Is an AI Answer an Export?

Legion LegalTech, Corp. v. United States, No. 1:26-cv-02225 (D.D.C., filed June 23, 2026). Complaint and motion for a preliminary injunction on the docket here.

The lawsuit over the Anthropic shutdown turns on a question that sounds almost too simple for export law: "What actually crossed the border (got exported)?"

A U.S. legal-tech company called Legion says the answer is nothing that current export controls were built to stop. Its Canadian engineers never received Fable 5's weights, source code, or object code. They logged into a hosted service, sent prompts, and got text back. When the government ordered that access shut off, Legion went to federal court in Washington and asked a judge to undo it, filing alongside a same-day motion for a preliminary injunction in front of Judge Richard J. Leon.

The case turns on a real national-security concern. Frontier models can help with offensive cyber work and other uses the government has reason to worry about. But export law still has to say what crossed the border. Model weights, source code, and technical know-how fit that framework pretty cleanly. A Canadian engineer getting text back from a U.S.-hosted SaaS model is a harder fit.

What the directive did

Anthropic said on June 12 that the government had ordered it to suspend access to Fable 5 and Mythos 5 for any foreign national anywhere, including its own foreign employees. The company couldn't cleanly filter by nationality, so it pulled the models for everyone. Hundreds of millions of users lost access in an afternoon, and Legion's Canada-based developers lost a tool the company had already wired into its product.

The order didn't arrive as a rule or a regulation. According to the complaint, it came as a letter from Commerce's Bureau of Industry and Security with a ninety-minute deadline to comply. That speed is part of what Legion is fighting, but the deeper objection is about authority, not pace.

The cleanest argument: nothing controlled changed hands

Legion's strongest claim is that hosted inference does not give the user controlled technology.

The Export Administration Regulations care about the release of controlled "technology" or "source code" to a foreign person. Legion's point is that none of that moves when someone uses a hosted model. The user walks away with generated text, not weights, not source code, not training data, not implementation details. The model stays exactly where it was.

Export controls are easiest to understand when the thing being transferred is a chip, a model-weight file, or a technical manual someone can use on their own. Hosted inference works differently because the model stays on the provider's servers and the user receives an answer, not the system that produced it. The service can be enormously capable and the output genuinely useful, and the transaction is still a prompt going in and a paragraph coming out.

The government's best comeback

Commerce's likely answer is that the risk does not come only from transferring files. A frontier model can help a foreign user find software vulnerabilities, write exploit code, or work through other sensitive tasks without ever handing over weights or source code. On that view, the capability is what needs controlling, even if the model itself never leaves the server.

If Commerce is right, export control is no longer limited to the model, the code, or the technical instructions behind it. It can also reach the use of a hosted system when the user is foreign and the answer might be sensitive. Congress may decide that is the right rule for frontier AI, and Commerce may be able to build something like it through normal rulemaking. The harder move is claiming that power already exists in export-control language written for a different kind of transfer.

A control that was rescinded

Legion's second problem for Commerce is more concrete: you can't enforce a control that isn't on the books.

The only classification that ever directly covered advanced AI model weights, ECCN 4E091, came out of the Biden-era AI Diffusion Rule. BIS rescinded that rule in May 2025 and said a replacement would come later. It hasn't. Legion argues that no current entry on the Commerce Control List classifies hosted model access, or the text a model produces, as a controlled export.

Every export-control system runs on defined controlled items. When the item isn't listed, the agency needs another hook. The complaint says BIS reached for an "is informed" letter, a tool meant for specific end-use or end-user risks, and stretched it into a worldwide license requirement covering every foreign national on earth, including Canadian engineers at an American company.

The information-materials angle

Legion's most ambitious argument is its alternative one. If the directive rests on the International Emergency Economic Powers Act rather than export-control law, it collides with the Berman Amendment, Congress's longstanding carveout protecting the free flow of information. Model outputs, in Legion's telling, are drafts, summaries, and written analysis, which is expressive material, and cutting off access to them is an indirect restriction on information.

This one could matter a great deal, but it's a heavier lift than the hosted-inference point. The government will say it regulated access to a live capability, not publications or news feeds. Legion's answer is that the statute strips the President of authority over informational materials "directly or indirectly," regardless of medium. A court would have to decide whether generated AI text lives inside that protection, or whether the service producing it sits outside it.

Why this is bigger than one company

If Commerce can disable hosted model access with a letter, releasing a frontier model starts to look less like shipping software and more like operating a licensed export surface, switchable at the agency's discretion. The boundary between controlling model weights and controlling model use blurs. The next fight wouldn't be about whether a model file left the country. It would be about whether a foreign user asked the wrong kind of question.

The government can have a real concern even if no model file crosses a border. A hosted frontier model can still help a foreign user with cyber operations or other sensitive work. But BIS still has to identify the controlled technology, explain why hosted access counts as its release, and use a process that gives affected companies more than a shutdown order after the fact.

AI export control was always going to run into this problem. The law knows how to deal with model weights, source code, and technical know-how because those are things someone can receive, copy, and use elsewhere. Hosted inference is messier. The model stays put, but the answer crosses to the user, and the current rules do not clearly say how to treat that exchange.

Legion's lawsuit does not settle the question, but it forces Commerce to answer it in court. If the government wants a kill switch for SaaS models, it may need more than a national-security label and a letter. It may need Congress, a rule, and a clearer account of what is actually being exported.