{"slug": "america-talked-itself-into-chinese-open-source-ai", "title": "America Talked Itself into Chinese Open Source AI", "summary": "The U.S. government's June 2026 export restrictions on Anthropic's frontier AI models backfired, driving allies toward Chinese open-source alternatives and undermining the strategic goal of promoting the American AI stack. The ban, imposed after a jailbreak report and later lifted, accelerated calls for AI sovereignty in Europe and highlighted structural forces like cost pressures pushing enterprises toward open-weight models.", "body_md": "# How America Talked Itself Into Chinese Open Source AI\n\n### The Mythos episode, the open-weights surge, and why restriction hurts defenders more than attackers\n\nFor most of the last two years, the debate about open versus closed AI was mostly an economic and ideological one.\n\nClosed labs argued that frontier capabilities were too dangerous to hand out freely. Open advocates argued that transparency, cost, and control were worth more than a marginal capability lead. Practitioners could mostly watch that argument from the sidelines, because in day-to-day security work the closed frontier models were simply better and the open models were a step or two behind.\n\nThat gap has closed, and the debate has stopped being academic. It is now a live architectural decision that CISOs, security engineers, and platform teams are making right now, often without a clear framework for reasoning about the security implications on either side.\n\nI want to walk through how we got here in the middle of 2026, and then spend most of my time on the part I think we are collectively underweighting, which is what the open versus closed choice actually means for defenders and for the software supply chain we all depend on.\n\n## How U.S. policy talked itself into a corner\n\nStart with the strategic goal, because the goal and the actions have drifted apart in a way that matters. In July 2025 the administration issued Executive Order 14320, ** Promoting the Export of the American AI Technology Stack**.\n\nThe explicit ambition was that American AI hardware, models, standards, and governance would become the default stack for allies and partners around the world. If you wanted the U.S. to win the AI competition with China, exporting the American stack and getting the world to build on it was a coherent way to do it.\n\nThen came the whiplash.\n\nIn June 2026 Anthropic launched Fable 5 and Mythos 5, and roughly three days later the U.S. government ordered the company to cut off foreign access to both, citing national security and export-control authority. Reporting from various leading media outlets tied the order to a jailbreak report from a trusted partner, with reporting pointing to Amazon, that suggested the models could be turned into unrestricted cyber tools.\n\nAnthropic disputed how severe the jailbreak actually was and criticized the opaque process. About eighteen days later the ** restrictions were lifted** and the models came back online.\n\nI already worked through the ban itself in ** Cybersecurity’s Friendly Fire Problem**, so I will not relitigate the whole thing here. The short version is that gating and banning a U.S. frontier model did not remove the underlying capability from the threat landscape.\n\nIt removed the U.S. ability to watch that capability being used, and it handed every ally in Europe and beyond a concrete reason to question whether building on an American AI stack carries political risk. That is the opposite of what Executive Order 14320 set out to accomplish.\n\nWhen France and the Netherlands start amplifying calls for AI sovereignty within days of your export action, the export strategy is working against itself.\n\n## The quieter forces pushing people toward open weights\n\nThe ban gets the headlines, but it is not the only thing reviving interest in open source AI, and I want to be careful not to overstate its role. Several structural forces are converging at once, and most of them have nothing to do with geopolitics.\n\nThe first is cost, and it is the one practitioners feel most directly. For a brief window in early 2026 the loudest signal of AI adoption inside big companies was token consumption going up.\n\nThat has reversed hard. Coverage from ** TechCrunch **and others documented finance teams now trying to drive that same number down. Amazon reportedly shut down an internal leaderboard that ranked developers by token consumption in late May 2026, with the internal line being that you should not use AI just to use AI. Uber said it burned through its entire 2026 AI coding-tools budget in four months and capped spend at $1,500 per employee per month per tool.\n\nAgentic workflows consume something like 5x-30x the tokens of a standard chatbot interaction, so the economics of running everything through a metered frontier API stopped making sense for organizations operating at scale.\n\n[Adrian Sanabria](https://open.substack.com/users/11988704-adrian-sanabria?utm_source=mentions) has been making this point for a while, and it lands especially hard in security, where you are often running high-volume automated analysis and per-token costs compound quickly. When Gary Marcus says tokenmaxxing is giving way to tokenminimizing, that is not a vibe, it is a budget line. It also pours some cold water on the theme that the answer to every security problem AI introduces is to use AI to fight it.\n\nThe second force is the frontier labs themselves adding friction to their own products in the name of safety. When Anthropic redeployed Fable 5 in July 2026, it did so with a new classifier layer.\n\nPer Anthropic’s own ** Redeploying Claude Fable 5** post, a Fable 5 request that trips the new cyber classifier is rerouted to Claude Opus 4.8, with the user notified, so the work still completes on a more conservative model. Anthropic was honest about the tradeoff, which I respect, noting that the classifier flags benign requests more often during routine coding and debugging.\n\nIf you are a security engineer doing legitimate vulnerability research or debugging exploit-adjacent code, you now have a real chance of being downshifted to a different model mid-task because a safety-margin classifier decided your benign work looked risky. That is a rational safety decision on Anthropic’s part and a genuine capability tax on the practitioner. It is exactly the kind of friction that makes a self-hosted model you fully control look attractive.\n\nI’m in various private group chats with security researchers and leaders and it is full of folks frustrated with the classifiers downgrading their legitimate security work.\n\nThe third force is the one that changes everything, which is that open weights have caught up. In June 2026, Z.ai released [GLM-5.2](https://artificialanalysis.ai/articles/glm-5-2-is-the-new-leading-open-weights-model-on-the-artificial-analysis-intelligence-index), a roughly 744-billion-parameter mixture-of-experts model with around 40 billion active parameters, a one-million-token context window, and an MIT license.\n\nIt ranks first among open-weights models on the Artificial Analysis Intelligence Index and fourth overall. On coding benchmarks it beats GPT-5.5 on SWE-bench Pro and lands within a point of Claude Opus 4.8 on FrontierSWE, and it does it at roughly one-sixth the cost. For mainstream coding and engineering work, GLM-5.2 is effectively at parity with the closed frontier.\n\nThe gap only opens meaningfully on the hardest ultra-long-horizon tasks. When the open option is at parity, six times cheaper, self-hostable, and cannot be turned off by a government order, the pull is obvious.\n\nFolks such as [Joshua Saxe](https://open.substack.com/users/50731283-joshua-saxe?utm_source=mentions) have used GLM-5.2 as an example of how counterproductive the U.S. ban on closed source frontier models are, and how it hurts defenders more than attackers in his piece “** GLM-5.2 not Mythos, is the real security emergency**”.\n\nThe industry signals are stacking up as well. Alex Karp at Palantir went on CNBC on July 1, 2026 and [called the token-based pricing model of the frontier labs “completely wrong,](https://www.cnbc.com/2026/07/01/palantir-karp-open-ai-anthropic-tokens.html)[”](https://www.cnbc.com/2026/07/01/palantir-karp-open-ai-anthropic-tokens.html) framing open-weight models as the answer for customers who want control over their compute, their models, their data, and their alpha.\n\nHe also asked whether the country really wants to outsource its national security posture to the consensus view of Silicon Valley, and he warned against underestimating how fast China is moving. Say what you want about Palantir’s true motives, but many of his points are ones a lot of folks do share when it comes to AI. The below video has now gone viral:\n\nSeparately, ** Axios reported** that Microsoft is exploring a fine-tuned, Azure-hosted version of DeepSeek V4, or another open model, as a lower-cost option inside Copilot.\n\nI want to flag both of these carefully. Karp’s comments are on the record and his framing is his own. The Microsoft reporting describes an exploration that Microsoft says is not final, with the model that would be optional and hosted inside Azure with added safeguards. Neither is a settled decision to standardize on Chinese open weights, and I would not treat them as such. Microsoft isn’t along either though, as it is reported many other Western companies are adopting Chinese AI models as well:\n\nWhat they do show is that the “open weights are for hobbyists” framing is dead, and serious enterprises and serious buyers are actively pricing the switch. It is also interesting that one of the largest software suppliers to the U.S. Government in MSFT is looking at potentially using DeepSeek, albeit they likely wouldn’t use it for their Government approved offerings.\n\nThe political signal is arguably more striking. Former U.S. AI Czar David Sacks used a recent episode of the All-In podcast that I listened to over the weekend to make the case for open source AI directly, arguing that open source is one of America’s strongest cards in the competition with China rather than a liability.\n\nHe echoed Karp’s point that what enterprises actually want is control over their compute, models, and data, and he raised the concern that feeding proprietary knowledge to frontier labs is risky when those same labs are launching vertical applications that compete with their own customers.\n\nYou can debate how much of that is a fair characterization of the labs, and Anthropic and OpenAI would push back hard. What matters for this discussion is that a figure who sat at the center of U.S. AI policy is now publicly framing open source as a strategic asset, not the thing to be restricted. That is a meaningful shift in where the political center of gravity sits.\n\nSeveral others have had great pieces on this shift too, such as [Michael Spencer](https://open.substack.com/users/21731691-michael-spencer?utm_source=mentions)’s blog titled “** The Token Apocalypse**”, or\n\n[This Week in AI](https://open.substack.com/users/309691089-this-week-in-ai?utm_source=mentions)\n\n[HSM @ This Week in AI](https://open.substack.com/users/385081146-hsm-this-week-in-ai?utm_source=mentions)blog “\n\n**”.**\n\n[The State of AI: The US is Losing its AI Monopoly](https://thisweekinaiclub.substack.com/p/the-state-of-ai-the-us-is-losing)## The security argument that flips the usual intuition\n\nHere is where security practitioners have to update their intuition. The reflexive take is that closed, gated models are safer because access is controlled. [Joshua Saxe](https://open.substack.com/users/50731283-joshua-saxe?utm_source=mentions) made the sharper argument in his piece that ** GLM-5.2, not Mythos, is the real security emergency**, and I think he is right about the mechanism.\n\nWhen an attacker uses a closed model, they are operating on the provider’s infrastructure, under monitoring, with trust and safety teams watching for abuse. That is not a hypothetical benefit, it is exactly how Anthropic caught the ** first documented large-scale AI-orchestrated cyber espionage campaign**, which it disclosed in November 2025 and attributed with high confidence to a Chinese state-sponsored group.\n\nThe attackers jailbroke Claude Code, ran roughly thirty targets, and let the model handle an estimated 80 to 90 percent of the campaign autonomously, with humans stepping in at only a handful of decision points. Anthropic caught it, mapped it, banned the accounts, and notified victims, because the operation ran on monitored, API-gated infrastructure. Even if you discount some of the lab’s framing as marketing, the visibility point holds, you cannot ban an account you cannot see. This is something enterprise security leaders already know intuitively after years of wrestling with shadow IT/SaaS and now AI.\n\nNow run the same campaign on a self-hosted open-weights model.\n\nThere is no usage log, no trust and safety team, no account to ban, no detection to trigger. The capability does not go away when you restrict the closed model.\n\nIt relocates into the dark, onto a rack of H200s in an environment nobody is watching. So the current restrictions harm defenders more than attackers, because defenders lose their best monitored tooling while attackers simply migrate to the ungoverned option. Joshua Saxe’s conclusion, which I share, is that the priority should be accelerating AI adoption among defenders and security vendors rather than restricting frontier access, because the open-weights genie is already out of the bottle.\n\nIn fact, when I spoke at the SANS AI Security Summit earlier this year I made this exact argument, that security needs to be an early adopter and innovator with AI. It is very hard to do that if we’re being handicapped and having our access to the capabilities restricted.\n\nThis connects to something I have been writing about for a while, which is the jagged frontier of AI in offensive security. The comfortable assumption is that offensive capability is gated behind the biggest, most expensive, most restricted models.\n\nThe evidence says otherwise. AISLE’s [Stanislav Fort](https://open.substack.com/users/6503858-stanislav-fort?utm_source=mentions) ran ** Anthropic’s own showcase Mythos vulnerabilities through small, cheap, open-weights models** and found that eight out of eight models detected the flagship FreeBSD exploit, including one with only 3.6 billion active parameters costing eleven cents per million tokens.\n\nA model with 5.1 billion active parameters recovered the core chain of a 27-year-old OpenBSD bug. His conclusion is that the moat is the system, not the model, because capability does not scale smoothly with size or price.\n\nNiels Provos reached a compatible conclusion with his work on autonomous zero-day discovery, arguing that ** finding vulnerabilities is an orchestration problem, not a frontier-model problem**.\n\nI sat down with Niels for a full conversation on exactly this, and the through line is consistent. With a good harness, capability that we assumed required a frontier model is available to anyone with modest, older, or open hardware. Gating the frontier does very little to gate the capability.\n\n## The next policy mistake is already forming\n\nIf the Mythos ban was restriction aimed at the closed frontier, the move that worries me more is the growing appetite to regulate open source itself. Dario Amodei has been consistent that open-source AI is heading down what he calls a very dangerous path, and his June 2026 policy essay, ** Policy on the AI Exponential**, called for FAA-style, government-mandated safety evaluations before any frontier model can be publicly deployed, open or closed.\n\nHe points to genuine concerns, including bioweapons uplift from Anthropic’s own red-team testing, cyberattacks on critical infrastructure, and the plain fact that you cannot recall an open-weights release the way you patch a breach. That irreversibility point is real and worth taking seriously.\n\nI would weigh the framing honestly, though. Critics have noted that Anthropic sells API access to Claude, and open models approaching Claude’s capability are a direct competitive threat, which is a relevant data point when a lab argues that its competitors’ release model is the dangerous one.\n\nIt is the same skepticism people applied to the arguments against releasing GPT-2 back in 2019, and the safety case and the commercial case happen to point the same direction. I am not assigning motive, but practitioners should hold both things in view at once.\n\nThere’s also a strange conundrum involved, where yes, it is in Anthropic, OpenAI etc.’s commercial interest to stifle open source, but ironically, much of the U.S. economy is now riding high due to the AI boom, and the role of the frontier labs, hyperscalers, the venture capital involved, and infrastructure buildout and more. If the labs struggle, it inevitably will reverberate across the U.S. economy as well.\n\nThe bigger problem is that regulating open source would fail on its own terms and likely backfire, for reasons [Nathan Lambert](https://open.substack.com/users/10472909-nathan-lambert?utm_source=mentions) and [Kevin Xu](https://open.substack.com/users/9714824-kevin-xu?utm_source=mentions) laid out in ** Banning Open Source AI Would Be a Mistake**.\n\nA U.S. rule restricting open weights binds U.S. labs and U.S. developers. It does nothing to GLM-5.2, DeepSeek, or Qwen, which are already downloaded, mirrored, fine-tuned, and self-hosted around the world.** You cannot un-release a model (in open source). **\n\nRegulating domestic open source because of China would chill American education, research, and competition while handing the global default to Chinese models, which is the exact outcome the policy claims to prevent. It is the chip export-control lesson all over again, where denial accelerated the alternatives rather than stopping them.\n\nConstraint breeds innovation, which is exactly what we’re seeing play out with China’s AI, from chips to models.\n\nLambert has separately described the current posture as “*vibe governance”*, where model releases are judged by political instinct rather than transparent technical assessment, and he argues that export bans on model weights are a lasting negative for U.S. leadership.\n\nFor defenders specifically, this would widen the same visibility gap the Mythos ban opened. Restricting domestic open source hobbles the vendors and security teams building defensive tooling on open models, while attackers keep running whatever they already pulled down.\n\nYou would be regulating the people you can see and leaving untouched the people you cannot.\n\n## The uncomfortable part, and why it is not just “China bad”\n\nHere is the part that makes practitioners uneasy, and it should. Much of the leading open source is coming out of Chinese labs. GLM-5.2 is from Z.ai. DeepSeek is Chinese, Qwen is Chinese, Kimi is Chinese.\n\nThe nation the U.S. most wants to out-compete on AI is currently producing the open models that are cheap, publicly available, increasingly capable, and attractive precisely because they let enterprises keep their own data and control their own stack. There is real irony in a world where American export policy nudges American enterprises toward Chinese open weights.\n\nI also want to be specific about the risk here, because “*China bad*” is lazy and it leads to bad decisions. Open weights are not a black box you have to trust blindly. That is the whole point of them. You can self-host them, air-gap them, control every network flow in and out, scan the weights, monitor inference, and log everything.\n\nIn a lot of ways a locally hosted open model gives you more control and more visibility than a closed API where your data leaves your environment and you trust the provider’s word about what happens to it. For data-sovereignty-conscious organizations and entire nations, that control is the feature.\n\nBut the risks that remain are real and they are not the ones people usually name. The concern is not that the model phones home, because you can prevent that. The concern is what is baked into the weights and the pipeline that produced them.\n\nPoisoned or backdoored weights, where a model behaves normally until a specific trigger activates hidden behavior. Training-time bias, whether deliberate or incidental, that shapes outputs on politically or strategically sensitive topics. Jailbreak susceptibility that varies by model and is hard to fully characterize. Supply-chain tampering anywhere between the lab that trained the model and the checkpoint you actually download. These are not exotic, they are the AI-native versions of problems we have spent a decades learning to take seriously in software.\n\n## This is a software supply chain problem, and we have seen this movie\n\nWhen Tony Turner and I wrote ** Software Transparency,** with Steve Springett as technical editor and Allan Friedman writing the foreword, the core argument was that a software-driven society cannot run on components it cannot inspect.\n\nWe spent years pushing SBOM, provenance, and transparency because you cannot secure what you cannot see, and because trust in a supplier is not the same thing as verification of an artifact. The entire discipline grew out of watching supply-chain attacks like SolarWinds and the log4j scramble teach us that the thing you did not build, did not inspect, and cannot attest to can be exactly the thing that hurts you.\n\nAI models are now the most consequential unaudited dependency most organizations have ever adopted, and we are integrating them at the center of our development pipelines and security tooling with far less rigor than we would demand of a random npm package. The leading model hosting platform, ** Hugging Face** now has almost 3 million models alone.\n\nA model is a supply-chain artifact. It has provenance, or it should. It has a build process, which is the training data and the training run. It has a distribution channel, which is the checkpoint you pulled from a hub. It has integrity properties you would want to attest to and verify. Almost none of that infrastructure exists in a mature form for AI weights the way it now does for software components.\n\nThat said, no surprise that my friends at OWASP have been working on this problem for quite some time, with their ** AI Bill of Materials (AIBOM) project**, where they seek to make AI systems transparent, auditable and secure. For those unfamiliar, an AIBOM is a “a structured machine readable inventory of AI components such as models, datasets, agents tools, guardrails, and runtime elements along with evidence of origin, rights, integrity and evaluation.” I dove into this topic with one of the projects leaders, Helen Oakley:\n\nThat is the real through line for practitioners.\n\nThe open versus closed AI decision is a software supply chain decision, and the disciplines we built for software transparency map almost directly onto what we now need for models.\n\nWe need provenance for weights and for training data. We need the equivalent of an SBOM for a model, an artifact that tells you what went into it and lets you reason about it. We need integrity verification so you know the checkpoint you are running is the one the lab actually published. We need the ability to inspect, scan, and continuously monitor model behavior in the environments where we run them (e.g. runtime visibility and enforcement).\n\nSome of this is emerging. Model cards, dataset documentation, and early work on model signing and attestation are steps in the right direction. That said, AI is moving far faster than traditional software supply chain security did.\n\nThe point is that we already know how to think about this. We do not need a brand-new philosophy for AI supply chain security. We need to take the transparency and provenance thinking we spent the last decade building for software and apply it to models with the same seriousness, before the integration is so deep that retrofitting it becomes another decade-long slog, that never fully materializes.\n\n## What practitioners should actually weigh\n\nSo strip away the geopolitics and the headlines, and here is how I would frame the decision for a security leader choosing between open and closed AI, neutrally, because both are defensible depending on your context.\n\nClosed frontier models give you provider-side monitoring, faster patching of newly discovered issues, some assurance of abuse detection, and typically a small capability edge on the hardest tasks.\n\nYou pay for that with metered token costs, with data leaving your environment, with exposure to a provider’s safety classifiers reshaping your workflows without warning, and with the political and continuity risk that a model you depend on can be gated or pulled by forces outside your control. The Fable and Mythos episode was a live demonstration that this last risk is not theoretical.\n\nOpen-weights models give you control, cost efficiency, data sovereignty, the ability to fine-tune for your use case, and continuity that no government order can revoke overnight. You pay for that by owning the entire security burden yourself. You have to treat the weights as an untrusted supply-chain artifact, verify provenance and integrity as best you can, control the network boundary, monitor inference, scan for anomalous behavior, and accept that backdoor, bias, and poisoning risks are yours to manage rather than the provider’s.\n\nIf you are going to run a Chinese open-weights model, and many organizations will for entirely rational cost and control reasons, the answer is not to pretend the risk away and it is not to refuse on reflex. The answer is to wrap it in the same supply-chain rigor you would want for any critical dependency you did not build.\n\nMost organizations are going to end up running both, matched to the task, which is the same conclusion AISLE reached about being model-agnostic by design. We’re even seeing the rise of ** Model Fusion**, where a panel of models are fused together through routers, such as OpenRouter, and often outscore a single model alone. OpenRouter shared some excellent insights into this, in a blog titled “\n\n**”.**\n\n[Fusion Beats Frontier](https://openrouter.ai/blog/announcements/fusion-beats-frontier/)That is fine, but what is not fine is making the choice without a security framework, because the failure modes on each side are different and both are real.\n\nVulnerability exploitation is now the leading initial access vector according to the 2026 DBIR, defenders are already behind, and AI is the largest force multiplier available to close that gap.\n\nGetting the open versus closed decision right, with clear eyes about the security tradeoffs of each, is one of the more consequential architecture calls a security team will make this year.\n\nThe strategic mistake would be to keep treating this as a binary morality play about open being reckless or closed being safe, neither alone is true.\n\nThe capability is diffusing regardless of policy, the open models are at parity for most of what we do, and the security question is not whether these tools exist but whether we can see and govern how they are used.\n\nThat has always been the harder and more important question, and it is the one the software supply chain community has spent a decade learning to answer.", "url": "https://wpnews.pro/news/america-talked-itself-into-chinese-open-source-ai", "canonical_source": "https://www.resilientcyber.io/p/how-america-talked-itself-into-chinese", "published_at": "2026-07-08 14:32:46+00:00", "updated_at": "2026-07-08 14:42:58.798704+00:00", "lang": "en", "topics": ["ai-policy", "ai-safety", "ai-ethics", "artificial-intelligence", "ai-infrastructure"], "entities": ["Anthropic", "Amazon", "Uber", "TechCrunch", "Executive Order 14320", "Fable 5", "Mythos 5"], "alternates": {"html": "https://wpnews.pro/news/america-talked-itself-into-chinese-open-source-ai", "markdown": "https://wpnews.pro/news/america-talked-itself-into-chinese-open-source-ai.md", "text": "https://wpnews.pro/news/america-talked-itself-into-chinese-open-source-ai.txt", "jsonld": "https://wpnews.pro/news/america-talked-itself-into-chinese-open-source-ai.jsonld"}}