effect of Judge Lin's injunction.

BREAKING: Anthropic has been GRANTED a preliminary injunction re: Pentagon 'supply chain risk' designation by Judge Rita Lin in California but is allowing a stay for one week storage.courtlistener.com/recap/gov.usco…

For more on the evidence base and the implications for evaluation and acquisition—read the full paper: cnas.org/publications/r…

The national security enterprise should also balance meritocratic procurement and economies of scale with the risks of over-consolidation—in both models and evaluators. Many approaches to managing misalignment rely on independent models checking each other’s outputs and behavior, and no single evaluator will reliably catch everything.

✍️ NEW PAPER ✍️ The Pentagon’s AI Acceleration Strategy, released in January, targets an “AI-first” warfighting force, accepting that “the risks of not moving fast enough outweigh the risks of imperfect alignment.” The urgency is right. But I worry this elides how quickly alignment could become a central bottleneck on realizing AI’s potential in the national security enterprise. New paper from me (w/ Jay Kim and Ethan Chiu) on this challenge and what to do about it 🧵👇