Proliferating export controls, import bans, and shortages of key components since COVID-19 have made supply chain resilience a top strategic concern for firms and governments. Both groups have spent billions of dollars identifying supply chain weak points, stockpiling inputs, and diversifying suppliers so that cars worth tens of thousands of dollars never again sit unfinished for want of a microchip.
It is with these concerns and visceral chokepoint memories in mind that executives and government officials are grappling with the question of how much they can rely on artificial intelligence (AI) tools as a key input. Can users trust that they will have uninterrupted access to the best AI models and that governments will not exploit their dependence as leverage?
The US government in June effectively answered "no," cutting off international access to the best American models in a move likely to prove a gift to China's AI ecosystem.
The US Department of Commerce on June 12 abruptly placed export controls on Anthropic's top-of-the-line Mythos and Fable models, ordering Anthropic to deny access for any non-US persons. Unable to verify user citizenship, Anthropic took down the models for everyone, including reportedly the US National Security Agency (NSA).
The US government's action meant that for the first time in the current AI boom, AI capabilities available to the global public took a step backward. Soon after, at the G7 Summit, French president Emmanuel Macron bluntly warned the United States that after this "nationalist" action, "we will not buy any model made by [US AI] companies if from one day to the next you can just turn off the switch." He also noted that US AI firms rely heavily on revenue earned worldwide to recoup the escalating costs of training frontier AI models.
Macron's warning came too late to prevent serious damage. Though international access to Fable was restored on July 1 with more restrictive guardrails, Mythos has been released only to American institutions for now. This episode is not likely to be a one-off, as OpenAI has reportedly agreed to give the US government approval rights over customers for its latest model as well.
The sudden US action, without any public criteria or carve-outs for allies, is likely to boost international adoption of Chinese AI models because Chinese firms tend to release their models as "open weight," meaning users can run them on their own computing power. Once a user downloads an open weight model, the provider cannot shut off access—a feature that just became a greater selling point.
Chinese firms provide no guarantee of access to future models and may decide to release their most powerful models as closed weight if they embrace safety concerns similar to those that drove the US government's June 12 order. But for now, the US action and slower US model releases may give Chinese AI firms a chance to narrow the lead of their American rivals.
Mythos and model access
Ever since ChatGPT was released in late 2022, the best new AI models were available to nearly anyone in the world for a relatively small subscription fee. The fees, ranging from $20 to $220 per month, would be easier to bear in wealthier countries, but engineers at startups next to OpenAI headquarters could use the same powerful model as a small business owner in Kenya, Chile, or Cambodia.1 Those days may be over, with serious consequences.
The first actions restricting access to US AI models preceded the US government's June 12 export control order. Anthropic decided that its Mythos model, announced on April 7, was too capable 2 of finding and exploiting vulnerabilities in critical software systems to release broadly. Instead, it created "Project Glasswing" which allowed key firms early access to the model to conduct cyber defense. All the initial 12 Glasswing participants were American, but it is unclear whether this exclusion of foreign firms was purely Anthropic's choice or the result of US government pressure.3
The US government has no implemented export control authority that clearly would allow it to control Mythos access. However, the government reportedly successfully pressured Anthropic to delay expanding its roll out of the model, due to concerns about whether new users had sufficient security precautions and whether Anthropic had enough computing power to serve US government demand. The latter is ironic considering that an earlier dispute about guardrails for government AI use led the US Department of War to label Anthropic a "supply chain risk." 4 President Donald Trump even ordered the entire US executive branch to cease working with the company. Yet, Mythos seems to have led the government to reconsider. Press reports indicate the NSA was also using Anthropic for offensive cyber operations.
Project Glasswing had just expanded on June 2 to include 150 new organizations, reportedly including the North Atlantic Treaty Organization (NATO), the EU's cybersecurity agency, the SWIFT network for payment messages, and governments such as France and Germany. The US government reportedly cleared most but not all the new users. These organizations should have been able to use Mythos to start hardening their cyber defenses when Anthropic broadly released Fable 5, a "mythos-class" AI model, on June 9, with protections against cybersecurity-related use designed to differentiate it from Mythos.
Many of the key facts are disputed. Amazon reportedly discovered that these restrictions could be at least partially bypassed and reported this to the Trump administration. Anthropic, by contrast, claims that the supposed loophole in its safeguards is narrow and only unlocks capabilities "widely available from other models." Nevertheless, the administration's June 12 emergency export control5 led Anthropic to cut off access to both models.
Balancing act
The Mythos mess has erupted from multiple US goals that are in tension with one another. On the one hand, the United States wants to export the US AI "stack" of AI chips and cloud computing systems that train and run AI models, AI models themselves, and AI-based applications to generate revenue to sustain investment and establish global market share for US firms. But the United States also does not want adversaries to access frontier AI capabilities that can boost commercial competitiveness, military and strategic capabilities, and enable competing AI companies to "distill" or extract hard-won AI capabilities from US leaders. Broader access to US frontier AI, even while attempting to exclude competitors like China, will inevitably lead to leaks.
Before Trump's second presidential term began in 2025, the Biden administration's approach generally focused its export controls on depriving China of chips needed to train and run advanced AI models, including by denying the chips to a set of countries deemed a risk of diverting technology to China. It was only in its last days that the Biden administration issued the AI Diffusion Rule, which the current Trump administration criticized as overreach and withdrew before its main requirements took effect. That rule would have, for the first time, imposed controls on the model weights of certain advanced closed AI models while dividing countries into three tiers with varying access to US-origin advanced AI computing power.
But even this closest precedent to the Mythos and Fable controls did not go so far as to restrict who could use AI models. The diffusion rule's model controls would have only constrained AI labs' export of the model itself as expressed in its weights, with the idea that exporting the model to be served from computing power in a jurisdiction with lax cybersecurity could lead the entire model to leak.
While sharing concerns about leakage of US technology that could enhance Chinese AI capabilities, the Trump administration could not achieve consensus on a potential successor rule earlier this year. An AI executive order including a voluntary safety and security review that was pulled at the last minute and signed later on June 2 with some tweaks is another signal of the intense and unsettled debate within the administration. But declining to introduce some form of replacement for the diffusion rule left the administration without a clear framework or authorities to control frontier models like Mythos directly. The administration may not have had other tools to restrict the model, but the use of export controls with a clear US-foreign divide in access, with no carve-outs for even the closest allies, sent a particularly chilling signal.6
The Commerce Department's legal basis to control use of AI models through cloud means like Anthropic's API, as it did on June 12, is also contested.7 Export control jurisdiction does not typically apply to access to services—one reason that it has remained legal for Chinese firms to rent cloud-based access to powerful export-controlled AI chips. Congress has recognized this gap and considered but not passed a bill that would grant the Commerce Department this authority.
Fallout and Future
Much of the world already relies on US technology and firms for critical systems from cloud computing to payments and internet infrastructure, and the same pattern could recur for AI. US cloud computing firms have proven trustworthy with sensitive data, but AI requires even more trust because these systems go beyond data storage and analysis to guide and even make decisions for users. Potential users also need to trust AI actions and outputs for accuracy and "alignment" with user interests and policies. AI models are improving on these fronts.
However, the administration's June 12 order cutting off access for even close US allies who just negotiated Mythos access and maintaining a US/non-US dividing line for frontier capabilities is fueling concerns in Europe and around the world that the United States would use reliance on US technology as a leverage point. Some worry, for example, that the Trump administration would threaten to cut off AI access over trade deals or to gain control of Greenland. Pre-Mythos controls, senior European leaders flagged the risk of a "kill switch" for cloud providers.
The Mythos and Fable ban has further damaged the reputation of the United States and its firms as a supplier of technology and will fuel efforts around the world to at least hedge dependence on the United States—with China as the main beneficiary. It is reasonable to expect that the US safety concerns around cybersecurity risks, biosecurity risks, and more8 that led to these controls will only grow as AI systems become more powerful, and thus that government restrictions on AI technology will become the new norm—as OpenAI's GPT 5.6 rollout is likely to demonstrate.
The problem now is that there is no credible and consistent framework for controlling access that would give other governments and firms a sense of whether they would have early or even later reliable access to US frontier models, and what if any requirements the United States would place on that access.
A specific proposal is beyond the scope of this article, but the United States urgently needs a better framework if it intends to regulate deployment, preferably one developed together with leading firms and key allies that guarantees their early access to frontier models subject to transparent security precautions, a certification process for trusted users for cyber defense, and consistent, neutral procedures for emergencies that create a perceived need to narrow access to already deployed models (including an appeals process).
If future US model access is restricted by nationality, it will require American AI labs to create from scratch a know-your-customer (KYC) regime like banks. Unlike banks, though, US AI firms have rapidly built international user bases by minimizing friction for new users to sign up. There are precedents. For example, consumer-focused semiconductor companies also had to build stronger compliance systems to match more stringent export controls applied to their products since 2022.
Chinese firms will have strong incentives to undermine any AI model access controls by posing as other nationalities or buying through intermediaries. However, AI labs would have the hard task of trying to weed out unauthorized access across hundreds of millions of users, including also thorny issues of dealing with edge cases, such as Chinese nationals working at companies or studying at universities with access to the best models. The Commerce Department has lifted the restrictions on access for foreign nationals in US institutions, but restrictions could still be reimposed.9
Forcing users to identify themselves would also pose new questions about data privacy for users whose sensitive information would be associated with their real names and potentially shared with authorities.
China will gain, but will it stay open?
The recent government controls come at an inopportune time for US AI. While US firms have consistently been in the lead producing the world's best models, these are far more expensive than Chinese AI models that appear to be good enough for a growing variety of tasks—albeit with unknown security implications. Chinese models dominate the tier below US models as fast followers. Any migration from US models will likely be to Chinese models because no other countries have proven similarly capable of training near-frontier AI models.
As AI use has shifted from maximum $220 per month subscriptions to metered use of coding agents, costs have exploded to such an extent that even deep pocketed companies have indicated they are exploring Chinese models for some tasks. Chinese models have commensurately increased their share of use based on the limited data available. The fear of being cut off from US models thus adds to the cost concerns that have increased user openness to Chinese alternatives.
Many countries outside the United States and China have implicitly followed strategies that involve playing one against the other. Unable or unwilling to marshal the considerable resources required to compete at a fast-moving frontier, they hoped the threat of migrating to Chinese open models would be a check on US frontier labs' market power and US government leverage. After all, even Meta and xAI, despite amassing enormous computing investments and high-priced talent, have not been able to keep up with the frontier.
The main risk for the rest of the world is that China, with the same national security concerns as the United States, begins restricting access to some future generation of powerful models developed by Chinese firms. This could happen because of events that suddenly shift the equilibrium: For example, nonstate actors might use powerful Chinese open weight AI models, fine tune the guardrails out of them, and then engage in cyberattacks including against China. The inability to monitor and shut off access to open models applies to criminals too, after all.
Chinese labs may also shift away from open weight models for economic reasons, as it is challenging to create a sustainable business model for an AI lab if it releases the fruits of its expensive training runs for free. Third countries hoping to rely on China could then find themselves no longer able to use open weight Chinese models as a counterweight to the United States. The only way they could then access them could be through application programming interfaces (APIs) just as is the case for most US models today. That could involve sending sensitive data to China and ensuring models comply with Chinese censorship directives. Countries could also be forced to choose between an entirely Chinese or entirely American AI stack in a way that is not necessary today.
The US government seems to believe that AI has now crossed a threshold that requires restricted access to the best models. Its safety concerns may justify this assessment, but the government needs to explain its concerns to the international public. If it wants to restrict access while maintaining credibility, the administration urgently needs at least a provisional model access regime to replace the ad hoc de facto regime today in which the US government approves individual users and models without any clear criteria. The administration also should refrain from imposing restrictions based on a user's nationality, as did its June 12 export control letter to Anthropic.
Notes
Recently, more users, especially business users, are using plans that pay for usage, which can be significantly more expensive for intensive use of top of the line models.
This not a universally held view—some see it as mainly discovering already known vulnerabilities, at a large expense.
Anthropic has not publicly disclosed the full list of firms with Mythos access, which goes beyond the 12 Glasswing participants to a total of around 50 and may include foreign firms. But there is no evidence that any non-US participants were in the initial group.
The author has joined two amicus briefs on Anthropic's side in this matter but has no personal financial relationship or affiliation with Anthropic.
The export control took the form of an "is informed" letter that can be used to quickly control something. For example, is informed letters were sent to firms before the October 2022 export controls on AI chips and chipmaking equipment to stop Chinese buyers from using soon-to-be-banned transactions to stockpile before the rumored but not yet final controls could be designed and implemented.
The Commerce Department letter included "deemed export" restrictions that treat giving, say, an Anthropic engineer without US citizenship or permanent residency access to the model the same as exporting the model to their country of nationality.
One user has already sued the administration in an attempt to overturn the ban.
The AI space often refers to "CBRN" or chemical, biological, radiological, and nuclear risks, among others.
The Commerce Department's June 30 letter to Anthropic lifting controls included lifting the "deemed export" controls that restricted access for foreign nationals.
Data Disclosure
This publication does not include a replication package.