Contemporary technology governance has shifted from rule-based regulation to a landscape defined by administrative leverage and directive-driven decisions. This dynamic is seen in both the cybersecurity and AI sectors, where agencies such as the U.S. Department of Defense and companies including OpenAI and Anthropic navigate obligations and approvals through administrative action rather than statutory change. As a result, MSPs and IT service providers must recognize that the durability of their offerings and client architectures increasingly hinges on how they respond to rapid, unpredictable shifts in the governing environment rather than on fixed compliance deadlines or product release dates.
A notable example of this mechanism is the Department of Defense’s suspension of the rollout of Phase Two of the Cybersecurity Maturity Model Certification (CMMC), as reported by Federal News Network. About 80,000 companies had been preparing for new third-party assessment requirements, but these assessments have been paused pending a 60-day review. Despite the pause, the underlying data protection requirements for defense contractors remain in force, demonstrating that while compliance deadlines can disappear overnight, fundamental security obligations persist.
Additional cases amplify the trend toward directive-based governance. The U.S. Commerce Department lifted export restrictions on Anthropic’s Fable 5 and Mythos 5 AI models after new safeguards were implemented, following the same pattern previously used to impose those restrictions. Similarly, OpenAI’s GPT 5.6 model was released to the public only after a voluntary government review concluded, illustrating that administrative reviews, not boardroom decisions, can dictate technology availability. Concurrently, other governments such as China are employing similar tactics, with Reuters reporting that Chinese authorities have met with local AI firms to discuss restricting overseas access to advanced models. These parallel moves across geopolitical boundaries indicate a structural reliance on executive discretion rather than legislative clarity.
The operational impact for MSPs, IT service providers, and technology leaders is a heightened exposure to contract risk and pricing volatility. Service commitments anchored to deadlines, default settings, or product availability are susceptible to abrupt policy reversals or administrative interventions, translating to sudden revenue shortfalls and reactive client management. The recommended response is to audit current commitments, identify those pegged to mutable triggers rather than enduring obligations, and systematically re-anchor contract language and client communication to core outcomes and standing requirements. This preparation mitigates the risk of unpaid work, scope renegotiation, and unplanned operational disruption when another directive-driven policy shift occurs.
00:00 Three Government Switches in Three Weeks
04:07 Why AI Is Governed by Leverage, Not Law
06:46 CMMC Paused — Your Obligations Didn't
09:27 Why Do We Care?
Supported by:
💼 All Our Sponsors
Support the vendors who support the show:
👉 https://businessof.tech/sponsors/
🚀 Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus
🎧 Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe
📰 Story Links & Sources
Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🎙 Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech
🔗 Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.

