On June 5, 2026, President Trump signed National Security Presidential Memorandum-11 (NSPM-11), titled Artificial Intelligence in the National Security Enterprise. The memorandum rescinds and replaces the Biden-era NSM-25 and rewrites the rules for how the Department of War (DoW), the Intelligence Community, and supporting federal agencies adopt, procure, and operate AI.
The White House fact sheet summarizes the central guardrail in one sentence: "The Memorandum directs departments and agencies to ensure that no entity, commercial or otherwise, can disable, degrade, or modify an AI system that American warfighters depend on without prior approval."
It is a sweeping commitment. It is also a commitment about the model, not about the data that crosses into the model. And in a defense industrial base where most cleared personnel still get their day-to-day cognitive lift from chat.openai.com or claude.ai on a consumer-grade browser, that distinction matters more than the press release admits.
What NSPM-11 actually does
The Benton Institute's June 5 analysis by Kevin Taglang is the clearest public walk-through of the memorandum to date. NSPM-11 organizes its national security AI policy around what it calls the Four Pillars: Adoption, Adaptation, Assurance, and Accountability.
- Adoption directs the national security enterprise to eliminate "unnecessary barriers to rapid deployment" of frontier AI and to make "the most advanced frontier models" broadly available to national security professionals "without delay."
- Adaptation instructs agencies to use commercial or open-source AI "wherever appropriate," drawing from a diverse supplier base — explicitly walking back the perceived single-vendor lean of the prior administration's NSM-25.
- Assurance is where the headline language lives. The memorandum requires that all AI systems adopted by the national security enterprise be "reliable, robust, steerable, and controllable," and adds the provision Taglang notes "has no clear precedent in prior national security AI policy": agencies must ensure, "through contractual clauses or other means," that no commercial entity or adversary can prevent use of, disable or degrade, or materially modify a warfighter-facing AI system "without Federal Government knowledge and approval."
- Accountability writes a civil-liberties floor into the directive: AI used by the national security enterprise "shall never be used to censor free speech, embed ideological bias, or conduct unauthorized or unlawful surveillance of American citizens." Commanders and agency heads remain personally on the hook.
The timeline is aggressive. Within 90 days (~September 3, 2026), the Secretary of War must update DoD Directive 3000.09 on autonomy in weapon systems, the Committee on National Security Systems and OMB must publish an AI governance policy for national security systems, and a classified annex will be issued. Within 120 days (~October 3, 2026), procurement processes must be re-tooled for rapid onboarding of frontier models from multiple vendors, an AI National Security Strategic Reserve of non-governmental AI talent must be stood up, and joint AI data and model exchanges across classification enclaves must be initiated.
NSPM-11 also lands on top of DoW's May 2026 agreements with eight frontier AI companies to deploy their capabilities on the Department's classified networks — the largest single procurement signal in defense AI to date.
The boundary NSPM-11 doesn't draw
Read it twice. NSPM-11 is a directive about models: which ones get fielded, on what networks, under what contractual terms, with what TEVV methodology, with what kill-switch governance against the vendor. It is silent on the data path from a cleared employee's keyboard into a commercial LLM running on the open internet.
That path is the one that matters for most defense contractor shadow-AI exposure today:
- A cleared engineer at a prime, working under a CUI-tagged program, opens
claude.aiin Chrome on a corporate laptop to summarize a 40-page requirements doc. - The browser tab is on the public consumer SKU. The model is running on Anthropic's commercial infrastructure, not on the classified networks NSPM-11 governs.
- The Adoption pillar's frontier-model availability promise does not apply here. The Assurance pillar's contractual-clause regime does not apply here. The Accountability pillar's chain-of-command attestation does not apply here, because the workflow is not under any of those layers.
- The data crosses the policy boundary at the moment the engineer presses Enter.
The FY26 NDAA's Section 1513 — covered in our post on the FY26 NDAA's AI-governance obligations for defense contractors — pushes some of this responsibility onto defense contractors as a cybersecurity framework obligation. NSPM-11 reinforces the model-side guardrails. Neither sees the browser tab.
What the deployer still owns
NSPM-11's Assurance pillar uses a precise phrase: "through contractual clauses or other means." The "other means" is where deployer-side tooling lives. Three categories of control that NSPM-11 explicitly does not provide, but that defense contractors and intelligence-community deployers still need:
- Real-time visibility into commercial-LLM use by cleared personnel. If a Tier-1 prime's incident-response team needs to answer the question "did anyone on Program X paste CUI into a public model in the last 30 days," classified-network agreements provide zero signal. Browser-layer telemetry does.
- Policy-driven block of disclosure paths that violate program rules. NSPM-11's Adaptation pillar invites broader use of commercial AI, but the policy boundary for what a given cleared employee can disclose to a given commercial model — by program, by classification marking, by data category — sits with the deployer, not the federal government, and not the model vendor.
- An audit trail the program office can read. When the 120-day AI governance policy lands, contracting officers will want defense-industrial-base evidence that the deployer can answer questions about its workforce's AI use. "We trust the model vendor's contract terms" will not be that evidence.
The complementary layer
Containment.AI runs at the browser layer. Our extension and proxy enforce data-boundary policy before a paste leaves a cleared employee's session for a public commercial AI surface — chat.openai.com, claude.ai, gemini.google.com, Microsoft Copilot, Grok, Perplexity. We do not govern what the model does, who hosts it, or which classified enclave it runs on. We govern what data the deployer's workforce sends to it.
In the world NSPM-11 just drew — frontier-model adoption is accelerated, vendor lock-in is explicitly disfavored, and the federal government holds a contractual veto over how the model is operated on its own networks — the deployer-side data boundary is the part the directive leaves on the table. For DoD primes, aerospace OEMs, and classified-intel program offices: the browser tab is still yours.
Defense contractor preparing for the 120-day NSPM-11 procurement window? See how Containment.AI's browser-layer policy enforcement complements the Assurance pillar.