What Trump’s National Security AI Memo Gets Right—and Leaves Unresolved

President Donald Trump signed National Security Presidential Memorandum 11 (NSPM-11) on June 5, directing U.S. national security agencies to accelerate artificial intelligence (AI) adoption and revoking certain restrictions imposed by President Joe Biden’s administration. The memo is the national security complement to Trump’s broader AI agenda, which has sought0.to accelerate U.S. AI development, roll back Biden-era oversight requirements, and maintain U.S. technological dominance over China.

Notably, the memorandum requires agency’s to terminate contracts with AI companies that repeatedly limit government use of their technology (largely considered a response to the Pentagon’s legal battle with AI firm Anthropic), orders the Defense Department to update its policy on autonomous weapons, and vests accountability for AI use within the military chain of command rather than external regulators.

Below, CFR Senior Fellows Vinh Nguyen and Michael Horowitz assess the directive’s implications for AI governance and U.S. national security.

Assured intelligence: How Washington can learn to trust the AI it cannot build

Vinh X. Nguyen served as the NSA’s first chief responsible AI officer and chief data scientist for operations, leading AI adoption across agencies. He also served on the National Intelligence Council as the intelligence community’s most senior cyber analyst.

The national security enterprise runs on AI infrastructure it does not own. The hyperscalers built the compute; the frontier labs built the models. The United States is among the largest customers of a technology it did not design, cannot replicate, and cannot easily walk away from—and it is only now working out what that means.

Managing that dependence is the purpose of Trump’s directive, NSPM-11, on “Artificial Intelligence in the National Security Enterprise.” The directive is neither deregulation nor acceleration, but the expression of a community deciding how to operate from a position it did not choose: no longer in control of the core technology, even where it remains ahead. The administration’s answer is to accelerate adoption for strategic competition while embedding assurance and accountability, treating speed and safeguards as joint requirements rather than a trade-off.

Call it an assured intelligence model: harness the technology but build the means to trust it.

Manufacturing leverage

Unable to outbuild the frontier, the government instead shapes its relationship with the firms that own and operate these critical capabilities. The incentives are commercial and collaborative: lucrative contracts paired with partnerships in AI security research, threat intelligence sharing, and combating adversarial distillation that replicates frontier capabilities. Penalties are built into the contract. The central demand is that no commercial entity be able to disable, degrade, or materially modify a fielded system without the government’s knowledge and approval—no “kill switches”—with contract termination as the backstop. The hedge against concentration is also structural, rapid onboarding of multiple rivals so no single one becomes a choke point.

That demand cannot be read apart from the standoff between the Department of Defense and Anthropic. That conflict began when the AI firm refused to drop two contractual limits—barring its model from being used in lethal autonomous weapons and domestic mass surveillance—and the Pentagon, demanding use for “all lawful purposes,” designated the firm a supply-chain risk and turned to other vendors. The fight turned on two questions: who controls a deployed system and what it may lawfully do.

The no-disable clause answers the first question on the government’s terms. On the second question, the memo operates on two tracks, deferring the weapons rules [PDF] for revision within ninety days and drawing an immediate line against unlawful domestic surveillance. But the deeper question the standoff exposed remains unresolved: who gets to draw that line. Is it the lab, the executive’s own reading of “lawful,” the courts, or Congress? The line exists; who holds the authority to set it does not.

Checks and validation

The framework established by the Biden administration routed frontier-model testing through the National Institute of Standards and Technology, a civilian standards body, on a voluntary basis and pressed for shared international norms. This new Trump approach brings testing in-house and makes assurance a term of the contract. The standard is precise. AI must be reliable enough to perform as required, robust enough to hold up beyond expected conditions, steerable to the commander’s intent, and controllable when it drifts—all resting on the security of systems across the stack. In practice, the standard means an AI-powered system is secure, tested before deployment, monitored while it runs, and severable the moment it goes wrong.

But a standard is only as good as the means to verify it, so the enterprise builds its own assurance infrastructure—independent evaluation and benchmarking; standardized testing and validation methods; a dedicated test range; and the talent, compute, and research to run them. Accountability is anchored where authority already lives—agency leaders and commanders within the constitutional chain of command.

Codify and practice what works

The executive should not bear this burden or draw the line of unlawful domestic surveillance alone. The authority to set the limits of AI’s national security parameters belongs with Congress, which can provide legal guarantees to the prohibition that is in dispute. Lawmakers should incorporate the directive’s major elements into the upcoming defense and intelligence legislation: the revised weapons autonomy rules once issued; the assurance and accountability mechanisms, including the ban on unlawful domestic surveillance; and funding for talent, compute, and independent evaluation. Codification turns a posture into a clear, credible commitment.

Every high-stakes, regulated enterprise now faces the same crossroads. It must reject false choices between accelerating AI deployment with little guardrails and halting its use, and instead take the harder middle path that requires adopting AI responsibly, building the assurance and accountability infrastructure to manage risk, and creating leverage to guard against capture by a few firms. The task is not to debate AI governance in the abstract but to make it work by using this assured intelligence model to harness a defining technology while managing risk.

What governments and enterprises require and buy over the next three years will determine who operates at scale—and on whose terms—for a generation.

Trump’s National Security Memo on AI Is All About Trust

Michael C. Horowitz previously served as deputy assistant secretary of defense for Force Development and Emerging Capabilities and director of the Emerging Capabilities Policy Office.

President Trump’s NSPM-11 on AI characterizes President Biden’s NSM-25 AI memo, which it replaced, as a document that “burdened American AI adoption.” If you look past the typical White House rhetorical flourishes, NSPM-11 shows more continuity than change on actual AI policy affecting national security agencies.

The memo’s emphasis on accountability—particularly a human chain of command running from the American people through the president to the warfighter, with commanders responsible for ensuring AI is used appropriately—aligns with arguments that experts from both parties have made for years. The right approach to governing military AI is to ensure that humans remain responsible and accountable. If the memo’s accountability language is taken seriously throughout the Trump administration, it would be a meaningful step that is also consistent with the Biden memo that NSPM-11 replaces. However, whether anyone trusts this White House to implement a policy that emphasizes responsible AI is another question.

Some of the changes are common sense. For example, NSPM-11 requires an update to the Pentagon directive on autonomous weapon systems, Directive 3000.09—a move that was already anticipated and that makes sense given the rate of technological change. Moreover, with the high level of public scrutiny of a document meant for internal bureaucratic consumption, updating it to make it more publicly comprehensible (for example) could be beneficial. It all depends, of course, on the substance of the update, which remains unknown.

The provisions likely to attract the most attention are those asserting the government’s rights over procurements and contracts with AI companies. The obvious subtext here is the dispute between Anthropic and the Pentagon. Under Secretary of Defense Pete Hegseth’s leadership, the Pentagon is not one to back down, but it is worth asking how the United States will benefit if it is deprived of the talent and technology of one of the world’s leading AI companies.

That points to the memo’s central credibility problem: the gap between the words on the page and beliefs about implementation. There’s clearly a breakdown in trust between the White House and Congress on AI given the growing heat surrounding all AI issues politically. There are also mounting concerns that parts of the Trump administration might not feel bound by the rules that Congress sets. The White House has spent the past eighteen months demonstrating its belief that executive power has no constraints. A memo that emphasizes accountability, chain of command, and the rule of law lands differently in  Trump’s second term than a similar memo might have landed in a prior administration—or in whatever comes next.

A human accountability framework only works if the people enforcing it respect institutional checks and balances. This is one reason why Congress should continue paying close attention to AI’s national security uses in this National Defense Authorization Act cycle.

This work represents the views and opinions solely of the authors. The Council on Foreign Relations is an independent, nonpartisan membership organization, think tank, and publisher, and takes no institutional positions on matters of policy.