For nearly nine months, Trump-administration officials have defended top national-security leaders who shared information in a Signal chat about U.S. strikes in Yemen, first reported by The Atlantic’s editor in chief, Jeffrey Goldberg, who was inadvertently included in the group. Officials played down the severity of the breach and insisted that the information wasn’t classified.

Now the Pentagon’s top watchdog has concluded that the information Defense Secretary Pete Hegseth shared in the chat could have put the mission, U.S. personnel, and national security at risk had it fallen into the wrong hands. The information Hegseth shared included the precise times that fighter pilots would attack their targets. If Houthi militants had learned those details in advance, they might have been able to shoot down American planes or better defend their positions.

The Defense Department Inspector General found that while the mission ultimately was not jeopardized, Hegseth violated his department’s own policies when he used Signal, a commercial messaging app that is not approved for sharing classified information. The IG’s report, scheduled to be published on Thursday, was described to us by numerous U.S. officials familiar with its findings.

The Pentagon did not immediately respond to a request for comment. Neither did an attorney for Hegseth.

Senator Mark Kelly, an Arizona Democrat who sits on the Armed Services Committee, said that the report found Hegseth was in violation of Pentagon regulations. “They very clearly stated he should not be using his cell phone and putting this kind of information on an unclassified system,” he told reporters on Capitol Hill.

The report also found that the information Hegseth shared was classified at the time he received it. (Trump administration officials had tried publicly to argue otherwise.) Battlefield information like what Hegseth shared is routinely classified because of the risk it would pose to U.S. forces were it exposed. Classified information is normally transmitted over approved, secure government systems. U.S. Central Command, which is responsible for military operations in the Middle East, had classified the information about the air strike as secret, according to defense officials who spoke to us on the condition of anonymity.

But the report also found that Hegseth, as the secretary, had the authority to declassify information, Kelly noted. Less clear is why Hegseth thought it was appropriate or necessary to do so.

The Inspector General’s office, led by acting director Steven Stebbins, also noted that Hegseth is hardly the only official to have used the encrypted messaging app.

What is known is that Hegseth’s communications included the precise times that U.S. fighter planes would attack their targets, the sort of information ordinarily shared only on secure platforms. Signal is an open-source encrypted messaging service popular with journalists and others who seek more privacy than other text-messaging services are capable of delivering. Current and former government officials have told us that if lower-level employees shared such sensitive information on a commercial platform, they would certainly be fired and possibly be prosecuted.

The inspector general’s conclusions seem likely to create an impression among the military rank and file that there are two sets of rules: one for the Defense Department’s presidentially appointed leadership, and one for everyone else.

The inspector general’s findings may also compound the criticism that Hegseth has been facing since he assumed office. Critics—including people within the Trump administration—have complained about his chaotic management, which has been marred by infighting among senior aides, and they say that Hegseth has spent more time focused on personnel issues and physical-fitness standards than running the world’s most advanced military. A number of Democrats and at least one Republican have called for him to resign. And now two congressional committees led by Republicans have said that they will investigate a report in The Washington Post that Hegseth gave a verbal order to leave no survivors in a September military strike on an alleged drug boat, leading the United States to conduct a follow-up strike that killed two people who survived the initial attack. Some legal experts have said that such an order could be a war crime. During a Cabinet meeting on Tuesday, Hegseth said that he “did not personally see survivors” clinging to the boat after a first strike, and he has denied knowing that a second strike could have hit them.

Signalgate became a shorthand for ineptitude at the highest reaches of the administration. Foreign allies told us that they felt justified in their earlier reluctance to share their secrets with the United States, given President Donald Trump’s long history of mishandling classified information. Interspersed in the chat—along with questions about the wisdom of conducting the Yemen strike and details about weapons packages, targets, and timing—were emoji, exclamation points, acronyms, and several words in all caps. “PATHETIC,” Hegseth wrote to describe Europe’s response to threats to a key shipping lane.

The Signal app is not approved by the government for sharing classified information. Indeed, inside much of the Pentagon, personnel are not even allowed to bring their cellphones into their office; instead, they have to keep them outside their door in storage lockers.

The government has its own systems for communicating classified information. When officials want to discuss military activity, they customarily go into a specially designed space known as a sensitive compartmented information facility, or SCIF—most Cabinet-level national-security officials have one installed in their home—or they communicate only on approved government equipment.

The Signal group chat concerning Yemen turned out to be just one of at least a dozen such groups that administration officials had used to conduct government business, former and current officials told us.

The inspector general’s report examined only Hegseth, not other senior officials in the Signal chat whose actions aren’t under the Pentagon’s jurisdiction, including CIA Director John Ratcliffe, Vice President J. D. Vance, and then–National Security Adviser Mike Waltz, now the ambassador to the United Nations. Waltz set up the “Houthi PC small group” chat in the first place and inadvertently added Goldberg. There are no comparable reviews planned for these officials or other members of the chat.

The unprecedented security breach revealed the Trump administration’s casual approach to handling some of the country’s most sensitive information. The information about the precise times that U.S. fighter jets would be over their targets in Yemen could have helped Houthi rebels shoot the planes down if it were exposed. “We are currently clean on OPSEC,” or operations security, Hegseth wrote in the chat, unaware the group clearly wasn’t.

The story became comedy gold for late-night hosts. (Saturday Night Live reimagined it as the show’s cold open.) Perhaps the fiasco resonated so widely because it was simultaneously so relatable and so reckless. Who hasn’t felt the chagrin of accidentally posting in the wrong group chat or hitting “Reply All” to an office email? And also: The senior-most government leaders in the United States did what with their secret attack plans?

Hegseth, a former National Guard soldier and Fox News host, has faced other questions about his professional and personal judgment since his nomination last fall. During his confirmation process, he defended himself against allegations of heavy drinking and sexual assault, which he denied. Since taking office, scrutiny has intensified as he has summarily fired scores of senior military officers without cause, focused on personnel issues such as service members’ weight and hair, and departed from precedent by launching sharp partisan attacks.