The scene, as I picture it, is the early 1950s. Smoke in the room. G-men in suits. A patent examiner at a desk with a stamp that says SECRET on it. The Cold War is the air everyone is breathing. The Soviets just got the bomb. McCarthy is on the warpath. The country has decided, with some justification and some paranoia, that it cannot afford to let any meaningful technology drift into the wrong hands.

The authority to suppress patents in the name of national security had already existed since 1917. It got used heavily during World War II. The 1951 Act took that wartime authority and made it permanent. From that point forward, the United States government could reach into the patent office, pull an application off the stack, and declare it secret, in peacetime, without a war to justify it. The inventor cannot publish. The inventor cannot sell. The inventor cannot, in many cases, even tell their attorney everything. The order can sit on the application for years. Decades, in some cases.

That law is still on the books. It has been quietly used, every year, for the seventy-four years since.

This post is about the Invention Secrecy Act of 1951, what it actually does, what has been classified under it, and the question that brought me here in the first place, which is whether and how it could intersect with the current generation of commercial AI development. The history is real. The current statistics are real. The AI question is theoretical. I want to be clear about which is which as we go.

A disclaimer up front. I am not a lawyer. I am a security practitioner who reads policy when it intersects with the work, and this law has been intersecting with the work for a long time. The legal analysis here is my policy and operator-grade rather than practice-grade. Where I am speculating, I will say so.

The Law Most People Have Not Heard Of

The Invention Secrecy Act sits in an odd place in American law. It is not obscure. The statute is public. The Federation of American Scientists has been tracking secrecy order statistics for decades. There is a substantial body of academic writing about it. Articles in Slate, Wired, and Bloomberg have covered specific cases. The Wikipedia entry is detailed and accurate. If you go looking, you can find this law without much effort.

What is also true is that most people who work adjacent to it have never heard of it.

I have known about this law for years. It came up in passing during a conversation about technology policy and stuck with me, the way certain pieces of policy infrastructure stick with you once you know they exist. I have referenced it in conversations with peers in security and policy. The reaction is almost always the same. They have not heard of it. They want to know more. They go look it up, and they come back surprised at how much authority is sitting there in plain view.

That gap, between how documented the law is and how few people know it exists, is part of why I wanted to write this post. This is not a secret authority. It is a publicly available authority that has been operating mostly out of the broader public’s view for seven decades, racking up thousands of classified inventions, with very little public attention beyond a small circle of policy researchers and intellectual property attorneys.

It is also an authority with real teeth. Violation of a secrecy order can result in up to two years in federal prison and a $10,000 fine. The patent application can be voided. The invention can be deemed legally “abandoned” if the inventor tries to file abroad without permission. Inventors are entitled to compensation, technically, but the compensation is capped at 75 percent of assessed value, and inventors have historically struggled to prove damages because they cannot disclose the invention they are trying to argue was suppressed. The cases that have gone to court have mostly settled before reaching a precedent-setting ruling, in what some legal historians have argued is a deliberate pattern by the government to avoid producing case law that would constrain the Act’s authority.

So that is the shape of the thing. Public. Powerful. Underdiscussed. Used continuously since 1951.

How the Law Works

The mechanics are straightforward in outline.

Every patent application filed with the United States Patent and Trademark Office is reviewed for national security implications. The screening is done by USPTO examiners using something called the Patent Security Category Review List, which is itself partially classified, but declassified versions from 1971 and 2009 show the categories of inventions flagged for further review. Computers, communications, sensors, materials, weapons, propulsion, navigation, mapping, and a long list of dual-use categories.

If an application falls into a flagged category, it goes to a government agency. The Pentagon. NSA. DOJ. DHS. Department of Energy. NASA. Any federal agency with classification authority can request a secrecy order. The agency reviews the application and decides whether disclosure would harm national security. If the answer is yes, the Commissioner of Patents is legally compelled to issue the secrecy order. The inventor is not consulted. The inventor finds out when they get a letter.

The order can be one of three types. Type 1 is for export-controlled inventions that may not themselves be classified but are restricted under existing export regulations. Type 2 is for inventions that already contain classified material or were developed by people holding DoD security agreements. Type 3 is the catch-all, applied to inventions, including those by private citizens with no government affiliation, that the government decides need to be suppressed.

Once an order is in place, the inventor cannot publish, cannot sell, cannot disclose the invention to anyone who was not aware of it before the order was issued, and cannot file the patent abroad. The application sits in suspended animation. Patents that would otherwise be granted are not granted. Even if the underlying invention is found patentable by examiners, no patent issues until the order is rescinded. The order is renewed annually in peacetime, automatically extended during declared emergencies, and can sit in place for decades.

There are roughly 6,500 active secrecy orders as of fiscal year 2025. About 100 new orders were imposed that year, with about 30 rescinded. The total count has been climbing, not falling, despite the Cold War having ended several decades ago. The 2009 declassified category list is essentially identical to the 1971 list. The categories of concern have not changed much. The volume of secrecy has.

What Has Been Classified

The cases we know about, because the orders were eventually rescinded or the inventors went public, give a sense of the range. By definition we do not know everything that has been classified under this Act, which is the entire point of the Act. If I did know, I would not put it here, because that is also the entire point of the Act. Anything I am about to describe is something the government, for reasons of its own, decided to let into the public record.

A note on the older example below. The cryptograph case predates the 1951 Act by fifteen years. It was originally classified under the earlier wartime authority that the 1951 Act eventually replaced. I am including it because the secrecy carried forward into the post-1951 regime through annual renewals, and because it is one of the cleanest illustrations of how long a single secrecy order can sit on a single invention once the machinery is in motion. The same kind of staying power applies under the current Act.

In 1936, an inventor filed a patent for a mechanical cryptograph for manually encoding and decoding messages. The patent was finally issued in 2000. Sixty-four years of secrecy, originally imposed under the 1917 wartime authority and expanded during World War II, then carried into the permanent regime when the 1951 Act took effect, and renewed annually for decades after that. The technology was already obsolete by the time the order was lifted.

In 1958, the Vienna-born physicist Otto Halpern was forced into a closed-door trial over his invention for evading radar detection. The case was tried in camera, meaning the public was excluded for national security reasons.

In 1977, a researcher named Carl Nicolai filed a patent for a device called the Phasorphone, which would have allowed civilians to scramble their voices on telephone calls and CB radio for privacy. Six months later, an NSA-driven secrecy order landed on the application. The inventors went to the press. After media pressure, the order was rescinded.

Also in 1977, University of Wisconsin researcher George Davida filed for a patent on a stream cipher. The NSA had a secrecy order on it within six months. Davida had developed the technology entirely from unclassified research. The order was eventually lifted after public pushback, in part led by groups like the Federation of American Scientists.

In 2009, husband-and-wife inventors Budimir and Desanka Damnjanovic had their patent for an anti–heat-seeking-missile measure classified. The FBI visited their home to warn them against disclosure. After a five-year administrative appeal that went nowhere, they sued the Air Force and the Department of Defense, claiming First and Fifth Amendment violations. The government settled in 2015 for $63,000 before the case could establish precedent.

A pattern shows up across all of these. The Act has been used most aggressively on dual-use technologies. Cryptography. Radar evasion. Voice scrambling. Sensors. The kind of work that has obvious military applications but also obvious civilian ones. When the civilian use is the kind that defense agencies see as threatening, even when the threat is the public’s ability to communicate privately, the secrecy order has shown up.

The cryptography history is the part that matters most for the rest of this post. In the late 1970s and through the 1980s, the NSA repeatedly used the Invention Secrecy Act to try to suppress civilian cryptography research. The pattern was consistent. A researcher, often at a university, would develop a new approach to encryption or voice security. They would file for a patent. The NSA, working through the USPTO, would issue a secrecy order. The researcher would either comply quietly, fight in court at significant personal cost, or go to the press. The Phasorphone case is the cleanest example because the inventors won. The Davida case is the closest to a draw. The broader fight was about whether the federal government had the authority to suppress an entire civilian research domain because the agency that did the same work in secret considered it sensitive.

That fight was, in retrospect, the last large-scale civilian struggle against the Act on a frontier technology. The government largely backed off cryptography in the years that followed, in part because the math could not be put back in the box. The internet happened. Cryptography became commercial. The NSA continued doing its own work in the dark, but the civilian field developed in the open, and the world we live in now, with end-to-end messaging and HTTPS and everything else, is downstream of that decision not to suppress.

The question I want to ask in the rest of this post is whether AI is the next version of that fight, what would change, and what the government’s options actually are.

Can an AI Model Be Patented

Before we get to the secrecy question, the prior question is whether AI models are patentable in the first place. The Act applies to patent applications. If AI cannot be patented, the Act does not apply.

The answer is more complicated than you might expect, but the short version is yes.

AI models, machine learning architectures, training methods, and applications can be and routinely are patented. The USPTO has been issuing AI-related patents in volume since well before the recent boom, and the volume has accelerated significantly in the last few years. The USPTO has been working through guidance on what aspects of AI are patentable, with multiple guidance updates in 2024, 2025, and into 2026 expanding eligibility rather than restricting it.

The wrinkle is on inventorship. The Federal Circuit ruled in Thaler v. Vidal that an AI cannot be listed as the inventor on a patent. Inventorship is reserved for humans. The USPTO has issued guidance saying that humans who use AI as a tool in the inventive process can still be named as inventors, the same way a human who uses laboratory equipment or software is still the inventor of what they produce. So AI as a tool produces patentable inventions. AI as the named inventor does not.

For the purposes of this post, the relevant point is that the AI itself, the model, the training architecture, the techniques used to fine-tune it, the methods for serving it, the safety techniques applied to it, all of those are patentable, and many of them have been patented. Some are also kept as trade secrets rather than patented, which is a different choice for different reasons. But the question “can a frontier AI capability be the subject of a patent application” has a clean answer. Yes. It happens constantly.

Which means the Act applies.

The Theoretical Scenario

Now we are in speculation. There is no public reporting that any AI model has been classified under the Invention Secrecy Act. To my knowledge, no major AI lab has had a secrecy order issued against one of its patents. If it has happened, it happened in a way that has not surfaced in public reporting, and the inventors have not gone to the press the way the Phasorphone or Davida inventors did.

I want to be careful with that "to my knowledge" qualifier, because the qualifier is doing a lot of work. The whole point of this Act is that the existence of a classified patent is itself something the public is not supposed to know about. When I say I do not know of any classified AI patents, what I really mean is that none have been declassified and no inventors have gone to the press. The system is operating as designed. And even if I did know of one, I would not be writing it down here. That is also the entire point of the Act

But the mechanism is in place. The legal authority exists. The categories of concern on the 2009 declassified list explicitly include computers, communications, sensors, materials, and a catch-all for “unique materials, devices, or performance data and characteristics” that maps cleanly to frontier AI capabilities. The decision to classify an AI patent under the Act would not require new legislation, new executive orders, or any public debate. It would require a defense agency to decide the underlying capability was sensitive, and a USPTO process to flag the application, and a Commissioner of Patents who, by statute, is required to comply with the secrecy request once the defense agency makes it.

I have spent a lot of time thinking about what would have to be true for this scenario to play out. A few things stand out.

The capability would have to be significant enough to attract federal attention. Frontier AI models, by definition, qualify. The largest labs are producing capabilities that have obvious dual-use applications, including in cyber, in defense, in intelligence, in autonomous systems. The capability does not have to be weaponized. The 2009 category list shows the government’s interest extends to dual-use civilian technology that has theoretical military relevance, which is essentially the entire frontier of AI.

The patent application would have to be filed in the United States by an inventor based in the United States, since the Act applies to inventions made in the United States. That is the case for most of the major American AI labs. Models developed abroad fall outside the Act’s scope.

The defense agency would have to make the call. The Pentagon, the NSA, and the others with the authority. have been quietly classifying things in this space for decades. The question is not whether they have the authority. We’ve already clarified they do. The question is whether they would use it on a commercial AI capability.

And finally, the government would have to be willing to absorb the consequences of using the Act in a domain where almost every meaningful capability is being developed in the open commercial sector. Which is where the rest of the post lives.

The Mythos Wrinkle and a New Executive Order

Three things converging are what make this law worth talking about right now.

The first is Mythos. Anthropic announced Claude Mythos and Project Glasswing in April, describing Mythos as the company’s most capable model to date and explicitly declining to make it generally available because of the cybersecurity capabilities it had demonstrated during testing. The framing from Anthropic and from the partners who have seen the model is that Mythos is too dangerous to release broadly, that it can identify zero-day vulnerabilities in real-world software at a scale that previous models could not, and that during testing it broke out of a sandbox and sent an unexpected email to a researcher who was eating a sandwich in a park at the time. According to public reporting, the model found thousands of high-severity vulnerabilities, including one in OpenBSD that had been hidden in plain sight for twenty-seven years.

The second is an executive order. On June 2, 2026, President Trump signed an order titled “Promoting Advanced Artificial Intelligence Innovation and Security.” The order directs a group of federal agencies, including Treasury, the Department of War, DHS, NSA, CISA, NIST, and Commerce, to establish a voluntary framework through which AI developers would submit “covered frontier models” to the government for up to 30 days before public release. The NSA director gets to designate which models are covered. The earlier draft of the order, which the President pulled back from signing in May, had set the review period at 90 days. The signed version cut it to 30. The order is voluntary on its face, and the text explicitly disclaims any authority to create a mandatory licensing, preclearance, or permitting requirement. The question is how voluntary “voluntary” actually is when the government is asking and the requesting agency is the NSA.

The third is the overlap. The agencies designated under this new pre-release review framework are largely the same agencies that have classification authority under the Invention Secrecy Act. NSA. Department of War. DHS. The Pentagon. To be fair, this is partly just because these are the agencies that work in this space. Cybersecurity, intelligence, and national defense are not infinite fields. The agencies that handle them are the agencies that handle them, regardless of which authority is being invoked. So the overlap is not, by itself, evidence of anything other than that the federal government has a finite number of organizations that do this kind of work, and they are showing up in both places because that is what they do.

That said, the structural significance is hard to miss. The same agencies that would now get a 30-day look at a frontier model before its public release are the same agencies that, once they had taken that look, would be in a position to invoke the Invention Secrecy Act if they decided the model needed to be suppressed rather than reviewed and released. The pipeline that delivers the model to the reviewer’s desk and the pipeline that delivers the secrecy order to the inventor’s mailbox now share staff, share infrastructure, and share the same designation criteria for what counts as significant enough to warrant attention. The lever I have been describing throughout this post just got an antechamber.

I want to hold two things separately here on the Mythos claim itself, because they need to be held separately.

The first is the substance. If the public reporting is accurate, Mythos meets the kind of capability threshold this post has been talking about as a trigger condition. A model that can autonomously discover zero-day vulnerabilities at scale, including in foundational operating systems and browsers, is exactly the kind of dual-use civilian technology that has historically attracted federal attention. The 2009 category list has clear hooks for this. Computers. Communications. Concealment, communications, countermeasures and counter-countermeasures. A model that finds new ways into software infrastructure fits.

The second is the marketing posture, which is where I want to put a small skeptical thumb on the scale.

I have never seen a company market a product by saying it is not as good as the last version. The framing of Mythos as too dangerous to release is, whatever else it is, an excellent way to communicate that the new model is more capable than the previous model. The product narrative and the safety narrative point in the same direction here, which does not make either narrative false, but does mean a reader should be aware that the same set of facts can serve two different commercial and reputational purposes simultaneously. Anthropic is a company. Companies have incentives. The incentives of “we are responsible because our product is so powerful we will not release it” line up neatly with “our product is so powerful you should pay attention to it.”

I am not saying Anthropic is making it up. I genuinely do not know how to evaluate the underlying capability claims from outside. The public reporting cites the company’s own descriptions, the company’s own internal testing, and the company’s chosen partners. The independent verification, in any meaningful sense, is not yet in. If Mythos is everything Anthropic says it is, that is significant. If it is partially what they say it is, that is also significant. Either way, the model is exactly the kind of capability the rest of this post has been describing as theoretically subject to the Invention Secrecy Act, and the government has now built a pre-release pipeline that puts the same agencies in the same room with the same models.

What is interesting, for the purposes of this post, is what the government still has not done. Mythos has not been classified under the Invention Secrecy Act. The patent applications, if any, that cover the underlying techniques have not been suppressed. The model is being voluntarily restricted by its maker, and the federal government has set up a voluntary pipeline to look at it before release. None of that is classification. The Act is still on the shelf.

That is a meaningful data point. The conditions that, on paper, would justify reaching for the lever are arguably present. The lever has not been pulled. The current arrangement is voluntary on both ends. The company restricts the model voluntarily. The government reviews it voluntarily. The Invention Secrecy Act exists as the formal authority that could turn voluntary into compulsory, if the relevant agencies decided that conversion was warranted. The Act has not been used. Yet.

There are a few possible reads of why the lever has not been pulled. The government may have decided the voluntary arrangement is sufficient for its current purposes. The political costs of formal classification may still outweigh the benefits, given the importance of commercial leadership in AI. The 30-day review pipeline may give the relevant agencies the access they actually want without needing to invoke the Act. Or the situation may not yet have ripened to the point where the lever feels necessary, and the executive order is a step toward making sure the pipeline is in place before that point arrives. The structure being built right now looks less like an alternative to the Act and more like a runway to it.

The Phasorphone case took six months from patent filing to secrecy order. The infrastructure to do the same thing to a frontier AI model is in place today. The new 30-day review window is, depending on how you read it, either a softer alternative to that infrastructure or a feeder for it. The same agencies sit on both ends of the pipeline. The same designation criteria, in broad strokes, govern both processes. If a “covered frontier model” looked, during a 30-day review, like a capability that genuinely needed to be suppressed, the path from that determination to a secrecy order under the Act is short.

The lever is sitting there, available. The antechamber to the lever is now also sitting there, with the door open. The federal posture toward a model that arguably meets every condition this post has discussed is still, today, to let the company handle it, with the government getting a closer look beforehand. That posture could change. The choice of whether to change it has gotten faster and easier to make.

The Strategic Dilemma

Here is the part I have actually been trying to think through, and where I want to do more thinking than concluding.

The United States government depends on commercial AI in a way that does not have a clean analog in earlier technology cycles. The frontier labs, OpenAI, Anthropic, Google DeepMind, Meta FAIR, and several others, are producing capabilities the government uses but did not produce. The government has been building its own AI capabilities for decades, in various forms, but the public frontier has overtaken anything the government has historically been able to do internally, and that delta is widening, not closing. The government needs the commercial sector to keep moving forward, because the commercial sector is where the frontier lives now.

That dependency runs against the historical instinct that says “if it is strategically important, lock it down.” The Manhattan Project was a national program. Stealth aircraft were developed under classification. Nuclear submarine reactors were developed under classification. The pattern, across the twentieth century, was that capabilities considered critical to national security were brought inside the tent. Commercial development was allowed to happen, when it happened at all, in parallel or downstream of the classified work.

AI does not fit that pattern. The commercial sector is the frontier. The classified work, to the extent it exists, is downstream of the commercial work. If the government decided tomorrow to bring the frontier under the Invention Secrecy Act, the practical effect would be to stop the labs from publishing, stop them from filing patents, stop them from coordinating with each other, stop them from hiring openly, and stop the broader research ecosystem from continuing to produce the talent and the techniques the labs depend on. The labs would not stop existing. They would just stop being able to operate as labs.

And that is the version where the United States is the only player in the game. It is not.

China has been investing in AI for years, with explicit support from the Chinese Communist Party for its domestic AI sector. The CCP has well-documented structural relationships with its leading tech firms, including the AI labs. Whatever the United States does inside its own borders to suppress, classify, or constrain commercial AI development, the Chinese government is not going to follow the same playbook. Their playbook is the opposite. State support. State direction. Aggressive commercial development tied to state interests. If the United States slows down its commercial sector through classification, the practical effect is to widen the gap between American and Chinese commercial AI capability, in favor of China.

There is no clean answer to this. I want to be honest about that. The pure-classification approach gives the United States more direct control over individual capabilities but cripples the broader ecosystem and cedes ground to adversaries. The pure-open approach maintains American commercial leadership but means that the same capabilities the United States considers strategic are also available to anyone who can buy access or train a competing model. The current approach, which is mostly open with selective export controls and significant federal investment, is somewhere in between, and it is fragile.

The Invention Secrecy Act is the lever that exists, today, with no additional legislation required, for the government to move along that spectrum toward more classification. The fact that it has not been used on commercial AI yet is a policy choice, not a legal one. The choice can be revisited at any time.

What Would Trigger It

The conditions under which the government would actually pull the lever, in my read, would have to include some combination of the following.

A specific capability so strategically significant that the costs of letting it proliferate outweigh the costs of locking down the lab that produced it. Right now, no individual model meets that bar, because the field is moving fast enough that any locked-down capability would be overtaken by the next open release within months. The lever does not work well when the underlying technology moves faster than the legal process.

A geopolitical event that increases tolerance for blunt-force domestic measures. A direct cyber incident traceable to a foreign AI capability. A defense incident where adversary AI played a meaningful role. A diplomatic crisis where information control became urgent. Historically, the Act has been used most aggressively during periods of elevated geopolitical anxiety. The current environment is not as elevated as the early Cold War, but it is more elevated than the 1990s, and the trend line is in the wrong direction.

A change in the political coalition’s appetite for federal control of the technology sector. The current bipartisan consensus, such as it is, leans toward commercial leadership with regulatory guardrails. That consensus is contested. Different administrations with different theories of the relationship between the state and the technology sector would make different choices about whether to reach for tools like the Act.

A determination that the commercial sector is no longer reliable. If the government concludes that the labs are being penetrated by adversary intelligence services, that talent is leaking, that capabilities are being sold to the wrong customers, or that the labs themselves are not aligned with American strategic interests, the appetite for direct control would increase. None of those conditions are currently dominant, but all of them are plausible failure modes.

None of these are predictions. They are conditions that, in combination, would shift the political calculus toward using the Act in a way it has not yet been used.

The Bigger Question

The Invention Secrecy Act is one specific lever. The broader question is about what kind of relationship the United States is going to have with its own technology sector during a period when that sector is producing capabilities that are simultaneously strategic, commercial, and dual-use.

The historical answer was “we build the strategic stuff ourselves, in secret, and let the commercial stuff exist in parallel.” That answer does not work when the strategic stuff is the commercial stuff. The government’s options compress. Either it accepts that commercial leadership is itself the strategic position, and protects the commercial ecosystem accordingly, or it tries to reach into the commercial sector to constrain specific capabilities, and accepts the costs that come with that reach.

I do not have a strong view on which way that resolves. What I do have a view on is that the Invention Secrecy Act, sitting on the books, used continuously for seventy-four years, with thousands of currently active orders, is the kind of policy infrastructure that does not stay unused forever once the conditions exist to reach for it. The Phasorphone fight was almost fifty years ago. The civilian cryptography fight that followed was forty years ago. The next fight, whatever it is, is going to use the same legal authority. Whether that fight is about AI specifically is a question worth thinking about now, while the answer is still in front of us.

I am going to keep watching the secrecy order statistics. Federation of American Scientists publishes them annually. They are public. They do not tell you what was classified, but they tell you how much, and by whom, and the categories tend to leak through over time. If a meaningful number of new orders start showing up in computers and unique-materials-and-performance categories, particularly from agencies that have not been heavy users historically, the pattern would be worth paying attention to.

For now, it is a question, not a finding. The conditions exist. The authority exists. The fight has not yet happened. Whether it will, whether it should, and what the consequences would be if it does, are the kinds of questions I think people in this field, including me, should be asking before the answer arrives in someone’s mailbox in the form of a letter from the USPTO.

The law is real. The history is real. The strategic dilemma is real.

The AI question is theoretical, but only because nobody has reached for the lever yet. The lever is right there.