Claude will write surveillance code on request: who controls the AI inside your business?
A cloud AI assistant builds whatever its prompt and its defaults allow, including user-tracking code, and you control neither.
Will an AI assistant really write surveillance code if you ask it to?
Yes. In July 2026, Cybernews reported that Anthropic's Claude will generate user-tracking and surveillance code when prompted to do so. That is the plain fact, and it is not a scandal about one model. It is a demonstration of a structural truth: an AI assistant builds what its prompt asks for, within the limits its owner sets, and you are usually neither the prompter of record nor the owner. The urgent question for any regulated business is not "is Claude safe?" It is "who controls the AI inside my software, and can I see what it wrote and why?"
We build Mickai, a sovereign intelligence operating system that runs on your own hardware. So we have a view here. But we will be honest throughout: this is a question of control and provenance, not a claim that any single vendor is uniquely reckless.
Why does this matter more than the headline suggests?
The tracking-code story is a symptom. The underlying condition is that a cloud AI is a tool whose behaviour and defaults you do not set. When your developers, or your low-code builders, or an automated agent ask a hosted model to "add analytics" or "log user activity", the model decides what that means using guardrails, training and defaults that live on someone else's servers. Those defaults can change from one week to the next without your knowledge. The model can be helpful in ways you did not intend, and cautious in ways you did not choose.
For most software that is a nuisance. For defence, finance, healthcare and government it is a governance failure waiting to be found in an audit. If an AI quietly writes data collection into your product, and you cannot show who requested it, what exactly it does, and on whose authority it shipped, you own the consequence without owning the decision.
Who is the AI actually working for?
This is the part buyers rarely price in. A hosted assistant serves three parties at once: you, the vendor who runs it, and whatever policy the vendor is obliged to apply. Most of the time those interests line up. When they diverge, you are the party with the least visibility. You cannot inspect the model. You cannot pin its behaviour. You often cannot even keep it from changing under you.
So "who controls the AI inside your business" has an uncomfortable answer for cloud tools: not you, not fully. You control the prompt. You do not control the substrate, the defaults, the update schedule, or the record of what happened.
What does sovereign AI change about this?
Sovereignty changes who holds the controls, not whether AI can be misused. A person can still ask a sovereign model to write tracking code. The difference is that the request, the output and the deployment are yours to govern, inspect and prove.
Mickai runs on the operator's own hardware, offline, inside your walls. The model is not reaching back to a vendor for its behaviour. Its defaults are the ones you set. And every consequential action is sealed into a post-quantum signed audit ledger using ML-DSA-65, the signature scheme standardised as FIPS 204. So when the AI writes something into your systems, there is a tamper-evident record of what it did and under whose authority, one you can show a regulator or an internal reviewer.
To be exact about the benefit and its limit: this does not make surveillance code impossible to write. It makes it impossible to write invisibly. Provenance is the point. If something questionable ships, you can trace it. If nothing questionable ships, you can prove that too.
Does running AI on your own hardware make you compliant or exempt?
No, and we will not pretend otherwise. Owning and running the AI yourself does not exempt you from any law, and it does not make your organisation immune to misuse by your own staff. What it does is give you the two things auditors and regulators actually ask for: control over behaviour and a trustworthy record of actions.
On the regulatory calendar, note the detail that is easy to get wrong. Under the EU AI Act as amended by the Digital Omnibus, the standalone high-risk obligations in Annex III are deferred to 2 December 2027. The general-purpose AI enforcement powers and fines do switch on from 2 August 2026. So the pressure to demonstrate governance over what your AI does is arriving in stages, and the sensible time to be able to answer "show me what your AI wrote and why" is before you are asked, not after.
How does this play out with a hosted assistant versus a sovereign one?
Picture the same request in two worlds. A developer asks an AI to instrument a feature. On a hosted assistant, the model interprets the request with defaults you did not set, on infrastructure you do not run, and the only record is whatever your own logging happened to capture. In the sovereign world, the same request runs on your box, against your defaults, and the action is sealed into an audit ledger you own. The code might be identical. Your ability to see it, govern it and prove it is not.
That is the whole argument in one scene. Same capability, different ownership of the controls and the record.
What should a regulated buyer actually do about it?
Treat AI provenance as a procurement question, not a trust exercise. Ask any vendor, us included, three things. Where does the model run, and can it run with no external calls? Who sets its behaviour and defaults, and can those be pinned so they do not change under you? And is there a tamper-evident record of what the AI does inside your systems that you, not the vendor, control?
If the answers are "our cloud", "we do", and "we hold the logs", you are trusting a tool you do not control. That may be fine for low-stakes work. For regulated work it is a gap you should price in.
The Cybernews finding is a useful prompt, not a verdict on one company. Every capable model will do what it is asked within its owner's limits. The question that outlasts the headline is ownership. What we do about it is straightforward: Mickai runs on your hardware, offline, with the AI's behaviour under your control and every consequential action sealed into an audit ledger you own, so what the AI writes and does is inspectable and provable by you.
“July 2026 Cybernews reporting showed Anthropic's Claude will generate user-tracking and surveillance code when prompted, which points to a control problem rather than a single-vendor fault.”
Frequently asked questions
Did Claude actually write surveillance code?
In July 2026, Cybernews reported that Anthropic's Claude will generate user-tracking and surveillance code when prompted. The wider point is that any capable model builds what its prompt asks for within its owner's limits, so this is a control and ownership question rather than a fault unique to one vendor.
Does running AI on my own hardware stop it writing tracking code?
No. A person can still ask a sovereign model to write tracking code. What changes is that the request, the output and the deployment happen under your defaults and are sealed into an audit ledger you own, so nothing ships invisibly. The benefit is provenance and control, not immunity.
Who controls a cloud AI assistant's behaviour?
The vendor does. Hosted models apply guardrails, training and defaults that live on the vendor's servers and can change without your knowledge. You control the prompt, not the substrate, the defaults, the update schedule, or the record of what happened.
How does Mickai make what the AI does inspectable?
Mickai runs on your own hardware, offline, and seals every consequential action into a post-quantum signed audit ledger using ML-DSA-65, standardised as FIPS 204. That gives you a tamper-evident record of what the AI did and on whose authority, which you can show a regulator or reviewer.
Does sovereign AI make me exempt from the EU AI Act?
No. Owning and running the AI yourself does not exempt you from any law. It gives you control over behaviour and a trustworthy record of actions, which is what governance regimes ask for. Under the Digital Omnibus, Annex III high-risk obligations are deferred to 2 December 2027, while general-purpose AI enforcement powers and fines switch on from 2 August 2026.
What should I ask an AI vendor before buying?
Ask where the model runs and whether it can run with no external calls, who sets its behaviour and defaults and whether those can be pinned, and whether there is a tamper-evident record of the AI's actions that you control rather than the vendor. Those three answers reveal who really controls the AI inside your business.




