According to the MIT Technology Review, the U.S. Department of Defense is planning a major shift: building a highly confidential training environment for generative artificial intelligence companies so that they can train military versions of large models on classified military intelligence data. This means that models that were originally only “reading” and “answering questions” in a confidential environment may directly use confidential data as training material in the future, thereby “writing” sensitive information into the model itself.
Already, some generative AI models, such as Anthropic’s Claude, are being deployed in classified environments to answer questions and aid analysis, including on Iranian targets. However, these models currently only process confidential information based on existing capabilities, and will not reuse the data to train and update the models themselves. If allowed to be trained on classified data, the model is expected to be more accurate and efficient in performing specific military tasks, but it will also introduce unprecedented security risks.
An unnamed U.S. defense official said training the military's custom model on classified data is expected to significantly improve its performance and reliability in specific missions. The plan comes amid growing demand for more powerful AI models in the U.S. military: The Pentagon has reached agreements with OpenAI and Musk's xAI to run its models in a classified environment, and is pursuing a new artificial intelligence strategy aimed at turning the U.S. military into an "AI-first combat force" in response to the escalating conflict with Iran. As of press time, the Pentagon has not officially commented on this training plan.
According to two people familiar with the relevant operating modes, the above training will be arranged in a data center certified for classified projects, where a certain version of the AI model will be paired with classified data in the same secure environment. According to the defense official, although the data ownership remains with the U.S. Department of Defense, in rare cases, AI company employees may also be allowed to access the confidential data if the relevant personnel have the appropriate security clearance. Before actually touching on classified data, the Pentagon plans to first test it on unclassified data, such as commercial satellite imagery, to assess actual improvements in accuracy and effectiveness of the trained model.
The U.S. military has long used an older generation of computer vision models to perform object recognition on images and videos collected by drones and reconnaissance aircraft, and has commissioned companies through government contracts to train algorithms on such data. In recent years, dedicated large language models and chatbot versions for government scenarios have also appeared one after another, such as Claude Gov launched by Anthropic, which emphasizes multilingual capabilities and deployment in a secure environment. However, this statement by defense officials is the first time that it has been clearly revealed that companies such as OpenAI and xAI that develop large-scale language models may directly train government-customized models on confidential data.
Aalok Mehta, former head of AI policy at Google and OpenAI and now director of the Wadhwani AI Center under the Center for Strategic and International Studies (CSIS), pointed out that compared to just "reading and answering" in a confidential environment, truly using confidential data to train models will bring new risks. He believes that the biggest problem is that the confidential information absorbed by model training may "resurface" when it is queried or called by different users in the future. This is particularly dangerous when sharing a set of models across multiple services or services with different levels of security and different intelligence needs.
For example, Mehta said that if a model had access to highly sensitive human intelligence, such as the identity of a covert operative, that information could be accidentally "leaked" to another branch of the military when the model was used by another branch of the military that did not have access. Not only would this pose a life-or-death risk to intelligence sources and frontline personnel, it would also be technically difficult to prevent absolutely, especially when the same model is shared by multiple units. In contrast, he believes that it is relatively easier to "lock" confidential information within the military and avoid it flowing back to the open Internet or AI companies.
At present, the U.S. government has established some relevant infrastructure: for example, the security company Palantir has received multiple large-scale contracts to build a security system for the government that can answer questions and answers on confidential topics without passing the information back to AI companies. In these systems, officials can question models about classified content, while the data is restricted to a controlled environment. However, applying the same security architecture to training, not just inference and question answering, remains a new technical and management challenge.
In January of this year, Defense Secretary Pete Hegseth issued a memo urging the acceleration of the introduction of more AI capabilities throughout the defense system, promoting the Pentagon’s racing layout in this field. Generative AI has been used in actual combat, such as ranking potential targets and giving priority strike suggestions. It has also been used in administrative work such as writing contracts and organizing reports. From the perspective of the defense sector, many tasks originally performed by human analysts may rely on stronger AI models in the future, but this also means that large amounts of confidential data must be opened to the models.
Mehta said the military may want AI to learn some subtle judgments that rely heavily on experience, such as identifying extremely subtle clues in images like a senior analyst, or making complex connections between newly acquired intelligence and historical information. To this end, the intelligence agencies’ vast and multilingual text, audio, image and video data may become sources of training material. However, he also emphasized that it is difficult to explain to the outside world which specific tasks require training on confidential data, because the Department of Defense has a strong incentive to keep its specific capabilities secret and does not want other countries to accurately understand the technological boundaries of the United States in this field.
In the eyes of the outside world, the Pentagon's step is not only a response to frontline needs, but also a high-risk technology bet: once confidential intelligence is deeply embedded in large models, the military will gain automated analysis and decision-making assistance capabilities that far exceed those of traditional systems. However, it will also have to face new security risks such as excessive model "memory", accidental leaks, and blurred access boundaries. Currently, U.S. defense agencies are trying to find a balance between "gaining military advantage" and "controlling security risks" that has not been fully tested in practice by establishing highly isolated secure data centers, strict access control, and layered and customized model deployment methods.