Washington keeps looking for the AI equivalent of a locked vault: control the chips, control the models, control the danger. But artificial intelligence is starting to look less like uranium and more like malware—hard to contain, easy to adapt, and most dangerous where people actually use it.
The White House’s new AI executive order is framed around innovation and security. Its clearest signal, however, is concern about frontier AI capabilities themselves: how they are benchmarked, who gets early access to them, and how their release should be coordinated with the federal government. That focus lands squarely in the middle of a growing debate over whether AI policy should target chips, models, or what Anthropic recently described as the “capability layer”—the environment where models are deployed, monitored, secured, and used.
Recent arguments within parts of the AI-policy community—most notably from Anthropic—have emphasized export controls, compute restrictions, and centralized governance as the primary tools for preserving U.S. leadership in frontier artificial intelligence. The concern is understandable. AI systems are likely to accelerate innovation across strategically important sectors, including semiconductors, cybersecurity, biotechnology, advanced manufacturing, and military systems. Maintaining American leadership in those areas is a legitimate national objective.
Much of the current debate, however, still views the strategic landscape primarily through the lens of chip denial and hardware restrictions. That perspective risks overstating the long-term importance of compute controls, while understating the significance of where AI systems actually meet the world: through cloud services, application programming interfaces (APIs), identity systems, monitoring tools, and security controls.
As models proliferate, open-weight ecosystems mature, and agentic orchestration techniques improve—that is, as systems become better at coordinating multiple tools and models to complete tasks—the core strategic challenge increasingly shifts. The question is less whether adversaries can ever obtain compute and more whether deployed systems can be hardened against misuse, monitored effectively, and integrated into resilient defensive architectures.
In practice, the emerging equilibrium looks far more like cybersecurity or fraud prevention than a traditional nonproliferation regime. Overindexing on the latter risks weakening both American national security and the ability of U.S. firms to remain at the technological frontier.
Put differently, current AI policy discussions too often blur the line between national security and incumbent protection. A sustainable strategy should preserve U.S. ecosystem leadership, focus governance on the places where models are actually accessed and abused, and encourage defensive open-source proliferation. Treating blunt hardware denial as the master key to AI security is unlikely to achieve any of those goals.
A Very Expensive Speed Bump
In a recent essay on AI competition with China, Anthropic argued that U.S. export controls on advanced AI chips have been highly effective. The essay suggests that Chinese firms have narrowed the gap primarily through talent, loopholes in export-control enforcement, and large-scale distillation attacks on frontier U.S. models. Distillation, in this context, means copying some of a model’s capabilities by systematically querying it and training another model on the results.
There is at least some evidence that export controls have imposed real friction on Chinese AI development, particularly by limiting access to leading-edge semiconductor manufacturing equipment and hyperscale computing resources. The controls have increased costs, reduced efficiency, and slowed progress at the frontier.
But slowing progress is not the same as stopping it. Substantial leakage, smuggling, stockpiling, and substitution remain. The restrictions have also encouraged “good enough” domestic alternatives, such as Huawei chips, that can leverage China’s abundant energy supplies to scale training workloads. In plain English: better chips do more work with less power, but weaker chips paired with enough electricity can still produce highly capable systems.
A recent Federal Reserve Bank of New York staff report adds an important domestic-cost dimension. Affected U.S. suppliers complied with the controls by reducing sales to Chinese customers, but many struggled to replace those relationships through reshoring or friendshoring. Meanwhile, targeted Chinese firms developed alternative supplier networks. The report estimates that affected U.S. suppliers lost roughly $130 billion in market capitalization, underscoring that export controls can impose substantial costs on the same firms they are supposed to protect.
The farther one moves from training frontier models from scratch, the less persuasive the hardware-denial framework becomes. At this point, enough advanced compute already exists around the world—and much of it is accessible remotely—that comprehensive denial is difficult to imagine. Even maintaining enough friction to preserve a meaningful gap across every relevant frontier appears increasingly implausible.
Perhaps export controls would have fundamentally altered the strategic landscape had they been implemented a decade earlier. But that counterfactual would also have changed the trajectory of American industry itself, making the ultimate outcome impossible to know. In any event, the world now contains a vast installed base of capable hardware, mature open-weight ecosystems, sophisticated distributed-training techniques, and increasingly commoditized model architectures. Those realities change the security problem.
Jeffrey Ding makes a related point. Anthropic’s short-horizon scenario depends on a contestable assumption about technological diffusion: general-purpose technologies often take years, if not decades, to translate into organizational and military advantage. That uncertainty matters because the longer the relevant timeline, the more significant the downsides of export controls become, including indigenous substitution, supply-chain reorientation, and permanent parallel technology stacks.
The more important question is no longer whether adversaries can access compute. It is whether the systems built on that compute can be hardened, monitored, defended, and instrumented effectively.
The Fight Has Moved Up the Stack
One revealing passage in Anthropic’s essay says that “[p]olicymakers have not tightened loopholes on the CCP’s access to compute.” But “access to compute” increasingly means far more than access to physical chips. It includes hosted AI services, distributed cloud infrastructure, stolen or synthetic identities used to evade know-your-customer (KYC) controls, and criminal proxy markets that can generate thousands of fraudulent accounts.
It also includes orchestration frameworks that combine smaller or older models into coordinated systems, as well as access to the outputs of frontier models through distillation attacks. In other words, the relevant threat is not always someone buying forbidden chips. Sometimes it is someone abusing a deployed model at scale.
Ironically, Anthropic’s own essay acknowledges this problem. It correctly identifies organized efforts to extract capabilities from hosted systems through mass account generation, structured querying, and automated harvesting.
But that observation undercuts the claim that hardware controls are the decisive battleground. If the principal threat vector is adversarial interaction with deployed systems, then the strategic center of gravity shifts upward from the chip layer to the capability layer. That is where the real contest increasingly lives.
This shift also exposes an API blind spot. An API is the software doorway that lets outside users and applications interact with a model. Advanced capabilities can be reached globally through account arbitrage, distillation, synthetic identities, and evasion of customer-screening protocols. More rigorous end-use monitoring for APIs is technically possible, but commercially uncomfortable for high-growth labs. It requires limiting the same global access and revenue streams that make hosted frontier models so valuable.
That incentive helps explain why compute controls are often easier to champion politically than strict, auditable controls on model access. It is simpler to talk about denying chips than to explain how one will monitor millions of users, accounts, prompts, integrations, and downstream applications without crushing legitimate use.
Nonetheless, the emerging AI security architecture increasingly resembles cybersecurity, fraud prevention, anti-money-laundering systems, and counterintelligence operations more than traditional nonproliferation regimes. In this world, the key question is not simply who owns chips or trains model weights. It is who can access deployed systems, how they use them, and whether defenders can detect abuse in time.
That makes anomaly detection, threat telemetry, identity verification, and orchestration controls central. Unsurprisingly, this is where frontier firms are already pouring enormous effort.
The AI arms race is likely to resemble cybersecurity itself: a perpetual contest between attackers and defenders in which no side ever achieves total control. That does not make hardware irrelevant. But it does mean the decisive terrain is shifting away from pure hardware denial.
Dual Use Is Not a Blank Check
Another theme running through Anthropic’s essay is the claim that AI is a “dual-use technology.” That characterization is not wrong, per se, but it risks doing too much rhetorical work. Every sufficiently general technology is dual use. Electricity powers hospitals and weapons factories. Cryptography protects dissidents and criminal enterprises. The internet enables education, commerce, espionage, and fraud.
The existence of dual-use risks does not, by itself, justify highly centralized control. Nor does invoking an “arms race” automatically establish the case for expansive regulatory authority over general-purpose intelligence systems.
One danger in today’s policy debate is that legitimate security concerns become the rationale for an increasingly centralized, government-defined AI ecosystem. Such a regime would do more than limit misuse. It would shape which systems can be built, who may build them, which values become embedded in them, who may access them, and even which forms of machine cognition remain permissible.
Centralization also creates a straightforward market-structure problem. Licensing regimes, rigid compute thresholds, and data-center moratoria do not affect all market participants equally. They tend to favor firms that already possess capital, infrastructure, legal resources, and regulatory access, while raising barriers for startups, open-source communities, and downstream developers.
Even when framed as safety measures, these policies can function as ladder-pulling mechanisms, converting legitimate national-security concerns into incumbent protection. The risk is particularly acute in AI because the technologies, business models, and competitive landscape remain highly fluid.
History offers little reason to believe governments excel at managing rapidly evolving technological ecosystems through centralized control. More importantly, centralized institutions tend to outlive the emergencies that justified their creation. Temporary powers have a habit of becoming permanent ones.
Policy should also avoid treating China—or any other adversary—as a monolith. Private firms, state-owned enterprises, military-linked entities, and opportunistic commercial actors operate under different incentives and constraints. Policies that ignore those distinctions are more likely to block beneficial activity while missing the specific channels that pose genuine security risks.
The Best Defense Is More AI
One striking limitation in many AI-risk arguments is that they treat AI primarily as an accelerant for offensive capabilities. Anthropic notes that “[a]dvanced AI models will be able to compress R&D cycles in semiconductors, biotech, and advanced materials.” True enough. But AI will also improve defensive cybersecurity, malware analysis, anomaly detection, fraud prevention, vulnerability remediation, supply-chain auditing, biological-threat detection, infrastructure resilience, and autonomous defensive operations.
As models become more commoditized and the technology more diffuse, defensive capabilities will matter more. A dual-use framing that criminalizes—or tightly controls—the development of advanced capabilities risks leaving Americans at a serious disadvantage against emerging threats.
The same agentic systems that can accelerate attacks can also harden networks, monitor behavior, identify adversarial coordination, and defend users at machine speed. That matters because the likely long-run equilibrium is not a world in which dangerous capabilities disappear. It is one in which defensive capabilities proliferate alongside offensive ones.
The cybersecurity evidence also counsels against step-function panic. AI will improve vulnerability discovery, exploit adaptation, and triage, but those gains are more likely to accumulate as continuing pressure than to appear overnight as a clean break in the offense-defense balance. If frontier access is gated through regulatory delay or cartelized compliance costs, the defensive shortfall will fall hardest on smaller firms, open-source developers, and ordinary users who cannot buy bespoke security infrastructure.
This leads to a larger and still underdeveloped question: What does defensive AI look like at the individual level? Much of the current debate assumes security must come from centralized institutional control. Another possibility is emerging: the democratization of personalized defensive intelligence.
In practice, individuals may increasingly rely on persistent AI systems that function as anti-fraud and personal-security tools, monitoring the edges of their digital identities 24 hours a day. These systems would behave less like chatbots and more like always-on defensive infrastructure.
Cyberpunk fiction has a recurring concept of ICE and counter-ICE: intelligent defensive systems continuously contesting hostile intrusion attempts. The analogy feels less fictional by the day. As AI systems become commoditized, the strategic advantage may shift away from merely possessing powerful models and toward possessing trustworthy, aligned, defensive, and highly personalized systems.
In that world, raw model capability may not be the key competitive advantage. Public policy should therefore be careful with sweeping categories like “dual use,” which risk chilling beneficial development and deployment. The United States needs companies building trust systems that preserve individual autonomy while strengthening defensive architectures. Just as critically, those systems must not become entry points for future authoritarian control. That means continuing to develop these technologies in a distinctly American style: decentralized, private, and bottom-up.
A centralized regime that dictates which models can be built and deployed will not get us there. These questions are likely more important than whether an adversary possesses somewhat weaker chips.
Open source, then, is not merely a consumer convenience or a developer preference. It is a strategic lever. Broad domestic open-source availability commoditizes the model layer, prevents deployment from hardening around a few hosted APIs for regulatory reasons, gives emerging firms a distribution path against incumbent network effects, and keeps the global developer base oriented toward U.S.-aligned tools. If domestic open-source development is chilled, developers will not stop building; they will migrate to foreign open-source alternatives.
In short, open source is a strategic playbook, not merely a development norm. Suppressing domestic open-weight competition in the name of export controls would not eliminate open models. It would make foreign open ecosystems more attractive as the default base layer for global developers.
The Future Is Defense, Not Denial
None of this means export controls—or analogous controls at the capability layer—are useless. There may be narrow domains where targeted restrictions remain sensible, particularly at the bleeding edge. Nor does it mean capability-layer governance will be easy. The better approach is a sliding scale: delay access to the most advanced hardware and model capabilities where delay genuinely matters, but avoid sweeping embargoes that permanently push global developers toward alternative technology stacks.
The capability layer is likely to remain a permanent adversarial battleground. The future is unlikely to resemble nuclear nonproliferation. It will look much more like cybersecurity: an ongoing contest between attackers and defenders in which neither side ever achieves complete control.
The appropriate response is not tighter chip controls alone, nor a government-administered mother-may-I regime for developing and deploying frontier AI systems. It is a policy framework that enables U.S. firms to build resilient systems, democratize defensive intelligence, and harden the places where AI is actually used. In practice, that means preserving reliance on U.S. platforms, governing real access vectors, and making defensive AI broadly available so that security scales alongside the threat.
It also means ensuring that individuals, firms, and institutions possess the tools they need to defend themselves in an increasingly AI-saturated world.
The central challenge of AI policy is not preventing powerful capabilities from existing. That ship has largely sailed. The challenge is ensuring that defensive capabilities diffuse at least as quickly as offensive ones.
If AI’s future looks more like cybersecurity than nonproliferation, then the goal should not be to monopolize intelligence. It should be to make the defense scale faster than the attack.
