Breaking News · 8 min read

Google Signed a Classified Pentagon AI Deal. First It Deleted the Rule That Forbade It.

On April 27, 2026, more than 600 Google employees, many of them from DeepMind, asked Sundar Pichai not to sign a classified AI deal with the Pentagon. The next day, Reuters confirmed the deal was already signed. Eight years earlier, a similar letter had worked. This is the story of what changed in between.

600+

Google staff signed the April 27 letter

3,100

Project Maven signatures, 2018

$200M

Pentagon ceiling per AI lab in 2025

2025

Year Google dropped its no-weapons limits

Executive Summary

  • More than 600 Google employees, many from DeepMind, sent Sundar Pichai a letter on April 27, 2026, asking him not to sign a classified AI deal with the Pentagon
  • Reuters confirmed on April 28 that the deal had been signed, allowing the Pentagon to use Google AI for any lawful government purpose
  • Google's 2018 AI Principles included a no-weapons, no-surveillance pledge that was dropped in 2025, the year before the classified deal
  • The leaked contract uses softer language than OpenAI's published agreement: “should not,” “not intended for,” and “appropriate human oversight”
  • Reuters reports Google does not have the right to veto how the government uses its AI, a kind of restriction Anthropic had pushed for and was punished for
  • OpenAI's own published statement claims its agreement has more guardrails than any previous classified AI deployment, including Anthropic's
  • The Department of War is convening a working group of frontier labs to define what “appropriate oversight” means in practice; Anthropic is currently barred and in litigation, and is not on the participant list

The Anthropic Playbook the Pentagon Just Ran Three Times

Three labs, three outcomes. Anthropic refused and was barred. OpenAI signed days later. Google signed in April 2026.

In February 2026, Anthropic asked the Pentagon to add a contractual clause that would prevent its AI from being used for fully autonomous weapons or mass surveillance. The Pentagon's response was not negotiation. It was a label. The Department of Defense designated Anthropic a “supply-chain risk” and barred the company from all Defense Department work. The two are now in court over the designation.

Days later, OpenAI signed its own classified deal. Sam Altman has said publicly he is confident the contract will not allow the technology to be used for mass surveillance in the United States or for lethal autonomous weapons. In a follow-up published statement on the agreement, OpenAI also wrote that “other AI labs have reduced or removed their safety guardrails” in their national-security work, a line readers in the industry interpreted as a competitive distinction from the labs willing to soften commercial protections for the military.

In December 2025, Google had already signed an unclassified deal letting the Pentagon use Gemini. The 2025 contract had a $200 million ceiling, identical to the ceiling on Anthropic's and OpenAI's parallel agreements. The April 2026 deal is the third step. It is classified. It permits use for “any lawful government purpose.” It does not name a specific model.

Each step normalized the next. By April, the only AI lab still refusing was the one that had already been frozen out.

What Google's 2018 Promise Said, and Where It Went

Timeline. 2018: Google publishes AI Principles with weapons pledge. 2018 to 2024: pledge stays live. 2025: limits dropped. April 2026: classified deal signed.
The deletion came first. The deal came after.

Google's first AI Principles page went up in 2018, after the Project Maven protest. The Washington Post describes the pledge it carried as a commitment that Google's AI technology “would never be used for weapons or surveillance.” The page itself, archived in many places, listed four prohibitions plainly worded with no legal hedging.

The list said Google would not build:

  • Weapons whose principal purpose is to cause injury to people
  • Surveillance technology violating internationally accepted norms
  • Technologies whose purpose contravenes widely accepted principles of international law and human rights
  • Anything causing overall harm where benefits do not substantially outweigh risks

That page sat there for roughly seven years. It was a rule the company had drawn for itself, in public, on its own infrastructure, with its own name attached.

In 2025, Google dropped its limits on use of AI for weapons and surveillance, as the Washington Post reported in its coverage of the April 2026 letter. The list of prohibitions came off the page. International law and human rights moved from a categorical prohibition to a category of process consideration: a thing the company says it considers when developing AI, not a category the company says it will not build.

The current Google AI Principles page, still live as of this writing, leans on the word “responsible” and its variants more than a dozen times. The 2018 prohibitions are not on it.

This sequence is the part to notice. Before Google could sign the Pentagon deal, it had to remove the rule that would have prevented it. The deletion came first. The deal came after.

The Three Words That Carry the Whole Contract

Contract comparison. Google waived its veto right. OpenAI retained it. Google must adjust safety filters at government request. OpenAI keeps full discretion.
Side by side: Google's contract vs. OpenAI's contract.

Reuters published one full sentence of contract language. It is the most quoted sentence in the entire story:

“the parties agree that the AI System is not intended for, and should not be used for, domestic mass surveillance or autonomous weapons (including target selection) without appropriate human oversight and control.”

Read it word by word and three problems show up.

“Not intended for” is intent language. It binds purpose, not use. A draftsman who wanted a hard prohibition would have written “shall not be used for.” Whoever wrote this clause did not.

“Should not” is hortatory English. In a contract, “shall” is mandatory and “should” is preferred. The drafter chose the softer one.

“Appropriate human oversight” has no defined meaning in the public reporting. With “appropriate” oversight, target selection by AI is permitted. Without a definition, “appropriate” is whatever the operator says it is at the time of use.

Reuters also reported a second clause that carries even more weight. The agreement does not give Google the right to control or veto lawful government operational decision-making. The wording is from the report, not a verbatim contract leak, but the substance is consistent across the article.

In plain English, even if Google's AI is used in a way Google considers wrong, the company has signed away the contractual right to object. The kind of restriction Anthropic had pushed for, which got Anthropic blacklisted, is the same kind of restriction Google has now agreed to live without.

A side-by-side reading of OpenAI's published account of its own classified deal makes the gap in safeguard architecture visible. OpenAI claims its agreement has “more guardrails than any previous agreement for classified AI deployments, including Anthropic's.” The Reuters reporting on Google's contract does not show the same shape. The reader can decide which of the two readings is more reassuring.

What This Reveals About Cloud AI

The structural fact about hosted AI: the safety stack belongs to the host, not the user. The user sees only the prompt and answer.

The contract clause that has not gotten enough public attention is the one requiring Google to adjust its AI safety settings and filters at the government's request. This is the language that distinguishes Google's deal from OpenAI's. OpenAI kept “full discretion over our safety stack.” Google did not.

This clause exposes a structural fact about every cloud AI service. The fact pre-existed the deal but became visible because of it. The safety configuration of a hosted AI belongs to whoever hosts the model. It does not belong to the user. The host can adjust it at any time. The user cannot verify what configuration is running at any given moment, and has no contractual right to be told if it changes.

For the Pentagon, this is the point. Different operational contexts need different filter behavior. For a private user, this is the part nobody discusses out loud. The same filters that protect the public from a model's worst outputs are the filters that can be retuned for a customer who finds those filters inconvenient.

Most professionals reading this will never paste classified material into Gemini. That is not the parallel. The parallel is that every professional with a confidentiality duty is in the same architectural position as the Pentagon:

  • A lawyer with privileged communications
  • A clinician with patient notes
  • A financial advisor with portfolio data
  • An HR director with personnel files
  • An accountant with audit working papers

They are users of a system whose safety configuration belongs to someone else. They have no instrument to confirm that the configuration has not been changed in a way that affects their data. The Google story is about the Pentagon. The architecture it makes visible reaches every cloud AI user with a confidentiality duty.

Redact Sensitive Data Before You Send It

Two practical answers to a host that can change its own safety stack: on-device PII redaction first, local AI models as the substitute for the highest-sensitivity work.

The first practical answer to a host that can retune its own safety stack is to never let it see the sensitive data in the first place. Before any prompt is sent to a cloud AI, sensitive entities can be scrubbed on the user's own device. Client names, account numbers, medical record numbers, internal project codes, and draft contract clauses are replaced locally with placeholders. The cloud AI processes a sanitized version of the prompt. The original stays on the user's machine.

On-device PII redaction addresses the structural fact directly. The host's safety stack can be retuned at any time, but it never sees what the redaction layer caught. Whatever clauses get added to a future government contract, the redacted entities are not in the data the host could expose, log, or hand over. Tools designed to keep client data private sit in this category, and the Google story is the public moment that makes the category worth understanding.

Elephas is one example of this approach. It is a privacy friendly AI knowledge assistant for macOS. Sensitive entities are redacted on-device before any cloud call leaves the user's machine. The same app supports cloud models like ChatGPT 5.5 and Claude Opus 4.7 when speed or capability is the priority. It also provides built-in local LLM models for the highest-sensitivity work, so a user does not need to install Ollama or set up server infrastructure to run a model on their own Mac.

Local AI Models as the Substitute

For the highest-sensitivity work, where even a redacted summary cannot leave the device, a local AI model on the user's own Mac is the substitute. The model runs on the user's own machine. Data does not leave the device at all. The safety configuration is whatever the application ships with. A third party cannot adjust it remotely without the user knowing, because there is no remote.

Several local-first AI tools offer this combination of on-device redaction and a local-model fallback. Elephas is one current example. The architectural alternative to trusting the host predates the Google story. It is a practical step a careful professional can take this week.

Two Letters, Same Desk

The takeaway. The safety of the AI you use is set by whoever is hosting the model.

Two letters arrived eight years apart, both addressed to the same CEO. The first one worked because Google had not yet deleted the rule. The second one did not, because Google deleted the rule first.

The contract Google signed in April will probably not be the most lasting thing about the week. According to OpenAI's published statement, the Department of War is convening a working group of frontier AI labs, cloud providers, and Department staff. That group will decide what “appropriate human oversight” means in operational practice. Anthropic, the lab that asked for the definition to be put in writing, is currently barred from Defense Department contracts and in litigation with the Department.

For a reader watching from outside Washington, the takeaway is the simple one. The safety of the AI a person uses is set by whoever is hosting the model. If that arrangement does not work for the data a professional handles, the architecture of where the AI runs is a decision that is theirs to make.

Selvam Sivakumar
Written by

Selvam Sivakumar

Founder, Elephas.app

Selvam Sivakumar is the founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.

LinkedInFollow

Related Resources

Explore all AI Privacy & Security resources
news

Starlink Updated Its Privacy Policy on January 15. If You Don't Opt Out, Your Data Trains AI.

On January 15, 2026, SpaceX updated the Starlink Global Privacy Policy to allow customer data, including audio, video, and shared files, to be used for AI training. A breakdown of what changed, who's affected, and what to do today.

9 min readnews

Vercel Got Hacked: The April 2026 Breach Tied to a Context AI Misstep

A Vercel employee's OAuth grant to Context.ai became the entry point for a breach listed on a cybercriminal forum for $2 million. The full attack chain, IOCs, and what to rotate now.

10 min readnews

Lovable Hacked: API Flaw Exposes Thousands of Projects on the Lovable AI App Builder

A security researcher exposed a Lovable API flaw that leaked source code, AI chat histories and database credentials across thousands of projects. Lovable denies data was breached; its apology reveals a February 2026 backend regression.

13 min readnews

Claude Mythos Preview: First AI to Complete a 32-Step Autonomous Cyber Attack (AISI 2026)

The UK AI Security Institute evaluated Claude Mythos Preview and found the first AI model to autonomously complete a 32-step corporate network attack. Full analysis and defender guidance.

12 min read

Sources