The Plug Gets Pulled. Then What?

A thought on known risks, unknown risks, and the questions nobody is asking about AI dependency.

Friday 13th June, 2026, 5:21pm Eastern Time.

The US government sent a letter to Anthropic. By the time most of Europe had finished dinner, two of the most advanced AI models in the world, Claude Fable 5 and Mythos 5, had been switched off. Not restricted, switched off. For every non-American user on the planet, including Anthropic's own foreign-born employees, without notice, without an appeals process. Zero allied-nation exemption.

Gone, like dinner in Europe.

Now, the geopolitical commentary has been plentiful this week and while the sovereignty debate is important, I'm not going to rehash it. What I want to talk about is something quieter, something that hasn't been written about yet, and something that I think is genuinely the more dangerous story for most businesses.

The threat you know versus the threat you don't.

There's a risk management principle worth revisiting here. A known adversary with predictable motives is manageable, you can architect around a known threat model, you understand what they want, how they might act, and you build your defences accordingly.

An unpredictable actor, even a nominally friendly one, is fundamentally harder to defend against. Not because they're more powerful, but because you can't model the risk:

What triggers action?

What is the notice period?

What is the threshold for escalation?

Late last week demonstrated that for US-hosted closed AI models, the answer to all three of those questions is, by the way: unknown, none and unknown.

Have any other risks on your risk register that look like that?

I want to be clear though: this isn't an anti-American argument. I'm genuinely an admirer — of the innovation culture, capital markets, the research institutions. The US AI ecosystem has produced extraordinary things, and those things have genuinely made the world better, probably.

Admiration however, doesn't make for good risk management.

The angle nobody's writing about.

Here's the piece I haven't seen anyone address.

Businesses have been embedding AI into their operations at extraordinary speed, not dabbling but embedding. Customer service workflows, document processing, deal analysis, credit decisions, product features, national security?And where AI has gone in deep, in many cases, people have come out. Sad, but true. Processes have been rebuilt, institutional knowledge has been retired, staff redundancies have been made on the back of capability that the business doesn't own and can't control.

And then the plug gets pulled.

Think about what that actually means operationally, this isn't like a SaaS tool going dark whereby you lose a feature, you find another tool, you move on. This is more like going from Excel back to... whatever people used before Excel. At least there'd be a booming market in microfibre cloths, with all the dusting off that would need doing.

The deeper the embedding, the more catastrophic the discontinuity. If your customer service operation runs on a wrapped AI API, if your analysts rely on AI-generated deal intelligence, if your product itself is AI-powered and the underlying model just got export-controlled overnight, what's your recovery plan? How long does it take to rebuild? And crucially, who did you let go six months ago whose knowledge you now desperately need back?

This is the operational risk that isn't on most boards' risk registers and trust me, it should be.

The fiduciary question that's coming.

In financial services, this will eventually become a regulatory conversation. At what point does dependence on AI infrastructure you don't control, infrastructure subject to arbitrary withdrawal by a foreign government with no notice and no appeals mechanism, constitute a material business risk that boards have a duty to disclose and mitigate?

We're not there yet in terms of formal regulation (the EU sort of, nearly are). But the question is live, and the answer is already obvious to anyone who watched what happened this week.

So, what am I actually saying?

I want to be precise here, because it's easy to read pieces like this as luddite hand-wringing. It isn't.

I'm not saying don't embrace AI. Embrace it. The productivity, the capability, the competitive advantage, it's real and it's compounding. Anyone sitting on the sidelines waiting for certainty is going to find themselves structurally disadvantaged and probably unemployable.

I'm not saying don't embed it deeply. Deep embedding is where the real value is. Shallow usage produces shallow returns, if you're using AI as a fancy search engine, you're leaving most of the value on the table.

I'm not saying it's dangerous and I'm worried about it. Quite the opposite, I'm excited about what's coming. The next two to three years are going to be genuinely fascinating.

What I am saying is, ask the right questions.

Of your own AI stack, of your service providers, of your service providers' service providers. The question is simple: who holds the off switch, and under what circumstances will they use it?

If the answer involves a closed model running on infrastructure ultimately subject to the export control authority of any single government, especially one currently behaving unpredictably, that belongs on your risk register. Not as a reason to stop, but as a constraint to design around.

Own the capability where it matters, understand the dependency stack all the way down and when you're reviewing competing services, ask them the question directly:

Could a unilateral decision by a foreign government permanently disable your service without notice, no exemption for allies, and no appeals process?

Watch how they answer. That's your risk assessment.