Seven Companies, One Disclosure Problem
What the DoD's Classified AI Agreements Mean for SEC Cybersecurity Disclosure
5/1/2026 · 5 min read
Today the U.S. Department of War announced that seven of the world's leading AI companies have entered agreements to deploy their advanced capabilities on the department's classified networks — Impact Level 6 and Impact Level 7 environments — for lawful operational use.
The announcement celebrates a capability milestone. The coverage focuses on which companies made the list, which did not, and what it signals about the Pentagon's accelerating AI strategy.
Nobody is writing about the disclosure problem.
That is where Sturnella works.
"These agreements accelerate the transformation toward establishing the United States military as an AI-first fighting force and will strengthen our warfighters' ability to maintain decision superiority across all domains of warfare."
— U.S. Department of War, 1 May 2026
The Seven Companies and Their Disclosure Status
The named partners are: SpaceX, OpenAI, Google, NVIDIA, Reflection AI, Microsoft, and Amazon Web Services. All seven will deploy capabilities on both IL6 and IL7 environments.
Of the seven, five are already public companies with active SEC disclosure obligations. Two — SpaceX and Reflection AI — are private but on trajectories that lead toward public markets. Here is what that means:
For the five public companies, a material cybersecurity incident touching their classified DoD AI deployment now triggers an immediate and unresolved tension between two legal obligations: the SEC's four-business-day disclosure clock under Item 1.05 of Form 8-K, and the classified nature of the network, the data, and potentially the incident itself.
The Tension the Announcement Doesn't Mention
IL6 and IL7 are not ordinary enterprise environments. IL6 covers classified information up to the Secret level. IL7 covers Top Secret and Special Access Programs. The data processed on these networks, the nature of any incident affecting them, and often the existence of specific capabilities deployed on them are themselves classified.
The SEC's 2023 cybersecurity disclosure rules were not written with this in mind.
Under Item 1.05 of Form 8-K, a public company must disclose a material cybersecurity incident within four business days of determining that the incident is material. The rule does contain a limited national security deferral: the Department of Justice may certify that immediate disclosure would harm national security or law enforcement, allowing a delay. The SEC has indicated it will work with the DOJ on a case-by-case basis.
That mechanism has never been stress-tested against a company whose classified infrastructure is simultaneously:
• a commercial product (cloud AI, GPU infrastructure, frontier models),
• a national security asset operating at the highest classification levels, and
• a system whose incident details are likely classified at the very levels that prevent disclosure.
Google, Microsoft, Amazon, and NVIDIA are not small companies navigating this for the first time. They have legal and compliance infrastructure that has been built around prior government contracting. But even for them, today's agreements represent a qualitative escalation — from cloud infrastructure at lower classification levels to frontier AI deployed on IL7 networks, directly integrated into warfighter decision-making.
The materiality question is not the same at IL7 as it is anywhere else.
The Pre-IPO Problem Is Harder
SpaceX and Reflection AI face a version of this problem that is arguably more difficult, not less.
A private company has no current SEC disclosure obligations. But the governance decisions made during the private period — how materiality is defined, how board oversight of cyber risk is structured, how classified incident response is designed — become the foundation on which a public company's disclosure framework is built.
For SpaceX, which has been on a reported IPO path and which already operates Starlink infrastructure used by military and intelligence services globally, the classified AI agreement adds another layer to a disclosure architecture that has no clean precedent. The company's CEO has also previously held an informal government advisory role, creating relational complexity in the regulatory environment that has no standard template in Regulation S-K.
For Reflection AI, today's announcement is notable for a different reason. Reflection is an early-stage company. Being named to a classified DoD AI agreement at this stage of its development means that the governance frameworks it builds now — before revenue, before institutional investors, before any IPO process — will need to accommodate classified network obligations from the outset. Most pre-IPO cybersecurity governance programs are not designed with that constraint in mind.
The Three Questions Every GRC Team at These Companies Should Be Asking Now
1. Has our materiality determination framework been designed for classified environments?
A standard materiality matrix — mapping operational and financial impact against investor and reputational exposure — is a necessary starting point. It is not sufficient for companies operating at IL6 and IL7. The framework needs an additional dimension: whether the incident details themselves are classified, and whether the DOJ deferral mechanism is activated as a matter of pre-planned protocol rather than crisis improvisation.
2. Does our board cyber oversight structure account for the classified-commercial boundary?
Item 106 of Regulation S-K requires public companies to describe how their board oversees cybersecurity risk. For companies with classified DoD deployments, the board's ability to receive full incident information may itself be restricted by clearance requirements. The disclosure of how oversight works must reflect that constraint accurately — neither overstating board visibility nor understating the governance structure.
3. What is our position on vendor lock-in and the DoD's diversity mandate?
The DoD explicitly stated that today's agreements are designed to prevent vendor lock-in and ensure flexibility across what it called a 'resilient American technology stack.' That mandate creates a competitive dynamic among the seven named companies. For GRC purposes, it also means that the classified AI relationship is not exclusive — which has implications for how each company characterizes the materiality and strategic significance of the agreement in its public disclosures.
— — —
Why This Matters Beyond the Seven
The DoD's classified AI acceleration strategy will not stop at seven companies. The GenAI.mil platform already has over 1.3 million Department personnel using it. As the classification envelope expands and more commercial AI capabilities are integrated into classified environments, the population of public companies facing this disclosure tension will grow.
The framework questions being raised today — how do you disclose a material incident on a classified network, how do you describe board oversight of a system whose details are restricted, how do you build a pre-IPO governance program that accounts for classified obligations — are not SpaceX and Google problems. They are sector-wide problems that will affect every technology company that pursues government AI contracts at scale.
The compliance guidance has not kept pace with the operational reality. That gap is where enforcement risk accumulates.
Sturnella's Role
Sturnella advises mining, energy, infrastructure, and defense companies on IPO cybersecurity readiness, SEC Regulation S-K Item 106 compliance, cyber diligence in M&A transactions, and board-level cybersecurity governance — before and during capital markets events.
We operate at the deal table, not inside the IT department. Our work is focused on governance precision, disclosure defensibility, and transaction protection.
Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.


